Detecting cyber attacks in time combining attack simulation with detection logic


Bibliographic Details
Main Author: Myllylä, Juuso
Advisor: Costin, Andrei
Other Authors: Informaatioteknologian tiedekunta, Faculty of Information Technology, Informaatioteknologia, Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Format: Master's thesis
Language: eng
Published: 2021
Subjects: threat detection; cyber defense; attack simulation; SIEM; blue team; Active Directory; simulation; cyber security; cyber attacks
Online Access: https://jyx.jyu.fi/handle/123456789/74965 ; http://www.urn.fi/URN:NBN:fi:jyu-202104072287
Abstract (Finnish, translated): Detecting cyber attacks has become ever more difficult, pushing the typical time to detect a successful data breach to over half a year, by which point an attack costs the target on average nearly four million dollars. Attacks are increasingly sophisticated and targeted, making poorly prepared companies attractive targets for attackers. Although companies often have working firewalls and anti-malware software, they may be surprised to find themselves the victim of, for example, a ransomware attack. This raises the question: how was the attack not detected in time? The purpose of this study is to identify the root causes of late or non-existent attack detection. The main goal is to present defenders with a test environment with sufficient logging practices, in which they can simulate attacks themselves. The results of the attack simulation are then translated into actionable detection logic with the help of a threat detection framework. The framework is designed to guide defenders through a fast and agile process of developing broad detection logic with emphasis on tactics, techniques and procedures. The results of the study answer the research problems posed in a general and broad manner, so that defenders learn and understand the fundamental problem in threat detection.

Abstract (English): Cyber attacks have become harder to detect, causing the average detection time of a successful data breach to be over six months and typically costing the target organization nearly four million dollars. The attacks are becoming more sophisticated and targeted, leaving unprepared environments easy prey for the attackers. Organizations with working antivirus systems and firewalls may be surprised when they discover their network has been encrypted by a ransomware attacker. This raises a serious question: how did the attacks go undetected?
The research conducted in this thesis focuses on the most common pitfalls behind late or non-existent detection by defining the root cause of the failed detections. The main goal is also to empower defenders to set up a test environment with sufficient logging policies and to simulate attacks themselves. The attack simulations are then turned into actionable detection logic with the help of the detection logic framework. The framework is designed to guide defenders through a quick and agile process of creating broader detection logic, with the emphasis on the tactics, techniques and procedures of attacks. The results of this study approach the detection issues in a broad and general manner to help defenders understand the problem of threat detection, instead of providing ready-made solutions.