Vasileios Mavroeidis | University of Oslo

Papers by Vasileios Mavroeidis

The Role of OASIS OpenC2 in Cybersecurity Automation and Orchestration

Effective and efficient cybersecurity operations require establishing a symbiotic function across tools, processes, and people. Cybersecurity automation intersects the above pillars and, via orchestration, enables the (as per the need) automatic execution of cybersecurity processes. In this regard, the underlying challenge is the complexity of architecting, deploying, and maintaining such environments due to the need for customized integrations and their dependence on proprietary interfaces. In response to this challenge, OASIS OpenC2 is a standardization work that introduces an interoperable, function-centric, vendor- and tool-agnostic language for the command and control of systems and components that perform or support cybersecurity operations.

A nonproprietary language for the command and control of cyber defenses – OpenC2

Data-Driven Threat Hunting Using Sysmon

Threat actors can be persistent, motivated and agile, and leverage a diversified and extensive set of tactics and techniques to attain their goals. In response to that, defenders establish threat intelligence programs to stay threat-informed and lower risk. Actionable threat intelligence is integrated into security information and event management systems (SIEM) or is accessed via more dedicated tools like threat intelligence platforms. A threat intelligence platform gives access to contextual threat information by aggregating, processing, correlating, and analyzing real-time data and information from multiple sources, and in many cases, it provides centralized analysis and reporting of an organization's security events. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed, mainly focusing on search engine technologies like NoSQL database systems. This paper demonstrates one of the many use cases of Sysmon and cyber threat intelligence. In particular, we present a threat assessment system that relies on a cyber threat intelligence ontology to automatically classify executed software into different threat levels by analyzing Sysmon log streams. The presented system and approach augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.

Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence

2017 European Intelligence and Security Informatics Conference, 2017

Cyber threat intelligence is the provision of evidence-based knowledge about existing or emerging threats. Benefits from threat intelligence include increased situational awareness, efficiency in security operations, and improved prevention, detection, and response capabilities. To process, correlate, and analyze vast amounts of threat information and data and derive intelligence that can be shared and consumed in meaningful times, it is required to utilize structured, machine-readable formats that incorporate the industry-required expressivity while at the same time being unambiguous. To a large extent, this is achieved with technologies like ontologies, schemas, and taxonomies. This research evaluates the coverage and high-level conceptual expressivity of cyber-threat-intelligence-relevant ontologies, sharing standards, and taxonomies pertaining to the who, what, why, where, when, and how elements of threats and attacks in addition to courses of action and technical indicators. The results confirm that little emphasis has been given to developing a comprehensive cyber threat intelligence ontology, with existing efforts being not thoroughly designed, non-interoperable, ambiguous, and lacking proper semantics and axioms for reasoning.

Quick Response Code Secure: A Cryptographically Secure Anti-Phishing Tool for QR Code Attacks

7th International Conference on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM-ACNS 2017), 2017

The two-dimensional quick response (QR) codes can be misleading due to the difficulty in differentiating a genuine QR code from a malicious one. Since the vulnerability is practically part of their design, scanning a malicious QR code can direct the user to cloned malicious sites resulting in revealing sensitive information. In order to evaluate the vulnerabilities and propose subsequent countermeasures, we demonstrate this type of attack through a simulated experiment where a malicious QR code directs a user to a phishing site. For our experiment, we cloned Google's web page providing access to their email service (Gmail). Since the URL is masqueraded into the QR code, the unsuspecting user who opens the URL is directed to the malicious site. Our results proved that hackers could easily leverage QR codes into phishing attack vectors targeted at smartphone users, even bypassing web browsers' safe browsing feature. In addition, the second part of our paper presents adequate countermeasures and introduces QRCS (Quick Response Code Secure). QRCS is a universal efficient and effective solution focusing exclusively on the authenticity of the originator and consequently the integrity of QR code by using digital signatures.