Volume 5 (2021-22)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published both in print and online. Articles scheduled for Volume 5 are available to view on the 'Forthcoming content' page.

Volume 5 Number 1

  • Editorial
    Simon Beckett, Publisher
  • The human variable: Designing a security strategy for a future in flux
    Gary Sorrentino, Global Deputy CIO, Zoom Video Communications

    The hybrid workforce is no longer a concept, it is a reality. But as employees embrace new working environments and flow in and out of the office, this hybrid approach poses a unique challenge for security leaders. This paper explores how organisations will need to create a security strategy rooted in the variability of the hybrid workforce — one that meets employees where they are and helps them learn the role they play in securing this new model. This strategy is rooted in three key principles: adopt a zero-trust approach, personalise data protection and bolster hands-on, robust training. Readers can expect to learn what it really takes to put this approach into practice — and what threats and roadblocks they should anticipate along the way.
    Keywords: hybrid workforce, security strategy, zero-trust approach, data protection, security training

  • Staying one step ahead of your adversaries: How to build a cyber threat intelligence team capable of delivering business value
    Keith Nicholson, Head of Cyber Threat Operations, Her Majesty’s Revenue and Customs

    From enabling security teams to effectively respond to incidents to ensuring security investments are targeted on real-world risk, when effectively implemented, a cyber threat intelligence (CTI) team can deliver value against a broad range of operational and strategic requirements. While many organisations recognise the value CTI can provide, delivering on that value proposition is often more difficult. CTI is a data-driven process; however, building an effective CTI capability requires far more than effective data collection and exploitation. This paper contends that for many organisations the challenge in realising value from their CTI team is not a data problem, it is a communication problem. To address this challenge, security leaders need to look beyond the traditional intelligence life cycle and consider a number of organisational factors which, taken together, provide a firm foundation to enable a CTI team to effectively communicate with and influence stakeholders across the organisation. Specifically, security leaders should position the team strategically, populate that team with a diverse blend of skills, provide a clear direction and purpose, and implement a robust communication and influencing strategy. Together these measures improve the ability of the organisation to realise business value from CTI.
    Keywords: cyber security, cyber threat intelligence, strategy, influencing stakeholders, communication

  • Discovering CovidLock
    Chad Anderson, Senior Security Researcher, Tarik Saleh, Senior Malware Researcher and Sean M. McNee, Director of Research, DomainTools

    In this paper the authors show the breadth of Coronavirus-themed maliciousness and how they prioritised their hunting across such a large influx of malicious infrastructure to discover CovidLock, a novel Android-based screen locker malware. A full technical analysis of CovidLock and its functions provides a basis for analysing other Android malware. This full-depth paper will show everything from hunting automation and prioritisation techniques to the reversing of the malicious application.
    Keywords: malware, mobile malware, mobile threat research, COVID-19, ransomware

  • Scaling cyber physical systems throughout the organisation
    Matt Leipnik, Lead Industrial Cyber Security Specialist, Nexus Controls

    This paper outlines a realistic and practical examination of the considerations and factors in scaling complex cyber physical systems alongside modern digital transformation: a guide for how businesses can strategically and operationally navigate (both proactively and reactively) the ‘unknown unknowns’, not simply to survive but to be resilient and adaptive, leveraging their own internal processes, structures and constraints without significant disruption or radical changes. It is designed to equip the reader with a blend of strategic, operational, technical and human business thinking paired with a concept of ‘visibility’ beyond just situational business awareness. It aims to guide businesses through the management of new business trends, ever-changing standards and compliance requirements, including larger and more complex developments such as 5G operationalisation, geostrategic challenges and political factors that are increasingly important to and unavoidable for businesses. The paper touches on a variety of disciplines and their convergence within business considerations, and their integration and scaling within an organisation.
    Keywords: framework, scale, design, Industrial Internet of Things (IIoT), cyber, physical, maturity model, life cycle

  • Is ransomware winning?
    Chris Goettl, Senior Director of Product Management, Ivanti

    This paper evaluates the performance of ransomware attacks and looks at the tactics and successes to determine effective counterstrategies. By analysing lagging indicators of the successes of ransomware, we can reverse-engineer an effective counterstrategy to fight back and significantly reduce the effectiveness of ransomware. This paper argues that the biggest challenge in countering modern ransomware is that the approach most companies are taking is too narrow. There is no single-solution answer to this challenge. The most effective counter to modern ransomware is a balanced security strategy of prevention and detection and response, layered in such a way as to disrupt, reduce and eliminate the tools and tactics that make modern ransomware effective. This also includes activities that happen well in advance of the ransomware attack and devices that may not even be part of the actual attack itself. This paper will also propose an effective strategy to counter modern ransomware and provide organisations with key technologies to remove critical capabilities from our adversary’s arsenal and disrupt the tactics that have made modern ransomware so successful.
    Keywords: zero trust, cyber security, ransomware, risk-based prioritisation, cyberattacks, phishing

  • Home-grown machine learning implementation for a SIRT: A use case — detecting domain-generating algorithms
    Brennan Lodge

    There is a flurry of discussion, press and vendors explaining how helpful data science techniques can assist in cyber security defence; however, there is little information available about how to effectively leverage and implement data science techniques within a company’s cyber security defence team. The goal of this paper is to empower security incident response teams (SIRTs) to seamlessly build, deploy and operate ML solutions at scale. Our proposed solution is designed to cover the end-to-end ML workflows. Take-aways include managing and deploying a prediction pipeline, training data, prediction model evaluations and continuously monitoring these deployments to assist in SIRTs’ ability to defend and thwart cyber security attacks. An additional use case of implementing a machine learning (ML) application to predict domain-generating algorithms with the integrated data science pipeline and platform is also discussed and used as a reference.
    Keywords: data science, machine learning (ML), blue team, domain-generating algorithms (DGAs)

  • Zero trust computing through the application of information asset registers
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    It is proposed that information asset registers are a key enabler towards the implementation of zero trust computing (ZTC), which requires a detailed knowledge of the information being processed and especially a detailed, well-documented knowledge of the network and technical infrastructure in order to support a zero-trust environment. ZTC also requires detailed documentation to facilitate operational cyber resilience. Asset registers are a key resource to speed up incident response and recovery. Information asset registers are part of the information management, assurance and governance (IMAG) approach. It is proposed that the information asset database is at the heart of the information assurance and ZTC ecosystem. This fact has been partially recognised through the Information Technology Infrastructure Library (ITIL) configuration management database (CMDB). We also explore issues related to hybrid infrastructures.
    Keywords: zero trust computing (ZTC), information asset registers, information governance, information assurance risk management, cyber incident response, information taxonomies, hybrid zero trust environments/operational resilience