Advanced Threats and Security Assurance

Most of society’s critical infrastructure, and the key processes of companies and organizations, are controlled by computer systems, which makes such systems a natural target for attacks, often motivated by industrial espionage, deliberate damage, or intelligence gathering by nation-state actors.

In digital public services, cyber attacks threaten the privacy of clients’ sensitive information and can have potentially fatal consequences if data are altered or removed, e.g., in health care systems. In the energy sector, failures in a control or monitoring system can lead to high financial losses and halt the operations of other dependent services, including safety-critical ones, and in the worst case can paralyze the whole critical infrastructure. Successful attacks on mobile networks would lead to similarly dire consequences.

The Cyber Trust program studied key threats across societies and economies and designed effective methods and tools for detecting and countering those threats. The program also validated these methods and tools via modern security assurance techniques and practical testing. Forensic analysis and incident response were applied to the security and privacy assurance of information systems and components, including open source ones, and to supporting the personnel who operate protection systems and deal with security incidents. The program explored new approaches for detecting targeted attacks within the privacy framework set by local legislation, through collaboration between experts in handling security incidents and experts in network security.

Targeted attacks are attacks against specific companies, industry sectors, or governments, often motivated by industrial espionage, damage to critical infrastructure (for instance, mobile networks and the IT infrastructure of organizations), or intelligence gathering by nation-state actors.

Customers have recently become very interested in this topic, and the participating companies and institutions regard targeted attacks as a business-critical area for their future security service offerings. This project therefore aimed to significantly improve expertise in targeted attacks and the effectiveness of their detection and mitigation.

Today most detection approaches focus on general malware. Malware detection is often based on signatures, static analysis, and simple behavior-related rules. The program aimed at significant improvements in the capabilities for detecting, reacting to, and preventing targeted attacks, which typically have more complex attack patterns than conventional ones, including, for instance, sophisticated attack escalation logic. Real attacks, and the malicious objects used in them, were analyzed. Based on that improved understanding, one can construct “behavioral signatures” of attacks that can be used to identify them effectively. Open interfaces to the analysis systems were provided, and tools were created to aid incident response operations. This also helps organizations recover from intrusions faster and more effectively.

A number of Cyber Trust partners, including F-Secure, joined the European Organization for Cybersecurity (ECSO). They contributed to efforts such as the preparation of the Strategic Research and Innovation Agenda (SRIA) for the Horizon 2020 Work Programme 2018-2020.

Collaboration with the National Science Foundation Industry/University Cooperative Research Center (I/UCRC) program was coordinated via Cyber Trust. As a result, a new S2ERC site was established in Finland. The Security and Software Engineering Research Center (S2ERC) has been operating since 2010. The Finnish cyber security and software engineering research site is open to all Finnish universities and research institutes and will be physically based at the University of Oulu. A number of Cyber Trust partnerships are expected to continue within S2ERC, for instance between the University of Turku and F-Secure.

Rapid Detection Service

F-Secure studied approaches and technologies for detecting advanced attacks on organizational systems and networks. This laid the foundation for the Rapid Detection Service (RDS). The key partners were the University of Turku and nSense.

This service was related to the threat intelligence work. F-Secure regularly publishes threat reports and analyses of specific attacks and of attacker techniques and tactics, which brought insights for developing RDS. In particular, that led to a working relationship with ENISA (the close partners were Nokia, nSense, and Ericsson). The research into techniques for collecting and pre-processing relevant data from endpoints, and into methods for detecting attacks from the collected data, contributed significantly to the success of RDS. There is a great business opportunity for the service and the technology. The RDS pilot, which enabled the University of Turku to work with F-Secure on data analysis approaches, was an important learning experience and helped F-Secure prepare better for the various challenges related to such activities.

The RDS-related collaboration with researchers at the University of Turku produced valuable data sets for attack detection analytics. The aim was to introspect live events coming from the various programs running on top of an operating system: profile each program or program user, attach the features of its normal behaviour to it, and then apply machine-learning-based methods to find signs of unnatural, malicious behaviour. Researchers collected operative RDS data for six months, analyzed it, and developed advanced recognition methods. Continuous analysis of a stream of program events is a novel approach to enhancing software security. About 1 terabyte of RDS data was collected, and a method for analyzing it and recognizing malicious activity was developed.
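The profiling idea described above, as an added illustration that is not F-Secure’s RDS code: a per-program profile of "normal features" is learned from endpoint events recorded while hosts were believed clean, and live events that do not fit the profile are flagged. The event format, the programs and all sample events are constructed for this example.

```python
"""Added example (not F-Secure / Cyber Trust code): per-program behaviour
profile built from endpoint events, then used to score a live stream."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (host, user, program, feature); a feature is something the introspection
# layer can observe for a program: a spawned child, a DNS lookup, a module.
Event = Tuple[str, str, str, str]

TRAINING: List[Event] = [  # constructed baseline window
    ("ws01", "alice", "winword.exe", "spawn:splwow64.exe"),
    ("ws01", "alice", "winword.exe", "dns:templates.example.com"),
    ("ws02", "bob",   "winword.exe", "spawn:splwow64.exe"),
    ("ws02", "bob",   "winword.exe", "dns:templates.example.com"),
    ("ws03", "carol", "winword.exe", "spawn:excel.exe"),
    ("ws01", "alice", "svchost.exe", "dns:update.example.com"),
    ("ws02", "bob",   "svchost.exe", "dns:update.example.com"),
]
LIVE: List[Event] = [  # constructed stream to score
    ("ws01", "alice", "winword.exe", "spawn:splwow64.exe"),
    ("ws01", "alice", "winword.exe", "spawn:powershell.exe"),
    ("ws03", "carol", "winword.exe", "spawn:excel.exe"),
    ("ws02", "bob",   "svchost.exe", "dns:update.example.com"),
    ("ws02", "bob",   "mshta.exe",   "dns:cdn.example.net"),
]

def build_profile(events: List[Event]) -> Dict[str, Counter]:
    """Count how often each program exhibited each feature in the baseline."""
    profile: Dict[str, Counter] = defaultdict(Counter)
    for _host, _user, program, feature in events:
        profile[program][feature] += 1
    return dict(profile)

def detect(profile: Dict[str, Counter], events: List[Event],
           min_support: int = 2) -> List[dict]:
    """Return one alert per event whose program is unknown, or whose feature
    was never seen (novel) or seen fewer than min_support times (rare) for
    that program. A small set of reason codes keeps alerts easy to aggregate."""
    alerts = []
    for host, user, program, feature in events:
        if program not in profile:
            reason = "unknown-program"
        else:
            seen = profile[program][feature]  # Counter returns 0 if unseen
            if seen == 0:
                reason = "novel"
            elif seen < min_support:
                reason = "rare"
            else:
                continue  # well-supported normal behaviour
        alerts.append({"host": host, "user": user, "program": program,
                       "feature": feature, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in detect(build_profile(TRAINING), LIVE):
        print(alert)
```

In a real deployment the baseline would be rebuilt continuously and the per-user variant of the profile would be keyed on (program, user) rather than program alone.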

New Open Source Sandboxing and Fuzz Testing Environment

Research for the new sandboxing environment supported F-Secure’s Incident Response and Threat Intelligence work. The task was to extract behavioral features for identifying malicious and unwanted files and web resources. This led to further collaboration plans with the University of Turku in the framework of S2ERC. Major parts of the Sandboxed Execution Environment (SEE) were open-sourced, and access to it was provided for Cyber Trust partners. There are clear opportunities for the technology in the corporate security business. Open-sourcing F-Secure’s sandboxing technologies led to interesting plans for academic research both within and outside Cyber Trust. Access to F-Secure’s threat intelligence backends enabled several program partners to validate the results of their research work.

Research, development, and adoption of fuzz testing techniques were done in collaboration with the Oulu University Secure Programming Group (OUSPG). OUSPG’s work on cloud-based, coverage-aided fuzz testing is state-of-the-art worldwide. It is comparable to tools widely used in industry, such as American Fuzzy Lop (AFL), but uses more advanced mutation techniques. This reduces test throughput somewhat, but the researchers showed that these techniques find problems that other tools cannot easily find. Furthermore, the researchers scaled the approach in the cloud. The purpose of fuzzing is to automatically generate large amounts of test input that increase code coverage and make the code crash. The collaboration on fuzzing resulted in an open-source project (libfuzzerfication) and in sustained efforts to apply fuzz testing in F-Secure’s R&D as part of the standard software development process. LibFuzzer is a library for in-process, coverage-guided evolutionary fuzzing of other libraries.

Credentials Management Software (F-Secure KEY)

F-Secure KEY is credentials management software. During the program, the security-related functionality of the product was analyzed, and studies were made of actual customer needs and preferences and of ways to communicate the product’s features to customers. The primary researchers were from Aalto University, the University of Jyväskylä, and Tampere University of Technology. They contributed on both the security and the user experience side, supporting the work on technical challenges, the understanding of user problems and preferences, and the identification of ways to position F-Secure KEY for direct users and telecommunication operator partners.

F-Secure is exploring how to turn the technology into a corporate offering and how to sell it via its network of ISPs and mobile operators. F-Secure is also shaping business plans for services based on threat intelligence and sandboxing and is observing healthy demand from security-conscious corporate customers.

Detection of Fake Accounts at the Social Media Sites

The SOMEA research group at the University of Jyväskylä was well placed to contribute methods and software for social media monitoring and analysis. The group was interested in finding new collaboration possibilities and in supporting the existing research activities on applying social media analysis methods to the detection of fake identities, and on understanding the role of false identities in the early stages of targeted attacks.

Over the past two decades, online social media resources have grown rapidly. Now nearly 70% of adults in developed countries have social media accounts. Most online social media sites skip verification of new users’ identities in favour of ease of access, thus opening the door to fake-identity-enabled activities such as spamming, phishing, and trolling. Together with F-Secure and nSense, the research group performed repeated crawls of the metadata of 200,000 newly registered users at a social media site. The crawling lasted nearly one month, and the goal was to collect and analyze the activity of these accounts over a long period of time, detect anomalies in their behavior (such as rapid growth of the friend list), and analyze the URLs presented on these accounts using an API provided by F-Secure.
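The "rapid growth of the friend list" anomaly from the crawl described above, as an added example that is not the SOMEA group’s code: friend counts from repeated crawls are turned into per-account growth rates, and accounts whose rate is far above the cohort are flagged with a median/MAD outlier test, which is not dragged upwards by the outliers it is meant to catch. The crawl records, account ids and thresholds are constructed for this example.

```python
"""Added example (not SOMEA / Cyber Trust code): flag newly registered
accounts whose friend list grows far faster than the cohort of new users."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# (crawl_day, account_id, friend_count) from repeated metadata crawls
Snapshot = Tuple[int, str, int]

CRAWLS: List[Snapshot] = [  # constructed: 6 accounts crawled on days 0, 14, 28
    (0, "u1", 0), (14, "u1", 12),  (28, "u1", 25),
    (0, "u2", 2), (14, "u2", 20),  (28, "u2", 44),
    (0, "u3", 0), (14, "u3", 5),   (28, "u3", 9),
    (0, "u4", 1), (14, "u4", 30),  (28, "u4", 57),
    (0, "u5", 0), (14, "u5", 900), (28, "u5", 1960),  # abnormal growth
    (0, "u6", 0), (14, "u6", 0),                     # seen in two crawls only
]

def growth_rates(snapshots: List[Snapshot]) -> Dict[str, float]:
    """Friends gained per day between an account's first and last crawl.
    Accounts seen in a single crawl have no rate and are left out."""
    per_account = defaultdict(list)
    for day, acct, friends in snapshots:
        per_account[acct].append((day, friends))
    rates: Dict[str, float] = {}
    for acct, obs in per_account.items():
        obs.sort()
        (d0, f0), (d1, f1) = obs[0], obs[-1]
        if d1 > d0:
            rates[acct] = (f1 - f0) / (d1 - d0)
    return rates

def flag_rapid_growth(rates: Dict[str, float], k: float = 5.0) -> List[str]:
    """Robust z-score: flag accounts whose rate exceeds the cohort median by
    more than k median absolute deviations (MAD). A constant cohort has
    MAD 0, which is replaced by 1.0 so nothing is divided by zero."""
    vals = list(rates.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return sorted(acct for acct, r in rates.items() if (r - med) / mad > k)

if __name__ == "__main__":
    rates = growth_rates(CRAWLS)
    print({a: round(r, 2) for a, r in rates.items()})
    print("flagged:", flag_rapid_growth(rates))
```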

Research on Denial-of-Service Attacks

A denial-of-service (DoS) attack makes a machine or network resource unavailable by disrupting the services of a host connected to the internet. Security specialist Silke Holtmanns from Nokia Bell Labs and other researchers from her group studied how attackers can conduct DoS attacks on 4G cellular devices around the world. Holtmanns presented the results of the research at the Black Hat conference in November 2016.

Holtmanns presented different DoS attacks that can affect any platform or device on mobile LTE (Long-Term Evolution) networks: mobile phones, tablets, and IoT devices. These attacks can disconnect mobile phone users from their network.

Although the new technology and new communication generation, 4G/LTE, is expected to make things better, vigilance is still needed. LTE with Diameter offers functionality similar to that of the earlier technology (SS7). Security researchers have clearly shown that LTE/Diameter interconnection will face weaknesses similar to those of SS7 if networks do not take protection measures.

Ever since the public revelation of global surveillance and of the exploits targeting the mobile communication backend, general awareness of security and privacy in the telecommunication industry has increased. Misuse of the technical features of mobile core network technology – specifically Signaling System 7 (SS7) – has revealed numerous ways to locate, track and manipulate the routine cellular activities of cellphone users. In fact, SMS-based key recovery mechanisms are becoming vulnerable because of the SS7 weaknesses.

Many mobile network operators are rushing to upgrade their networks from 2G and 3G to 4G/LTE, not only to improve service but also security. With relatively more security and privacy features, the Diameter protocol – the successor of SS7 in Long Term Evolution (LTE) networks – is believed to guarantee more protection to the network itself and to end-users. However, Diameter inherits many functionalities and traits of the SS7 network, and attention needs to be paid to proper security measures such as filtering. Therefore, some attacks remain possible there, e.g., location tracking in LTE by abusing the Diameter-based interconnection.


Security Protections for Mobile Networks

Nokia supported the US government (the Federal Communications Commission and the Department of Homeland Security) in drafting security protections for mobile networks. Nokia also supported the Nordic regulators on the evolution of mobile network security. Nokia further supported theses on, e.g., machine learning, trusted NFV and related topics.

Nokia and Finland are seen as a worldwide leading trusted expertise center for advanced attacks on, and protections of, mobile networks. This recognition has resulted in many customer requests and orders, which in turn bring capital to Finland. With the help of the Cyber Trust program, Nokia was able to pool the critical resources needed to keep the leading edge in the area of advanced attacks. Nokia shared this information freely among the partners to enhance the Finnish level of expertise. Specifically, the Cyber Trust program gave Nokia the possibility of creating a demo testbed (with a robotic arm, virtual reality control, and 5G connectivity) which will serve as a demonstration platform for most of the work done in the program.

Cyber Security Standards in Power Grids

Jyväskylän Energia focused on current cyber security standards in power grids (water, electricity and heat) and on the security of automation systems. The research on threats in energy production was completed, and security collaboration within the energy industry was conducted. A better understanding of the information security level of the electricity network was achieved, and an information security analysis of a SCADA system was done. Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to control and monitor industrial processes locally or at remote locations.

With a view to possibly purchasing a Security Operations Center (SOC) service, Jyväskylän Energia surveyed the existing services and service providers. Jyväskylän Energia also surveyed data protection audit providers in order to start preparing for the EU General Data Protection Regulation (GDPR). The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy.

Jyväskylän Energia and the University of Jyväskylä analyzed cyber security management, situational awareness and resiliency. Pardco Group provided an environment for research on using honeypots to analyze cyber attacks.

Diversification & Obfuscation

The University of Turku applied large-scale diversification statically to the different layers of operating systems, applied obfuscation and diversification to other well-known application areas (e.g., AJAX web applications and the SQL query language), applied diversification to the operating systems of IoT devices (e.g., memory layout shuffling and binary symbol diversification), and studied the possibilities of applying diversification techniques to cloud-based systems (e.g., JavaScript and various API diversifications). Diversification and obfuscation can be applied to binary files at large scale. In addition, diversification is extremely useful for securing IoT devices, which themselves are generally very poorly secured or completely unsecured, relying on physical separation.

Honeypot, Sandbox & Monitoring

The University of Turku conducted surveys of fake entity proposals in the scientific literature, of malware’s anti-honeypot and introspection methods, and of current sandboxing implementations. Researchers implemented a diversified honeypot that operated at the system call level and created an experimental honeypot proxy framework for deceiving attackers with fabricated content. Finally, they conducted a survey of application-level sandboxing technologies. The survey analyzed notable sandboxing solutions with a focus on the mechanisms that enable application containment, and additionally aimed to identify key trends in this area of research. As the diversified interface is known only to the trusted binaries, calls outside this interface clearly reveal non-trusted, suspicious or malicious binaries. The proof-of-concept showed this method to be practical for implementing honeypots on real-world systems.
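The diversified-interface honeypot idea above, as an added model that is not the University of Turku implementation: at install time trusted binaries are rewritten to use per-installation names for the interface, so any caller that still uses the original (public) names was not part of that rewrite and is treated as untrusted; in honeypot mode it receives fabricated content instead of an error while the call is recorded. The interface names, the key, the handlers and the sample callers are all constructed for this example.

```python
"""Added example (not Cyber Trust / University of Turku code): a diversified
call interface that exposes callers which were not rewritten at install time."""
import hmac
from typing import Callable, Dict, Iterable, List, Tuple

def diversify(symbols: Iterable[str], key: bytes) -> Dict[str, str]:
    """Map each original symbol to an opaque, installation-specific name."""
    return {s: "sys_" + hmac.new(key, s.encode(), "sha256").hexdigest()[:12]
            for s in symbols}

class DiversifiedInterface:
    def __init__(self, handlers: Dict[str, Callable], key: bytes):
        self.mapping = diversify(handlers, key)      # original -> diversified
        self._handlers = {self.mapping[s]: h for s, h in handlers.items()}
        self._originals = set(handlers)
        self.alerts: List[Tuple[str, str, str]] = []  # (caller, name, kind)

    def call(self, caller: str, name: str, *args):
        if name in self._handlers:                     # rewritten, trusted caller
            return self._handlers[name](*args)
        # Only code that skipped the install-time rewrite calls by the public
        # name (or guesses a name); log it and answer with fabricated content.
        kind = "original-name" if name in self._originals else "unknown-name"
        self.alerts.append((caller, name, kind))
        return self._decoy(name, *args)

    @staticmethod
    def _decoy(name: str, *args) -> str:
        """Fabricated answer that keeps the caller engaged while it is logged."""
        return f"decoy:{name}:{','.join(map(str, args))}"

# Constructed stand-ins for the protected interface and the install-time key.
REAL_HANDLERS = {
    "read_file": lambda path: f"contents-of-{path}",
    "connect":   lambda host, port: f"socket-to-{host}:{port}",
}
KEY = b"installation-specific-secret"  # constructed; generated per install

def rewrite_binary(calls, mapping: Dict[str, str]):
    """Install-time step: a trusted binary's calls are renamed to the
    diversified names, the only ones the interface will actually serve."""
    return [(mapping[name], args) for name, args in calls]

def demo():
    iface = DiversifiedInterface(REAL_HANDLERS, KEY)
    trusted = rewrite_binary([("read_file", ("/etc/hosts",))], iface.mapping)
    results = [iface.call("trusted-app", name, *args) for name, args in trusted]
    # A binary dropped after install never saw the mapping and uses the
    # public names; one call it makes is not part of the interface at all.
    results.append(iface.call("dropped-bin", "read_file", "/etc/hosts"))
    results.append(iface.call("dropped-bin", "list_dir", "/home"))
    return results, iface.alerts

if __name__ == "__main__":
    out, alerts = demo()
    print(out)
    print(alerts)
```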

Trusted Computing & Virtual Environments

Researchers at the University of Turku surveyed the trends and objectives of using the TPM (Trusted Platform Module) in the cloud, proposed and implemented a vTPM (virtual TPM) architecture for enabling the TPM in container-based virtualization, and created a secure live migration protocol for VMs (virtual machines). The majority of the research focused on the security of traditional hypervisor-based virtualization. The research made notable efforts to bridge these solutions to container-based systems and thus, through the vTPM research and other commitments, advanced security solutions in the area.

Secure Agile Software Development

Researchers conducted a literature review to discover evidence about the contemporary use of agile development methods in contexts where software security regulations apply, provided a theoretical framework for assessing the interoperability of agile and secure software development activities, and created a secure modification of an agile software development method. The review of prior applications of agile methods to security-constrained software development accumulated a notable amount of evidence indicating that agility and security are not mutually exclusive aspects of software development. Further, researchers demonstrated a generalizable proof-of-concept case study of developing a secure system with agile means.

Software Vulnerabilities and Exploits

Researchers at the University of Turku modeled the delivery of security advisories, described how exploits can be traded online, described software vulnerability lifecycles and reflected them against aging software products. They also revisited the clustering and disclosure of software vulnerabilities in products delivered by large software vendors. They conducted several in-depth yet broad reviews of existing vulnerabilities and exploits in varying software environments. These reviews allowed them to accumulate a mass of data on which robust statistical analyses were performed. The results of the analysis allowed them to classify and describe several vulnerabilities and to argue, for example, for common properties of theirs that are still disregarded by several software development and vendor organizations, undermining software security by providing exploitation routes into otherwise secure systems.

Security-Motivated Web Crawling

Researchers at the University of Turku provided a post-mortem of the popularity and distribution of malware files on the contemporary web-facing internet (F-Secure’s Riddler data), analyzed the importance of name server IP addresses for forensics related to DNS-targeting (Domain Name System) malware, and provided design guidelines for simple network resolvers for DNS mining. Many of the efforts in this topic area resulted in a rather exhaustive model of the commonly available web. The modelling also collected data on the routes and behaviour of a plethora of malware operating in the captured web. This allowed the researchers to identify several limits and discrepancies of the infrastructure, especially of the DNS, and consequently to design and propose appropriate security enhancements.


Contributors to the research theme: F-Secure, Nokia, Keski-Suomen Sairaanhoitopiiri, Pardco, nSense, University of Turku, Åbo Akademi, Jyväskylän Energia, Space Systems Finland (SSF)