Michael Mundt successfully defended his PHD thesis

6 February 2025

On January 28th Michael Mundt defended his PhD thesis "On efficient and effective Cyber Threat Intelligence-based Mitigation of Data Exfiltration". Congratulations on the excellent grade (magna cum laude).

Thesis Abstract:

Week 27 of 2024. Cyber incidents have been recorded again. No one seems to be immune. This week, among other incidents, Technical Inspection Association (TÜV) Rheinland was burgled. The cybergang Ransomexx is said to have stolen 650 GB of data from the organisation. FalconFeeds.io announced this on the social media channel X. This is just one selected example of many this week. It shows a current pattern of cyber criminals' modus operandi. They penetrate the victim system, sift through it for valuable data, compile that data, and exfiltrate sensitive data to later blackmail the victim, resell the stolen data, or both. After the data has been stolen, it is encrypted by the use of ransomware to increase the operational, extortionate pressure on the victim by increasing the damage in the event of non-payment of the extortion money demanded. The victim gets into a vicious circle. The stolen and encrypted data can be used repeatedly for extortion. Even if production operations could be restored, the attackers threaten to publish the stolen data as often as and whenever they want.

With this thesis, we have set ourselves the goal of breaking this vicious circle. We present a concept to better protect against the theft of sensitive data. Active protection against unauthorised data exfiltration is the core of this work.

We first investigate methods to become aware of the current cyber threats for one's own organisation. As an essential part of our concept, we work out how to become aware of one's own sensitive data and relevant processes and then use a Cyber Threat Intelligence (CTI) approach to check which current cyber threat vectors emanate from Advanced Persistent Threats (APT). Cyber incidents are evaluated by analysts worldwide. The knowledge about the perpetrators' modus operandi, skills and equipment is compiled and stored in knowledge databases in a structured manner. Faster, structured exchange of information on current cyber threats promotes targeted resistance and the automation of processes. We take advantage of this development and align our approach with the current cyber threats.


We show how our concept can be procedurally integrated into an existing Information Security Management System (ISMS). Many organisations today operate an international standard-compliant ISMS to ensure an appropriate level of security. By showing how our concept can be integrated into this, we open up the possibility of later exploitation of the results of our work up to the possibility of integrating our concept into international standards in the future.

We investigate the optimal structure of a simulation cycle and the mandatory properties of a simulation engine. The findings of the CTI are to be used by executing the current cyber threats in the context of a simulation. The simulation should be as realistic as possible and is carried out directly in the productive IT system that needs to be protected. Our approach is to run the simulation before an attacker uses this specific attack vector and to learn from the execution which detection and protection measures can be improved and how we can protect the affected assets. We perform an in vitro evaluation of this simulation cycle. We show furthermore how novel forensic methods are used to detect the effects of the simulation in real time and to detect and preserve the digital traces that the simulation leaves on the assets of the productive system.

Finally, we implemented our concept as a prototype and provided proof of feasibility. We have used commercially available and open-source software for this purpose. It was important to us to show that our approach can be used immediately. We set up the entire simulation cycle and exercised it on the basis of selected hazards. All phases of the simulation cycle were run through several times. New, dangerous attack techniques, such as breaking sensitive data down into small pieces and then exfiltrating these small pieces silently without being noticed, were simulated. We have thus shown that our approach can cope with current cyber threats.
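The fragmented exfiltration technique named above is what a real-time detector has to catch: each piece is small enough to pass as normal traffic, so the defender has to aggregate. The following sliding-window detector is an added example written for this page, not the prototype described in the thesis; the log format, the host names and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# Tunables are assumptions for the example, not values from the thesis.
WINDOW_SECONDS = 3600       # aggregate per (source, destination) over one hour
VOLUME_THRESHOLD = 500_000  # bytes/window a workstation is not expected to send
MIN_CHUNKS = 5              # many small pieces adding up is what we look for

# Constructed sample log: "<epoch> <source host> <destination> <bytes>".
# ws-07 fetches one update, bk-01 runs one large backup, ws-12 sends
# 12 pieces of 51200 bytes to the same destination, two minutes apart.
SAMPLE_LOG = sorted(
    ["1700000000 ws-07 updates.example.net 4200",
     "1700000300 bk-01 backup.example.net 2000000"]
    + [f"{1700000100 + 120 * i} ws-12 drop.example.org 51200" for i in range(12)],
    key=lambda line: int(line.split()[0]),
)

def parse_line(line: str) -> Tuple[int, str, str, int]:
    """Split one log line into (timestamp, source, destination, bytes)."""
    ts, src, dst, size = line.split()
    return int(ts), src, dst, int(size)

def detect_fragmented_exfil(lines: Iterable[str], window: int = WINDOW_SECONDS,
                            threshold: int = VOLUME_THRESHOLD,
                            min_chunks: int = MIN_CHUNKS) -> List[Dict]:
    """One alert per (source, destination) pair whose transfers within `window`
    seconds add up to more than `threshold` bytes in at least `min_chunks`
    pieces. The single large backup (bk-01) does not match: this rule targets
    fragmentation; bulk transfers need a separate volume rule."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)  # (ts, bytes)
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    alerted, alerts = set(), []
    for line in lines:
        ts, src, dst, size = parse_line(line)
        key = (src, dst)
        recent[key].append((ts, size))
        totals[key] += size
        while ts - recent[key][0][0] > window:        # expire pieces outside window
            totals[key] -= recent[key].popleft()[1]
        if (totals[key] > threshold and len(recent[key]) >= min_chunks
                and key not in alerted):
            alerted.add(key)                          # alert once per pair
            alerts.append({"src": src, "dst": dst, "chunks": len(recent[key]),
                           "bytes": totals[key], "first_ts": recent[key][0][0],
                           "last_ts": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_fragmented_exfil(SAMPLE_LOG):
        print(alert)
```

In the constructed log the alert fires on the tenth piece, when ws-12 has moved 512000 bytes in 1080 seconds; shrinking the window to 500 seconds keeps at most five pieces in view and the same traffic is no longer flagged, which is the trade-off a simulation run like the one described above is meant to expose.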
