Biblio

Cyber Threat Intelligence (CTI) sharing platforms are valuable tools in cybersecurity. However, despite the fact that effective CTI exchange highly depends on human aspects, cyber behavior in CTI sharing platforms has been notably less investigated by the security research community.Motivated by this research gap, we ground our work in the concrete challenge of understanding users’ perceptions of information sharing in CTI platforms. To this end, we propose a conceptual workflow and toolchain that would seek to verify whether users have an accurate comprehension of how far information travels when shared in a CTI sharing platform.We contextualize our concept within MISP as a use case, and discuss the benefits of our socio-technical approach as a potential tool for security analysis, simulation, or education/training support. We conclude with a brief outline of future work that would seek to evaluate and validate the proposed model.

Often, analysts have to face a challenging situation when formally verifying the implementation of a security protocol: they need to build a model of the protocol from only poorly or not documented code, and with little or no help from the developers to better understand it. Security protocols implementations frequently use services provided by libraries coded in the C programming language; automatic tools for codelevel reverse engineering offer good support to comprehend the behavior of code in object-oriented languages but are ineffective to deal with libraries in C. Here we propose a systematic, yet human-dependent approach, which combines the capabilities of state-of-the-art tools in order to help the analyst to retrieve, step by step, the security protocol specifications from a library in C. Those specifications can then be used to create the formal model needed to carry out the analysis.

To achieve its goals, ransomware needs to employ strong encryption, which in turn requires access to high-grade encryption keys. Over the evolution of ransomware, various techniques have been observed to accomplish the latter. Understanding the advantages and disadvantages of each method is essential to develop robust defense strategies. In this paper we explain the techniques used by ransomware to derive encryption keys and analyze the security of each approach. We argue that recovery of data might be possible if the ransomware cannot access high entropy randomness sources. As an evidence to support our theoretical results, we provide a decryptor program for a previously undefeated ransomware.