Advanced Persistent Threat (APT) attacks use various strategies and techniques to move laterally within an enterprise environment; however, the existing strategies and techniques have limitations such as requiring elevated permissions, creating new connections, performing new authentications, or requiring process injections. Based on these characteristics, many host- and network-based solutions have been proposed to prevent or detect such lateral movement attempts. In this talk, I will present a novel stealthy lateral movement strategy, ShadowMove, in which only established connections between systems in an enterprise network are misused for lateral movement. It has a set of unique features such as requiring no elevated privilege, no new connection, no extra authentication, and no process injection, which makes it stealthy against state-of-the-art detection mechanisms. ShadowMove is enabled by a novel socket duplication approach that allows a malicious process to silently abuse TCP connections established by benign processes. We design and implement ShadowMove for current Windows and Linux operating systems. To validate the feasibility of ShadowMove, we build several prototypes that successfully hijack three kinds of enterprise protocols, FTP, Microsoft SQL, and Windows Remote Management, to perform lateral movement actions such as copying malware to the next target machine and launching malware on the target machine. We also confirm that our prototypes cannot be detected by existing host- and network-based solutions, such as five top-notch anti-virus products (McAfee, Norton, Webroot, Bitdefender, and Windows Defender), four IDSes (Snort, OSSEC, Osquery, and Wazuh), and two Endpoint Detection and Response systems (CrowdStrike Falcon Prevent and Cisco AMP).
Biography:
Dr. Jinpeng Wei is an Associate Professor in the Department of Software and Information Systems at UNC Charlotte. His research focuses on theory, methods, and tools that enhance the security of widely used systems software in a broad spectrum of computer systems, from OS kernels, to file systems, to cloud platforms. He has worked on several important topics, including active cyber defense, malware analysis, cyber threat hunting, cloud computing security, and systems software vulnerabilities. He is the winner of three best paper awards and the AFRL Visiting Faculty Research Program award. He has published in premier venues such as ACSAC, Computers & Security, DSN, ESORICS, ICDCS, IPDPS, USENIX Security, and USENIX ATC. His research has been supported by multiple agencies including ARO, AFRL, DHS, DOD, NSA, NSF, ONR, and industry.
Sharing individually contributed data, such as sensor data and electronic health records (EHR), is a cornerstone of modern artificial intelligence. However, the data generated by individual users contain sensitive information, the disclosure of which may raise serious privacy concerns. In this talk, she will discuss challenges around privacy-preserving data sharing for research purposes. She will present three case studies to show that her work provides rigorous privacy guarantees while retaining the utility of the data.
Biography:
Dr. Liyue Fan is an Assistant Professor in Computer Science at UNC Charlotte. Her research is at the intersection of data privacy and machine learning. She was named one of the "Rising Stars in EECS" by MIT. Her current research activities are supported by NSF and UNC Charlotte.
Cyber threat hunting has emerged as a critical part of cyber security practice. However, there is a severe shortage of cybersecurity professionals with the advanced analysis skills needed for cyber threat hunting. Sponsored by NSA, UNC Charlotte and Forsyth Technical Community College (Forsyth Tech) have been developing freely available, hands-on teaching materials for cyber threat hunting suitable for use in two-year community college curricula and four-year university curricula, as well as for collegiate threat hunting competitions. Our hands-on labs focus on exercising a set of essential technical skills (called the threat hunting skill set) in an enterprise environment, and they are modeled after real-world scenarios. Our lab environment contains real threats (e.g., malware) against real software (e.g., operating systems and applications), and real security datasets. These labs are designed to help a student learn how to detect active and dormant malware, analyze its activities, and assess its impact. These labs also teach a student how to search and probe for anomalies in a variety of datasets using multiple analytical skills, such as statistical analysis. In this talk, I will present the design and implementation of our hands-on labs, including a video demo.
Biography:
Dr. Jinpeng Wei is an Associate Professor in the Department of Software and Information Systems at UNC Charlotte. His research focuses on theory, methods, and tools that enhance the security of widely used systems software in a broad spectrum of computer systems, from OS kernels, to file systems, to cloud platforms. He has worked on several important topics, including active cyber defense, malware analysis, cyber threat hunting, cloud computing security, and systems software vulnerabilities. He is the winner of three best paper awards and the AFRL Visiting Faculty Research Program Award. He has published in premier venues such as ACSAC, Computers & Security, DSN, ESORICS, USENIX Security, and USENIX ATC. His research has been supported by multiple agencies including ARO, AFRL, DHS, DOD, NSA, NSF, ONR, and industry.
Security and trust requirements are becoming crucial and critical in all classes of applications: manufacturing, automobiles, electronic voting machines, wearable devices, etc. The increased integration of, and reliance on, remote and embedded electronics as the basis for personal, commercial, and growing industrial systems in the Internet of Things (IoT) is driving the need for upgraded security and trust in these cyber-physical systems (CPS). Compromise of the boot process, or access to and control of a single sensor or microcontroller by a hacker, can lead to full control of the entire electronic network. This situation is expanding rapidly, posing serious security and privacy challenges to manufacturers as well as customers/operators, and requires immediate and tactfully strategic solutions to avoid conceivable property and human losses and to counter the advantage given to adversaries by the increasing complexity of software and hardware and by the additional flexibility that mobile devices provide for interacting with these systems. The talk will introduce hardware security primitives that improve resilience against invasive and non-invasive attacks, secure boot processes, and countermeasures against side-channel attacks that target the theft of secret information, e.g., encryption keys. A microprocessor, an FPGA, or an ASIC executes a software or hardware version of the encryption algorithm. We discuss the characteristics of the side-channel leakage that occurs on the power rails and from electromagnetic (EM) emanations, as well as a broad range of software and hardware countermeasures that have been developed.
Biography:
Dr. Fareena Saqib has several active NSF and industry grants in the areas of cybersecurity, hardware security, and trust relating to IoT. She has published multiple peer-reviewed journal articles and refereed conference papers at top venues, e.g., HOST, ICCAD, VNC, ETS, TVLSI, MDPI Cryptography, Trans. on Computers, etc. She has also served as a Guest Editor for the MDPI Cryptography journal. She is a member of the technical program committees of leading conferences and workshops. She is also the Program Chair of a workshop for women in hardware systems security (WISE). She served as a member of the Hardware Vulnerability Database working group of Trusted and Assured Micro Electronics (TAME), 2018-2019. She is a senior member of IEEE.
Cyber agility enables cyber systems to defend proactively against sophisticated attacks by dynamically changing the system configuration parameters (called mutable parameters) in order to deceive adversaries and keep them from reaching their goals, disrupt their attack plans by forcing them to change their adversarial behaviors, and/or deter them by prohibitively increasing the cost of attacks. However, developing cyber agility techniques, such as moving target defense techniques, that are provably safe is a highly complex task that requires significant time and expertise. Our goal is to address this challenge by providing a framework for automating the creation of configuration-based moving target techniques rapidly and safely.
Biography:
Md Mazharul Islam is a fourth-year Ph.D. student in the Department of Software and Information Systems.
His research interest is adaptive cyber-resilient systems with safe orchestration using deception and moving target defense. He is currently working on building a resilient email communication environment against spear-phishing attacks and social engineering, funded by DARPA, and on building a deceptive system against malware infection, funded by ONR. He is also working on building software-defined networking active defense against stealthy attacks such as DDoS.