Which of the following best describes the heuristic or behavior-based detection method?

Possible Conflicts of Antivirus Software

Beware that a common problem with virus applications is their incompatibility with each other. Installing multiple virus applications on the same computer can cause unexpected problems. Before installing any new virus program, uninstall any existing program first so that there is no conflict between the programs.

9.4.1 Action: Recovering from and Managing Incidents

Even in the best instrumented and most secure operational model, incidents have to be expected. In fact, the number of incidents queued up for handling may be extremely large. It is essential for the incident response system not only to prioritize the incidents in the queue, but also to eliminate false positives and other clutter from the queue. To do this, incidents should be automatically checked against a global repository of items that analysts have previously investigated and resolved, before the new incidents are put on the queue. The incident response system should continually learn from these previous incidents, updated threat information, changes to operational configurations and other data sources in order to simplify the analyst’s job as much as possible.

The incident response system should, as much as possible, prioritize the incidents in terms of known or potential impact on the business. The “Security Engineering Report on Smart Grids” by Hwang et al. (2012) explores this impact from two perspectives. The first is technical impact factors:

Loss of confidentiality. How much data may have been disclosed and how sensitive is it?

Loss of integrity: How much data could have been corrupted and how damaged is it?

Loss of availability: How much service may have been lost and how vital is it?

Loss of accountability: Is the incident traceable to one or more individuals?

The second is business impact factors:

Financial damage: how much financial damage may result from the incident?

Reputation damage: How much reputation damage that would harm the business may result from the incident?

Non-compliance: How much exposure to and risk of non-compliance does the incident introduce?

Privacy violation: How much personally identifiable information may have been disclosed?

A full understanding of the impact may not be reachable until after the investigation is complete, or even for some length of time after that. But the incident response system should provide what prioritization it can, while ensuring that information related to the periodization decision is available to the response team so that they can ensure that the most important incidents are addressed as quickly as possible.

Incident response system should provide a rich set of context about prospective problems. For instance, for an incident related to a suspicious file that may represent malware, the system should correlate suspicious behaviors about the file (e.g. a driver, a process, a DLL), capture what’s known about the file (e.g. file size, file attributes, MD5 file hash) through static and heuristic analysis, provide context on the file owner or user, and so on. Security analysts can then use this information to investigate if the file is malicious, and should be blacklisted, or non-malicious, and should be whitelisted. If an item is deemed malicious, all occurrences of the problem across the entire IT environment can be instantly identified. Then, once a remedy is determined, the security operations team can perform any necessary forensics investigations and/or clean all the affected endpoints.

Incident response systems should also ingest information from external sources to enrich the organization’s internal data sources for purposes of incident investigation and response. For example, the security analytics platform and management dashboard should aggregate and operationalize the best and most relevant intelligence and context from inside and outside the organization to accelerate the analysts’ decision making and workflows.

Remediation after malware infection is a complicated task. If the compromised machine is vital for the system availability, it is usually not always possible to use previously saved safe machine images. The incident response team should check all the machine environments to remove all potential access points that attackers could utilize. Cyber criminals tend to use different entrench techniques in a victims’ network. The term entrenchment is used to describe a technique used by the attackers that allows them to maintain unauthorized access into an enterprise network despite attempted remediation efforts by the victim. The victims’ machine can be compromised in a variety of ways; for example the attackers could install web shells, they can add malicious or modified DLL to running web servers, they can utilize RDP backdoors, hide malware that will commence malicious activity after a fixed period of time, etc…

It is always good practice before starting to clean infected machines, to monitor network traffic and search for similar traffic patterns or similar IP connections as well as checking for all the possible lateral movements analyzing forensically the victim’s machine. The aim is to perform this in a stealth way so the attacker is unaware they are under surveillance thereby avoiding the possibility that the attacker will lunch countermeasures to cover their evidence or start to deploy other entrenchment techniques to remain in the network. Forensics analysts should search not only for malicious software but also for legitimate software that could be installed on the machine for malicious purposes as well for misconfigurations created by the attackers.

An effective incident response team should be composed of malware experts, IT forensics analysts and network experts thereby giving the organization a wide competency and skills blend to enable successful detection, protection and investigation. Operations teams may be confronted with potential evidence of an infiltration or breach, but find themselves exploring potential causes without success for weeks or even months. When that happens, it helps to bring in people with specialized expertise and tools in incident response (IR). IR specialists can deploy technologies that capture activity on networks and endpoints in key segments of the IT environment. Based on the scans, analyses and supplemental information these technologies generate, experienced IR professionals can usually pinpoint where and how security breaches are occurring and shut down ongoing cyber attacks much faster than organizations can do on their own.

9.4.2 Action: Remediating Vulnerabilities and Anomalies

Responding to the incident itself is essential. But equally important is determining whether there were vulnerabilities that contributed to the incident’s occurrence or impact. These vulnerabilities may have been technological, such as software vulnerabilities that provided access for an attacker or that caused unexpected behavior in operation of a component. They may have been process issues that prevented an issue from being recognized until it had reached a critical level or that resulted in the initiation of a failure condition. Or they may be organizational, educational or other issues related to the structure and people of the organization, such as in individual vulnerability to social engineering attacks that resulted in malware infections.

The incident management system should support the determination of such vulnerabilities and assist in the remediation of those vulnerabilities, such as through the remediation planning shown in the Figure 9.6.

On a more comprehensive level, an incident may indicate a more fundamental issue in the operational model, such as in terms of missing or improperly instrumented controls. For example, the 2009 paper by the US Department of Energy calls out the vulnerabilities inherent in the older control systems that are currently deployed throughout the United States and that may have to be replaced: “The electric power industry relies heavily on control systems to manage and control the generation, transmission, and distribution of electric power. Many of the control systems in service today were designed for operability and reliability during a time when security was a low priority. Smart Grid implementation is going to require the installation of numerous advanced control system technologies along with greatly enhanced communication networks.” (p. 4) This book has disused many of these advanced technologies that may need to be considered as part not only in the initial development of the operational model but also in addressing incidents that occur.

9.4.3 Action: Mitigating Risk

The Smart Grid operational model includes the effective risk management discipline discussed earlier, employing a broad range of factors to make probabilistic decisions about risk and take prioritized actions, including alerts to response teams, to recover from incidents and remediate vulnerabilities. But an incident may also indicate the opportunity to take actions to mitigate the risk associated with that incident.

For example, a well-prepared security teams will know what the organization’s valuable information assets are and which systems, applications and users have access to them. Awareness of these parameters help security analysts narrow their field of investigation during a breach so they can address problems faster and with greater confidence. But a given incident may indicate that the security operations teams should conduct a breach readiness assessment or institute

Practice drills to improve the speed and efficacy of their reactions to cyber attacks. They may need to revise their inventory of high-value assets that must be protected based on their new knowledge of what is attractive to an attacker. They may need to review their security policies again business priorities and regulatory requirements.

The Figure 9.7, expanding on a similar diagram in the Popovik paper (2013), provides an example of a process for mitigating risk in response to incidents such as detected intrusions.

Such a process can take advantage of operational incidents, regardless of whether they result from a security incident, equipment failure, natural disaster or any other cause, to enable organizations to take new actions to progressively improve their processes, optimize staffing and skills, modify their technology platforms, change their supplier relationships or take any other of the multiple of actions that could help them better address the risk of such an incident.

These improvements can be assisted by the technology advancements in big data and security analytics systems that deliver “imagine if” capabilities. The bounds of what’s imaginable are now being explored by operations professionals and business leaders together. For organizations concerned about an effective operational model, these “imagine if” scenarios often focus on injecting better intelligence and context into both operational and security practices. For example, if we apply new analytic approaches to historical data, what could we learn? What do the cyber attacks we’ve encountered tell us about our business and operational risks? If we add new log sources or external intelligence feeds to our data warehouse, what patterns could we look for that we couldn’t even imagine seeing before? What types of intelligence might help us hunt down threats or respond to operational incidents more quickly, including through automated capabilities that do not require human intervention?

An effective operational model for Smart Grid should ensure that this connection between incident response and the risk management process is established and effective.

Uniqueness of the Medical Domain

An important aspect that makes conducting human factors work in the medical device industry different from non-healthcare industries is the huge emphasis regulatory bodies place on minimizing user errors and use-related hazards caused by inadequate medical device usability. International standards on human factors engineering specify processes that medical device manufacturers should follow to demonstrate that a rigorous usability engineering process has been adopted and risks to user or patient safety have been mitigated. This means analytic techniques (e.g., task analysis, interviews, focus groups, heuristic analysis) as well as formative evaluations (e.g., cognitive walkthrough, usability testing) and validation testing with a production-equivalent system with at least 15 participants from each representative user group is required to optimize medical device design. Compliance to standards also requires maintenance of records showing that the usability engineering work has been conducted. Though a variety of user feedback techniques were employed in this project as well, this case study will focus on the use of a lightweight cognitive walkthrough with subject matter experts, which was employed to gather early feedback from users on design ideas before creating fully functional prototypes for rigorous usability testing. Cognitive walkthroughs are a great technique to discover users’ reactions to concepts that are being proposed earlier on in the product development life cycle, to determine whether we are going in the right direction.

Preparing for the Cognitive Walkthroughs

The cognitive walkthrough materials included the following:

An introduction of the Attain Performa quadripolar lead and the objective of the interview session.

Snapshots of user interface designs being considered, in a Microsoft PowerPoint format. Having a pictorial representation of the concepts makes it easier to communicate our thoughts with end users and, in turn, gauge users’ reactions.

Clinical scenarios that would help to evaluate the usefulness of the proposed feature. Specifically, participants were presented with two scenarios: implant, where a patient is being implanted with a CRT device, and follow-up, where a patient has come to the clinic complaining of phrenic nerve stimulation (i.e., hiccups). Data collection form is as follows: For each scenario, a table was created with “questions to be asked during the scenario” (e.g., “When will you use the test?” “How long would you wait for the automated test to run during an implant?” “Under what circumstances would you want to specify a subset of vectors on which you want to run the test?” “How would you use the information in the table to program a vector?”) and “user comments” as headers. Each question had its own tabular entry in the table.

Conducting the Cognitive Walkthroughs

Cognitive walkthroughs were conducted at Medtronic’s Mounds View, Minnesota, campus with physicians. A total of three cognitive walkthroughs (CWs) were conducted. Unlike studies that are conducted in a clinic or hospital where physicians take time out of their busy day to talk to us and where there is a higher potential of interruptions, studies conducted at Medtronic follow a schedule, with physicians dedicating their time to these sessions. Though three CWs at first glance seem like a small sample size, it is important to point out that we followed up with multiple rounds of usability testing with high-fidelity, interactive prototypes later on.

Each CW session included a human factors scientist and a research scientist. The purpose of including the research scientist was to have a domain expert who was able to describe the specifics of the VectorExpressTM algorithm. It is also good practice to include your project team in the research because this helps them understand user needs and motivations firsthand. Both the interviewers had printed copies of the introductory materials and the data collection forms. The PowerPoint slides illustrating the user interface designs were projected onto a big screen in the conference room.

The session began with the human factors scientist giving physicians an overview of the feature that Medtronic was considering and also describing the objective of the session. This was followed by the research scientist giving an overview of how the VectorExpressTM algorithm works—in other words, a description of how the algorithm is able to take the electrical measurements of all the LV pacing configurations. Then, using the context of an implant and follow-up scenario, the human factors scientist presented the design concepts and asked participants questions about how they envisioned the feature to be used. This was a “lightweight” CW, meaning that we did not ask participants each of the four standard questions as recommended by Polson et al. (1992). Time with the participants was extremely limited, and therefore, in order to get as much feedback about the design concepts as possible, we focused on interviewing participants deeply about each screen they saw. Both the interviewers recorded notes in their data collection forms.

Analyzing Information from Cognitive Walkthroughs

The human factors scientist typed up the notes from the CWs by typing in the responses to the questions in the data collection form. The “key takeaways” section was then generated for each CW session that was conducted. The document was then sent to the research scientist for review and edits. The report from each CW session was submitted to the cross-functional team (i.e., Systems Engineering, Software Engineering, and Marketing). Note that these one-on-one CW sessions were also preceded by a focus group with electrophysiologists to gather additional data from a larger group. After all of these sessions, we came together as a cross-functional team and identified key takeaways and implications for user interface design based on the learnings from the CWs and focus groups.

Next Steps

The feedback obtained from the CWs helped us to conclude that overall, we were going in the right direction, and we were able to learn how users would use the proposed feature during CRT device implants and follow-ups. The CWs also provided insights on the design of specific user interface elements.

In preparation for formative testing, we developed high-fidelity software prototypes and generated a test plan with a priori definition of usability goals and success criteria for each representative scenario. We worked with Medtronic field employees to recruit representative users for formative testing.

We also conducted a user error analysis on the proposed user interface, to evaluate potential user errors and any associated hazards.

A formative test plan was generated with a priori definition of usability goals and success criteria for each representative scenario.

We worked with Medtronic field employees to recruit representative users for formative testing.

Things to Remember

When conducting any research study, including CWs, flexibility is important. Research sessions with key opinion leaders rarely follow a set agenda. Sessions with highly-skilled users, such as electrophysiologists, involve a lot of discussion, with the physicians asking a lot of in-depth technical questions. Be prepared for that by projecting ahead of time the technical questions they might ask. I have in the past created a cheat sheet with a list of potential questions and answers to these. These cheat sheets should be developed with input from a technical expert.

Involve cross-functional partners such as the project systems engineer or the research scientist (who are domain experts) in the user research process. They have a much more in-depth understanding of the system that becomes complementary to the role of a human factors engineer.

Most research studies run into the issue of taking what users say at face value. It is important to question in depth the motivation behind a perceived user need before jumping to conclusions. In addition, it is important to triangulate the data with conclusions derived from other techniques, such as behavioral observations and formative testing.

2.3.1 DroidRanger

The DroidRanger tool [33] detects the characteristic behaviors present in malware from several malicious families. It relies on a crawler to collect Android applications from existing Android markets and stores them in a local repository. For each application collected, DroidRanger extracts the fundamental properties associated with each application (requested permissions, author information, etc.) and organizes them into a central database.

DroidRanger performs two distinct detection processes. The first, for known malware, is based on a permission-based behavioral footprint. The second, for previously unknown malware, is based on a heuristic analysis of the app’s behavior, as reconstructed from the bytecode and the manifest file. Suspicious applications are then executed and monitored to verify if they actually display malicious behavior at runtime. If this is the case, the associated behavioral fingerprint will be extracted and included in the first detection process’ database.

This study was tested on the most popular applications of the year 2011, and yielded positive results. However, DroidRanger only covers free applications and only five Android markets, with a false negative rate of 4.2%.

2.3.2 DREBIN

Arp et al. created DREBIN [4], a tool that performs malware detection on the results of a static analysis of the applications. DREBIN’s feature set appears to be one of the most thorough of all the works we have surveyed. In all, they create 8 feature sets for each app, using data from the Android manifest file (including permissions, components and requested hardware), and from the decompiled .dex file (including selected API calls and network addresses). The entire feature set is constructed in linear time, without necessitating complex static analysis such as data flow analysis.

Detection is then performed using SVMs. In order to maintain a lightweight footprint on the end-users’ device, training is not performed on the smartphone itself. Instead, the classifier is trained offline, and the only resulting model is passed to the user. In order to provide explanations for its results, DREBIN’s classifier is trained not only to detect, but also to identify the features that lead to the application being flagged as malware. From these, DREBIN constructs a parametrized sentence that explain the reason of the verdict to the user.

DREBIN was tested using 131611 benign apps coming from the GooglePlay Store, as well as two other markets (one Chinese and one Russian), and 5560 malware samples from the Android Malware Genome Project [34]. It obtained a detection rate of 93%, with only 1% of false-positives, outperforming several anti-virus software on the same dataset.