Proceedings of the5th InterdisciplinaryCyber Researchconference 201929th of June 2019Tallinn University of Technology

Proceedings of the5th InterdisciplinaryCyber Researchconference 201929th of June 2019Tallinn University of TechnologyJune 2019

5th Interdisciplinary Cyber Research conference 29th of June 2019The 5th Interdisciplinary Cyber Research conference is organised by TalTech Centre forDigital Forensics and Cyber Security.Editors:Dr Anna-Maria Osula, Prof Olaf MaennelPublished by:Tallinn University of Technology, Department of Software ScienceDesign and layout: Anu TederProgramme Committee: Dr Asma Adnane, Loughborough UniversityProf Hayretdin Bahsi, Tallinn University of TechnologyMr Bernhards Blumbergs, CERT LVProf Ahto Buldas, Tallinn University of TechnologyProf Tobias Eggendorfer, Ravensburg-Weingarten University of Applied SciencesDr Denis Firsov, GuardtimeDr Kenneth Geers, Atlantic CouncilDr Lachlan Gunn, Aalto UniversityMs Kadri Kaska, NATO CCD COEDr Agnes Kasper, Tallinn University of TechnologyProf Olaf Maennel, Tallinn University of TechnologyMs Merle Maigre, CybExer TechnologiesMr Stephen Mason, UK barristerProf Raimundas Matulevicius, University of TartuMr Tomáš Minárik, NATO CCD COEMr Pavel Laptev, Tallinn University of Technology/TeliaDr Andra Lutu, Telefonica ResearchDr Hung Nguyen, University of AdelaideDr Anna-Maria Osula, Tallinn University of Technology/GuardtimeMr Arnis Paršovs, University of TartuDr Despoina Perouli, Marquette UniversityDr Iain Phillips, Loughborough UniversityMs Jenny Radcliffe, University of LiverpoolMr Henry Rõigas, GuardtimeDr Thomas C. Schmidt, Hamburg University of Applied SciencesDr Matthew Simon, Magnet ForensicsProf Matthew Sorell, University of AdelaideDr Andreas Ventsel, University of TartuMr Teemu Väesänen, Finnish Transport Safety AgencyElectronically available at: mer:This publication contains the opinions of the respective authors only and does not reflectthe policy or the opinion of any other entity. The publisher may not be held responsible forany loss or harm from the use of information contained in this book and is not responsible for any content of the external sources, including external websites referenced in thispublication.ISBN: 978-9949-584-15-4 (pdf)

5th Interdisciplinary Cyber Research conference 29th of June 2019ContentsINTRODUCTORY REMARKS . 5Session 1: Cyber Exercises . .6Modeling Attack and Defense Scenarios for Cyber SecurityExercisesMuhammad Mudassar Yamin, Basel Katt.7CYBER-PHYSICAL BATTLEFIELD FOR CYBER EXERCISESMaj. Gabor Visky .10Cyber Game to Cyber Exercise: A New Methodologyfor Cybersecurity SimulationsKieren Niĉolas Lovell.13TEAM LEARNING IN CYBERSECURITY EXERCISESKaie Maennel, Joonsoo Kim, Stefan Sütterlin .17Session 2: Digital Forensics 1 . .20Exploiting Dark Current for Forensic Image IdentificationRichard Matthews, Nickolas Falkner, Matthew Sorell.21Framework for Industrial Control Systems Digital Forensicsin the Energy SectorAndrew Roberts .24A Proactive Approach to Improving the Way We Use MachineLearning to Detect Social Bots on TwitterSamuel Henderson, Brian Du, David Hubczenko, Tamas Abraham,Matthew Sorell.27Multi-Modal Biometric System Security and PrivacyAkim Essen, Matthew Sorell, Olaf Manuel Maennel .30Session 3: Tech 1 . .33EXERCISE NEPTUNE: MARITIME CYBERSECURITY TRAINING USINGTHE NAVIGATIONAL SIMULATORSKieren Niĉolas Lovell, Dan Heering .34SIEMS in Crisis Management: Detection, Escalation andPresentation – A Work in ProgressØstby, Grethe; Yamin, Muhammad Mudassar; Al Sabbagh, Bilal.38RELIABILITY AND TRUST IN GLOBAL NAVIGATION SATELLITE SYSTEMSLiam Shelby-James, Stefan Norman, Richard Matthews, Matthew Sorell.413

5th Interdisciplinary Cyber Research conference 29th of June 2019Session 4: Legal Responses to Cyber Threats . 45ROLE OF LAWYERS IN CYBER EXERCISES: QUALITATIVE STUDYJakub Harašta.46LEGAL CONSTRAINTS ON CYBER WEAPONSIvana Kudláčková . .48Decryption Passwords and Biometric Authentication vs.Law EnforcementMarija Makariūnaitė.50Session 5: Tech 2 .52ANALYIS OF THE IMPACT OF POISONED DATA WITHIN TWITTERCLASSIFICATION MODELSKristopher Price, Sven Nõmm, Jaan Priisalu . .53RISC-V ISA Custom Extensions for Use in CryptographyMatthew Theiley, Vu (Kelly) Hoang, Dr Matthew Sorell, Dr Yuval Yarom.58Utilising a Vehicle Testbed Environment to DevelopDeceptive CAN Bus AttacksStefan Smiljanic, Charlie Tran, Aaron Frishling, Bradley Cooney, Daniel Coscia,Matthew Sorell.63De-Hyping Blockchain-Based Cross-Border Payment Solutions:A Quantitative Comparative Study of Decentralized Blockchain Infrastructures vs. SWIFT GPI1Ahmad Amine Loutfi .66Session 6: Digital Forensics 2 . 68An Overview of Information Security Concepts andTheir Relevance to Digital Forensic Evidence ProceduresBen Agnew, Matthew Sorell, Cate Jerram .69Forensic Applications of 3D ScanningJimmy Tang, Glenn Walsh, Matthew Sorell, Richard Matthews .73Identifying Patterns and Activities from iPhone and AppleWatch Step-Count Data for Use in a Digital InvestigationLuke Jennings, Matthew Sorell .78AUTOMATED PHOTO CATEGORIZATION FOR DIGITAL FORENSIC ANALYSISUSING A MACHINE LEARNING-BASED CLASSIFIERJoanna Rose Castillon del Mar . .82Bios. 864

5th Interdisciplinary Cyber Research conference 29th of June 2019INTRODUCTORY REMARKSIt is our great pleasure to welcome you in Tallinn, Estonia for the 5th InterdisciplinaryCyber Research (ICR) conference, held at the Tallinn University of Technology on the29th of June, 2019, and organised by Tallinn University of Technology Centre for DigitalForensics and Cyber Security.This year we celebrate a mini-jubilee of our conference as the event is taking place alreadyfor the 5th time. Within these 5 years, ICR has brought together more than 600 participantsthroughout the world, we have had the chance to listen to more than 125 presentationsfrom world class researchers as well as young scholars, and published more than hundredabstracts in our annual ICR Proceedings. Furthermore, the interdisciplinary approach ofICR has really paid off as we have hosted successful panels on legal, policy, election, cyberexercises, digital forensics, Internet of Things, etc topics – underlining that cyber securityis not only a technical area but involves numerous relevant research domains.Foremost, ICR has proven itself as a connector of people: we are proud that our eventsbring together active researchers across different research areas, thereby allowing forthe creation of new synergies and interesting research projects. For example, one of theconcrete results of ICR is a joint academic article “Time of Signing in the Estonian DigitalSignature Scheme”, written by Tõnu Mets and Arnis Parsovs from the University of Tartu,combining both legal and technical arguments. The authors have admitted that ICR wasthe key factor for successfully finding a co-author.We would also underline the long and fruitful cooperation with the Cyber Security Summer School, University of Adelaide as well as the University of Applied Sciences Ravensburg-Weingarten. In particular, University of Adelaide has throughout the years broughtnumerous excellent authors to our agenda from the other side of the world.This year’s programme boasts 26 presentations from all over the world. We hope that thepresentations will not only be informative about “cyber”-research carried out by otherdisciplines than your own, but also inspiring regarding your current and future research.We continue to underline the interdisciplinary nature of “cyber” by combining differentresearch fields into common sessions.Most of the speakers have been hand-picked by our international Programme Committee,and the results of the Call for Abstracts are presented in this publication. This year wereceived a record number of abstracts, and the Programme Committee had to makes somehard choices. The selected abstracts explain the relevance of the research, outline principle research questions and expected or achieved results.ICR is very thankful to our sponsors we have the pleasure to work with: NATO Cooperative Cyber Defence Centre of Excellence, Microsoft, Guardtime, Startup Estonia, andSaku Brewery.Last but not the least, we would like to thank everyone involved in organising this event:the members of the Programme Committee for their efforts in reviewing the abstracts,moderators for guiding the discussions in the sessions, speakers for sharing their greatideas, conference participants for being so engaged in the debates, as well as the staff ofthe Tallinn University of Technology for providing excellent support.Dr Anna-Maria Osula, TalTech/GuardtimeProf Olaf Maennel, Tallinn University of TechnologyChairs of ICR2019Tallinn, June 20195

5th Interdisciplinary Cyber Research conference 29th of June 2019Session 1: Cyber ExercisesSession moderated by Prof Olaf Maennel,Tallinn University of TechnologyMr Muhammad Mudassar Yamin,“Modeling Attack and Defense Scenariosfor Cyber Security Exercises”,Norwegian University of Science and TechnologyMr Gabor Visky,“Cyber-Physical Battlefield for Cyber Exercises”,NATO CCD COEMr Kieren Niĉolas Lovell,“Cyber Game to Cyber Exercise: A New Methodologyfor Cybersecurity Simulations”,Tallinn University of TechnologyMs Kaie Maennel,“Team Learning in Cybersecurity Exercises”,Tallinn University of Technology6

5th Interdisciplinary Cyber Research conference 29th of June 2019Modeling Attack andDefense Scenariosfor Cyber Security ExercisesMuhammad Mudassar Yamin and Basel Katt(Muhammad.m.yamin,Basel.katt)@ntnu.noNorwegian University of Science and Technology1.IntroductionTechnology is evolving at a rapid rate which makes individual, ranging from security specialists to average citizens, technological skill sets obsolete in a short time. The situation of cyber-security in a technologically evolving world is not ideal. Global IT infrastructure and individual’s privacy are under threat all the time. One way to tackle this problem is by providingconstant training and self-learning platforms. Cyber-security exercise provides a platform forthe training of individuals in cyber-security skills. But due to lack of cyber-security skills, adversarial opponents are not readily available for training exercises. The research project willfocus on developing novel techniques for emulating adversarial opponents in a cyber-securityexercise using a model driven methodology. The researcher plans to segregate attack anddefense scenarios and create a modeling language to scientifically model such. The developedattack and defense models will be used to generate artifacts that will be executed in humanv/s machine and human assisted with machine v/s human cyber-security exercises to extractempirical data for evaluation of individuals against performance matrices.2. Research BackgroundThere are two types of cyber-security exercises tabletop based and operation based cyber-security exercises[1]. Tabletop based exercises focus on decision making at a managerial level whileoperation-based exercises focus on practical cyber-security skill development. We are currentlyfocusing on operation based cyber-security exercises due to their practical skill developmentnature. In term of operation based cyber-security exercise these teams include in general[2]:1.2.3.White team: A team that creates or generates a cyber-security exercise environment.Red team: A team that attacks the cyber-security exercise environment.Blue team: A team that defends the cyber-security exercise environment.These teams are primarily involved in three main types of cyber-security exercises.1.2.3.Cyber-attack exercise: Theses exercises are conducted to train, assess and evaluatethe performance of red teams. An environment is created by a white team, in whichred teams need to achieve specific objectives to compromise the exercise environment in a particular interval of time.Cyber-defense exercise: Theses exercises are conducted to train, assess and evaluate the performance of blue teams. An exercise environment is created by a whiteteam, in which blue teams needs to investigate and prevent a cyber-attack on theexercise environment by red teams under a particular interval of timeCyber-attack/defense exercise: These exercises are conducted to assess and evaluate the performance of red and blue teams at the same time. A white team createsan exercise environment on which active engagement between a red and blue teamoccurs to attack and defend a exercise environment simultaneously.3. Research QuestionWe are arguing that if the role of white, red and blue team can be modeled then cybersecurity exercise can be executed in an efficient and adaptable manner[3]. Therefore we are7

5th Interdisciplinary Cyber Research conference 29th of June 2019proposing three RQ(research question) were formulated for modeling attack and defensescenarios in cyber-security exercises which are given below:1.2.How can an efficient and adaptable active offensive opposition process execution bemodeled against a given cyber-security exercise defense scenario?How can an efficient and adaptable active defensive opposition process execution bemodeled against a given cyber-security exercise attack scenario?The findings of RQ(1) and RQ(2) will be used as a basis for the modeling of the exerciseenvironment in which proposed RQ(1) and RQ(2) will be executed. Hence3.How can an efficient and adaptable cyber-security exercise environment be modeled with respect to attack and defense scenarios?4. Research MethodologyBased upon our research findings[4] we identified that automation can assist in reducing timerequirements for cyber-security exercises. For this we identified that gamification can assist[5],gamification of cyber-security exercises is a recent trend in which participants are divided intoteams for achieving a specific objective, like flags. The strategies that the participants applyto solve the problem, e.g. capture the flag in cyber-security exercise scenario is very difficult tomodel due to real time decision making of exercise participants, which makes the decision treeinvolved very complex. To tackle this problem, we are proposing the development of a real timecyber-security strategy game in which players will have the ability to play as an attacker oras a defender in a real time multiplayer environment. Resources are assigned to attacker anddefenders based upon the scenario requirement and their actions are recorded and observedby and observer. A detailed scenario creator will be developed in which the scenario is modeledby experts. This will result in a dynamic generation of attack and defense trees, which will begenerated during the real time cyber-security strategy game exercise execution. The attack anddefense tree model will then be used to execute attacker and defender actions in a real cybersecurity exercise environment as an active adversary against human opponents.5. A Sample ScenarioWe developed a POC of multiplayer attack and defense game in which a scenario creatorcreates a scenario. The scenario has an internet facing website for defenders to defend.The website uses multiple APIs to fetch data and present it, the defender responsibility isto ensure the availability of website in case of cyber-attacks. In order to ensure the security of the website the defenders implement a WAF on the website as a security measure.The attacker tries to exploit the website and identifies that one of the API that the websiteis used to fetch data from is vulnerable to DoS attack, so they attack the vulnerable APIto compromise the availability of the website. Created scenarios and their expected attackdefense strategies are to be saved and used for future training exercises. The scenario developed using our proposed cyber-security strategy game can be seen in the figure below:Figure 1. Sample scenario created by scenario creator8

5th Interdisciplinary Cyber Research conference 29th of June 2019EvaluationWe evaluated the developed game during NCSC (Norwegian Cyber Security Challenge)2019[6]. The test subjects consisted of 25 participates who qualified the initial CTF NCSC.We collected important research data through surveys. Multiple questions were askedafter the participants played the game results of which are given below:1.Do you think playing/practicing cyber-security exercise scenarios in a simulated/modeled game is an efficient way for conducting cyber-security exercises?2.Do you think current game can be useful for cyber-security education?We collected additional data as well but due to word count limitations details are omitted.ConclusionThe developed game is a first step in developing autonomous attack and defense agents.Data generated from the game will be useful in developing complex decision trees that anautonomous agent need for executing red or blue team roles.Keywords: Cyber Security, Exercises, ScenariosReferences[1]R. Gurnani, K. Pandey, S. K. Rai, A scalable model for implementing cyber securityexercises, in: Computing for Sustainable Global Development (INDIACom), 2014International Conference on, IEEE, 2014, pp. 680–684.[2] J. Vykopal, M. Vizv ary, R. Oslejsek, P. Celeda, D. Tovarnak, Lessons learned fromcomplex hands-on defence exercises in a cyber range, in: Frontiers in EducationConference (FIE), IEEE, 2017, pp. 1–8.[3] Yamin, M. M., & Katt, B. Inefficiencies in Cyber-Security Exercises Life-Cycle:A Position Paper. AAI Fall Symposium 2018[4] Yamin, M. M., Katt, B., Torseth, E., Gkioulos, V., & Kowalski, S. J. (2018,September). Make it and Break it: An IoT Smart Home Testbed Case Study.In Proceedings of the 2nd International Symposium on Computer Science andIntelligent Control (p. 26). ACM.[5] Hendrix, M., Al-Sherbaz, A., & Victoria, B. (2016). Game based cyber securitytraining: are serious games suitable for cyber security training?. InternationalJournal of Serious Games, 3(1), 53–61.[6] Norwegian Cyber Security Challenge – NCSC. (n.d.). Retrieved from

5th Interdisciplinary Cyber Research conference 29th of June 2019CYBER-PHYSICAL BATTLEFIELD FORCYBER EXERCISESMaj. Gabor VISKYNATO Cooperative Cyber Defence Centre of [email protected] cyber-physical system (CPS) is an implement intertwining physical processes, hardware, software and communication networks[1]. Examples include energy production anddistribution facilities, water treatment plants, and traffic and transportation control systems. The number of security incidents affecting CPS has increased over the past years[2]as has their impact on society[3]. Operation Technology (OT) and Information Technology(IT) can now be monitored, controlled and configured remotely via a private or public network like the internet.From an engineering and availability perspective, the controlling systems are usually welldesigned and tested; however, cyber-security considerations seem to be missing in themajority of cases. Prevention measures[4] and well designed and configured[5] systems canreduce the risk of cyber attacks, but the education and practice of the responsible personnel are also important since in the event of service dropout they have to handle the situation. This is challenging in the case of critical infrastructure elements such as nuclearpower plants, since loss of control could be dangerous. This issue can be solved by using aspecial, isolated, safe and secure environment, a so-called cyber battlefield or cyber range,where methods can be tested and personnel can be trained and drilled under controlledconditions.A cyber exercise offers a good opportunity for testing the CPS and its applied measures,checking the configurations and analysing the implemented mechanisms for cyber personnel practising defending activities, without jeopardising the real critical infrastructure.Because of this, the cyber exercise is usually conducted on a cyber battlefield which contains critical infrastructure control elements such as Programmable Logic Control (PLC),physical or virtualised hardware elements and simulated environment.The main objective of this article is to describe the design considerations and the construction of a cyber-physical battlefield, containing several processes controlling CPSs and anenvironment (process) simulator, that can be used as a scenario-independent critical infrastructure element during operations-based cyber exercises for fully isolated participantteams. The platform, since it contains an environment simulator subsystem, can supportcomplex scenarios, scoring and real-time status checking as well. This unique platformcan be used by exercise participants to focus on the specialities of critical infrastructurewhich can be crucial for preparation and training.Cyber-physical battlefieldFor educational, training and system testing purposes during cyber exercises, cyber battlefields are used as a playground by cyber security staff to practise real-world incidentmanagement scenarios. Depending on the scale of the exercise, the complexity of the battlefield can become extremely high, so it must be carefully designed and run to meet therequirements[6]. A cyber-physical battlefield should provide a safe and secure infrastructure developed and managed by the Green team for participants who are at least partlyisolated from the real cyber world. It should contain a monitoring, controlling and scoringsystem which is independent of the attacker (Red) and defender (Blue) teams, so its statuscannot be influenced by the participants. In practice, cyber exercises are often visited bypoliticians, decision-makers and the media[7], so the system should contain a demonstra10

5th Interdisciplinary Cyber Research conference 29th of June 2019tion element displaying very limited and easily understandable information, such as thevalue of the parameter regulated by the controller of the defender team.The construction of a universal CPS simulator platform has become a critical goal for theTechnology Branch of NATO CCD COE, since this kind of compilation of various devicesand technological solutions can be used for different purposes – courses, exercises, research and demonstration – with different scenarios. The main objective of the project wasconstructing a scenario-independent mobile tool, reusable in different cases with differentPLC software but without hardware modification. It needed to have a relatively largenumber of independent channels and environment simulation parts, with some visualelements such as displays that show the current status of the controlled process and afirecracker that explodes when the simulated critical infrastructure is irreversibly damaged. These requirements were based on the experiences from previous exercises such asthe number of the realised independent channels. The universal platform was scaled to beable to provide service for 28 participant teams. To meet this requirement, the platformcontains 28 similar CPS instances and one environment simulator device.Figure 1. Architecture of CPS PlatformThe architecture of the CPS Platform is shown in Figure 1. The green parts represent theenvironment (process) simulation. This part simulates the environment and sends dataregularly to the scoring server according to the status of the environment which is controlled by the CPS. The blue part shows one instance of the process controller CPS which theBlue teams are responsible for; this is repeated for each Blue team.Each simulated CPS can influence the simulated environment through two digital signals.The environment simulator can send back one analogue and two digital signals as theresponse of the environment. This setup enables the build-up of a simple and clear closedcontrol loop, which is very commonly used for process control.Both the environment and the process controller CPSs can be connected to other systemswith different communication protocols, which gives an easy integration capability. OneCPS instance can be connected to two different Human Machine Interface (HMI) devices.One of them is controlled by the Blue team, the other is installed for demonstration andsupport purposes and controlled by the Green team.ConclusionThe cyber-physical battlefield was first introduced during Locked Shields 2019, when theplatform was successfully integrated into the infrastructure of the exercise and provided agood practising environment for the Blue and Red teams. In this case the simulated critical infrastructure was a power plant, and the process controller regulated power production according to the power consumption that was sent via S7 protocol.The key result of the research is the constructed battlefield that will be used in futureexercises and training, since it can be reprogrammed according to the use case and can11

5th Interdisciplinary Cyber Research conference 29th of June 2019be moved to external premises. Although the project was closed successfully, we faced difficulties with the mechanical construction since the platform has to be rugged enough tomove while being compact and light.Since the process controller CPS contains exactly the same program except when an external connection is established (in which case the IP address of the PLC differs), possiblefurther research should be the realisation of fast PLC content multiplication with thesame content but different addresses.Keywords: Cyber-Physical System, Cyber-Exercise, Critical InfrastructureReferences[1]E. A. Lee, ‘Cyber Physical Systems: Design Challenges,’ in 11th {IEEE} International Symposium on Object-Oriented Real-Time Distributed Computing {(ISORC}2008), 5–7 May 2008, Orlando, Florida, {USA}, 2008.[2] G. Loukas, Cyber-physical attacks: A growing invisible threat, Butterworth-Heinemann, 2015.[3] M. J. A. T. C. Robert M. Lee, ‘Analysis of the Cyber Attack on the Ukrainian PowerGrid,’ Electricity Information Analyzing and Sharing Center, Washington,March 18, 2016.[4] E. E. O. S. O. O. Oludele Awodele, ‘Vulnerabilities in Network Infrastructures andPrevention/Containment Measures,’ Department of Computer Science, BabcockUniversity, Ilishan-Remo, Ogun State; Nigeria, 2012.[5] French Network and Security Agency, ‘Managing Cybersecurity for IndustrialControl Systems,’ 03 06 2012. [Online]. Available: Cybe for ICS EN.pdf. [Hozzáférés dátuma: 06 04 2019].[6] K. Kukk, ‘Mapping The Best Practices For Designing Multi-Level Cyber SecurityExercises in Estonia – Master’s thesis,’ Tallinn University of Technology, Tallinn,2017.[7] ‘President Kaljulaid at the visit of the largest cyber defence exercise LockedShields: politicians should make full use of its opportunities,’ 26 04 2018. [Online].Available: .html. [Download: 08 04 2019].[8] R. G. P. T. V. S. a. A. Z. A. Ogee, ‘‘The 2015 Report on National and InternationalCyber Security Exercises’,’ ENISA, [Online], 2015.[9] Cyber Storm V: National Cyber Exercise, Cybersecurity and Infrastructure Security Agency (CISA), Online, 2016.12

5th Interdisciplinary Cyber Research conference 29th of June 2019Cyber Game to Cyber Exercise:A New Methodologyfor Cybersecurity SimulationsKieren Niĉolas LovellTalTech University of e increasing role that technology plays within

5th inTerdisciplinary cyber research conference 29th of June 2019 The 5th Interdisciplinary Cyber Research conference is organised by TalTech Centre for Digital Forensics and Cyber Security. Editors: Dr Anna-Maria Osula, Prof Olaf Maennel Published by: Tallinn University of Technology, Department of Software Science