Bachelor theses
Detection of Active Directory attacks
Author
Lukáš Kotlaba
Year
2019
Type
Bachelor thesis
Supervisor
Ing. Simona Buchovecká
Reviewers
Ing. Miroslav Prágl, MBA
Department
Summary
Organizations that use Active Directory for managing identities have to protect their data from adversaries and security threats. This thesis analyses known attacks targeting Active Directory and the possibilities of detection based on Windows Security auditing. The implementation part focuses on designing detection rules covering the analyzed attack scenarios. The rules were designed and implemented in Splunk, then tested and evaluated by performing the attacks in a virtual environment. The rules, or the detection principles used in them, can serve as a baseline for the implementation of Active Directory security monitoring in organizations, regardless of the chosen technology. The appendix contains the designed rule set in the form of Analytic Stories, extending the content of an existing application, Splunk ES Content Update. The Stories are supplemented by related searches providing context useful for investigation.
Master theses
Security monitoring of Active Directory environment based on Machine Learning techniques
Author
Lukáš Kotlaba
Year
2021
Type
Master thesis
Supervisor
Ing. Simona Fornůsek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
Active Directory is a central point of administration and identity management in many organizations. Ensuring its security is indispensable to protect user credentials, enterprise systems, and sensitive data from unauthorized access. Security monitoring of Active Directory environments is typically performed using signature-based detection rules. However, those are not always effective and sufficient, especially for attacks similar to legitimate activity from the auditing perspective. This thesis applies machine learning techniques for detecting two such attack techniques, Password Spraying and Kerberoasting. Several machine learning algorithms are utilized based on features from the Windows Event Log and evaluated on data originating from a real Active Directory environment. The best approaches are implemented as detection rules for practical use in the Splunk platform. In an experimental comparison with signature-based approaches, the proposed solution was able to improve detection capabilities and, at the same time, reduce the number of false alarms for both considered attack techniques.
Malware Persistence Techniques and its Detection
Author
Martin Mandík
Year
2024
Type
Master thesis
Supervisor
Ing. Simona Fornůsek, Ph.D.
Reviewers
prof. Ing. Róbert Lórencz, CSc.
Department
Summary
This thesis deals with the topic of malware persistence, focusing on what techniques are used by these pieces of malicious software to launch repeatedly on target machines, and investigating them in detail in the theoretical part. The techniques are classified in alignment with the MITRE ATT&CK matrix. Based on this research, a solution including a set of rules for detecting selected persistence techniques is created in an Azure cloud laboratory environment utilizing the Splunk log management tool. In addition, the topic of automatic artifact acquisition is explored, while deploying the Google Rapid Response tool to collect interesting files automatically in coordination with the detection platform.
Design and Implementation of a Malware Detection Honeypot
Author
Aleš Répáš
Year
2024
Type
Master thesis
Supervisor
Ing. Simona Fornůsek, Ph.D.
Reviewers
Mgr. Martin Jureček, Ph.D.
Department
Summary
This thesis presents the design and implementation of an innovative approach to malware analysis through the integration of honeypot systems and neural network technology. The proposed system uses a honeypot as a decoy server to attract and execute malicious files, capturing the process through various records and artifacts. This data is then transmitted to a centralized log-collecting server for preservation and preprocessing. Leveraging the power of neural networks, the preprocessed data is utilized to train a model capable of recognizing malware patterns. Using multiple separate designs to sufficiently train the neural network, the system is deployed to perform automated malware analysis on incoming files, enabling real-time threat detection and mitigation. The final product is ready to be deployed in a real environment.
Analyzing Adversarial Lateral Movement Techniques on Windows Systems
Author
Silvie Němcová
Year
2024
Type
Master thesis
Supervisor
Ing. Simona Fornůsek, Ph.D.
Reviewers
Ing. Josef Kokeš, Ph.D.
Department
Summary
As sophisticated cyberattacks continue to evolve, cybersecurity researchers and experts are challenged to keep pace with an ever-changing threat landscape. Developing effective defense mechanisms remains a formidable task. This thesis employs a threat-informed approach to develop analytics for detecting lateral movement techniques, a critical phase in cyberattacks where adversaries expand their access and control within a compromised environment. Typically, adversaries move laterally within their target network to reach their objectives, which are often located on more secured or isolated devices, following an initial compromise via less secured devices or phishing. This work provides an overview of lateral movement techniques, reviews and applies a threat-informed approach to cyber threat analytics development, and focuses on the in-depth analysis of one such technique, T1091 Replication Through Removable Media. Utilizing an adjusted threat-informed cyber threat analytics development framework, this thesis analyzes lateral movement technique T1091, proposes specific detection strategies, implements them in a popular Security Information and Event Management (SIEM) system, and evaluates their performance and validity. Ultimately, this thesis demonstrates the effectiveness of the threat-informed approach to developing and implementing cyber threat analytics and detection strategies, summarizing the process and evaluating the outcomes to enhance cybersecurity defenses.
Detection rules for Ransomware detection in YARA and Sigma formats
Author
Stanislav Lepič
Year
2024
Type
Master thesis
Supervisor
Ing. Simona Fornůsek, Ph.D.
Reviewers
prof. Ing. Róbert Lórencz, CSc.
Department
Summary
This thesis focuses on the analysis of and defense against ransomware using detection rules. It provides an overview of the different types of ransomware and explores their lifecycle from infecting the system to extorting the victim. It also deals with methods of static and dynamic analysis of malicious software and examines the techniques that are used to defend against analysis. Subsequently, work with rules in the YARA and Sigma formats is described. In the design part, rules aimed at the general detection of ransomware samples are implemented in these formats.