
Threat Analysis Mapping, Connected Vehicles, Emerging Technologies, and Cyber-Foraging: The Latest Research from the SEI


As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports, technical notes, and white papers. These reports highlight the latest work of SEI technologists in estimating program costs early in the development lifecycle, threat analysis mapping, risks and vulnerabilities in connected vehicles, emerging technologies, and cyber-foraging. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

The QUELCE Method: Using Change Drivers to Estimate Program Costs
By Sarah Sheard

Problems with cost estimation, ranging from estimator overconfidence to unintegrated tools, result in potentially billions of dollars of unanticipated expenses for DoD programs. Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE) is a method, developed by the SEI, for estimating potential program costs in a way that acknowledges and uses uncertainty that occurs early in the development lifecycle. This report first familiarizes the reader with the QUELCE method. QUELCE computes a distribution of program costs based on Monte Carlo analysis of program cost drivers--assessed via analyses of dependency structure matrices and Bayesian belief networks--and a standard project estimation tool. The analyses are based on change drivers, or changes that might occur that would substantially change the cost outcome of a program. The report then provides the current organization scheme of change drivers and describes how each one is used to determine any additional impacts that should be folded into the cost estimate. Finally, it introduces elaborations to the change drivers for application to sustainment-phase programs.
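To make the mechanics of "a distribution of program costs from Monte Carlo analysis of change drivers" concrete, here is an added toy example for this post; it is not the SEI's QUELCE tooling, and the drivers, their probabilities, their cost multipliers and the one conditional dependency (a stand-in for a dependency-structure-matrix entry) are all constructed for the illustration:

```python
"""Toy Monte Carlo cost distribution driven by change drivers.

Added illustration for this post, not the SEI's QUELCE tooling. The drivers,
their probabilities, their cost multipliers and the single dependency between
two drivers are all constructed for the example.
"""
import random

# Constructed change drivers: name -> (probability it occurs, cost multiplier if it does)
CHANGE_DRIVERS = {
    "requirements_growth": (0.40, 1.25),
    "key_supplier_slips": (0.20, 1.15),
    "security_rework": (0.30, 1.10),
}

# Constructed dependency, a stand-in for one dependency-structure-matrix entry:
# if requirements grow, security rework is more likely (conditional probability 0.60).
DEPENDENCIES = {"requirements_growth": {"security_rework": 0.60}}


def sample_drivers(rng):
    """Draw one scenario: which drivers fire in this run.

    Drivers are visited in dictionary order, so a parent driver is always
    sampled before the child whose probability depends on it.
    """
    fired = {}
    for name, (p, _) in CHANGE_DRIVERS.items():
        for parent, children in DEPENDENCIES.items():
            if name in children and fired.get(parent):
                p = children[name]  # parent fired: use the conditional probability
        fired[name] = rng.random() < p
    return fired


def scenario_cost(base_cost, fired):
    """Apply the multiplier of every driver that fired to the base estimate."""
    cost = base_cost
    for name, (_, multiplier) in CHANGE_DRIVERS.items():
        if fired[name]:
            cost *= multiplier
    return cost


def simulate(base_cost, runs=10_000, seed=1):
    """Monte Carlo: return the list of simulated program costs."""
    rng = random.Random(seed)
    return [scenario_cost(base_cost, sample_drivers(rng)) for _ in range(runs)]


def percentile(costs, p):
    """p-th percentile (0 < p <= 1) of the simulated costs, nearest-rank method."""
    ordered = sorted(costs)
    index = max(0, min(len(ordered) - 1, int(round(p * len(ordered))) - 1))
    return ordered[index]


if __name__ == "__main__":
    costs = simulate(base_cost=100.0)
    for p in (0.50, 0.80, 0.95):
        print(f"P{int(p * 100)}: {percentile(costs, p):.1f}")
```

The point of reporting P50/P80/P95 rather than a single number is the one the report makes: early in the lifecycle the uncertainty is the estimate, and a decision maker needs the spread, not just the mean.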
Download a PDF of the Report.

A Unique Approach to Threat Analysis Mapping: A Malware-Centric Methodology
By Deana Shick and Kyle O'Meara

Malware family analysis is a constant process of identifying exemplars of malicious software, recognizing changes in the code, and producing groups of "families" used by incident responders, network operators, and cyber threat analysts. With adversaries constantly changing network infrastructure, it is easy to lose sight of the tools consistently being used and updated by these various actors. Beginning with malware family analysis, this methodology seeks to map vulnerabilities, exploits, additional malware, network infrastructure, and adversaries using open source intelligence (OSINT) and public data feeds for the network defense and intelligence communities. The results provide an expanded picture of adversaries' profiles rather than an incomplete story. The goal of this document is to shift the mindset of many researchers to begin with the tools used by adversaries rather than with network or incident data alone for an outside-in approach to threat analysis instead of an inside-out method. We chose three malware families to use as case studies--Smallcase, Derusbi, and Sakula. The results of each case study--any additional network indicators, malware, exploits, vulnerabilities, and overall understanding of an intrusion--tied to the malware families should be utilized by network defenders and intelligence circles to aid in decision making and analysis.

As they constantly change network infrastructure, adversaries consistently use and update their tools. This report presents a way for researchers to begin threat analysis with those tools rather than with network or incident data alone.
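The outside-in pivot the report describes, as an added example for this post (not the CERT/CC's own tooling): start from a malware family, and walk constructed OSINT-style records (sample, C2 domain, passive DNS, other domains on the same address, other samples) with a hop limit and a degree cut-off, so that shared hosting infrastructure does not drag in indicators that share an IP address but not an adversary. Every hash, domain, IP address (RFC 5737 documentation ranges) and vulnerability label is constructed; the record format is an assumption for the example.

```python
"""Outside-in pivoting from a malware family over OSINT-style records.

Added example for this post, not the CERT/CC methodology's tooling. Every
hash, domain, IP address (RFC 5737 documentation ranges) and vulnerability
label below is constructed for the example.
"""
from collections import deque

# Constructed records: (subject, relation, object). In practice these would come
# from sandbox reports, passive DNS and public feeds.
RECORDS = [
    ("family:alpha", "has_sample", "sha256:aaaa"),
    ("family:alpha", "has_sample", "sha256:bbbb"),
    ("sha256:aaaa", "beacons_to", "domain:update-check.example"),
    ("sha256:bbbb", "beacons_to", "domain:cdn-static.example"),
    ("sha256:bbbb", "exploits", "vuln:office-parser-bug"),
    ("domain:update-check.example", "resolves_to", "ip:198.51.100.7"),
    ("domain:cdn-static.example", "resolves_to", "ip:203.0.113.9"),
    # ip:198.51.100.7 is shared hosting: several unrelated domains sit on it
    ("domain:mail-login.example", "resolves_to", "ip:198.51.100.7"),
    ("domain:shop-a.example", "resolves_to", "ip:198.51.100.7"),
    ("domain:shop-b.example", "resolves_to", "ip:198.51.100.7"),
    ("sha256:cccc", "beacons_to", "domain:mail-login.example"),
    ("family:beta", "has_sample", "sha256:cccc"),
    ("domain:news-portal.example", "resolves_to", "ip:203.0.113.9"),
]


def build_graph(records):
    """Undirected adjacency list: node -> list of (neighbour, relation)."""
    adj = {}
    for subject, relation, obj in records:
        adj.setdefault(subject, []).append((obj, relation))
        adj.setdefault(obj, []).append((subject, relation))
    return adj


def pivot(adj, start, max_hops=4, max_degree=3):
    """Breadth-first pivot from `start`.

    Returns node -> (hops, path). A node with more than `max_degree`
    neighbours (shared hosting, a sinkhole, a CDN) is recorded when reached
    but never expanded, because pivoting through it would pull in indicators
    that share infrastructure but not an adversary.
    """
    reached = {start: (0, [start])}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, path = reached[node]
        if hops >= max_hops:
            continue
        if node != start and len(adj[node]) > max_degree:
            continue  # too noisy to pivot through
        for neighbour, _relation in adj.get(node, []):
            if neighbour not in reached:
                reached[neighbour] = (hops + 1, path + [neighbour])
                queue.append(neighbour)
    return reached


def summarize(reached):
    """Group reached indicators by type prefix (sha256, domain, ip, vuln, family)."""
    groups = {}
    for node in reached:
        kind = node.split(":", 1)[0]
        groups.setdefault(kind, []).append(node)
    return {kind: sorted(nodes) for kind, nodes in groups.items()}


if __name__ == "__main__":
    graph = build_graph(RECORDS)
    for kind, nodes in summarize(pivot(graph, "family:alpha", max_hops=6)).items():
        print(kind, nodes)
```

With the degree cut-off in place the pivot from `family:alpha` stops at the shared address and never reaches `family:beta`; raise the cut-off and the walk connects the two families through that one IP, which is exactly the false link an analyst has to recognize and discount before handing indicators to network defenders.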
Download a PDF of the Report

On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle
By Dan J. Klinedinst and Christopher King

The Department of Homeland Security's US-CERT tasked the CERT Coordination Center (CERT/CC) at the SEI to study aftermarket on-board diagnostic (OBD-II) devices to understand the cybersecurity impact to consumers and the public.

The CERT/CC analyzed a representative sample of devices for vulnerabilities and found widespread failure to apply basic security principles. If these devices are compromised, the potential impact may include loss of privacy, vehicle performance degradation or failure, and potential injury.

The CERT/CC hopes this research will better inform consumers, enterprise fleet managers, insurance companies, and policy makers about the potential risks of these devices. The OBD-II port was created to provide consumers with choice and control over their purchase. At the same time, this freedom must be balanced with thoughtful conversations on how to limit adversaries' access to vehicle internals.

This report describes cybersecurity risks and vulnerabilities in modern connected vehicles.
Download a PDF of the Report

2016 Emerging Technology Domains Risk Survey
By Christopher King, Dan J. Klinedinst, Todd Lewellen, Garret Wassermann

In today's increasingly interconnected world, the information security community must be prepared to address emerging vulnerabilities that may arise from new technology domains. Understanding trends and emerging technologies can help information security professionals, leaders of organizations, and others interested in information security to anticipate and prepare for such vulnerabilities. This report, originally prepared in 2015 for the Department of Homeland Security United States Computer Emergency Readiness Team (US-CERT), provides a snapshot in time of the current understanding of future technologies. This report will be updated every two years to include new estimates of adoption timelines, new technologies, and adjustments to the potential security impact of each domain. This report will also help US-CERT to make an informed decision about the best areas to focus resources for identifying new vulnerabilities, promoting good security practices, and increasing understanding of systemic vulnerability risk.
Download a PDF of the Report

Malware Capability Development Patterns Respond to Defenses: Two Case Studies
By Kyle O'Meara, Deana Shick, Jonathan Spring, Ed Stoner

Adversaries constantly add functionality to their tools to evade the defensive measures deployed by network defenders and software developers. Through a variety of mechanisms, these additions let the tools avoid almost any simple or known detection technique. Feature additions also make the malware more robust and allow adversaries to use a tool for use cases beyond its original intent.

This paper uses two case studies to outline the relationship between adversaries and network defenders, choosing families whose feature additions, and the defensive measures they responded to, are well documented. Zeus is a banking trojan that has been active since 2007 and is used primarily to exfiltrate banking credentials and other financial data from unsuspecting victims. BlackEnergy has been active since early 2007 and was originally designed to perform distributed denial of service (DDoS) attacks; more recently it has also been used to degrade the integrity of industrial control systems (ICS).

The progression of the capabilities available to these actors demonstrates the extent to which cybersecurity is a back-and-forth struggle between adversaries and defenders. The cat-and-mouse nature of the interplay is apparent as Zeus and BlackEnergy continue to add just enough features to stay one step ahead of defensive capabilities. Each minor capability has likely passed through the Adversary Capability Chain (ACC), and by the time it is publicly documented it shows signs of the Ubiquity phase.

We point to the resilience of the adversary ecosystem to raise awareness and help defenders anticipate this phenomenon. There is no obvious way to end the cat-and-mouse game, but some advice is relevant in light of it. An important decision is when to burn equities, that is, when to reveal defensive strategy information to adversaries and permit them to respond, and when instead to hold such information close.

In this paper, the authors describe their analysis of two case studies to outline the relationship between adversaries and network defenders.
Download a PDF of the Report

Cyber-Foraging for Improving Survivability of Mobile Systems
By Sebastián Echeverría (Universidad de los Andes), Grace Lewis, James Root, and Ben W. Bradshaw

Cyber-foraging is a technique for dynamically augmenting the computing power of resource-limited mobile devices by opportunistically exploiting nearby fixed computing infrastructure. Cloudlet-based cyber-foraging relies on discoverable, generic, forward-deployed servers located in single-hop proximity of mobile devices. We define tactical cloudlets as the infrastructure to support computation offload and data staging at the tactical edge. However, the characteristics of tactical environments--such as dynamic context, limited computing resources, disconnected-intermittent-limited (DIL) network connectivity, and high levels of stress--pose a challenge for the continued operations of mobile systems that leverage cloudlets in tactical environments. We also define survivability of mobile systems as the capability of a system to continue functioning in spite of adversity. This report presents an architecture and experimental results that demonstrate that cyber-foraging using tactical cloudlets increases the survivability of mobile systems.
Download a PDF of the Report

Additional Resources

For the latest publications on SEI research, please visit
