Two teams of student researchers supported by the CLTC presented at the recent 2021 RSA Conference, an event that brings together cybersecurity professionals from around the world to exchange ideas and solutions. The students pursued their research while enrolled in the UC Berkeley School of Information’s Master of Information and Cybersecurity (MICS) program. This article was adapted from an article originally published by the UC Berkeley School of Information.
MITRE ATT&CK® as a Framework for Cloud Threat Investigation
MICS students Jasdeep Basra and Tanu Kaushik presented “MITRE ATT&CK® as a Framework for Cloud Threat Investigation,” a survey-based research initiative focused on how security professionals use MITRE ATT&CK® in a cloud context, and the challenges and opportunities for improving cloud security and adoption.
Their research, which was also presented in a CLTC white paper, was a collaboration between CLTC and McAfee®, a device-to-cloud cybersecurity company. MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations. It has become a favorite tool of security professionals because it provides a common taxonomy, and its matrix of tactics and techniques gives organizations a structured way to identify gaps in their security products and tools and to prioritize those gaps by risk.
Their study found that 87% of respondents agree that ATT&CK will improve cloud security, and 79% say it would increase their comfort with cloud adoption. “The information provided in our report is relevant to CISOs and other security professionals, since many enterprises are moving to utilize cloud computing,” Basra said, adding that the pandemic accelerated this shift to the cloud, and that it is important to understand how to tackle the security threats that arise in this new era.
“Our comprehensive interviews with security professionals from all backgrounds, from CISOs and CIOs to security architects, penetration testers, and governance and risk professionals, ensured we provide insights for a larger information and security community,” Kaushik said.
The students noted that the MICS program provided them with important foundations for conducting their research. “The [MICS] class ‘Usable Privacy and Security’ prepared me by providing knowledge of design heuristics and drafting surveys,” Basra said, “including the use of Qualtrics, which we used to draft the survey.”
“The class ‘Managing Cyber Risk,’” Kaushik added, “helped equip us with current cloud security challenges, associated risks and taught us how to conduct interviews with leading security professionals to investigate how they assess and confront these challenges.”
In a separate presentation at the 2021 RSA Conference, MICS student David Ng and lecturer Stuart Schechter presented their research on password managers, which was funded in part by the Center for Long-Term Cybersecurity. A password manager is meant to generate complex passwords and store them to protect your data. However, Ng and Schechter had a hunch that most people weren’t using them correctly, and wanted to discover whether these tools were being used as intended. (Spoiler alert: they aren’t.)
The research, which began as a MICS final project for ‘Usable Privacy and Security,’ involved a study of 100 people who had used a password manager for five months. What they found was that many users simply ignore the manager’s notifications prompting them to reset passwords. The pair plan to continue their research and run the study again with some changes.
“Many users appear to be using password managers without taking advantage of the features necessary to get the security benefits,” said Ng, who had previously participated in the conference as an RSA Scholar. “We hope our research will remind those giving security advice that they need to tell users not only to use password managers, but to do the work to get the security benefits.”