Cyber Threat Intelligence: Analysis of adversaries and their methods

The growing dependency on interconnected devices makes cyber crime increasingly lucrative. Together with the rise of premade tools to perform exploits, the number of cyber incidents grows rapidly each year. Defending against these threats becomes increasingly difficult as organizations depend heavily on the Internet and have many different...

MD-Honeypot-SSH: Gathering Threat Intelligence Data during the SSH Handshake

With the amount of network connected devices every increasing, and many of them running the Secure Shell (SSH) protocol to facilitate remote management, research into SSH attacks is more important than ever. SSH honeypots can be used to act like vulnerable systems while gathering valuable data on the attacker and its methods in the meantime. The...

Looking under the Streetlights: Evaluating Cyber Threat Intelligence Feeds Using Quantitative Metrics and User Appreciation Scores

In the battle against ever-changing cyber threats, a new ally has joined in: Cyber Threat Intelligence. Evolved from historical blacklists and anti-virus, Threat Intelligence aims to protect and inform its clients against both nation state actors, as well as cyber criminals. Threat Intelligence comes in many shapes and sizes, and for a wide...

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a...

Inside the Matrix: CTI Frameworks as Partial Abstractions of Complex Threats

The Cyber Threat Intelligence (CTI) field has evolved rapidly and most of its reporting is now fairly stan-dardized. Where the Cyber Kill Chain was its sole reference framework 5 years ago, today ATT&CK is the de facto standard for reporting adversary tactics, techniques and procedures (TTPs). CTI frameworks are effectively abstraction...

Compare Before You Buy: Privacy-Preserving Selection of Threat Intelligence Providers

In their pursuit to maximize their return on investment, cybercriminals will likely reuse as much as possible between their campaigns. Not only will the same phishing mail be sent to tens of thousands of targets, but reuse of the tools and infrastructure across attempts will lower their costs of doing business. This reuse, however, creates an...

MD-Honeypot: On Adversarial Choices in DRDoS attacks

The Internet has grown from a few interconnections of trusted parties to an incredibly large network with many different use cases. While the Internet grew, threats emerged as well. Although there are many different threats on the Internet, Distributed Denial of Service (DDoS) attacks are a threat that keeps rising in the threat landscape. The...

Opening Pandora’s Box: Charting the ecosystem of Command and Control infrastructures in a terabit-scale network

The amount of people and devices connected through the Internet has been growing at a rapid pace; as of June 2019 58,8% of the world’s population and billions of devices are joined by this vast network of information resources and services. Not every Internet user however has benign intentions. Cybercriminals use this technology for their own...

Inadvertently Making Cybercriminals Rich: A Comprehensive Study of Cryptojacking Campaigns at Internet Scale

Cryptojacking, a phenomenon also known as drive-by cryptomining, involves stealing computing power from others to be used in illicit cryptomining. While first observed as host-based infections with low activity, the release of an efficient browser-based cryptomining application -- as introduced by Coinhive in 2017 -- has skyrocketed...

Scanners: Discovery of distributed slow scanners in telescope data

The internet is rapidly growing, and with it grows the number of malicious actors. For many attacks, the attacker first scans the internet to detect vulnerable devices. In order to evade detection, the attacker distributes the scanning over a large number of machines. Because attackers are distributing this scanning and there is no way to find...

Approximate Automated Campaign Analysis with Density Based Clustering

The modern cybersecurity landscape is characterised by the increasing number of actors capable of performing advanced and highly impactful hacking. The situation has worsened significantly in the last decade because more and more of the critical infrastructure is connected to the Internet, because the capabilities of attackers have improved and...

Governance of cybersecurity communities: Understanding threat intelligence sharing as a collective action problem through incentivization of the National Detection Network

Organizations benefit from improved cybersecurity threat detection capabilities if they share information in a community of their peers. However, organizations are unlikely to share the sensitive information that is most valuable as this poses individual risks. Information sharing in cybersecurity communities therefore forms a collective action...

Privacy-Preserving Combinatorial Set Operations for Cyber Threat Intelligence

In less than a century, the Internet has morphed from being a communication channel to a medium of existence for people. Meanwhile, attacks over the Internet have been growing both qualitatively and quantitatively, with losses transcending the financial kind and threatening the well-being of human lives. This trend fuels the need for Cyber...

Classification of Distributed Strategies for Port Scan Reconnaissance

Prior to exploiting a vulnerable service, adversaries perform a port scan to detect open ports on a target machine. If an adversary is aiming for multiple targets, multiple IP addresses need to be scanned for possible open ports. As sending all this probing traffic with one source IP address causes a lot of suspicion in an intrusion detection...

Remote Identification of Port Scan Toolchains

Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this...