M.J.G. van Eeten

Child sexual abuse material (CSAM) presents a critical challenge for online safety, yet the verification procedures that determine which items are classified as CSAM remain poorly understood. Triple verification (requiring three reviewers to agree) is promoted as a safeguard, but little is known about how it is implemented, how it is perceived by experts, and how voting conditions affect reliability. We address this gap through a mixed-methods study. We interviewed 14 experts from seven organizations (e.g., law enforcement, hotlines, etc.) to map current verification practices, then ran an inter-reliability experiment with Dutch National Police experts who reviewed 2,031 images and videos under different voting conditions (blind vs. non-blind, varied order). Finally, we held a focus group to explore the reasons behind disagreements. We find that practices vary widely, perceptions of triple verification reflect both safeguards and burdens, and expert agreement depends on voting conditions and content type. ...

Understanding Practitioner Challenges in Sector CSIRTs

In this paper, we study the experiences of practitioners in sectoral Computer Security Incident Response Teams (CSIRTs)—specialized teams that mediate between national cybersecurity authorities and the sector constituency. Through interviews with 18 professionals connected to the Informatiebeveiligingsdienst (IBD-CSIRT) for Dutch local governments, we uncover tensions in how key services are valued. For vulnerability notifications, while the CSIRT staff consider them a core service, many constituents hardly mention them, and systemic gaps in information forwarding mean that crucial alerts often never arrive. We extend these insights with 5 interviews across other sector CSIRTs and a validation workshop with 7 participants, all security officers from sector CSIRTs, revealing shared challenges in balancing technical expertise with sector knowledge, building trust-based relationships, and navigating institutional bottlenecks. Our findings contribute the first systematic account of how sector CSIRT professionals understand and perform their role, highlighting the tensions in providing sector-wide support to professionals with differing security needs. ...
The increasing digitalization of power systems into “smart grids” has introduced complex cybersecurity challenges. Although technical solutions dominate research in this area, non-technical factors crucial to smart grid cybersecurity remain unknown. This paper presents a systematic review of 27 studies examining how human and organizational factors are addressed in the smart grid cybersecurity literature. Our analysis reveals three key limitations: (1) a disconnect between proposed solutions and real-world challenges; (2) an overemphasis on individual operator decision-making during cyber incidents, despite empirical evidence supporting collaborative approaches; and (3) the imprecise use of concepts like “cybersecurity awareness” and “security culture”, neglecting established human factors literature developed around these concepts. Future research should ground interventions in real-world operational complexities, ensuring alignment between empirical and methodological approaches. ...
Journal article (2026) - Abdulkhamid Mukhamedov, Vanessa Simões de Azevedo, Michel van Eeten, Jolien Ubacht, Yury Zhauniarovich
The growing economic value of blockchain-driven financial applications brings increasing risks. In recent years, EU regulators felt the urgent need to address the financial and security risks that digital currencies might pose if left unsupervised. In 2020, the European Commission proposed a draft regulation called Markets in Crypto-Assets (MiCA). It sets out the rules for the crypto-asset issuers and service providers located in the EU or serving EU clients. To date, there is no evaluation of the risks covered by the proposed regulations besides the Commission’s own evaluation.

We conducted a study to identify the risk perceptions of different stakeholder groups in the market by interviewing 20 representatives of Crypto-Asset Service Providers, Crypto-Asset Issuers, Institutional Investors, and Legal Experts. We then compared the risks deemed relevant by the stakeholder groups with the risks covered in the MiCA framework. That allowed us to identify which risks and stakeholder groups’ concerns are insufficiently covered by the current version of the MiCA framework. As a result, we show that Crypto-Asset Issuers’ risks are the least addressed in the current MiCA version. Specifically, residual risks remain with regard to smart contracts, oracles, and transactions. These risks should be considered for upcoming amendments to the regulation. ...

Investigating the Effects of the 5th Anti-Money Laundering Directive on Cryptocurrency Exchanges in the Netherlands

By converting between currencies, cryptocurrency exchanges provide access between the traditional and cryptocurrency ecosystems, making them susceptible to money laundering. The European Union extended the scope of the 5th Anti-Money Laundering Directive (AMLD5) to include cryptocurrency exchanges, requiring them to obtain a registration, conduct customer due diligence, and report unusual transactions. It is, however, unknown whether the measures introduced by the implementation of AMLD5 lead to less risk exposure and what impact they have on cryptocurrency exchanges. This paper uses a mixed-methods approach to explore the effects of the Dutch implementation of AMLD5 measures on cryptocurrency exchanges active in the Netherlands. We analyzed over 335,000 transactions and complemented them with seven qualitative interviews with Dutch cryptocurrency exchanges and the supervisory authority. We find that the Dutch implementation of AMLD5 imposed high administrative burdens and substantial fees on relatively small exchanges that do not pose high money laundering risks. This raises questions about the alignment of the goals and consequences of the regulation. ...
Intelligence services must balance values such as national security and privacy when collecting data, with each scenario involving specific contextual trade-offs. While citizens benefit from effective intelligence operations, they also risk having their rights infringed upon. This makes citizen perspectives on acceptable data collection for intelligence and national security salient, as their legitimacy is also contingent upon public support. Yet, important aspects of citizen perspectives are understudied, such as the influence of contextual factors related to the use of intelligence collection methods. This study, inspired by Nissenbaum's contextual integrity framework, uses a factorial survey experiment with vignettes among a representative sample of 1423 Dutch citizens to examine the influence of threat type, duration, data subject, collection method, data type, and data retention on public acceptance of surveillance. Additionally, the study considers the impact of respondents' trust and privacy attitudes. The findings reveal significant influence of both contextual variables – particularly threat type, data subject, and data retention – and respondent predispositions – particularly trust in institutions, trust in intelligence services' competence, and privacy concerns for others. The findings imply that more in-depth contextual knowledge among the public may foster support for intelligence activities. ...
Conference paper (2025) - Kotaiba Alachkar, Dirk Gaastra, Eduardo Barbaro, Michel van Eeten, Yury Zhauniarovich
Endpoint Detection and Response (EDR) systems provide continuous monitoring, threat detection, and response capabilities. This has driven their widespread adoption in enterprises, making them a key part of an enterprise's security architecture. However, EDR systems are a double-edged sword, and in this study, we demonstrate how this class of systems can be employed for offensive use. Unlike prior studies that focused on evasion and tampering, we introduce the new concept of EDR repurposing, which we call EvilEDR. Our analysis shows that EvilEDR can be used to execute arbitrary commands via the response console, transfer tools, exfiltrate data, and passively collect system information to facilitate further exploitation and lateral movement. EvilEDR operates covertly, masquerading as a legitimate process and communicating seamlessly with trusted domains. Additionally, we show that EvilEDR can impair defenses by registering its own EPP as the default. It can also isolate the host from the network, severing telemetry and response channels essential for enterprise defense mechanisms. Fortunately, EvilEDR can be effectively detected and mitigated, and in this paper, we propose concrete and actionable defense strategies to achieve this. ...

Explaining the Persistence of Sub-optimal IoT Security Advice

The proliferation of consumer Internet of Things (IoT) devices has raised security concerns. In response, governments have been advising consumers on security measures, but these recommendations are not guaranteed to be implementable owing to the diverse and rapidly evolving IoT landscape, risking wasted efforts and uncertainty caused by unsuccessful attempts to secure devices. Through interviews and a workshop with 14 stakeholders involved in a Dutch national public awareness campaign, we found that while stakeholders recognized the validity of these concerns, they opted to continue the campaign with minor modifications while expecting regulatory changes to resolve the observed problem. Their justifications reveal an institutional incentive structure that overlooks well-documented user realities in security and privacy HCI research. This raises important considerations for the design and delivery of such support strategies. By fostering a collaborative dialogue, we aim to contribute to the development of user-centered security practices. ...
Exposing intrusion campaigns has become a geopolitical tool, with governments and commercial firms publishing threat intelligence reports about hacking attempts and modus operandi. U.S. government officials have explained this as not just a defensive practice but also as a way to ‘impose cost’ on attackers by forcing them to develop new infrastructure, tools, and techniques, consuming their scarce resources. We empirically examine this claim by analyzing attacker behavior before and after the publication of indicators of compromise (IOCs). Using IOC feeds from two leading commercial providers – deemed to best enable detection of sophisticated threats – we matched IOCs against a large dataset of real-world network traffic metadata. This enabled us to generate sightings retroactively, capturing malicious activity up to 150 days before and after publication. Unlike prior work focused on post-publication malicious activity, our method provides a more complete view over time. Our results show that most IOCs point to resources that attackers had already abandoned by the time of IOC publication, limiting their utility for detecting ongoing attacks and undermining the idea of ‘imposing costs’. Statistical modeling further reveals that publication status has low explanatory power for sightings, suggesting that confounding variables exist. We also observed a 30-day delay between the peak of threat actor activity and IOC publication for one provider. This study is the first empirical assessment linking threat intelligence publication to attacker behavior, bridging computer science and international relations. ...
Internet-wide scanning services are widely used for attack surface discovery across organizations and the Internet. Enterprises, government agencies, and researchers rely on these tools to assess risks to Internet-facing infrastructure. However, their reliability and trustworthiness remain largely unexamined. This paper addresses this gap by comparing results from three commercial scanners – Shodan, ONYPHE, and LeakIX – with findings from our independent experiments using verified Nuclei templates, designed to identify specific vulnerabilities through crafted benign requests. We found that the payload-based detections of Shodan are mostly confirmed. Yet, Nuclei finds many more vulnerable endpoints, so defenders might face massive underreporting. For Shodan’s banner-based detections, the opposite issue arises: a significant overreporting of false positives. This indicates that banner-based detections are unreliable. Moreover, the three commercial services and the Nuclei scans exhibit significant discrepancies among themselves. Our work has implications for industry users, policymakers, and the many academic researchers who rely on the results provided by these attack surface management services. By highlighting their shortcomings in vulnerability monitoring, this work serves as a call for action to advance and standardize such services to enhance their trustworthiness. ...
Conference paper (2025) - Max van der Horst, Ricky Kho, Olga Gadyatskaya, Michel Mollema, Michel van Eeten, Yury Zhauniarovich
As ransomware attacks grow in frequency and complexity, accurate attribution is crucial. Victim organizations often feel compelled to pay ransom, but must first attribute the attack and conduct sanction screening to ensure the threat actor receiving the payment is not a sanctioned entity, avoiding severe legal and financial risks. This cyber threat actor attribution process typically relies on Indicators of Compromise (IoCs) matching known threat profiles. However, the emergence of the Ransomware-as-a-Service (RaaS) ecosystem and rebranding behavior complicate attribution for sanction screening. Our mixed-methods study, combining interviews with 20 experts with an analysis of ransomware incident reports, reveals significant challenges and limitations in the current attribution process. High-level IoCs, widely regarded as more reliable, lack the necessary specificity for accurate attribution, leading to potential risks of misattribution. Practitioners rely on lower-level IoCs, which provide clearer links to threat actors but are highly volatile, further complicating sanction enforcement. These challenges highlight the need for urgent improvements in the attribution and sanction processes. To mitigate these risks, we offer recommendations aimed at enhancing data-sharing practices, improving attribution frameworks, and refining the sanction violation policy to better support sanction screening efforts. While we do not recommend paying ransomware actors, we acknowledge that some organizations may face pressures to do so in certain situations. In such cases, it is vital to ensure legal compliance, particularly regarding sanctioned entities. This work aims to help victims of ransomware shield themselves from transgressing against sanctions. ...

Piecing Together Factors of IoT Vulnerability Exploitation

Conference paper (2025) - Arwa Abdulkarim Al Alsadi, Mathew Vermeer, Takayuki Sasaki, Katsunari Yoshioka, Michel Van Eeten, Carlos Gañán
The proliferation of Internet of Things (IoT) devices has led to a surge in vulnerabilities, with traditional metrics like CVSS and PoC exploits failing to fully explain exploitation patterns. To address this, we leverage features from the state-of-the-art prediction model EPSS – such as CVSS, CWE, vendors, external references, vulnerability age, and PoCs – and combine them with new features derived from hacking communities. Our study of 23,373 IoT-related CVEs and 25k posts from 25 hacking forums highlights the importance of including insights on attacker behavior from discussions involving vulnerabilities. We identified 38 features with a p-value < 0.05 that impact attackers’ selection of IoT vulnerabilities. We use two metrics to evaluate our model with features from hacking forums: McFadden’s pseudo R2, which showed a 21% improvement in explaining variance, and the Brier score for prediction accuracy, with a 17% improvement over EPSS. These results emphasize that current state-of-the-art methods struggle to capture the distinct nuances and complexity of IoT threats, and that incorporating available information such as insights into attacker behavior can better capture the factors influencing the targeting of IoT vulnerabilities. ...

Blending Security Alerts for Attack Detection

Conference paper (2024) - Tom-Martijn Roelofs, Eduardo Barbaro, Svetlana Pekarskikh, Katarzyna Orzechowska, Marta Kwapień, Jakub Tyrlik, Dinu Smadu, Michel van Eeten, Yury Zhauniarovich
Large- and medium-sized organizations employ various security systems to protect their assets. These systems, often developed by different vendors, focus on different threats and usually work independently. They generate separate and voluminous alerts that have to be monitored and analyzed by often overburdened security analysts. Prior work has tried to support analysts by better correlating and prioritizing alerts. In this work, we propose to combine the wisdom of individual security systems using an Integration Layer (IL). We validated our idea by deploying the IL in a large global organization (50,000+ employees) running four very different security detection systems. We did so by using end-to-end red-team exercises to generate real attack data. For training, we labeled our dataset with evaluations directly from the incident response team instead of using the escalated decisions of the first/second tier Security Operation Center (SOC) analysts as in prior works. We showed that our approach considerably reduces the number of alerts requiring investigation while maintaining very high performance on multi-step attack detection: the Matthews correlation coefficient (MCC) reaches 0.998. The substantial dependence of the model on features derived from the different security systems supports the viability of our integration methodology. The explainability layer added to our system gives analysts insights into why a particular case is marked as an attack or non-attack. Based on the test results, our approach has been added to the production setup. ...

Why Municipalities Persist in Running Vulnerable Hosts

Many organizations continue to expose vulnerable systems for which patches exist, opening themselves up for cyberattacks. Local governments are found to be especially affected by this problem. Why are these systems not patched? Prior work relied on vulnerability scanning to observe unpatched systems, notification studies on remediating them, and on user studies of sysadmins to describe self-reported patching behavior, but they are rarely used together as we do in this study. We analyze scan data following standard industry practices and detect unpatched hosts across the set of 322 Dutch municipalities. Our first question is: Are these detections false positives? We engage with 29 security professionals working for 54 municipalities to collect ground truth.

All detections were accurate. Our approach also uncovers a major misalignment between systems that the responsible CERT attributes to the municipalities and the systems the practitioners at municipalities believe they are responsible for. We then interviewed the professionals as to why these vulnerable systems were still exposed. We identify four explanations for non-patching: unaware, unable, retired and shut down. The institutional framework to mitigate cyber threats assumes that vulnerable systems are first correctly identified, then correctly attributed and notified, and finally correctly mitigated. Our findings illustrate that the first assumption is correct, the second one is not and the third one is more complicated in practice. We end with reflections on how to better remediate vulnerable hosts. ...
The AI Act represents a significant legislative effort by the European Union to govern the use of AI systems according to different risk-related classes, imposing different degrees of compliance obligations to users and providers of AI systems. However, it is often critiqued due to the lack of general public comprehension and effectiveness regarding the classification of AI systems to the corresponding risk classes. To mitigate these shortcomings, we propose a Decision-Tree-based framework aimed at increasing legal compliance and classification clarity. By performing a quantitative evaluation, we show that our framework is especially beneficial to individuals without a legal background, allowing them to enhance the accuracy and speed of AI system classification according to the AI Act. The qualitative study results show that the framework is helpful to all participants, allowing them to justify intuitively made decisions and making the classification process clearer. ...
Journal article (2024) - Qingxin Mao, Daisuke Makita, Michel van Eeten, Katsunari Yoshioka, Tsutomu Matsumoto
Carpet bombing-type DDoS attacks, which target a wide-range network rather than a single IP address, have threatened the Internet. Some researchers have investigated the characteristics of single-target DDoS attacks. Still, much less is known about the characteristics of carpet bombing, or even about the differences between the two. In this paper, we profile the characteristics of carpet bombing via data from amplification DDoS honeypots and the differences between single-target DRDoS attacks and carpet bombing. We analyze attacks highly concentrated on a specific network in terms of victims, duration, number of packets, ports, and TTLs, and describe the differences between single-target DRDoS attacks and carpet bombing. Our analysis at the level of Autonomous Systems demonstrates that carpet bombing attacks target more hosting networks, including some critical targets, than single-target attacks. We found carpet bombing attacks targeting more “Corporate” networks. We also found that each IP address targeted by carpet bombing receives fewer packets than in single-target DRDoS attacks. According to the comparison of attack duration and TTL, carpet bombing lasted longer and tended to have diverse TTL values in its packets. On the contrary, most single-target DRDoS attacks have a single TTL value in their packets. This implies that carpet bombing has a higher probability of originating from multiple sources. Finally, a comparison of ports shows that the use of various ports in carpet bombing is highly proportional to that in single-target DRDoS attacks. ...

SOC Workflows and Decisions in the Management of NIDS Rules

Signature-based network intrusion detection systems (NIDSs) and network intrusion prevention systems (NIPSs) remain at the heart of network defense, along with the rules that enable them to detect threats. These rules allow Security Operation Centers (SOCs) to properly defend a network, yet we know almost nothing about how rules are created, evaluated and managed from an organizational standpoint. In this work, we analyze the processes surrounding the creation, management, and acquisition of rules for network intrusion detection. To understand these processes, we conducted interviews with 17 professionals who work at Managed Security Service Providers (MSSPs) or other organizations that provide network monitoring as a service or conduct their own network monitoring internally. We discovered numerous critical factors, such as rule specificity and total number of alerts and false positives, that guide SOCs in their rule management processes. These lower-level aspects of network monitoring processes have generally been regarded as immutable by prior work, which has mainly focused on designing systems that handle the resulting alert flows by dynamically reducing the number of noisy alerts SOC analysts need to sift through. Instead, we present several recommendations that address these lower-level aspects to help improve alert quality and allow SOCs to better optimize workflows and use of available resources. These recommendations include increasing the specificity of rules, explicitly defining feedback loops from detection to rule development, and setting up organizational processes to improve the transfer of tacit knowledge. ...

An empirical view on the digital sovereignty of six governments in the midst of geopolitical tensions

Journal article (2023) - Bernardus Jansen, Natalia Kadenko, Dennis Broeders, Michel van Eeten, Kevin Borgolte, Tobias Fiebig
In just a few years, the issue of “digital sovereignty” has emerged as an important security issue for governments across the globe, reflecting a growing unease about the security risks associated with government services that depend on foreign service providers for digital infrastructure and traffic routing. This work investigates to which extent government services and communication with citizens rely on infrastructure outside their own jurisdiction for six countries facing sensitive or sometimes even antagonistic relations with neighbors: India, the Netherlands, Pakistan, Taiwan, Ukraine, and the United Kingdom. By combining various methods (traceroute measurements, passive DNS data and geolocation), we determine where and how domains are hosted, as well as the network paths taken by citizens' traffic to them. We uncover different strategies and degrees of autonomy, as well as difficult tradeoffs between different risks to autonomy, some of which might be larger than the risks associated with the dependency on foreign providers. This includes transnational providers being used by all countries, with geopolitical rivals even being tenants on the same network, and traffic between citizens and governments regularly traversing international borders. Furthermore, we compared our empirical findings to stated governmental policies and find that they are not always consistent. ...

Analyzing the target selection of IoT vulnerabilities in malware binaries

Conference paper (2023) - Arwa Abdulkarim Al Alsadi, Kaichi Sameshima, Katsunari Yoshioka, Michel van Eeten, Carlos H. Gañán
For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018 and 2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (R²=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities. ...
The AI Act represents a significant legislative effort by the European Union to govern the use of AI systems according to different risk-related classes, linking varying degrees of compliance obligations to the system's classification. However, it is often critiqued due to the lack of general public comprehension and effectiveness regarding the classification of AI systems to the corresponding risk classes. To mitigate those shortcomings, we propose a Decision-Tree-based framework aimed at increasing robustness, legal compliance and classification clarity with the Regulation. Quantitative evaluation shows that our framework is especially useful to individuals without a legal background, allowing them to improve considerably the accuracy and significantly reduce the time of case classification. ...