
V.D.H. Ghiette


5 records found

Doctoral thesis (2025) - V.D.H. Ghiette, J. van den Berg, C. Dörr
In the past years, cybercrime has become an increasing burden on society. Criminals have access to a growing amount of cheap attack resources. Additionally, we observe a growing number of Internet-connected devices containing many (new) vulnerabilities, and Internet services full of threats for end-users. In response, defending parties have developed cyber threat intelligence (CTI). CTI focuses on collecting, processing, and analyzing data on criminal activities to understand the actors' motives, targets, and behavior, allowing defending parties to understand the cybercrime landscape and adapt their defense strategies accordingly.

Although CTI has been developed and generated for the past decades, many challenges remain to be solved. Most defense systems designed using CTI rely on simple indicators such as hash values and IP addresses, and are therefore easily circumvented by cybercriminals. In addition, the cyber landscape is in continuous motion, causing intelligence to become stale and decreasing the effectiveness of related defense mechanisms. In this dissertation, we contribute to the state of the art by investigating whether it is possible, in the early stages of attacks, to extract information characterizing the criminal's toolchain and to identify behavioral traits. Generating CTI at the early stage of attacks supports defending parties in developing defense mechanisms able to stop criminals early, preventing them from causing further damage. We focus on gathering CTI related to the tools, tactics, techniques, and procedures attackers use, as these provide the valuable information needed for developing defense systems.

We observe that the scan landscape has significantly changed in the past nine years and that defense mechanisms based on low-value CTI provide insufficient protection. The observed changes and analyses confirm the necessity to continuously monitor the current threat landscape and adapt the defense mechanisms accordingly. Next, we propose a clustering-based methodology that matches randomized scan probe payloads, allowing the reconstruction of the templates used by attackers. Using reconstructed templates we can detect large-scale scanning campaigns, and we observe a convergence of cybercriminals toward similar toolchains over time, which increases the difficulty of distinguishing between criminal operations. To differentiate similar toolchains, we analyze the fingerprinting of SSH handshakes and reveal that the libraries and library versions used to compile said toolchains can be identified, allowing further differentiation between campaigns and thus the behavioral analysis of cybercriminals. We show that attackers employing distinct toolchains at the early attack stages behave differently at later attack stages. Finally, we analyze Mirai brute-forcing attacks, identifying the different botnet configurations cybercriminals use. We simulate competing botnets configured with the observed settings and conclude that the implemented changes improve the botnet's success rate, indicating that criminals are constantly refining their operations.

In summary, we contribute to the state of the art by generating CTI characterizing the tools, tactics, techniques, and procedures attackers use. The generated CTI spans multiple layers of the attackers' toolchains, providing actionable intelligence at the early attack stages. The generated intelligence can, therefore, contribute to the design of defense-in-depth systems aimed at mitigating cyberattacks. ...

Grouping Randomized Scan Probes Into Campaign Templates

Conference paper (2022) - Vincent Ghiette, Christian Dörr
Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or ZMap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we have witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate in an attempt to forgo detection. As scanning is typically the first step towards a later intrusion, organizations need to track, understand, and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal new vulnerabilities. Furthermore, relating the IP addresses participating in scan campaigns to each other provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they send static data or randomize their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology to seven years of NTP and DNS scan traffic, demonstrating that our automatic clustering provides stable tracking of strategies over time and effectively identifies groups of source IPs sharing these behavioral characteristics. ...
Conference paper (2020) - Vincent Ghiette, Christian Doerr
Website fingerprinting aims to identify the web page visited by a victim through the analysis of metadata generated by the encrypted flow between web server and victim. A fingerprinting attack can be performed at several locations and scales, ranging from local adversaries such as employers monitoring their employees' browsing behavior to state-sponsored actors monitoring civilians to uncover their political views. In this paper we show the feasibility of an attacker performing web page fingerprinting at a large scale by introducing a new two-stage fingerprinting method. We evaluate our proposed method using a Wikipedia clone consisting of 828,907 pages, allowing us to show that attackers are not only able to fingerprint pages from different websites but are also able to fingerprint similar pages belonging to the same website. Moreover, we show that, even though HTTP/2 reduces the available metadata compared to HTTP, attackers using our method can achieve an accuracy of 62.21% when fingerprinting pages from our Wikipedia clone. Finally, we show that an attacker can, when taking browsing behavior into consideration, identify victims searching for specific information with an accuracy of 87.4%. ...
Conference paper (2019) - Vincent Ghiëtte, Harm Griffioen, Christian Doerr
In SSH brute-forcing attacks, adversaries try a large number of different username and password combinations in order to compromise a system. As such activities are easily recognizable in log files, sophisticated adversaries distribute brute-forcing attacks over a large number of origins. Effectively finding such distributed campaigns, however, proves to be a difficult problem. In practice, when adversaries spread brute-forcing over multiple sources, they will likely reuse the same kind of software across all of these origins to simplify their operation and reduce cost. This means that if we are able to identify the tooling used in these attempts, we can cluster similar tool usage into likely collaborating hosts and thus campaigns. In this paper, we demonstrate that it is possible to utilize cipher suites and SSH version strings to generate a unique fingerprint for the brute-forcing tool used by the attacker. Based on a study using a large honeynet with over 4,500 hosts, which received approximately 35 million compromise attempts over the period of one month, we are able to identify 49 tools from the collected data, corresponding to off-the-shelf tools as well as custom implementations. The method is also able to fingerprint individual versions of tools and, by revealing mismatches between advertised and actually implemented features, detect hosts that spoof identifying information. Based on the generated fingerprints, we are able to correlate login credentials to distinguish distributed campaigns. We uncovered specific adversarial behaviors, tactics, and procedures, frequently exhibiting clear timing patterns and tight coordination. ...

An Analysis of the Brewing of the Largest Packet Storm to Date

Conference paper (2018) - Vincent Ghiette, Christian Doerr
In late February 2018, news spread through the mainstream media about a massive distributed denial-of-service attack on the popular software collaboration website github.com. Estimated at a rate of 1.3 Terabit per second, this massive packet flood was the largest DDoS attack by volume to date, surpassing previous records set by the first IoT-based DDoS attacks in 2017.

In this paper, we analyze the behavior of the actors scanning and probing the Internet for the presence of exploitable memcached servers, which were the root cause of this attack, both before and after the media coverage. We find that the attacks of late February were preceded by a large-scale reconnaissance action a month earlier, and that the attacks were the result of an extended evolution of methods to find a suitable attack strategy. Furthermore, we see that the media coverage of the massive DDoS attack actually triggered another wave of DDoS attacks, resulting in a large influx of new, previously unseen users who appear to be leveraging ready-made tools.
...