Threat Intelligence in the Early Stages of Cyberattacks
V.D.H. Ghiette (TU Delft - Cyber Security)
J. van den Berg – Promotor (TU Delft - Cyber Security)
C. Dörr – Promotor (TU Delft - Computer Engineering)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
In the past years, cybercrime has become an increasing burden on society. Criminals have access to a growing pool of cheap attack resources. In addition, we observe a growing number of Internet-connected devices containing many (new) vulnerabilities, and Internet services full of threats for end users. In response, defending parties have developed cyber threat intelligence (CTI). CTI focuses on collecting, processing, and analyzing data on criminal activities to understand the actors' motives, targets, and behavior, allowing defending parties to understand the cybercrime landscape and adapt their defense strategies accordingly.
Although CTI has been developed and generated for the past decades, many challenges remain to be solved. Most defense systems designed using CTI rely on simple indicators such as hash values and IP addresses, and are therefore easily circumvented by cybercriminals. In addition, the cyber landscape is in continuous motion, causing intelligence to become stale and decreasing the effectiveness of the related defense mechanisms. In this dissertation, we contribute to the state of the art by investigating whether it is possible, in the early stages of attacks, to extract information characterizing the criminal's toolchain and to identify behavioral traits. Generating CTI at the early stage of attacks supports defending parties in developing defense mechanisms able to stop criminals at that stage, preventing them from causing further damage. We focus on gathering CTI related to the tools, tactics, techniques, and procedures attackers use, as these provide the valuable information needed for developing defense systems.
We observe that the scan landscape has changed significantly in the past nine years and that defense mechanisms based on low-value CTI provide insufficient protection. The observed changes and analyses confirm the necessity to continuously monitor the current threat landscape and adapt the defense mechanisms accordingly. Next, we propose a clustering-based methodology that matches randomized scan probe payloads and allows the reconstruction of the templates used by attackers. Using the reconstructed templates, we can detect large-scale scanning campaigns, and we observe a convergence of cybercriminals towards similar toolchains over time, which increases the difficulty of distinguishing between criminal operations. To differentiate similar toolchains, we analyze the fingerprinting of SSH handshakes and reveal that the libraries and their versions used to compile said toolchains can be identified, allowing further differentiation between campaigns and thus behavioral analysis of cybercriminals. We show that attackers employing distinct toolchains at the early attack stages behave differently at later attack stages. Finally, we analyze Mirai brute-forcing attacks, identifying the different botnet configurations cybercriminals use. We simulate competing botnets configured with the observed settings and conclude that the implemented changes improve the botnet's success rate, indicating that criminals are constantly refining their operations.
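As an added illustration of the template-reconstruction idea described above (example code written for this page, not the dissertation's own method, data or thresholds): constructed honeypot-style HTTP probes are tokenized, greedily merged into templates in which randomized fields become wildcards, and a template seen from several distinct sources is flagged as a scanning campaign. The 0.75 fixed-field threshold, the three-source campaign cutoff and the sample payloads are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample probes (source IP, payload); not captured traffic.
# Toolchain A randomizes only the request path; toolchain C also uses a
# different User-Agent, so both share a token layout but not all fixed fields.
PROBES: List[Tuple[str, str]] = [
    ("203.0.113.10", "GET /a8f3c1 HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("203.0.113.11", "GET /zq91pd HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("203.0.113.12", "GET /m0xx7e HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("203.0.113.12", "GET /k3f0aa HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("198.51.100.7", "GET /b2c4d6 HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
    ("198.51.100.8", "GET /e1f2a3 HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: python-requests/2.0\r\n\r\n"),
]

DELIM = re.compile(r"(\s+|/)")  # capture delimiters so a template can be re-joined

def tokenize(payload: str) -> List[str]:
    return DELIM.split(payload)

def is_field(tok: str) -> bool:
    """True for tokens that carry content (not whitespace, '/' or empty)."""
    return bool(tok) and not tok.isspace() and tok != "/"

def merge(a: List[str], b: List[str]) -> List[str]:
    """Position-wise consensus: differing tokens become the wildcard '*'."""
    return [x if x == y else "*" for x, y in zip(a, b)]

def fixed_ratio(template: List[str]) -> float:
    """Share of content fields that are still fixed (not wildcarded)."""
    fields = [t for t in template if is_field(t) or t == "*"]
    return sum(t != "*" for t in fields) / len(fields)

def reconstruct_templates(probes, min_fixed: float = 0.75) -> Dict[str, Set[str]]:
    """Greedy clustering: a probe joins a cluster only if merging it keeps at
    least min_fixed of the content fields constant; otherwise it seeds a new one."""
    clusters: List[Tuple[List[str], Set[str]]] = []
    for src, payload in probes:
        toks = tokenize(payload)
        for i, (tpl, sources) in enumerate(clusters):
            if len(tpl) == len(toks) and fixed_ratio(merge(tpl, toks)) >= min_fixed:
                clusters[i] = (merge(tpl, toks), sources | {src})
                break
        else:
            clusters.append((toks, {src}))
    return {"".join(tpl): sources for tpl, sources in clusters}

def campaigns(templates: Dict[str, Set[str]], min_sources: int = 3) -> Set[str]:
    """A template reused by many distinct sources indicates a coordinated campaign."""
    return {t for t, s in templates.items() if len(s) >= min_sources}
```

Probes whose randomized field contains a delimiter change the token count and will not merge; a real deployment would need an alignment step rather than this equal-length shortcut.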
In summary, we contribute to the state of the art by generating CTI characterizing the tools, tactics, techniques, and procedures attackers use. The generated CTI spans multiple layers of the attackers' toolchains, providing actionable intelligence at the early attack stages. The generated intelligence can therefore contribute to the design of defense-in-depth systems aimed at mitigating cyberattacks.