Just a couple of years ago, attackers mostly used the same tools and techniques, and by looking for these ‘knowns’ and incorporating that information into semi-automated detection systems, we had a reasonable line of defense. Today this is no longer the case. We are constantly confronted with unknown actors as well as new attack vectors, changing methods and customized tooling. Protecting an organization with a high-risk profile against cyber threats has become a game of cat and mouse: once a new security system is implemented, hackers will immediately try to break it. It is therefore important to understand the threat landscape and the associated risks. To stay ahead of cyber adversaries, it is no longer sufficient to protect against known threats; organizations also have to be able to protect themselves against unknown ones.
Today, the cyber domain is counted as the fifth domain of warfare after land, sea, air and space, because of its potential to be as destructive as the other domains. Mankind has witnessed a large number of devastating attacks coming from the cyber domain targeting governments, critical infrastructures, enterprise organizations and other important entities. It is not difficult to imagine how disastrous it is for a critical infrastructure to be out of service for many hours or days as a result of a cyber attack. Many large enterprise organizations are confronted with cyber attacks that are a real threat to their reputation, privacy and availability. There are also many examples of cyber attacks targeting banks or other financial organizations that have resulted in the theft of mind-boggling amounts of money and customer information. Governmental organizations are likewise under threat of espionage-motivated cyber attacks, which are mostly state-sponsored and well organized. In response to the threats from the cyber domain described briefly above, hardware- and software-based protection techniques have been developed and deployed over the last decades. However, experience to date has shown that the security measures developed so far are not sufficient by themselves for full protection against cyber attacks.
Conclusion and future work
Efficient and fully automated collection and processing of data from very heterogeneous sources poses a challenge. Especially in the cyber security industry it is important to gather as much information as possible about malicious files, websites, and activities, in order to provide the best possible protection to the users of security software. In particular, proactively gathering information from third parties is crucial to achieve protection for the “first customer”, i.e. the first user of a security software who encounters a malicious file or visits a malicious website. Without getting information about these samples from a different source, the security provider can only wait and react after their first customer has encountered the malware and possibly been infected, scammed, etc.
Sharing Cyber Threat Intelligence (CTI) is a key strategy for improving cyber defense, but there are risks of breaching regulations and laws regarding privacy. With regulations such as the General Data Protection Regulation (GDPR) that are designed to protect citizens’ data privacy, the managers of CTI datasets need clear guidance on how and when it is legal to share such information. This paper defines the impact that GDPR legal aspects may have on the sharing of CTI. In addition, we define adequate protection levels for sharing CTI to ensure compliance with the GDPR. We also present a model for evaluating the legal requirements to support decision making when sharing CTI, which also includes advice on the required protection level. Finally, we evaluate our model using use cases of sharing CTI datasets between entities.
Threat intelligence is used to combat the efforts of threat agents such as hackers. In response, threat agents try to counter the efforts of the defenders by changing the resources or procedures they use. Attackers can make changes on their end to render indicators of compromise obsolete. Some indicators are harder to change than others, as seen in Figure 2. Changing malware hash values is trivial, as a change to any single byte is enough to generate a new hash. Switching IP addresses takes more effort, but an attacker with a botnet of thousands of computers has a wide selection of addresses to use. At the other end of the spectrum, it would be difficult for attackers to craft entirely new malware capable of evading detailed intrusion detection rules such as YARA signatures. Similarly, if tactical threat intelligence is used to thwart the attacker’s tactics, techniques, and procedures, the attacker would need considerably more effort to come up with new ways to attack the target system.
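The hash-versus-signature point above, as an added worked example that is not part of the original text: a constructed byte string stands in for a malware sample, one byte is flipped, and the code checks which indicator type survives the change. The sample bytes, the SHA-256 indicator and the YARA-style content rule (written here as a Python regex with a one-byte wildcard) are all constructed for the illustration.

```python
"""Added example: why hash indicators expire faster than content rules.
All inputs are constructed; nothing here is a real malware sample."""
import hashlib
import re

# Constructed stand-in for a binary: a header, padding, and a marker
# string an analyst might write a content rule for. Purely illustrative.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"cmd=beacon;host=example.invalid" + b"\x00" * 16
)

# YARA-style rule: fixed bytes around one wildcard position (YARA's "??"),
# expressed as a regex over bytes so it runs without YARA installed.
CONTENT_RULE = re.compile(rb"cmd=b.acon;host=", re.DOTALL)


def sha256_hex(data: bytes) -> str:
    """Hash-based indicator: the SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of data with the byte at index XORed with 0x01."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


def content_rule_matches(data: bytes) -> bool:
    """Content-based indicator: does the byte pattern still appear?"""
    return CONTENT_RULE.search(data) is not None


def compare_indicators(sample: bytes, flip_index: int) -> dict:
    """Report whether each indicator type survives a one-byte change."""
    mutated = flip_byte(sample, flip_index)
    return {
        "hash_still_matches": sha256_hex(sample) == sha256_hex(mutated),
        "content_rule_still_matches": content_rule_matches(mutated),
    }


if __name__ == "__main__":
    # Padding byte (index 10) and the wildcarded byte (index 41): the hash
    # changes, the content rule still fires. A fixed byte of the pattern
    # (index 44) breaks the rule, which is the higher cost the text describes.
    for idx in (10, 41, 44):
        print(idx, compare_indicators(ORIGINAL_SAMPLE, idx))
```

Indices 10 and 41 change the hash but leave the rule matching; index 44 shows that defeating the content rule requires changing the pattern the rule actually pins down.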
Hence, SIEM systems must also comply with the regulations themselves, which leads to conflicting interests. On the one hand, SIEM systems rely on personal data such as information from identity and access management (IAM) to achieve high detection rates for incidents and thus a high level of protection. On the other hand, the requirements of the GDPR suggest that investigations of data streams as carried out in current SIEM systems may no longer be legally compliant. To complicate things even further, regulations regarding the handling of digital evidence mandate that the authenticity and integrity of the data related to an incident be guaranteed at all times in order to maintain its high legal probative value. It is therefore necessary to find the best trade-off between those two demands. With this work we attempt to fill the resulting research gap and to harmonize legal GDPR requirements with the technical architecture of SIEM systems. To bridge the gap between the disciplines of computer science and law and to produce the most reliable results possible, this paper was written by IT security researchers in collaboration with a lawyer. A central idea is the integration of anonymization and pseudonymization into threat analytics mechanisms. While this makes it necessary to change the original data, it is possible to maintain legal integrity and authenticity by using redactable and sanitizable signatures, a cryptographic concept that retains a level of authenticity sufficient for a suitable level of legal evidence even when data is obfuscated or certain parts of it are missing. We deploy cryptography to balance authenticity proofs for the collected security-related events against the confidentiality requirements of information about commercially relevant internals (trade secrets) and employees’ as well as customers’ privacy (personal data).
Thus, our goal is to minimize the amount of data made accessible to third parties in every step of the SIEM process. By enforcing this with cryptography, the proposed system adheres to the security-by-design principle of least privilege as well as the privacy-by-design principle of data minimization. At the same time we aim to keep the impact on detection as low as possible, and thus we provide an auditable process to gain access to more details if security analysis is needing
At the most basic level, intelligence must be forward-looking. Forensics and “digital dumpster diving” can provide pathology, but cyber professionals need to know what the next attack will likely be, not a rear-view-mirror understanding of attacks that already happened. iSIGHT Partners has 200+ people in 16 countries focused on the cyber underground. We see what the threats are before they materialize into active events.
There is cyber threat intelligence in both industry and government. If parties on both sides could increase their sharing, it would be good for collective defense. Understanding the issues each faces and some key perceptions may help enhance this sharing.
domains based on their popularity across resolvers. The authors validate their approach on Italian Internet domains. The ranking is based on node degree and eigenvector centrality metrics. Regarding threat network analysis, Nadji et al. make an outstanding effort to unveil the structure of criminal networks. They use the DNS history of known C&Cs, IP addresses found in blacklists, and spam URLs to build graphs. They develop a method based on the eigenvector metric to identify general structural trends and determine which strategy should be adopted for effective remediation through take-down. The authors show that in many cases, by de-registering five domain names, many criminal networks can be taken down. Moreover, in one highlighted case, disabling 20% of criminal network hosts reduces the volume of successful DNS look-ups by 70%. Despite the interesting results shown by Nadji et al., we aim to provide more insightful information related to cyber-threat infrastructures by including new actors such as malware families, second-level domains, organizations, owners, etc. We also focus on the study of the evolution of cyber-threat infrastructures to understand their scale and forecast their potential evolution in the near future.
While no individual technique in HAMMERTOSS is new, APT29 has combined them into a single piece of malware. Individually, each technique offers some degree of obfuscation for the threat group’s activity. In combination, these techniques make it particularly hard to identify HAMMERTOSS or spot its malicious network traffic; determine the nature and purpose of the binary; discern the malware’s CnC method and predict its CnC accounts; capture and decode second-stage CnC information; and pinpoint and decrypt the image files containing malware commands. This makes HAMMERTOSS a powerful backdoor at the disposal of one of the most capable threat groups we have observed.
Evidence for the use of steganography by the al-Qaeda terrorist organization is the arrest in Berlin in 2012 of a 22-year-old Austrian who had just arrived from Pakistan. It was later confirmed that he was a member of this terrorist organization. The digital storage and memory cards he tried to hide were password protected and the information on them was hidden. After the initial analysis it was found that buried inside the memory cards were a pornographic video, “Kick Ass”, and a file named “Sexy Tanja”. A few weeks later, after great efforts to crack the password and the software used to make the file almost invisible, German researchers decoded from the video a treasure trove of intelligence: over 100 documents, including firsthand al-Qaeda accounts of some of the group’s plots and a bolder road map for future operations for which neither the date nor the location was specified. Various terrorist training manuals used by this organization were also found. All these data were hidden using steganographic tools.
Equally, with targeted searches there is the occasion to highlight, evaluate and determine whether those examined are legitimate targets. It is not too difficult to discern those individuals who manufacture, maintain or use the website to facilitate the threat. However, for visitors to be linked to the conspiracy they must be connected through one overt act that shows complicity in the threat. Complicity might include a relationship that provides either intellectual or direct logistical support, often demonstrated by the transfer of money and/or goods, mutual communication on a members-only password-protected site, or other actions that reflect the intent to cause others harm. This would also include knowing about the threat and not acting to prevent it. Luckily, determining contributors to these types of websites can be relatively easy. Their closed nature means that participation can be demonstrated through signing up and using passwords to gain access, contributing to the organisation of the threat, or sanctioning or encouraging an operation through dialogue. Each of these requires an exerted effort by the visitor, marking their contribution to part of the threat.
The archives of the mailing list are available via Nabble (http://mantis-threat-intelligence-management-framework-discussion-list.57317.x6.nabble.com/). Many thanks to the TF-CSIRT Trusted Introducer for their support in hosting the list! All issues regarding Mantis and its components are tracked on the Mantis Issue Tracker (https://github.com/siemens/django-mantis/issues?state=open).
The table below shows the top attacks that were captured attacking Pakistan’s cyber space. Suspicious traffic to MSSQL port 1433 dominates with a total share of 39%. Verify whether any of the services listed below are running in your environment. It is advised to apply the latest security updates to all exposed services and to ensure that complex passwords are enforced.
concluded that most of the scanning activities were characterized by intensive scans of a specific host. Furthermore, they found that few port scanning activities take place over a wide destination port space. Harrop and Armitage [218, 219] describe a system in which 3D game engine technology is used to enable collaborative network control. The proposed approach leverages simple interaction techniques by translating network events into visual activities. Their idea is to monitor a darknet whose network state is represented in the 3D world by avatars spinning and jumping, visually alerting network operators to a network anomaly. The operators can then detect and shoot the alerting avatars to trigger a firewall access control list on a border router, preventing any further attacks. In similar work, Parry describes the L3DGEWorld project, which is based on the OpenArena open source game engine platform. The approach aims to visualize network data using the engine of a specific game. It describes the input interface to the L3DGEWorld server, which can be used to visualize and represent data in real time, and also an output abstraction layer through which data is passed from the virtual platform to an external daemon on the output interface.
Languages play an important role in selecting an effective threat intelligence provider. Cyber threats are a global phenomenon, and a provider that offers no coverage of, for example, Russian and Mandarin Chinese online threats will miss a significant proportion of relevant information. Therefore providers with staff who can demonstrate fluency in key foreign languages will offer a considerable advantage. This includes ensuring that the provider’s technology can ingest, process and manage content in multiple languages.
& control servers (C&Cs) of malicious networks enclosing infected machines. C&Cs communicate with bots through DNS queries to perpetrate malicious activities like key-logging, spamming and spreading infections through networks. The DNS protocol has also been used to conduct reflection DDoS attacks. As such, there is a need to generate cyber-threat intelligence from replicated DNS traffic. Thus, some research efforts [3,4,7,8,40] put an emphasis on using passive DNS to detect malicious activities as well as DNS abuses. They mainly use classification techniques to segregate malicious domains from benign domains or to detect fast-flux malicious services. In spite of the interesting results obtained by the systems proposed in the aforementioned works, they do not integrate an all-in-one solution to gather threat intelligence. To this end, the availability of a tool that detects passive DNS anomalies is of great help to security experts, since it allows them to pinpoint abnormal DNS activities (e.g., frequent change of city for a given domain, abrupt changes in DNS query numbers, detection of new fast-fluxing IPs, TTL value changes, malicious abuse of DNS records). These abnormal activities are considered good indicators for detecting zero-day attacks, and can be correlated with malware analysis. We see our work as different in proposing a system that integrates an all-in-one solution with the following capabilities:
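Two of the passive DNS anomalies listed above (fast-fluxing IPs and abrupt TTL changes), as an added example that is not the paper's own tool: a minimal detector run over constructed passive DNS observations. The record layout, the 900-second window, the five-address threshold and the 4x TTL-drop ratio are assumptions chosen for the illustration.

```python
"""Added example: two passive-DNS anomaly checks over constructed records.
Record format and thresholds are assumptions, not the paper's design."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive DNS observations: (timestamp_s, rrname, rdata, ttl).
# "cdn.example.test" behaves like a stable host; "flux.example.test" rotates
# addresses every two minutes and then drops its TTL.
RECORDS = [
    (0,    "cdn.example.test",  "198.51.100.10", 3600),
    (600,  "cdn.example.test",  "198.51.100.10", 3600),
    (1200, "cdn.example.test",  "198.51.100.11", 3600),
    (0,    "flux.example.test", "203.0.113.5",   300),
    (120,  "flux.example.test", "203.0.113.9",   300),
    (240,  "flux.example.test", "203.0.113.17",  300),
    (360,  "flux.example.test", "203.0.113.33",  300),
    (480,  "flux.example.test", "203.0.113.41",  300),
    (600,  "flux.example.test", "203.0.113.57",  60),
]


def fast_flux_candidates(records, window_s=900, min_distinct_ips=5) -> List[str]:
    """Names that resolve to at least min_distinct_ips distinct addresses
    within some window_s-second window of observations (IP churn)."""
    by_name: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, name, rdata, _ttl in sorted(records):
        by_name[name].append((ts, rdata))
    flagged = []
    for name, obs in by_name.items():
        for i, (start, _) in enumerate(obs):
            ips = {ip for ts, ip in obs[i:] if ts - start <= window_s}
            if len(ips) >= min_distinct_ips:
                flagged.append(name)
                break
    return flagged


def ttl_drops(records, min_ratio=4.0) -> List[Tuple[str, int, int]]:
    """(name, old_ttl, new_ttl) whenever a name's TTL falls by min_ratio or
    more between consecutive observations (abrupt TTL change)."""
    last_ttl: Dict[str, int] = {}
    drops = []
    for _ts, name, _rdata, ttl in sorted(records):
        prev = last_ttl.get(name)
        if prev is not None and ttl > 0 and prev / ttl >= min_ratio:
            drops.append((name, prev, ttl))
        last_ttl[name] = ttl
    return drops


if __name__ == "__main__":
    print("fast-flux candidates:", fast_flux_candidates(RECORDS))
    print("TTL drops:", ttl_drops(RECORDS))
```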
Directly or indirectly, websites are part of an attack process. To detect these kinds of attack attempts, security solutions such as IDS, web proxies with SSL interception capabilities, automatic sandboxing features and various monitoring solutions are used. Expressed as a chain of activities, this approach covers only the intrusion parts of the cyber kill chain. Thereafter, most commonly, an incident response is triggered. To take a step further, the next phase is called active defense. This refers to the process of monitoring for and learning from malicious activity. The outcome of the learning process is stored in a CTI database. This last step before offense is also referred to as active defense CTI gathering and validation, in which the collected data is converted into reusable information to detect similar attacks from the same adversaries. Lastly, these databases need to be revalidated constantly to avoid threat hunting or cyber threat incident response based on outdated, false-positive threat intelligence. A low-level, rapid and automated solution can give a much quicker initial verdict than any high-level, resource-consuming ATD system.