DKaaS: DARK-KERNEL as a service for active cyber threat intelligence

Abstract

Cyber Threat Intelligence(CTI) plays an indispensable role in providing evidence-based knowledge to plan defensive strategies against advanced cyber attacks. Most threat intelligence data originate from security researchers, vendor blogs, list of threat indicators, and commercial cyber security firms. However, as attack surfaces become more dynamic and threat actors shift towards organization/sector-specific attacks, generic threat information is no longer adequate to safeguard against these targeted attacks. In such scenarios, darknet data can be an invaluable source of threat information at the enterprise level as in darknet, the traffic is destined for a range of unused IP addresses. As these IP addresses are unused, the traffic destined for them is considered suspicious and can serve as a valuable source for threat intelligence. Darknet monitoring is done in either active or passive mode. Passive darknet monitoring gives generic information without active engagement with the attacker devices. So, we developed a novel method for gathering threat intelligence via active darknet monitoring by designing a kernel-level darknet sensor that engages incoming traffic by establishing a 3-way handshake. We called it DARK-KERNEL in our previous work. This work aims to implement DARK-KERNEL as a Service (DKaaS) for organization-level threat intelligence. To achieve this, we deploy the DARK-KERNEL by assigning four unused public IP addresses. We gather 37 days of traffic and provide a comprehensive analysis of captured data using Security Onion and several automated scripts. In addition, we highlight a few attacks to define the effectiveness of DKaaS. Finally, we propose a novel framework that integrates DKaaS with a customizable Security Orchestration and Response (SOAR) engine to deploy behavioral honeypots to lure sophisticated attackers.