Threat Actors Research Articles

Data breach in the travel sector and strategies for risk mitigation

The airline industry relies heavily on personal data for transactions. This paper discusses the British Airways data breach of 2018, how the attack unfolded and problems that led to the attack. It provides examples of other airline-breach incidents through the years, how they were handled, and shows different types of risks airlines face today that should be addressed. Personal data has become increasingly attractive to hackers, and this paper highlights privacy law compliance, the importance of protecting and securing data in the industry including vulnerabilities and levels of acceptable risk in third-party transactions. It reviews various publications and resources about the cyberattack and describes risk mitigation strategies that airlines should implement that would significantly reduce cyber risks. As threat actors adapt with methods of cyberattacks, proper steps should be taken to mitigate these risks.

ProcmonML: Generating evasion resilient host-based behavioral analytics from tree ensembles

Host-based analytics are useful for identifying nefarious activity and limiting the impact of an adversary's cyber attack on an endpoint. The majority of open-source host-based analytics are heuristic in nature and often rely on matching combinations of strings to produce an alert. Recent threat reports demonstrate that threat actors are able to easily evade these types of analytics via variances in attack techniques, implementation differences, or simple string/parameter modifications. This work introduces a novel machine learning-based approach (procmonML) to generate true behavioral host-based analytics that are more resilient to adversary evasion, thus imparting more workload on the adversary to successfully evade detection. This is accomplished by consolidating multiple system events into a single process event. Analytics are generated from a tree ensemble model using labeled host data from a lab environment and are validated on production enterprise endpoints. This approach can detect multiple variations of a single attack technique by capturing and generalizing system behaviors. The results demonstrate that the procmonML approach is able to effectively generate host-based analytics that are applicable to new environments and more resilient to adversary evasion.

Towards a Multi-Layered Phishing Detection

Phishing is one of the most common threats that users face while browsing the web. In the current threat landscape, a targeted phishing attack (i.e., spear phishing) often constitutes the first action of a threat actor during an intrusion campaign. To tackle this threat, many data-driven approaches have been proposed, which mostly rely on the use of supervised machine learning under a single-layer approach. However, such approaches are resource-demanding and, thus, their deployment in production environments is infeasible. Moreover, most previous works utilise a feature set that can be easily tampered with by adversaries. In this paper, we investigate the use of a multi-layered detection framework in which a potential phishing domain is classified multiple times by models using different feature sets. In our work, an additional classification takes place only when the initial one scores below a predefined confidence level, which is set by the system owner. We demonstrate our approach by implementing a two-layered detection system, which uses supervised machine learning to identify phishing attacks. We evaluate our system with a dataset consisting of active phishing attacks and find that its performance is comparable to the state of the art.

The Creation of Network Intrusion Fingerprints by Graph Homomorphism

Attack attribution in cyber-attacks tends to be a qualitative exercise with a substantial room forerror. Graph theory is already a proven tool for modeling any connected system. Utilizing graph theory canprovide a quantitative, mathematically rigorous methodology for attack attribution. By identifyinghomomorphic subgraphs as points of comparison, one can create a fingerprint of an attack. That would allowone to match that fingerprint to new attacks and determine if the same threat actor conducted the attack. Thiscurrent study provides a mathematical method to create network intrusion fingerprints by applying graph theoryhomomorphisms. This provides a rigorous method for attack attribution. A case study is used to test thismethodology and determine its efficacy in identifying attacks perpetrated by the same threat actor and/or usingthe same threat vector.

ChildShield: A rating system for assessing privacy and security of internet of toys

The wave of IoT has spread across the toy market providing designers opportunities for bringing innovation into children’s play in the form of toys that can adapt, connect and communicate referred to as Internet of Toys (IoToys). Research and media reports have underscored the potential misuse by threat actors for surveillance, theft of children’s personal information, opening a covert channel of communication with children and influencing their thoughts and actions. Currently there is a lack of standard labelling system for internet safety of toys that makes it difficult for parents to make the right choice while purchasing. Consumer awareness is critical in this area because of the vulnerability of children, who are the ultimate users. This research identifies the factors affecting privacy and security of IoToys and proposes a methodology for evaluation of toys based on these factors. ChildShield, a privacy and security label, has been recommended as a communication tool between toy manufacturers and consumers.

Cyber Threat Actors for the Factory of the Future

The increasing degree of connectivity in factory of the future (FoF) environments, with systems that were never designed for a networked environment in terms of their technical security nature, is accompanied by a number of security risks that must be considered. This leads to the necessity of relying on risk assessment-based approaches to reach a sufficiently mature cyber security management level. However, the lack of common definitions of cyber threat actors (CTA) poses challenges in untested environments such as the FoF. This paper analyses policy papers and reports from expert organizations to identify common definitions of CTAs. A significant consensus exists only on two common CTAs, while other CTAs are often either ignored or overestimated in their importance. The identified motivations of CTAs are contrasted with the specific characteristics of FoF environments to determine the most likely CTAs targeting FoF environments. Special emphasis is given to corporate competitors, as FoF environments probably provide better opportunities than ever for industrial espionage if they are not sufficiently secured. In this context, the study aims to draw attention to the research gaps in this area.

Fraud matrix: A morphological and analysis-based classification and taxonomy of fraud

A comprehensive taxonomy of fraud is presented based on morphological analysis, attribute listing and matrix analysis. Fraud matrix and tree classification frameworks are presented and discussed. They are then utilized to classify and explain a number of the different types of frauds, shown in the fraud matrix classification framework. First, triangular attributes of fraud are formulated, followed by fraud channels and elementary fraud features. Several well-known fraud types are identified using the proposed fraud classification framework. Further, new fraud types are discovered using the framework, for example, transactional frauds, automated frauds, synchronized fraud, unwitting accomplice, and ‘Robin Hood’ fraud. The importance of the taxonomy is that it can be used to classify both existing and newly identified fraud types in a way and manner that has not been previously reported; that is, it offers understanding to the different classes of frauds, the inherent threat actors behind such frauds, their capabilities, intent and the resulting nature of the frauds. This taxonomy has potential to offer insight in how appropriate countermeasures to mitigating the different types of frauds could be formulated.

An Ensemble of Deep Recurrent Neural Networks for Detecting IoT Cyber Attacks Using Network Traffic

Internet-of-Things (IoT) devices and systems will be increasingly targeted by cybercriminals (including nation state-sponsored or affiliated threat actors) as they become an integral part of our connected society and ecosystem. However, the challenges in securing these devices and systems are compounded by the scale and diversity of deployment, the fast-paced cyber threat landscape, and many other factors. Thus, in this article, we design an approach using advanced deep learning to detect cyber attacks against IoT systems. Specifically, our approach integrates a set of long short-term memory (LSTM) modules into an ensemble of detectors. These modules are then merged using a decision tree to arrive at an aggregated output at the final stage. We evaluate the effectiveness of our approach using a real-world data set of Modbus network traffic and obtain an accuracy rate of over 99% in the detection of cyber attacks against IoT devices.

How Threat Actors are Manipulating the British Information Environment

This article explores how threat actors are manipulating the British information environment and provides recommendations for how the government and citizenry might defend themselves. Daniel Dobrowolski, David V Gioe and Alicia Wanless argue that enforcing heavy moderation of content is counterproductive and that civic education, transparency and ongoing research into the methods that threat actors use are essential to guide an effective response and provide original research towards this end. Through a case study approach, the article assesses two recent type-case informational threats and considers the role the UK government can play, as a model for other Western states facing similar threats, in defending against them.■

A data analytical approach for assessing the efficacy of Operational Technology active defenses against insider threats

In recent years, the need for Operational Technology (OT) defenses has been recognized, serving as an additional line of defense when Information Technology (IT) defenses are bypassed. This is no longer considered an uncommon possibility when dealing with advanced persistent threat (APT) actors expected to be state-sponsored and receiving insider assistance. In these extreme adversarial situations, OT defenses aim to provide another layer of defense for the system, introduced directly at the physical process level, as described by the sensors data, the system model, and control actions. Just like IT defenses, two schools of thought, i.e., passive and active defenses, have emerged to address this challenge. In active defenses, representing the focus of this paper, known signatures, synthesized based on the system's unique characteristics, are inserted into the system. In contradistinction, passive methods rely solely on observing system behavior in search of patterns of normal behavior with deviations thereof representing abnormal behavior. In their most sophisticated implementations, both passive and active defenses rely on the use of data analytics to identify the patterns and synthesize the observed and/or inserted signatures. Past research has shown that passive defenses may be bypassed by APT actors relying on data analytics and their intimate knowledge of the system to evade detection by respecting the patterns identified by the defenders. Thus, this manuscript explores the use of active defenses under the assumption that the attacker has privileged access to the system, including access to the system's model and sensors data. Specifically, this manuscript assesses the ability of active defenses to remain invisible to the attackers, and discusses the associated challenges that must be addressed to ensure their resiliency against APT actors.

Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

Emergence of crypto-ransomware has significantly changed the cyber threat landscape. A crypto ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to re-instantiate custodian access by decrypting data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first setup an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99 percent accuracy in detecting ransomware instances from goodware samples and 96.5 percent accuracy in detecting family of a given ransomware sample. Our results indicate usefulness and practicality of applying pattern mining techniques in detection of good features for ransomware hunting. Moreover, we showed existence of distinctive frequent patterns within different ransomware families which can be used for identification of a ransomware sample family for building intelligence about threat actors and threat profile of a given target.

Advanced malicious beaconing detection through AI

As efforts to more securely protect the world's privacy and data continue to improve, with the introduction of stricter compliance regulations and the deployment of increasingly complex network infrastructures, so too has enterprise adoption of and reliance on encryption. Cryptographic encryption protocols, namely secure sockets layer (SSL) and its successor, transport layer security (TLS), were estimated by Gartner to be implemented across 80% of enterprise web traffic in 2019, and the Ponemon Institute found that 43% of organisations had a consistent, enterprise-wide encryption strategy in place in 2018. 1,2 As efforts to more securely protect the world's privacy and data continue to improve, so too has enterprise adoption of and reliance on encryption. However, threat actors have also started to leverage encryption and are hiding their nefarious activities among regular encrypted traffic, making malicious packets nearly impossible to detect. Fortunately, by using AI, enterprises can achieve a quicker and more accurate analysis of all traffic on their network to check for beaconing behaviour, explains Yessine Borchani of Barac.

The AI-Based Cyber Threat Landscape

Recent advancements in artificial intelligence (AI) technologies have induced tremendous growth in innovation and automation. Although these AI technologies offer significant benefits, they can be used maliciously. Highly targeted and evasive attacks in benign carrier applications, such as DeepLocker, have demonstrated the intentional use of AI for harmful purposes. Threat actors are constantly changing and improving their attack strategy with particular emphasis on the application of AI-driven techniques in the attack process, called AI-based cyber attack , which can be used in conjunction with conventional attack techniques to cause greater damage. Despite several studies on AI and security, researchers have not summarized AI-based cyber attacks enough to be able to understand the adversary’s actions and to develop proper defenses against such attacks. This study aims to explore existing studies of AI-based cyber attacks and to map them onto a proposed framework, providing insight into new threats. Our framework includes the classification of several aspects of malicious uses of AI during the cyber attack life cycle and provides a basis for their detection to predict future threats. We also explain how to apply this framework to analyze AI-based cyber attacks in a hypothetical scenario of a critical smart grid infrastructure.

Machine learning approach for detection of fileless cryptocurrency mining malware

Cybercrime is the highest threat to every private company and government agency in the world. Using synergistic threats to attack provides many success alternatives that lead to the same goal, which is to take over the network and carry out illegal mining activities using CPU resources from the victim’s computer. One of the main motives for the success of this criminal business is its relatively low cost and high return of investment. Using the infection chain method in carrying out cryptocurrency mining malware attacks with fileless techniques involves loading malicious code into system memory. Monero (XMR) is by far the highest popular cryptocurrency among threat actor installing mining malware because it comes with full anonymity and resistance to an application-specific circuit mining (ASIC). This work proposes a better method for classifying conventional malware and cryptocurrency mining malware. On the other hand, grouping specific of suitable features extracted from the sources of EMBER dataset shown as malware and need to categorize as a cryptocurrency mining malware. The proposed approach is defining a better algorithm for enhancing accuracy and efficiency for cryptocurrency mining malware detection.

Analysis of Malware Communities Using Multi-Modal Features

Identifying possible threat actors from samples of malware remains an active area of research with important ramifications for cybersecruity practitioners. The unsupervised identification and characterization of malware samples has been primarily treated as an early integration, multi-modal clustering problem where all possible features derived from the samples are concatenated into one feature vector, which can then be fed into a standard unsupervised learning algorithm. In this work, we focus on characterizing malware samples into possible threat actors from both late integration and intermediate integration multi-modal data perspectives. In doing so, we propose a new algorithm, Cross-Modal Influence Clustering, for characterizing malware samples into threat actor groups. We test our proposed method along with several other multi-modal clustering techniques on heterogeneous malware samples from three different threat actors. Our results indicate that our proposed method is the best method for clustering malware samples into threat actors in an unsupervised setting and that we observe consistently better results in characterizing malware samples by threat actors from intermediate or late integration multi-modal paradigms rather than an early integration one.

Efficient Non-Linear Covert Channel Detection in TCP Data Streams

Cyber-attacks are causing losses amounted to billions of dollars every year due to data breaches and Vulnerabilities. The existing tools for data leakage prevention and detection are often bypassed by using various different types of sophisticated techniques such as network steganography for stealing the data. This is due to several weaknesses which can be exploited by a threat actor in of existing detection systems. The weaknesses are high time and memory training complexities as well as large training datasets. These challenges become worse when the amount of generated data increasing in every second in many realms. In addition, the number of false positives is high which make them inaccurate. Finally, there is a lack of a framework catering the needs such as raising alerts as well as data monitoring and updating/adapting of a threshold value used for checking the data packets for covert data. In order to overcome these weaknesses, this paper proposes a novel framework that includes elements such as continuous data monitoring, threshold maintenance, and alert notification. This paper also proposes a model based on statistical measures to detects covert data leakages, especially for non-linear chaotic data. The main advantage of proposed model is its capability to provide results with tolerance/threshold values much more efficiently. Experiment are indicated that the proposed framework has low false positives and outperforms over various existing techniques in terms of accuracy and efficiency.

Privacy Challenges With Protecting Live Vehicular Location Context

Future Intelligent Transport Systems (ITS) will require that vehicles are equipped with Dedicated Short Range Communications (DSRC). With these DSRC capabilities, new privacy threats are emerging that can be taken advantage of by threat actors with little experience and cheap components. However, the origins of these privacy threats are not limited to the vehicle and its communications, but extend to non-vehicular devices carried by the driver and passengers. A shortcoming of existing work is that it tends to focus on a specific aspect of privacy leakage when attempting to protect location privacy. In doing so, interactions between privacy threats are not considered. In this work, we investigate the privacy surface of a vehicle by considering the many different ways in which location privacy can be leaked. Following this, we identify techniques to protect privacy and that it is insufficient to provide location privacy against a single threat vector. A methodology to calculate the interactions of privacy preserving techniques is used to highlight the need to consider the wider threat landscape and for techniques to collaborate to ensure location privacy is provided against multiple sources of privacy threats where possible.

The Remarkable 10th Anniversary of Stuxnet

It has been ten years since Stuxnet, a highly sophisticated malware that was originally aimed at Iran’s nuclear facilities, was uncovered in 2010. Stuxnet is considered to be the first cyber weapon, used by a nation state threat actor in a politically motivated cyberattack. It has significantly changed the cybersecurity landscape, since it was the first publicly known malware that could cause physical damage to real processes or equipment. Its complexity and level of sophistication, due to the exploitation of four different zero-day vulnerabilities in Windows and the usage of two stolen certificates, has triggered a paradigm shift in the cybersecurity industry. The recently uncovered cyber espionage campaign known as SolarStorm is a worthy anniversary celebration for Stuxnet. Especially because now the tables have turned. This campaign targeted the United States Government and its interests with a highly sophisticated supply chain attack through the exploitation of the SolarWinds Orion Platform used by thousands of public and private sector customers for infrastructure monitoring and management. In this article, I attempt to summarise the key points about the malware deployed in the SolarStorm campaign that can be drawn from reports available at the time of the writing.

Cyber Threat Intelligence for Improving Cybersecurity and Risk Management in Critical Infrastructure

Cyber-attack is one of the significant threats affecting to any organisation specifically to the Critical Infrastructure (CI) organisation. These attacks are nowadays more sophisticated, multi-vectored and less predictable, which make the Cyber Security Risk Management (CSRM) task more challenging. Critical Infrastructure needs a new line of security defence to control these threats and minimise risks. Cyber Threat Intelligence (CTI) provides evidence-based information about the threats aiming to prevent threats. There are existing works and industry practice that emphasise the necessity of CTI and provides methods for threat intelligence and sharing. However, despite these significant efforts, there is a lack of focus on how CTI information can support the CSRM activities so that the organisation can undertake appropriate controls to mitigate the risk proactively. This paper aims to fill this gap by integrating CTI for improving cybersecurity risks management practice specifically focusing on the critical infrastructure. In particular, the proposed approach contributes beyond state of the art practice by incorporating CTI information for the risk management activities. This helps the organisation to provide adequate and appropriate controls from strategic, tactical and operational perspectives. We have integrated concepts relating to CTI and CSRM so that threat actor's profile, attack detailed can support calculating the risk. We consider smart grid system as a Critical Infrastructure to demonstrate the applicability of the work. The result shows that cyber risks in critical infrastructures can be minimised if CTI information is gathered and used as part of CSRM activities. CTI not only supports understanding of threat for accurate risk estimation but also evaluates the effectiveness of existing controls and recommend necessity controls to improve overall cybersecurity. Also, the result shows that our approach provides early warning about issues that need immediate attention.

#FakeNews


 
 
 Misinformation in the form of “fake news” can potentially be weaponized by malicious actors to undermine Canada’s national security and government infrastructure. Developing a comprehensive database to track and understand potential threat actors and their use of fake news can potentially provide actionable intel, thereby exposing and publicly challenging fake news items. Fake news has been used to negatively influence the reputation of government officials and to incite violence between ethnic groups. Fake news utilizes confirmation bias (the tendency to interpret new evidence as confirmation of one's existing beliefs or theories) through disseminating meticulously crafted messages to targeted audiences, who are selected based on their online activities.