Threat Hunting Research Articles

TRIPLE: A blockchain-based digital twin framework for cyber-physical systems security

Cyber-physical systems (CPSs) are being increasingly adopted for industrial applications, yet they involve a dynamic threat landscape that requires CPSs to adapt to emerging threats during their operation. Recently, digital twin (DT) technology (which refers to a virtual representation of a device, process, or environment) has emerged as a suitable candidate to address the security challenges faced by dynamic CPSs. DT has the capability of strengthening the security of CPSs by continuously mapping the physical to twin counterparts to detect inconsistencies. The existing DT-based security solutions are constrained by untrustworthy data dissemination as well as limited data sharing among the involved stakeholders, which, in turn, limit the ability of DTs to run accurate simulations or make valid decisions. To address these challenges, this paper proposes a modular framework called TRusted and Intelligent cyber-PhysicaL systEm (TRIPLE), that leverages blockchain, DTs, and threat intelligence (TI) to secure CPSs. The blockchain-based DT components in the framework provide data integrity, traceability, and availability for trusted DTs. Furthermore, to accurately and comprehensively model system states, the framework envisions fusing process knowledge for modeling DTs from system specification-based and learning-based information and other sources, including infrastructure-as-code (IaC) and knowledge base (KB). The framework also integrates TI for future-proofing against emerging threats, such that threats can be detected either reactively by mapping the behavior of physical and virtual spaces or proactively by TI and threat hunting. We demonstrate the viability of the framework through a proof of concept. Finally, we formally verify the TRIPLE framework to demonstrate its correctness and effectiveness in enhancing CPS security.

Risks to cybersecurity from data localization, organized by techniques, tactics and procedures

ABSTRACT The risks of data localization to cybersecurity – organizational effects”, we provided a framework for the risks of data localization to cybersecurity, finding that 13 of 14 ISO 27002 controls would be negatively affected by the localization of personal data. This paper complements that analysis, focusing on the techniques, tactics and procedures (TTPs) of threat actors and defenders. Using the ENISA Guidelines and the MITRE ATT&CK Framework as authoritative approaches for cataloguing relevant TTPs, we highlight three important tactics that defenders use for cybersecurity purposes – threat hunting; privilege-escalation attack; and red teaming/pen testing. These three categories, considered essential to a mature cybersecurity programme, would routinely require cybersecurity defenders to access personal data that would be restricted by current data localization laws and proposals. The paper then provides a quantitative model illustrating the effects of data localization, finding that halving the number of IP addresses available to a defender would more than double the likely time until a new attack was detected. The paper concludes by noting that until and unless the proponents of localization address the unintended effects of data localization, scholars, policymakers and practitioners have strong reason to expect significant cybersecurity harms from hard localization requirements.

Proactive threat hunting to detect persistent behaviour-based advanced adversaries

Persistence behavior is a tactic advanced adversaries use to maintain unauthorized access and control of compromised assets over extended periods. Organizations can efficiently detect persistent adversaries and reduce the growing risks posed by highly skilled cyber threats by embracing creative techniques and utilizing sophisticated tools. By taking a proactive stance, businesses may increase their entire cybersecurity posture by anticipating and mitigating possible risks before they escalate. Security analysts perform thorough investigations and extract meaningful insights from large datasets with greater technical advantage by using Elasticsearch in conjunction with a variety of linguistic tools. This research presents a novel methodology for proactive threat intelligence to identify and mitigate advanced adversaries that use persistent behaviors. The authors designed and set up an Elasticsearch-based advanced Security Information and Event Management platform to offer a proactive threat-hunting strategy. This enables comprehensive analysis and detection by integrating Lucene, Kibana, and domain-specific languages. The goal of this research is to locate hidden advanced enemies who exhibit persistent behavior during cyberattacks. The framework can help improve the organization’s resilience to identify and respond to threats by closely examining activities like boot or logon auto-start execution in registry keys, tampering with system processes and services, and unauthorized creation of local accounts on compromised assets. This study emphasizes proactive actions over reactive reactions, which advances danger detection techniques. This technical study provides security practitioners seeking to improve defenses against new advanced attacks to stay ahead in a dynamic threat landscape.

Proactive Threat Hunting in Critical Infrastructure Protection through Hybrid Machine Learning Algorithm Application.

Cyber-security challenges are growing globally and are specifically targeting critical infrastructure. Conventional countermeasure practices are insufficient to provide proactive threat hunting. In this study, random forest (RF), support vector machine (SVM), multi-layer perceptron (MLP), AdaBoost, and hybrid models were applied for proactive threat hunting. By automating detection, the hybrid machine learning-based method improves threat hunting and frees up time to concentrate on high-risk warnings. These models are implemented on approach devices, access, and principal servers. The efficacy of several models, including hybrid approaches, is assessed. The findings of these studies are that the AdaBoost model provides the highest efficiency, with a 0.98 ROC area and 95.7% accuracy, detecting 146 threats with 29 false positives. Similarly, the random forest model achieved a 0.98 area under the ROC curve and a 95% overall accuracy, accurately identifying 132 threats and reducing false positives to 31. The hybrid model exhibited promise with a 0.89 ROC area and 94.9% accuracy, though it requires further refinement to lower its false positive rate. This research emphasizes the role of machine learning in improving cyber-security, particularly for critical infrastructure. Advanced ML techniques enhance threat detection and response times, and their continuous learning ability ensures adaptability to new threats.

Blockchain and explainable AI for enhanced decision making in cyber threat detection

SummaryArtificial Intelligence (AI) based cyber threat detection tools are widely used to process and analyze a large amount of data for improved intrusion detection performance. However, these models are often considered as black box by the cybersecurity experts due to their inability to comprehend or interpret the reasoning behind the decisions. Moreover, AI‐based threat hunting is data‐driven and is usually modeled using the data provided by multiple cloud vendors. This is another critical challenge, as a malicious cloud can provide false information (i.e., insider attacks) and can degrade the threat‐hunting capability. In this paper, we present a blockchain‐enabled eXplainable AI (XAI) for enhancing the decision‐making capability of cyber threat detection in the context of Smart Healthcare Systems. Specifically, first, we use blockchain to validate and store data between multiple cloud vendors by implementing a Clique Proof‐of‐Authority (C‐PoA) consensus. Second, a novel deep learning‐based threat‐hunting model is built by combining Parallel Stacked Long Short Term Memory (PSLSTM) networks with a multi‐head attention mechanism for improved attack detection. The extensive experiment confirms its potential to be used as an enhanced decision support system by cybersecurity analysts.

UNRAVELING RANSOMWARE IN THE DIGITAL BATTLEFIELD: THREAT ANALYSIS AND COUNTERMEASURES

Ransomware is a well-known form of malware known for causing severe and permanent damage to its targets. Timely identification of such attacks is important to mitigate the consequences of these attacks. According to Data Breach Investigation Report (DBIR), since 2021, ransomware attacks have grown 17% yearly. It is widely considered a major cybersecurity threat at individual and organizational levels. There are several techniques that organizations can use to manage ransomware, such as backup, network segmentation, HR education, endpoint protection, and advanced threat hunting. It’s worth noting that only some techniques are foolproof, and a comprehensive defense strategy often involves combining multiple techniques. Ransomware has been used in the context of the Russia-Ukraine war, primarily by Russian-backed cybercriminal groups. These groups have targeted Ukrainian infrastructure and businesses with ransomware attacks, encrypting their victims’ data and demanding payment to unlock the data. These attacks have caused significant disruptions and financial losses for the targeted organizations. The paper aims to study the ransomware technique and summarize the most prominent threat actors involved in the war. We have chosen one of the well-known malwares,” HermeticRansom”, performed its thorough analysis and created a Yara rule for its detection.

From Detection to Prediction: AI-powered SIEM for Proactive Threat Hunting and Risk Mitigation

The evolution of cybersecurity has witnessed a transformative shift from reactive defense measures to proactive threat-hunting and risk-mitigation strategies. In response to the rapidly evolving threat landscape, the integration of Artificial Intelligence (AI) into Security Information and Event Management (SIEM) tools has emerged as a crucial solution. Historically, SIEMs primarily aggregated security data but struggled to analyze the vast, complex datasets effectively. The integration of AI, especially Machine Learning (ML) and Deep Learning (DL), revolutionized these systems. AI algorithms enable SIEMs to extract meaningful insights from massive datasets, allowing for the identification of subtle anomalies and hidden threats that may not be detected by traditional detection methods. This transition marks a fundamental shift from simple data aggregation to intelligent analysis, empowering SIEMs to move beyond detection towardproactive threat hunting. This paper highlights the role of AI in predicting threats, leveraging historical data to forecast potential risks, and continuously learning to adapt to evolving threat landscapes. It also explores the real-world use cases of AI-powered SIEMs in proactive threat hunting and risk mitigation.

General purpose data streaming platform for log analysis, anomaly detection and security protection

INFN-CNAF is one of the Worldwide LHC Computing Grid (WLCG) Tier-1 data centres, providing computing, networking and storage resources to a wide variety of scientific collaborations, not limited to the four LHC (Large Hadron Collider) experiments. The INFN-CNAF data centre will move to a new location next year. At the same time, the requirements from our experiments and users are becoming increasingly challenging and new scientific communities have started or will soon start exploiting our resources. Currently, we are reengineering several services, in particular our monitoring infrastructure, in order to improve the day-by-day operations and to cope with the increasing complexity of the use cases and with the future expansion of the centre. This scenario led us to implement a data streaming infrastructure designed to enable log analysis, anomaly detection, threat hunting, integrity monitoring and incident response. Such data streaming platform has been organised to manage different kinds of data coming from heterogeneous sources, to support multi-tenancy and to be scalable. Moreover, we will be able to provide an on demand end-to-end data streaming application to those users/communities requesting such kind of facility. The infrastructure is based on the Apache Kafka platform, which provides streaming of events at large scale, with authorization and authentication configured at the topic level for ensuring data isolation and protection. Data can be consumed by different applications, such as those devoted to log analysis, which provide the capability to index large amounts of data and implement appropriate access policies to inspect and visualise information. In this contribution we will present and motivate our technological choices for the definition of the infrastructure, we will describe its components and we will depict use cases which can be addressed with this platform.

The Impacts of Cybersecurity and AI on Businesses and Individuals

In today’s ever growing technological world, the protection of systems is needed and cybersecurity does just that. Cyber security is the field of prohibiting unauthorized users from accessing data, networks, and devices and keeping data safeguarded. AI or artificial intelligence plays a major part in this field since they can enhance the activities of humans more efficiently. Therefore, this paper deeply explores the specific positive and negative effects of cyber security and AI on businesses and individuals. This paper also dives deep into some tools of the field: CVE or common vulnerability and exposures and CVSS or common vulnerability scoring system. This leads the paper to discuss two major cyber incidents from JP Morgan and Chase and Microsoft Exchange Data Breach and the attacks used. These incidents displayed the need for a more vigorous cyber security. A few of the attacks these companies encountered and more types of attacks are explained in this paper as well. In addition, this paper informs about the specific effects cyber breaches can have on companies. This paper revealed that cybersecurity can positively affect businesses and individuals through mitigating attacks, securing data, making data accessible to only those who are allowed, and better quality of life and negative effects include high costs, more management, user inconvenience, constant new threats, and human error. The negative effects of AI include analyzing personal information, target vulnerabilities, mislead individuals, impersonate humans, and provide false information and positives include network intrusion detection products, threat hunting, vulnerability management, and data centers.

FedChain-Hunter: A reliable and privacy-preserving aggregation for federated threat hunting framework in SDN-based IIoT

In the development of the Industrial Internet of Things (IIoT), cyber threats and attacks have become major issues and concerns in Industry 4.0 due to the negative impacts on the infrastructures and services across organizations. Nevertheless, due to the issues in preserving privacy and transparency, there is a lack of threat intelligence sharing among parties, leading to the low performance in uncovering malicious actors. In fact, the method of gathering and exploiting such data has been getting more crucial in a trend of machine learning (ML) adoption in cybersecurity. In this scenario, Federated Learning (FL) can assume a significant role in constructing an ML-based threat hunting solution for IIoT networks. This can be achieved by harnessing data resources from diverse parties, utilizing a local training strategy that eliminates the need for centralized data collection. Hence, this paper proposes FedChain-Hunter, a blockchain and FL-based threat-hunting framework to mutually seek cyber threats while ensuring data privacy and the transparency in the contribution of data owners. Specifically, Software Defined Networking (SDN) with programmable and flexible security orchestration is used to easily monitor and gather appropriate security events in the IIoT network. In addition, the Fully Homomorphic Encryption (HE) and Differential Privacy (DP) are integrated into the FL scheme to provide strong security and privacy-preserving aggregation for each ML model update. Also, the blockchain adoption offers the transparency, auditability for collaboration and contribution management through a decentralized platform. The experimental results on 5 datasets indicate that FedChain-Hunter can achieve high performance for cyber threat detection with security, reliability, and privacy guarantee.

Effects of Ransomware: Analysis, Challenges and Future Perspective

This review paper highlights the challenges and best practices in malware analysis, specifically focusing on the age of ransomware. It provides an overview of malware and its impact on computer systems and user privacy by lists various types of malware, including viruses, Trojans, spyware,adware, worms and highlights major malware attacks including the methods used and the resulting damages. Further, the article explores the challenges faced in ransomware analysis, including advanced encryption and evasion techniques, anti-analysis mechanisms, zero-day exploits and vulnerabilities, polymorphic and dynamic behavior, lack of resources, complexity of ransomware, collaboration difficulties, and cost implications. These challenges make it necessary for security researchers to constantly update their knowledge and techniques to effectively analyze ransomware. This study concludes best practices for ransomware analysis including isolating and segmenting ransomware samples in controlled environments, emphasizing behavior analysis and threat hunting, investing in advanced reverse engineering and automated analysis techniques, promoting collaborative intelligence and information sharing, and implementing security measures to protect against ransomware attacks. Additionally, the article briefly mentions static analysis techniques which explains that static analysis involves examining malware files and code without executing them. It can be used to identify ransomware characteristics, such as encryption algorithms, ransom demands, remote command execution, and obfuscation techniques. Moreover, file and code analysis methods, signature-based detection, code deobfuscation and unpacking techniques, and malicious document analysis and exploit detection are also suggested as part of static analysis.

Beyond detection: Uncovering unknown threats

Threat management is essential for ensuring an organisation’s security, but traditional strategies often only address known threats, leaving the organisation vulnerable to unknown threats. To be well equipped against advanced cyberattacks, a proactive approach beyond detection that uncovers unknown and emerging threats is necessary. This paper proposes a comprehensive approach to threat management involving the partnership between the threat detection, threat hunting, threat intelligence and threat exposure teams. Various approaches for hunting unknown threats are explored, including simulation, forensics, threat modelling, incident pivoting, deception, and a process to hunt once and automate. Insights detailed in this paper will also help organisations make informed decisions on resources and practices around threat hunting. The proposed strategy emphasises the need for a proactive and iterative approach to threat management, allowing organisations to stay ahead of adversaries and be prepared for unknown threats.

Threat Hunting System for Protecting Critical Infrastructures Using a Machine Learning Approach

Cyberattacks are increasing in number and diversity in nature daily, and the tendency for them is to escalate dramatically in the forseeable future, with critical infrastructures (CI) assets and networks not being an exception to this trend. As time goes by, cyberattacks are more complex than before and unknown until they spawn, being very difficult to detect and remediate. To be reactive against those cyberattacks, usually defined as zero-day attacks, cyber-security specialists known as threat hunters must be in organizations’ security departments. All the data generated by the organization’s users must be processed by those threat hunters (which are mainly benign and repetitive and follow predictable patterns) in short periods to detect unusual behaviors. The application of artificial intelligence, specifically machine learning (ML) techniques (for instance NLP, C-RNN-GAN, or GNN), can remarkably impact the real-time analysis of those data and help to discriminate between harmless data and malicious data, but not every technique is helpful in every circumstance; as a consequence, those specialists must know which techniques fit the best at every specific moment. The main goal of the present work is to design a distributed and scalable system for threat hunting based on ML, and with a special focus on critical infrastructure needs and characteristics.

Generative Adversarial Networks for Cyber Threat Hunting in Ethereum Blockchain

Ethereum blockchain has shown great potential in providing the next generation of the decentralized platform beyond crypto payments. Recently, it has attracted researchers and industry players to experiment with developing various Web3 applications for the Internet of Things (IoT), Defi, Metaverse, and many more. Although Ethereum provides a secure platform for developing decentralized applications, it is not immune to security risks and has been a victim of numerous cyber attacks. Adversarial attacks are a new cyber threat to systems that have been rising. Adversarial attacks can disrupt and exploit decentralized applications running on the Ethereum platform by creating fake accounts and transactions. Detecting adversarial attacks is challenging because the fake materials (e.g., accounts and transactions) as malicious payloads are similar to benign data. This article proposes a model using Generative Adversarial Networks (GAN) and Deep Recurrent Neural Networks (RNN) for cyber threat hunting in the Ethereum blockchain. Firstly, we employ GAN to generate fake transactions using genuine Ethereum transactions as the first phase of the proposed model. Then in the second phase, we utilize bi-directional Long Short-Term Memory (LSTM) to identify adversarial transactions in a hunting exercise. The results of the first phase evaluation show that the GAN can generate transactions identical to the actual Ethereum transactions with an accuracy of 82.51%. Also, the results of the second phase show 99.98% accuracy in identifying adversarial transactions.

Deep AI-Powered Cyber Threat Analysis in IIoT

Distributed Industrial Internet of Things (IIoT) has entirely revolutionized the industrial sector that varies from autonomous industrial processes to automation of processes without human intervention. However, threat hunting and intelligence is the most complex task in distributed IIoT. Besides, there exist no standard architectures for hunting micro services orchestration in distributed IIoT systems. The authors propose an efficient and self-learning autonomous multi-vector threat intelligence and detection mechanism to proactively defend IIoT systems/networks. Our proposed novel Cuda-empowered Convolutional LSTM2D (ConvLSTM2D) mechanism is highly scalable with self-optimizing capabilities to proficiently tackle diverse dynamic variants of emerging IIoT sophisticated threats and attacks. For a comprehensive evaluation, the authors employed a current state-of-the-art dataset with 21 million instances comprised of varying attack patterns and prevalent threat vectors. Moreover, the proposed technique is compared with our constructed contemporary Deep Learning (DL)-driven architectures and benchmark algorithms. The proposed mechanism outperforms in terms of detection accuracy with a trivial trade-off in speed efficiency.

UNLEASHING THE POWER OF MOBILE THREAT HUNTING TOOLKITS: WHY THEY ARE CRUCIAL IN TODAY’S CYBERSECURITY LANDSCAPE

This article discusses the importance of mobile threat hunting toolkits in modern cybersecurity, emphasizing their ability to provide efficiency, accuracy, and agility in detecting and mitigating threats. With the rise of advanced technologies, specialized teams focused on threat hunting have become essential for organizations to protect their digital assets and data. The article explores the benefits of threat hunting toolkits, highlighting their comprehensive suite of tools for threat detection, investigation, and response, and their integration with other security technologies and data sources. The article also introduces the PANTHER toolkit, a portable toolkit for threat hunting teams, designed to enhance visibility and security in non-compliant network segments or during M&A processes. Lastly, the article mentions some of the leading vendors in the threat hunting toolkit landscape, as outlined in Gartner's ”Market Guide for Threat Hunting,” and emphasizes the importance of adopting a proactive approach to cybersecurity to stay ahead of evolving threats.

APTHunter: Detecting Advanced Persistent Threats in Early Stages

We propose APTHunter, a system for prompt detection of Advanced and Persistent Threats (APTs) in early stages. We provide an approach for representing the indicators of compromise that appear in the cyber threat intelligence reports and the relationships among them as provenance queries that capture the attacker’s malicious behavior. We use the kernel audit log as a reliable source for system activities and develop an optimized whole system provenance graph that provides the causal relationships and information flows among system entities in a compact format. Then, we model the threat hunting as a behavior match problem by applying provenance queries to the optimized provenance graph to find any hits as indicators of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA over different OS platforms, as well as real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.

Explainable artificial intelligence envisioned security mechanism for cyber threat hunting

AbstractCyber threat hunting proactively searches for cyber threats, which are undetected by the traditional defense mechanisms. It scans deep to identify malicious programs (ie, malware) that escape from detection. It is important because sophisticated cyber threats can bypass the cyber security mechanisms. The performance of the cyber threat hunting can be improved through artificial intelligence (AI), especially, explainable AI (XAI), which adds trust component to the cyber threat hunting process. Due to the inclusion of XAI, the security experts get the full explanations of the detected threats as the working of the detection model in XAI is known. Information, like, which one is a threat, how it has been detected, and why it has been detected, can be obtained very easily due to the inclusion of XAI in the cyber threat hunting. Therefore, an XAI‐envisioned mechanism for cyber threat hunting has been proposed (in short, XAISM‐CTH). The network and threat models of XAISM‐CTH are designed and discussed. The conducted security analysis proves the security of XAISM‐CTH against various potential attacks. XAISM‐CTH also performs better than the other existing schemes. At the end, a practical implementation of XAISM‐CTH has been provided to observe its impact on the performance of the system.

Basic concepts, approaches and fundamentals of cyber threat intelligence


 
 
 This article is designed to introduce readers to Cyber Threat Intelligence (CTI). Various Threat Hunting (TH) techniques and sources of information about threats were mentioned. Commercial tools and open source software for cyber threat hunting are also described.
 
 

Cyber threat detection: Unsupervised hunting of anomalous commands (UHAC)

The cyber security industry is rapidly adopting threat hunting as a proactive tool for early and faster detection of suspected malicious actors. In this paper, we propose a machine learning-based method, Unsupervised Hunting of Anomalous Commands (UHAC), to detect text-based anomalous commands in security information and event management (SIEM) logs that are good candidates for threat hunting. A unique feature of the proposed method is that it first creates a feature set based on the augmentation of document-term and document-character matrices. Then, an autoencoder-based detector is trained on this feature set using a custom loss function. UHAC consistently outperforms other feature sets and algorithms such as one-class support vector machine, density-based spatial clustering of applications with noise, and word-embedding based models such as word2vec. The UHAC detector identifies 84–89% of anomalies in the top 10% of the data. Findings have implications for cybersecurity analysts who perform threat hunting in SIEM logs for process auditing on endpoint devices.