5 research outputs found
Reasoning about Cyber Threat Actors
Abstract: Reasoning about the activities of cyber threat actors is critical to defending against cyber
attacks. However, this task is difficult for a variety of reasons. In simple terms, it is difficult
to determine who the attacker is, what the attacker's goals are, and how they will
carry out their attacks. These three questions essentially entail understanding the attacker's
use of deception, the capabilities available, and the intent behind launching the attack. These
three issues are highly inter-related. If an adversary can hide their intent, they can better
deceive a defender. If an adversary's capabilities are not well understood, then determining
what their goals are becomes difficult, as the defender is uncertain whether they have the necessary
tools to accomplish them. However, the understanding of these aspects is also mutually
supportive. If we have a clear picture of capabilities, intent can be better deciphered. If we
understand intent and capabilities, a defender may be able to see through deception schemes.
In this dissertation, I present three pieces of work to tackle these questions and obtain
a better understanding of cyber threats. First, we introduce a new reasoning framework
to address deception. We evaluate the framework by building a dataset from a DEFCON
capture-the-flag exercise to identify the person or group responsible for a cyber attack.
We demonstrate that the framework not only handles cases of deception but also provides
transparent decision making in identifying the threat actor. The second task uses a cognitive
learning model to determine the intent, i.e. the goals of the threat actor on the target system.
The third task looks at understanding the capabilities of threat actors to target systems by
identifying at-risk systems from hacker discussions on darkweb websites. To achieve this
task we gather discussions from more than 300 darkweb websites relating to malicious
hacking.
Dissertation/Thesis. Doctoral Dissertation, Computer Engineering, 201
APT-MMF: An advanced persistent threat actor attribution method based on multimodal and multilevel feature fusion
Threat actor attribution is a crucial defense strategy for combating advanced
persistent threats (APTs). Cyber threat intelligence (CTI), which involves
analyzing multisource heterogeneous data from APTs, plays an important role in
APT actor attribution. The current attribution methods extract features from
different CTI perspectives and employ machine learning models to classify CTI
reports according to their threat actors. However, these methods usually
extract only one kind of feature and ignore heterogeneous information,
especially the attributes and relations of indicators of compromise (IOCs),
which form the core of CTI. To address these problems, we propose an APT actor
attribution method based on multimodal and multilevel feature fusion (APT-MMF).
First, we leverage a heterogeneous attributed graph to characterize APT reports
and their IOC information. Then, we extract and fuse multimodal features,
including attribute type features, natural language text features and
topological relationship features, to construct comprehensive node
representations. Furthermore, we design multilevel heterogeneous graph
attention networks to learn the deep hidden features of APT report nodes; these
networks integrate IOC type-level, metapath-based neighbor node-level, and
metapath semantic-level attention. Utilizing multisource threat intelligence,
we construct a heterogeneous attributed graph dataset for verification
purposes. The experimental results show that our method not only outperforms
the existing methods but also demonstrates good interpretability for
attribution analysis tasks.
Computer Criminal Profiling applied to Digital Investigations
This PhD thesis aims to contribute to the Cyber Security body of knowledge and its
Computer Forensic field, which is still in its infancy compared with other forensic
sciences.
With the advancements of computer technology and the proliferation of cyber crime,
offenders making use of computers range from state-sponsored cyber squads to
organized crime rings; from cyber paedophiles to crypto miners abusing third-party
computer resources. Cyber crime is not only impacting the global economy in billions of
dollars annually; it is also a life-threatening risk as society is increasingly dependent on
critical systems like those in air traffic control, hospitals or connected cars. Achieving
cyber attribution is a step towards identifying, deterring and prosecuting offenders in
cyberspace, a domain among the top priorities for the UK National Security Strategy.
However, the rapid evolution of cyber crime may be an unprecedented challenge in the
forensic science history. Attempts to keep up with this pace often result in computer
forensic practices limited to technical outcomes, like user accounts or IP addresses
used by the offenders. Limitations are intensified when the current cyber security skill
shortage contrasts with the vastness of digital crime scenes presented by cloud
providers and extensive storage capacities or with the wide range of available
anonymizing mechanisms. Quite often, offenders remain unidentified,
unpunished, and unstoppable.
As these anonymising mechanisms conceal offenders from a technological
perspective, it was considered that they would not offer the same level of concealment
from a behavioural standpoint. Therefore, in addition to the analysis of the state-of-the-art
of cyber crimes and anonymising mechanisms, the literature of traditional crimes
and criminal psychology was reviewed, in an attempt to learn what traits of human
behaviour could be revealed by the evidence at a crime scene and how to recognize
them. It was identified that the subdiscipline of criminology called criminal profiling
helps provide these answers. Observing its success rate and benefits as a support
tool in traditional investigations, it was hypothesized that a similar outcome could be
achieved while investigating cyber crimes, provided that a framework could enable
digital investigators to apply criminal profiling concepts in digital investigations.
Before developing the framework, the scope of this thesis was delimited to a subset of
cyber crimes, consisting exclusively of computer intrusion cases. Also, among
potential criminal profiling benefits, the reduction of the suspect pool, case linkage and
optimization of investigative efforts were included in the scope. An SSH honeypot
experiment based on Cowrie was designed and deployed in a public cloud
infrastructure. In its first phase, a single honeypot instance was launched, protected by
username and password and accepting connection attempts from any Internet address.
Users that were able to guess a valid pair of credentials, after a random number of
attempts providing strong passwords, were presented with a simple file system, in which
all their interactions within the system were recorded and all downloaded attack tools
were isolated and securely stored for subsequent analysis. In the second phase of
the experiment, the honeypot infrastructure was expanded to a honeynet with 18
(eighteen) nodes, running in a total of 6 (six) geographic regions and making it possible
to analyse additional variables like the location of the "victim" system, the perceived
influence of directory/file structure/contents and resistance levels to password
attacks.
After a period of approximately 18 (eighteen) months, more than 7 million connection
attempts and 12 million authentication attempts were received by the honeynet, where
more than 85,000 were able to successfully log into one of the honeynet servers.
Offenders were able to interact with the simulated operating systems and their files,
while enabling this research to identify behavioural patterns that proved to be useful not
only to group offenders, but also to enrich individual offender profiles. Among these
behavioural patterns, the choice of which commands and which parameters to run, the
basis of the attack on automated versus manual means, the pairs of usernames and
passwords that were provided to try to break the honeypot authentication, their
response once a command was not successful, their intent on using specific attack
tools and the motivation behind it, any level of caution presented and, finally,
preferences for naming tools, temporary files or customized ports were some of the
most relevant attributes. Based on the collected data set, such attributes successfully
make it possible to narrow down the pools of suspects, to link different honeypot break-ins
to the same offender and to optimize investigative efforts by enabling the researcher
to focus the analysis on a reduced area while searching for evidence.
In times when the cyber security skills shortage is a concerning challenge and where
profiling can play a critical role, it is believed that such a structured framework for
criminal profiling within cyber investigations can help to make the investigation of cyber
crimes quicker, cheaper and more effective.
XXIII Edition of the Workshop de Investigadores en Ciencias de la Computación: Posters
This collects the posters presented at the XXIII Workshop de Investigadores en Ciencias de la Computación (WICC), organized by the Universidad Nacional de Chilecito and held virtually on 15 and 16 April 2021.
Red de Universidades con Carreras en Informátic
XXIII Edition of the Workshop de Investigadores en Ciencias de la Computación: Proceedings
Compilation of the papers presented at the XXIII Workshop de Investigadores en Ciencias de la Computación (WICC), held in Chilecito (La Rioja) in April 2021.
Red de Universidades con Carreras en Informátic