
    Ciber-Guerra: Ciber-Ameaças

    At the strategic level, information warfare implies mastery of cyberspace, because "cyber-attacks", viruses and Trojan horses cannot be neglected. This different form of warfare requires the adoption of a security and defence policy for cyberspace, since cyberspace has imposed a new geopolitical dimension. Defining a national security policy for the telecommunications infrastructure area is fundamental. Its implementation, which aims at reducing risk, includes prevention/protection initiatives and the mitigation of the effects of incidents. Risk reduction also requires early-warning systems and the forecasting of imminent threats, for which international cooperation is indispensable. At a minimum, deterrence contributes to risk reduction. Network security is therefore a topic that urgently needs to be addressed in a rational way and in simple language. It should be borne in mind that addressing the security risks of information networks only with technological solutions is to postpone a problem. With this work we intend to elucidate and highlight how important this problem is at the level of the Portuguese Army. To this end, two types of objectives were defined: a general objective and some specific objectives. As the general objective for this problem, we highlight the importance of knowing whether the Portuguese Army is in fact prepared to face this type of threat. As specific objectives, we intend to draw attention to the importance of these threats in civil society and in the military environment, to classify these threats according to their lethal capacity, to list the various less publicised "cyber-threats", and to find out whether there is any unit dedicated to defending against these threats in the Portuguese Army. This new type of warfare is within reach of those who possess sophisticated technological capabilities, as well as the money to implement new technologies, as we will have the opportunity to discuss during the work.
Portugal and its armed forces are undergoing a process of transformation, improving in order to face the threats that the information age generates and trying to guard themselves as well as possible against cyber-threats.

Abstract: Strategically speaking, it is necessary to master cyberspace for information warfare, because we cannot forget cyber attacks, viruses and Trojan horses. This kind of war implies new security policies and defences for cyberspace, due to the new geopolitical dimension created by it. Defining national security policies for the network area is essential. Its implementation, aimed at reducing risk, includes protection/prevention initiatives and helps to reduce harmful effects. Reducing risk also demands early-warning systems and the prediction of imminent threats, for which international cooperation is essential. Network safety is a theme that needs to be taken care of rationally. Taking care of network security using only technological means is to delay a problem. So, this dissertation intends to show how important this problem is in the Portuguese Army. As a general purpose, we point out knowing whether the Portuguese Army is prepared to face this kind of threat. As specific purposes, we intend to highlight the importance of these threats in civil society and the military sphere, to classify menaces by their lethal capacities, to point out various "cyber threats" that are less known, and to find out whether units exist to face these threats in the Portuguese Army. This new kind of war is only possible for those who have technological resources, as well as the financial means to purchase them. Portugal and its armed forces are in a transformation process, trying to evolve to face the threats that the information age is creating, protecting their systems to face a new reality in war: the cyber-threats.

    Categorising Network Telescope data using big data enrichment techniques

    Network Telescopes, Internet backbone sampling, IDS and other forms of network-sourced Threat Intelligence provide researchers with insight into the methods and intent of remote entities by capturing network traffic and analysing the resulting data. This analysis and determination of intent is made difficult by the large amounts of potentially malicious traffic, coupled with the limited amount of knowledge that can be attributed to the source of the incoming data, as the source is known only by its IP address. Due to the lack of commonly available tooling, many researchers start this analysis from the beginning and so repeat and re-iterate previous research as the bulk of their work. As a result, new insight into methods and approaches of analysis is gained at a high cost. Our research approaches this problem by using additional knowledge about the source IP address, such as open ports, reverse and forward DNS, BGP routing tables and more, to enhance the researcher's ability to understand the traffic source. The research is a Big Data experiment, where large (hundreds of GB) datasets are merged with a two-month section of Network Telescope data using a set of Python scripts. The results are written to a Google BigQuery database table. Analysis of the network data is greatly simplified, with questions about the nature of the source, such as its device class (home routing device or server), potential vulnerabilities (open telnet ports or databases) and location, becoming relatively easy to answer. Using this approach, researchers can focus on the questions that need answering and efficiently address them. This research could be taken further by using additional data sources such as geo-location, WHOIS lookups, Threat Intelligence feeds and many others. Other potential areas of research include real-time categorisation of incoming packets, in order to better inform the configuration of alerting and reporting systems.
In conclusion, categorising Network Telescope data in this way provides insight into the intent of the (apparent) originator and as such is a valuable tool for those seeking to understand the purpose and intent of arriving packets. In particular, the ability to remove packets categorised as non-malicious (e.g. those in the Research category) from the data eliminates a known source of 'noise' from the data. This allows the researcher to focus their efforts in a more productive manner.

    Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

    Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have matured enormously and have become capable of generating, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques greatly increases the difficulty of the surveillance and investigation of cyber attacks. In this context, the availability of relevant cyber monitoring is of paramount importance. An effective approach to gathering DoS cyber intelligence is to collect and analyze traffic destined to allocated, routable, yet unused Internet address space, known as darknet. In this thesis, we leverage big darknet data to generate insights on various DoS events, namely Distributed DoS (DDoS) and Distributed Reflection DoS (DRDoS) activities. First, we present a comprehensive survey of darknet. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. In addition, we provide a taxonomy of darknet technologies and identify research gaps related to three main darknet categories: deployment, traffic analysis, and visualization. Second, we characterize darknet data. Such information could generate indicators of cyber threat activity as well as provide an in-depth understanding of the nature of its traffic. In particular, we analyze the distribution of darknet packets and the transport-, network- and application-layer protocols they use, and pinpoint their resolved domain names. Furthermore, we identify their IP classes and destination ports as well as geo-locate their source countries. We further investigate darknet-triggered threats.
The aim is to explore darknet-inferred threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, applying association rule mining techniques to build threat association rules. Specifically, we generate clusters of threats that co-occur while targeting a specific victim. Third, we propose a DDoS inference and forecasting model that aims at providing insights to organizations, security operators and emergency response teams during and after a DDoS attack. Specifically, this work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/sec) and size (estimated number of compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attacks in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence respond appropriately to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer the various victims targeted by the same campaign and to predict related features. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods and forecasting approaches. Fourth, we propose a novel approach to infer and characterize Internet-scale DRDoS attacks by leveraging the darknet space. Complementary to the pioneering work on inferring DDoS activities using darknet, this work shows that we can extract DoS activities without relying on backscatter analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities, such as intensity, rate and geographic location, in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks and uses the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks.
Finally, we conclude this work by providing some discussion and pinpointing future work.