NURSE: eNd-UseR IoT malware detection tool for Smart homEs
IoT devices keep entering our homes with the promise of delivering more services and enhancing user experience; however, these new devices also carry along an alarming number of vulnerabilities and security issues. In most cases, the users of these devices are completely unaware of the security risks that connecting these devices entails. Current tools do not provide users with essential security information such as whether a device is infected with malware. Traditional techniques to detect malware infections were not meant to be used by the end-user, and current malware removal tools and security software cannot handle the heterogeneity of IoT devices. In this paper, we design, develop, and evaluate a tool, called NURSE, to fill this information gap, i.e., enabling end-users to detect IoT-malware infections in their home networks. NURSE follows a modular approach to analyze IoT traffic as captured by means of an ARP spoofing technique which does not require any network modification or specific hardware. Thus, NURSE provides zero-configuration IoT traffic analysis within everybody's reach. After testing NURSE in 83 different IoT network scenarios with a wide variety of IoT device types, results show that NURSE identifies malware-infected IoT devices with high accuracy (86.7%) using device network behaviour and contacted destinations.
Beneath the radar: Exploring the economics of business fraud via underground markets
One of the many facets of cybercrime consists in transactions of malicious software, fraudulent information, and other potentially harmful goods and services via underground marketplaces. A portion of these goods comprises the illegal trading of consumer products such as vouchers, coupons, and loyalty program accounts that are later used to commit business fraud. Despite its well-known existence, the impact of this type of business fraud has not been analyzed in depth before. By leveraging longitudinal data from 8 major underground markets from 2011 to 2017, we identify, classify and quantify different types of business fraud to then analyze the characteristics of the companies who suffered from them. Moreover, we investigate factors that influence the impact of business fraud on these companies. Our results show that cybercriminals prefer selling products of well-established companies, while smaller companies appear to suffer higher revenue losses. Stolen accounts are the most transacted items, while pirated software together with loyalty programs create the heaviest revenue losses. The estimated criminal revenues are relatively low, at under 7.5 million.
Who's got my back? Measuring the adoption of an internet-wide BGP RTBH Service
Distributed Denial-of-Service (DDoS) attacks continue to threaten the availability of Internet-based services. While countermeasures exist to decrease the impact of these attacks, not all operators have the resources or knowledge to deploy them. Alternatively, anti-DDoS services such as DDoS clearing houses and blackholing have emerged. Unwanted Traffic Removal Service (UTRS), being one of the oldest community-based anti-DDoS services, has become a global free collaborative service that aims at mitigating major DDoS attacks through the Border Gateway Protocol (BGP). Once the BGP session with UTRS is established, UTRS members can advertise part of the prefixes belonging to their AS to UTRS. UTRS will forward them to all other participants, who, in turn, should start blocking traffic to the advertised IP addresses. In this paper, we develop and evaluate a methodology to automatically detect UTRS participation in the wild. To this end, we deploy a measurement infrastructure and devise a methodology to detect UTRS-based traffic blocking. Using this methodology, we conducted a longitudinal analysis of UTRS participants over ten weeks. Our results show that at any point in time, there were 562 participants, including multihomed, stub, transit, and IXP ASes. Moreover, we surveyed 245 network operators to understand why they would (not) join UTRS. Results show that threat and coping appraisal significantly influence the intention to participate in UTRS.
Measuring Cybercrime as a Service (CaaS) Offerings in a Cybercrime Forum
The emergence of Cybercrime-as-a-Service (CaaS) is a critical evolution in the cybercrime landscape. A key area of research on CaaS is where and how the supply of CaaS is being matched with demand. Next to underground marketplaces and custom websites, cybercrime forums provide an important channel for CaaS suppliers to attract customers. Our study presents the first comprehensive and longitudinal analysis of types of CaaS supply and demand on a cybercrime forum. We develop a classifier to identify supply and demand for each type and measure their relative prevalence, and apply this to a dataset spanning 11 years of posts on Hack Forums, one of the largest and oldest ongoing English-language cybercrime forums on the surface web. Of 28 known CaaS types, we found evidence for only 9 of these in the forum. We saw no dramatic shifts in these offerings over time, not even after major underground marketplaces were seized by law enforcement. Around 16% of first posts of the threads in the ‘Market’ section of the forum offer CaaS, whereas only 3% are focused on product-type criminal offerings. Within the types of CaaS, the ‘bot/botnet as a service’, ‘reputation escalation as a service’ and ‘traffic as a service’ categories make up the majority (over 60%) for the whole period in terms of both supply and demand. At least half of the offerings of each CaaS type direct potential buyers to an instant messaging app or private message for transacting privately. In sum, we find that forums do in fact provide a channel for CaaS supply and demand to meet, but we see only a fraction of the CaaS landscape and there is no evidence in our data for the supposed growth of CaaS over time. We reflect on the implications of our findings for developing effective disruption strategies by law enforcement.
Partial Device Fingerprints
In computing, remote devices may be identified by means of device fingerprinting, which works by collecting a myriad of client-side attributes such as the device’s browser and operating system version, installed plugins, screen resolution, hardware artifacts, Wi-Fi settings, and anything else available to the server, and then merging these attributes into uniquely identifying fingerprints. This technique is used in practice to present personalized content to repeat website visitors, detect fraudulent users, and stop masquerading attacks on local networks. However, device fingerprints are seldom uniquely identifying. They are better viewed as partial device fingerprints, which do have some discriminatory power but not enough to uniquely identify users. How can we infer from partial fingerprints whether different observations belong to the same device? We present a mathematical formulation of this problem that enables probabilistic inference of the correspondence of observations. We set out to estimate a correspondence probability for every pair of observations that reflects the plausibility that they are made by the same user. By extending probabilistic data association techniques previously used in object tracking, traffic surveillance and citation matching, we develop a general-purpose probabilistic method for estimating correspondence probabilities with partial fingerprints. Our approach exploits the natural variation in fingerprints and allows for use of situation-specific knowledge through the specification of a generative probability model. Experiments with a real-world dataset show that our approach gives calibrated correspondence probabilities. Moreover, we demonstrate that improved results can be obtained by combining device fingerprints with behavioral models.
Ruling the Rules: Quantifying the Evolution of Rulesets, Alerts and Incidents in Network Intrusion Detection
Notwithstanding the predicted demise of signature-based network monitoring, it is still part of the bedrock of security operations. Rulesets are fundamental to the efficacy of Network Intrusion Detection Systems (NIDS). Yet, they have rarely been studied in production environments. We partner with a Managed Security Service Provider (MSSP) to gain more insight into the evolution of rulesets, the alerts that they trigger and the incidents that get investigated. We analyze a combined ruleset, including both commercial and proprietary rules, that consists of 130 thousand rules and was used to monitor hundreds of networks. We find that these rulesets keep growing over time, but there is almost no overlap among them in terms of detection options or what indicators of compromise they contain. The combined ruleset triggered more than 62 million alerts and led to 150 thousand incident investigations by SOC analysts, though the vast majority of rules never triggered a single alert. We find that just 0.5% of all rules are responsible for more than 80% of the alerts and incidents, and only 1.2% of all alerts were deemed to merit closer investigation. Of all incidents, 16% were labeled as false positives and 9% carried significant risk to the client organization. Independently of the type of rule, updating rules is a minor activity. Most rules are never modified and only a fraction is deleted, except for periodic purges in some sets. Seven in-depth interviews with rule developers corroborate the patterns we found in our analysis. Finally, we identify several rule management practices that influence rule and ruleset efficacy, such as supplementing commercial rules with your own and making rules as specific as possible.
Beyond Labeling: Using Clustering to Build Network Behavioral Profiles of Malware Families
Malware family labels are known to be inconsistent. They are also black box since they do not represent the capabilities of malware. The current state-of-the-art in malware capability assessment includes mostly manual approaches, which are infeasible due to the ever-increasing volume of discovered malware samples. We propose a novel unsupervised machine learning-based method called MalPaCA, which automates capability assessment by clustering the temporal behavior in malware’s network traces. MalPaCA provides meaningful behavioral clusters using only 20 packet headers. Behavioral profiles are generated based on the cluster membership of malware’s network traces. A Directed Acyclic Graph (DAG) shows the relationship between malware samples according to their overlapping behaviors. The behavioral profiles together with the DAG provide a more insightful characterization of malware than current family designations. We also propose a visualization-based evaluation method for the obtained clusters to assist practitioners in understanding the clustering results. We apply MalPaCA on a financial malware dataset collected in the wild that comprises 1.1k malware samples resulting in 3.6M packets. Our experiments show that (i) MalPaCA successfully identifies capabilities, such as port scans and reuse of Command and Control servers; (ii) it uncovers multiple discrepancies between behavioral clusters and malware family labels; and (iii) it demonstrates the effectiveness of clustering traces using temporal features by producing an error rate of 8.3%, compared to 57.5% obtained from statistical features.
The role of hosting providers in fighting command and control infrastructure of financial malware
A variety of botnets are used in attacks on financial services. Banks and security firms invest a lot of effort in detecting and combating malware-assisted takeover of customer accounts. A critical resource of these botnets is their command-and-control (C&C) infrastructure. Attackers rent or compromise servers to operate their C&C infrastructure. Hosting providers routinely take down C&C servers, but the effectiveness of this mitigation strategy depends on understanding how attackers select the hosting providers to host their servers. Do they prefer, for example, providers who are slow or unwilling in taking down C&Cs? In this paper, we analyze 7 years of data on the C&C servers of botnets that have engaged in attacks on financial services. Our aim is to understand whether attackers prefer certain types of providers or whether their C&Cs are randomly distributed across the whole attack surface of the hosting industry. We extract a set of structural properties of providers to capture the attack surface. We model the distribution of C&Cs across providers and show that the mere size of the provider can explain around 71% of the variance in the number of C&Cs per provider, whereas the rule of law in the country only explains around 1%. We further observe that price, time in business, popularity and ratio of vulnerable websites of providers relate significantly with C&C counts. Finally, we find that the speed with which providers take down C&C domains has only a weak relation with C&C occurrence rates, adding only 1% explained variance. This suggests attackers have little to no preference for providers who allow long-lived C&C domains.
Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning
As large-scale vulnerability detection becomes more feasible, it also increases the urgency to find effective large-scale notification mechanisms to inform the affected parties. Researchers, CERTs, security companies and other organizations with vulnerability data have a variety of options to identify, contact and communicate with the actors responsible for the affected system or service. A lot of things can – and do – go wrong. It might be impossible to identify the appropriate recipient of the notification; the message might not be trusted by the recipient; it might be overlooked, ignored or misunderstood. Such problems multiply as the volume of notifications increases. In this paper, we undertake several large-scale notification campaigns for a vulnerable configuration of authoritative nameservers. We investigate three issues: What is the most effective way to reach the affected parties? What communication path mobilizes the strongest incentive for remediation? And finally, what is the impact of providing recipients with a mechanism to actively demonstrate the vulnerability for their own system, rather than sending them the standard static notification message? We find that retrieving contact information at scale is highly problematic, though there are different degrees of failure for different mechanisms. For those parties who are reached, notification significantly increases remediation rates. Reaching out to nameserver operators directly had better results than going via their customers, the domain owners. While the latter, in principle, have a stronger incentive to care and their request for remediation would trigger the commercial incentive of the operator to keep its customers happy, this communication path turned out to have slightly worse remediation rates. Finally, we find no evidence that vulnerability demonstrations did better than static messages. In fact, few recipients engaged with the demonstration website.
Let Me Out! Evaluating the Effectiveness of Quarantining Compromised Users in Walled Gardens