Unsolicited traffic sent to advertised network space that does not host active services provides insights about misconfigurations as well as potentially malicious activities, including the spread of Botnets, DDoS campaigns, and exploitation of vulnerabilities. Network telescopes have been used for many years to monitor such unsolicited traffic. Unfortunately, they are limi the available address space for such tasks and, thus, limited to specific geographic and/or network regions.

In this paper, we introduce a novel concept to broadly capture unsolicited Internet traffic, which we call a "meta-telescope". A meta-telescope is based on the intuition that, with the availability of appropriate vantage points, one can (i) infer which address blocks on the Internet are unused and (ii) capture traffic towards them-both without having control of such address blocks. From this intuition, we develop and evaluate a methodology for identifying unlikely to be used Internet address space and build a meta-telescope that has very desirable properties, such as broad coverage of dark space both in terms of size and topological placement. Such meta-telescope identifies and captures unsolicited traffic to more than 350k /24 blocks in more than 7k ASes. Through the analysis of background radiation towards these networks, we also highlight that unsolicited traffic differs by destination network/geographic region as well as by network type. Finally, we discuss our experience and challenges when operating a meta-telescope in the wild.@en

The growing dependency on interconnected devices makes cyber crime increasingly lucrative. Together with the rise of premade tools to perform exploits, the number of cyber incidents grows rapidly each year. Defending against these threats becomes increasingly difficult as organizations depend heavily on the Internet and have many different connected devices, all with their own protocols and vulnerabilities. The rise in cyber crime and plethora of devices make it difficult for organizations to detect and mitigate all attacks targeting their business. Cyber Threat Intelligence (CTI) provides defenders with information about cyber threats and thus the ability to scope the defensive efforts towards the areaswith the highest risk of damages. This information comes in different forms, from lists if indicators that are direcly ingestible into the defensive infrastructure of a company to documents describing the Tactics, Techniques and Procedures (TTPs) of adversaries. A major challenge in CTI is identifying indicators that describe more abstract features of adversaries, such as the tools that are used, to automatically detect mitigation attempts in defensive infrastructure. Furthermore, the identification of adversarial campaigns remains challenging, but the analysis on the campaigns that are identified proves to provide valuable information about actor capabilities and the threat landscape. In this thesis, we focus on improving CTI by getting a better understanding of adversarial behavior and evolution. We first create metrics to measure the quality of CTI feeds and address some measurement bias in network-based measurements. To obtain better understanding of adversaries we focus on tool fingerprinting, adversarial evolution and campaign analysis. We find a surprising lack of sophistication and evolution of adversaries. But we also find that the quality of CTI feeds is poor with on average a response time of 21 days before an indicator is added to a feed after it is active. We show that by fingerprinting adversarial tools and performing campaign analysis on individual attacks, we can learn the sophistication of adversaries and obtain a better understanding of the threat landscape. In addition, following attacker campaigns over time allows us to better understand the evolution of actors and their objectives. To allow for this campaign analysis in DDoS attacks, we introduce a new model to describe attacks and cluster these on behavior. Finally, we utilize adversarial TTPs to devise a method to disrupt malware propagation and evaluate this method on a real-world botnet.@en

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.

@en

In order to mount an effective defense, information about likely adversaries, as well as their techniques, tactics and procedures is needed. This so-called cyber threat intelligence helps an organization to better understand its threat profile. Next to this understanding, specialized feeds of indicators about these threats downloaded into a firewall or intrusion detection system allow for a timely reaction to emerging threats. These feeds however only provide an actual benefit if they are of high quality. In other words, if they provide relevant, complete information in a timely manner. Incorrect and incomplete information may even cause harm, for example if it leads an organization to block legitimate clients or if the information is too unspecific and results in an excessive amount of collateral damage. In this paper, we evaluate the quality of 17 open source cyber threat intelligence feeds over a period of 14 months, and 7 additional feeds over 7 months. Our analysis shows that the majority of indicators are active for at least 20 days before they are listed. Additionally, we have found that many list have biases towards certain countries. Finally, we also show that blocking listed IP addresses can yield large amounts of collateral damage.

@en

To compromise a computer, it is first necessary to discover which hosts are active and which services they run. This reconnaissance is typically accomplished through port scanning. Defense systems monitor for these unsolicited packets and raise an alarm if a predefined threshold is exceeded. To remain undetected, adversaries can either slow down the scan, and/or distribute it over multiple hosts. With each source below the threshold, the combination of all may still complete the scan efficiently. It is especially this group that is of concern: with enough resources and knowledge to execute such a coordinated activity, they will pose a more potent threat than the noisy "script kiddie". Correlating which out of 4 billion IPs potentially collaborate is however a challenging task, hence today’s systems do not consider coordination beyond basic subnet aggregation.In this paper, we propose a method to identify and fingerprint distributed scanners based on commonalities in header fields, which are an artifact of the way fast port scanning software is built. We demonstrate that this method can effectively locate groups, and based on the monitoring logs we report on a number of new groups and tools, which have previously not been reported in the academic literature.Fingerprints generated can ultimately be used as Indicators of Compromise to detect and mitigate scanning behavior in order to deny adversaries the possibility to learn about weaknesses of a system.@en

Ever since the introduction of the domain name system (DNS), attacks on the DNS ecosystem have been a steady companion. Over time, targets and techniques have shifted, and in the recent past a new type of attack on the DNS has emerged. In this paper we report on the DNS random subdomain attack, querying floods of non-existent subdomains, intended to cause a denial-of-service on DNS servers. Based on five major attacks in 2018 obtained through backscatter measurements in a large network telescope, we show the techniques pursued by adversaries, and develop a taxonomy of strategies of this attack.

@en

The evaluation of cognitive agent systems, which have been advocated as the next generation model for engineering complex, distributed systems, requires more benchmark environments that offer more features and involve controlling more units. One issue that needs to be addressed time and again is how to create a connector for interfacing cognitive agents with such richer environments. Cognitive agents use knowledge technologies for representing state, their actions and percepts, and for deciding what to do next. Issues such as choosing the right level of abstraction for percepts and action synchronization make it a challenge to design a cognitive agent connector for more complex environments. The leading principle for our design approach to connectors for cognitive agents is that each unit that can be controlled in an environment is mapped onto a single agent. We design a connector for the real-time strategy (RTS) game StarCraft and use it as a case study for establishing a design method for developing connectors for environments. StarCraft is particularly suitable to this end, as AI for an RTS game such as StarCraft requires the design of complicated strategies for coordinating hundreds of units that need to solve a range of challenges including handling both short-term as well as long-term goals. We draw several lessons from how our design evolved and from the use of our connector by over 500 students in two years. Our connector is the first implementation that provides full access for cognitive agents to StarCraft: Brood War.

@en

In SSH brute forcing attacks, adversaries try a lot of different username and password combinations in order to compromise a system. As such activities are easily recognizable in log files, sophisticated adversaries distribute brute forcing attacks over a large number of origins. Effectively finding such distributed campaigns proves however to be a difficult problem. In practice, when adversaries would spread out brute-forcing over multiple sources, they would likely reuse the same kind of software across all of these origins to simplify their operation and reduce cost. This means if we are able to identify the tooling used in these attempts, we could cluster similar tool usage into likely collaborating hosts and thus campaigns. In this paper, we demonstrate that it is possible to utilize cipher suites and SSH version strings to generate a unique fingerprint for a brute-forcing tool used by the attacker. Based on a study using a large honeynet with over 4,500 hosts, which received approximately 35 million compromisation attempts over the period of one month, we are able to identify 49 tools from the collected data, which correspond to off-the-shelf tools, as well as custom implementations. The method is also able to fingerprint individual versions of tools, and by revealing mismatches between advertised and actually implemented features detect hosts that spoof identifying information. Based on the generated fingerprints, we are able to correlate login credentials to distinguish distributed campaigns. We uncovered specific adversarial behaviors, tactics and procedures, frequently exhibiting clear timing patterns and tight coordination.

@en