Sorting Through Haystacks to Find CTI Needles


Clouded vision

CTI systems face significant challenges related to the size and variety of their collection networks, which ultimately affect the level of trust they can have in their signals. Can they rely on these signals to avoid false positives or malicious manipulation? Are the signals sufficiently fresh and dependable? Is there a significant difference between making decisions based on old data versus current data? Yes, there is. This difference is important because while a piece of information may assist in making a decision, actionable information can actually be used as a weapon against an aggressor. If raw data are like the fields where hay is grown, then information can be compared to the haystacks containing the hay, and actionable signals are like the needles hidden within them.

To illustrate the size and diversity of collection networks without naming any particular company, consider a large Content Delivery Network (CDN) provider. Its job is to deliver huge volumes of content over HTTP(S) at scale. That yields a great many notices and indicators, but only on the HTTP layer. Furthermore, an intelligent attacker is unlikely to probe your IP ranges, since they are public and known to belong to your AS. You will therefore only see random scans or direct attacks on the HTTP layer, and the scope of what you observe is quite limited.

If you operate a comprehensive antivirus solution such as an EDR/XDR, you may claim that your detection network is vast and covers millions of devices owned by affluent corporations. Smaller organizations such as non-profit hospitals and local libraries often cannot pay for these expensive tools. As a result, you only observe threats aimed at those advanced organizations, specifically threats delivered through malicious software on local network devices.

Not every attacker can be fooled by honeypot systems alone. Honeypot technology is only a tool for identifying and studying attacks against specific vulnerabilities or systems. There is no perfect solution to combat cyber crime on this front, just as there is no one-size-fits-all answer elsewhere in cybersecurity. No group wants to spend valuable resources attacking a honeypot machine: it makes no sense to waste DDoS capacity on a useless decoy, and why risk burning an exploit or tool, and giving away your IP address, on a possible trap? Honeypots are therefore mostly useful for gathering information about automated exploitation attempts, of the kind "this IP is probing whether your system is vulnerable to Log4j".

Honeypot visibility is thus restricted to simple, easily attainable targets. In addition, your ability to cover a wide range of locations is limited, which restricts the variety of targets you can attract. If you confine all of your honeypots to a few clouds, you will not detect everything and will only attract easy objectives, while your own network may still be exposed to malicious activity. Criminals can also manually avoid your IP ranges. You may set up your deployment properly on each platform, but you will only see the IP addresses that show up, not whether attackers are deliberately avoiding Google Cloud Platform (GCP), Amazon Web Services (AWS) or another cloud provider. It is also worth noting that these providers are not non-governmental organizations, so your network may still be at risk from attacks you never observe there. Money is another factor that limits the size of the operation: if a fully automated honeypot on XYZ cloud costs $20 per month, running thousands of them requires substantial financial resources.

Establishing a counter-offensive

To bring mass cyber crime under control, we must target a limited resource; otherwise it cannot be properly regulated. Conti-Leaks revealed the significant problems a large cyber crime group faces. Clearly, money laundering (especially with cryptocurrency) is one of them, and recruitment brings the expected payroll costs. Examining the group's internal chat system, however, shows additional expenses: changing IPs, borrowing and renting equipment, cleaning equipment, installing tools, migrating operations and C2 components. These costs can be substantial in both time and money.

Hashes are effectively unlimited: SHA1 alone offers a space of 2^160 values. While it may be possible to collect them, any new variant of a piece of malware will almost certainly have a distinct signature. Most cyber criminal groups now run rigorous CI/CD procedures, and changing a single byte before dispatching the payload to the intended recipient is all it takes.

Domains are similarly abundant, apart from those already registered by others. It is still important to remain vigilant for potential infringements on your brand identity: the online world is constantly evolving, and staying ahead matters for maintaining a strong online presence. Recently, there have been more pre-crime-style reservations intended to prevent phishing attempts, and adopting such a proactive approach, with these kinds of tools, can better protect against potential security risks.

Monitoring and categorizing harmful software by its hashes, its communication with command and control servers, or the IP addresses attempting to exploit certain vulnerabilities is helpful, but it is simply reacting to threats. Instead of merely knowing where the enemy is coming from or how they operate, it is more effective to take proactive measures to prevent attacks. It is fascinating how IP addresses constrain an attacker's ability to operate: the IP system has been around for many years and will still exist long after our time.

IPv4 is currently a scarce resource, with only around 4 billion addresses available. To exploit this, the proactive measure is to burn IP addresses as soon as their malicious use is recognized, which directly attacks the opponent's limited resources. The opponent has changed tactics, of course; the environment for cyber attacks is constantly changing. Tor and residential proxy applications give attackers an opportunity to use someone else's IP address, including addresses of already hacked servers sold on the dark web.

If you block an IP address, it may no longer be in use the following hour, which produces a false positive. To address this, a crowdsourcing tool is needed that protects businesses of all sizes, in many locations and on different cloud platforms. The larger the network, the more diverse the range of locations and organizations it covers, including private companies, homes and militarized zones, and the more protocols it sees. IP rotation is not an issue for bigger networks, since IPs no longer in use can be released while newly reported ones are added to the blocklist. Managing IP addresses becomes more complex as the network grows, but it also becomes increasingly real-time.

Such a network can observe and oversee nearly all types of protocols, except those based on UDP. These should be excluded because it is effortless to spoof and forge packets over UDP: if you rely solely on reports from a UDP-based protocol to ban an IP address, you can be misled. Apart from this limitation, any other protocol can be monitored and examined closely without problems. Searching for CVE exploitation attempts is advisable, but observing behavior is even more effective, because it identifies aggressive actions that are not necessarily tied to a CVE. An example is scalping, using automated bots to buy products rapidly, which goes beyond typical attacks such as L7 DDoS, scans, credential stuffing or brute force: someone buys software from a website and resells it for profit on eBay, a business concern rather than a security issue. The open-source platform CrowdSec was created specifically to facilitate this kind of behavior-based, crowdsourced detection.
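As an added example (not CrowdSec's code and not part of the original post), the following builds a blocklist from constructed sensor reports using the three rules from the two paragraphs above: an IP is listed only when several independent reporters agree, it is released once nobody has reported it within the TTL, and UDP-based reports never count because they are trivially spoofable. The report tuple format, sensor names, thresholds and addresses are all assumptions.

```python
from collections import defaultdict

# Constructed reports (not real data); assumed format:
# (timestamp_seconds, reporter_id, source_ip, protocol, scenario)
REPORTS = [
    (0,   "sensor-paris", "198.51.100.7", "tcp", "ssh-bruteforce"),
    (60,  "sensor-nyc",   "198.51.100.7", "tcp", "ssh-bruteforce"),
    (120, "sensor-tokyo", "198.51.100.7", "tcp", "http-probe"),
    (30,  "sensor-paris", "203.0.113.9",  "udp", "dns-amplification"),
    (45,  "sensor-nyc",   "203.0.113.9",  "udp", "dns-amplification"),
    (90,  "sensor-nyc",   "203.0.113.9",  "udp", "dns-amplification"),
    (500, "sensor-paris", "192.0.2.33",   "tcp", "http-probe"),
]

MIN_REPORTERS = 2    # corroboration: a single reporter is never enough
TTL_SECONDS = 3600   # an IP is released once no fresh report remains
SPOOFABLE = {"udp"}  # a forged UDP packet could frame an innocent address


def build_blocklist(reports, now, min_reporters=MIN_REPORTERS, ttl=TTL_SECONDS):
    """Return the set of source IPs that should be blocked at time `now`."""
    last_seen = defaultdict(dict)  # ip -> {reporter_id: newest timestamp}
    for ts, reporter, ip, proto, _scenario in reports:
        if proto in SPOOFABLE or ts > now:
            continue  # never block on UDP evidence; ignore future reports
        last_seen[ip][reporter] = max(last_seen[ip].get(reporter, -1), ts)

    blocked = set()
    for ip, reporters in last_seen.items():
        # Only reports inside the TTL window still count as "in use";
        # rotated-away IPs drop out of the list on their own.
        fresh = [r for r, ts in reporters.items() if now - ts <= ttl]
        if len(fresh) >= min_reporters:
            blocked.add(ip)
    return blocked
```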

IPv6 is a relatively new technology that has been anticipated for the past twenty years. Despite the ample time to prepare, it is only now officially in use, and the rollout of 5G will only make its usage grow rapidly. IPv6 introduces a new address pool that is incredibly vast, with a capacity of 2^128. There are restrictions: not all v6 ranges are currently allocated, and each user is typically handed a large block of IPv6 addresses rather than a single one. Nevertheless, the quantity of IPv6 addresses available remains enormous.

Let's couple AI & Crowdsourcing

When huge amounts of information start to arrive from a network of many contributors, and the thing you are trying to reduce in size is actually growing, it makes sense to consider AI as a solution.

The network effect is a powerful phenomenon. Consider an IP address that attempts to log into many online accounts using a list of login/password combinations: this is a credential stuffing attack. It works because people tend to reuse the same login and password across multiple accounts, so an attacker who holds one compromised combination can try it everywhere it might have been reused, and the impact can be devastating at scale. Seeing the same behavior with the same credentials from various angles, that is, from many sites in the network, provides further evidence of the attacker's intentions.

To be honest, AI is not necessary to distinguish credential brute force, credential reuse and credential stuffing. However, there are situations where AI performs exceptionally well when paired with a vast network that gathers extensive data.
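As an added example (not the post's own code), here is the plain, AI-free distinction the paragraph refers to, run over constructed failed-login records shared by two sites, plus the cross-site count that captures the network effect. The record format, the password-hash field (sites would share a hash of the attempted password, never the password itself) and the labelling thresholds are assumptions.

```python
from collections import defaultdict

# Constructed failed-login records pooled from two sites (not real logs):
# (site, src_ip, username, hash_of_attempted_password)
FAILED_LOGINS = [
    # one account, many passwords, one site: password brute force
    ("shop.example",  "198.51.100.7", "alice", "h1"),
    ("shop.example",  "198.51.100.7", "alice", "h2"),
    ("shop.example",  "198.51.100.7", "alice", "h3"),
    ("shop.example",  "198.51.100.7", "alice", "h4"),
    # many distinct user/password pairs, once each, on both sites: stuffing
    ("shop.example",  "203.0.113.9", "bob",   "h10"),
    ("shop.example",  "203.0.113.9", "carol", "h11"),
    ("shop.example",  "203.0.113.9", "dave",  "h12"),
    ("forum.example", "203.0.113.9", "bob",   "h10"),
    ("forum.example", "203.0.113.9", "carol", "h11"),
    ("forum.example", "203.0.113.9", "dave",  "h12"),
    # a single known pair replayed on several sites: credential reuse
    ("shop.example",  "192.0.2.33", "erin", "h20"),
    ("forum.example", "192.0.2.33", "erin", "h20"),
]


def classify(records):
    """Label each source IP as bruteforce, stuffing, reuse or unknown (assumed rules)."""
    per_ip = defaultdict(list)
    for site, ip, user, pw in records:
        per_ip[ip].append((site, user, pw))
    labels = {}
    for ip, attempts in per_ip.items():
        users = {u for _, u, _ in attempts}
        pairs = {(u, p) for _, u, p in attempts}
        sites = {s for s, _, _ in attempts}
        if len(users) == 1 and len(pairs) >= 3:
            labels[ip] = "bruteforce"   # guessing passwords for one account
        elif len(pairs) >= 3 and len(pairs) == len(users):
            labels[ip] = "stuffing"     # one password per user: a leaked list
        elif len(pairs) == 1 and len(sites) >= 2:
            labels[ip] = "reuse"        # one pair replayed across sites
        else:
            labels[ip] = "unknown"
    return labels


def corroboration(records):
    """How many distinct sites saw each IP: the same behaviour from several angles."""
    sites = defaultdict(set)
    for site, ip, _, _ in records:
        sites[ip].add(site)
    return {ip: len(s) for ip, s in sites.items()}
```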

Another example is a wide scan of the internet using 1024 hosts, each responsible for scanning a single port, which makes any one of them unlikely to attract attention. If, however, the same IP address is reported scanning the same port within a comparable period in many different locations, it becomes noticeable. Seen singly the event is insignificant; seen at scale it is easy to perceive.

Artificial intelligence algorithms can detect patterns that are not perceivable when one concentrates on a single location, but become evident when data is analyzed at the scale of the whole network.
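As an added example (not the post's own code), the two functions below show the aggregation step behind the distributed-scan case above: counting how many sensors saw each (source, port) pair, and flagging a prefix whose hosts each probe exactly one distinct port, which is what the split-up scan looks like from the network's point of view. The sightings, sensor names, the /24 grouping and the minimum host count are assumptions; grouping by AS instead of prefix would need an external lookup.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sightings (not real data): (sensor_id, src_ip, dst_port).
# Four hosts in 198.51.100.0/24 each probe a single port and are seen by
# several sensors; 203.0.113.5 is a lone, unrelated hit.
SIGHTINGS = [
    ("sensor-a", "198.51.100.1", 22),
    ("sensor-b", "198.51.100.1", 22),
    ("sensor-c", "198.51.100.1", 22),
    ("sensor-a", "198.51.100.2", 80),
    ("sensor-b", "198.51.100.2", 80),
    ("sensor-a", "198.51.100.3", 443),
    ("sensor-c", "198.51.100.3", 443),
    ("sensor-b", "198.51.100.4", 8080),
    ("sensor-c", "198.51.100.4", 8080),
    ("sensor-a", "203.0.113.5", 22),
]


def sensor_counts(sightings):
    """(src_ip, dst_port) -> number of distinct sensors that reported it."""
    seen = defaultdict(set)
    for sensor, ip, port in sightings:
        seen[(ip, port)].add(sensor)
    return {key: len(sensors) for key, sensors in seen.items()}


def distributed_scanners(sightings, prefix_len=24, min_hosts=3):
    """Prefixes whose hosts each probe one different port: one scan split across hosts."""
    hosts_by_prefix = defaultdict(lambda: defaultdict(set))  # prefix -> ip -> ports
    for _sensor, ip, port in sightings:
        prefix = str(ip_network(f"{ip}/{prefix_len}", strict=False))
        hosts_by_prefix[prefix][ip].add(port)

    suspicious = {}
    for prefix, hosts in hosts_by_prefix.items():
        one_port_each = all(len(ports) == 1 for ports in hosts.values())
        all_ports = {p for ports in hosts.values() for p in ports}
        # enough hosts, every host on a single port, and no two hosts on the same port
        if len(hosts) >= min_hosts and one_port_each and len(all_ports) == len(hosts):
            suspicious[prefix] = sorted(all_ports)
    return suspicious
```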

When the data is represented using graphs and embeddings, intricate levels of interaction among IP ranges or Autonomous Systems (AS) can be revealed, which helps in recognizing groups of machines that work together towards a common objective. The technique is particularly beneficial when multiple IP addresses are involved. An attack is commonly divided into stages such as scanning, exploiting a vulnerability, installing a backdoor and then using the compromised server in a DDoS attack, and these steps appear in logs as a repeated pattern: the first IP address shows up at a certain time, a second IP address follows 10 minutes later, and so on. If the same IP addresses play these roles in multiple locations, you can confidently advise everyone to block all 4 IPs simultaneously.
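As an added example (not the post's own code, and deliberately without any graph or embedding library), this extracts the staged pattern described above from constructed per-target event logs: for each target it walks the events in time order looking for the scan, exploit, backdoor, DDoS sequence and records which IP carried each stage, then reports chains that recur at several targets, which is the point at which blocking all four addresses together is justified. Event format, stage names, the time gap and the targets are assumptions.

```python
from collections import Counter, defaultdict

STAGES = ["scan", "exploit", "backdoor", "ddos"]  # assumed stage labels, in order

# Constructed events (not real logs): (target, minute, src_ip, stage)
EVENTS = [
    ("site-1",   0, "198.51.100.1", "scan"),
    ("site-1",  10, "198.51.100.2", "exploit"),
    ("site-1",  25, "198.51.100.3", "backdoor"),
    ("site-1",  60, "198.51.100.4", "ddos"),
    ("site-2", 300, "198.51.100.1", "scan"),
    ("site-2", 311, "198.51.100.2", "exploit"),
    ("site-2", 324, "198.51.100.3", "backdoor"),
    ("site-2", 360, "198.51.100.4", "ddos"),
    ("site-3",  40, "203.0.113.9",  "scan"),     # never got past exploitation
    ("site-3",  55, "203.0.113.9",  "exploit"),
]


def stage_chains(events, max_gap=120):
    """Per target, the tuple of IPs that carried the full stage sequence in order."""
    by_target = defaultdict(list)
    for target, minute, ip, stage in events:
        by_target[target].append((minute, ip, stage))

    chains = {}
    for target, evs in by_target.items():
        evs.sort()  # time order
        chain, last_minute, idx = [], None, 0
        for minute, ip, stage in evs:
            if idx == len(STAGES):
                break
            in_window = last_minute is None or minute - last_minute <= max_gap
            if stage == STAGES[idx] and in_window:
                chain.append(ip)
                last_minute = minute
                idx += 1
        if idx == len(STAGES):  # only complete chains are kept
            chains[target] = tuple(chain)
    return chains


def recurring_chains(events, min_targets=2):
    """Chains seen at several targets: the same IPs playing the same roles elsewhere."""
    counts = Counter(stage_chains(events).values())
    return {chain: n for chain, n in counts.items() if n >= min_targets}
```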

AI can provide precise and contextual information to complement the limitations of crowdsourced signals, and combining the two lets us better detect and respond to cyber threats. Models typically become significant only once they have assimilated massive amounts of data; at that point they can refine and scrutinize these signals by reducing noise and bringing concealed patterns to light.
