CYBER THREAT INTELLIGENCE
College of Engineering & Computer Science, Florida Atlantic University
ABL

ASSESSING INTERNET-WIDE CYBER SITUATIONAL AWARENESS OF CRITICAL SECTORS
Thursday 30th August, 2018
Martin Husák, Nataliia Neshenko, Morteza Safaei Pour, Elias Bou-Harb, Pavel Čeleda

Motivation
Sector-specific malware
- Rise of IoT and CPS paradigms in critical sectors; Stuxnet, Havex, Industroyer, ...
Wide-area cyber situational awareness
- Global remediation objectives.
- It is too laborious to obtain network traffic traces from various sectors, even on a smaller scale.
- Unwillingness of certain sectors to share cyber security information (banking sector: fear of brand damage).
Page 2 / 17

Research Questions
Question I. Given the lack of empirical data that can be analyzed from within various sectors, including critical infrastructure, in addition to the complementary logistics and privacy issues, how can one assess the Internet-scale cyber security posture of such sectors?
Question II. What insights and inferences can one generate by analyzing and characterizing sector-related empirical data, which could be used for effective cyber threat intelligence?
Page 3 / 17

Proposed Approach
Page 4 / 17

Collecting Darknet Data
Darknet
- CAIDA /8 darknet.
- Macroscopic: 1/256 of the total IPv4 address range.
Data Processing
- Darknet flow: a series of consecutive packets from the same source IP address.
- Other characteristics: IP protocol, port number, TCP flags.
- Threshold-based methods of scan and DDoS backscatter detection (64 packets per event).
Page 5 / 17

Sector Attribution
Manual attribution
- DNS and WHOIS querying; too laborious and time-consuming.
Automated attribution
- Collaborative effort to access and collect private information on IP blocks.
- Database of sector information per IP block, similar to geolocation databases.
- Limited public access as of today.
Page 6 / 17

Identifying Critical Sectors
- Manual identification of critical sectors using DHS and EU lists.
- EU Council Directive 2008/114/EC defines European Critical Infrastructure, covering mostly Energy and Transport.
- The Department of Homeland Security defines 16 critical sectors:
  Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems.
Page 7 / 17

Data Analysis
Scan-to-DDoS Ratio
- Ratio of network scanning to DDoS attacks, computed from a given sector's share of all scans and its share of all DDoS attacks.
- Network scanning indicates infected hosts.
- DDoS attacks indicate highly interesting targets.
Interpretation
- Below-average ratio: many infected hosts of less significance.
- Above-average ratio: better secured (critical?) hosts, more likely to be DDoS targets.
Page 8 / 17

Empirical Evaluation
Page 9 / 17

Collected Data
Measurement
- 16.8 TB of darknet data, 1 week of measurement.
Inferred events
- 8M network scanning events per day,
- 1.8M distinct scanning IPs per day,
- 30k DDoS attacks per day,
- 7k distinct DDoS victim IPs per day.
Page 10 / 17

Critical Sector Attribution
Sector attribution
- Successful for 86.73% of events (92.08% of distinct IP addresses).
- Discrepancy in the share of unknown sectors: scans 13.14%, DDoS backscatter 31.70%.
- Large share of Telecommunications and ISP sectors.
Critical sectors
- Manual scrutiny of critical sectors; no machine-readable lists available.
- 49 different sectors, 6 of them critical.
- Share of critical sectors is less than 1% (both scans and DDoS backscatter).
Page 11 / 17

Scan to DDoS Ratio
Illustrative Examples
- Telecommunications and ISPs: above average.
- Internet hosting services: below average.
Critical Sectors
- Expected to be similar to Internet hosting services.
- Financial sector, Manufacturing, and Utilities conform to this.
- Government, Health, Transportation: around-average ratio!
- No critical sector with a significantly higher ratio.
Page 12 / 17

Scanners and DDoS victims per sector
[Figure: bar chart of the number of scanners and DDoS victims per sector; log-scale y-axis from 1 to 10,000,000; series: Scanner, DDoS victim. Sectors shown: Business Conglomerate, Education, Finance, Government, Health, Internet Colocation Services, Internet Hosting Services, Internet Service Provider, Manufacturing, Member Organization, Private Service, Professional Service, Research and Development, Retail, Telecommunications, Transportation, Utilities, Wholesale, (blank), Other, ICT, Professional Services, (unknown).]
Page 13 / 17

Scan to DDoS share ratio of top-10 sectors

Sector                        Scans (%)   DDoS (%)   Ratio
Telecommunications               47.668     33.049   1.442
Internet Service Provider        43.404     40.583   1.069
(unknown)                         7.717     22.505   0.343
Private Service                   0.224      0.134   1.671
Internet Colocation Services      0.157      0.292   0.538
Education                         0.154      0.388   0.397
Internet Hosting Services         0.135      1.351   0.100
Other                             0.137      0.341   0.402
Professional Service              0.059      0.314   0.187
ICT                               0.053      0.085   0.623
Average ratio (all sectors)                          0.681
Page 14 / 17

Scan to DDoS share ratio of critical sectors

Sector                        Scans (%)   DDoS (%)   Ratio
Manufacturing                     0.053      0.139   0.383
Government                        0.044      0.064   0.693
Health                            0.024      0.032   0.736
Finance                           0.014      0.056   0.247
Transportation                    0.004      0.005   0.684
Utilities                         0.002      0.010   0.219
All critical sectors combined     0.140      0.306   0.460
Average ratio (all sectors)                          0.681
Page 15 / 17

Conclusion and Future Work
Conclusion
- Week-long measurements of darknet traffic (global scope).
- Attribution of IP addresses of scanners and DDoS victims to their corresponding sectors.
- Identification of critical sectors.
- Scan-to-DDoS ratio characterizing sectors.
Future Work
- Characteristics of (critical) sectors: device types and network services unique to a given sector.
- Long-term monitoring and trend analysis.
Page 16 / 17

THANK YOU FOR YOUR ATTENTION!
csirt.muni.cz
Martin Husák, @csirtmu, husakm@ics.muni.cz
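The following script is an added example, not code from the authors or from the project the slides describe. It walks the pipeline of slides 5 to 8 and 14 to 15 end to end on constructed data: darknet packets are grouped into flows (consecutive packets from one source IP), flows are kept as events only if they reach the 64-packet threshold from the slides and labelled as scans or DDoS backscatter, each event's source IP is attributed to a sector, and per-sector scan-to-DDoS share ratios are computed and placed against the average. Everything not on the slides is an assumption and is marked as such in the code: the 60-second silence that closes a flow, classification by a majority of SYN-ACK/RST packets, the tiny prefix-to-sector table that stands in for the non-public sector database, reading "average ratio" as the arithmetic mean of the defined per-sector ratios, and the +/-10% band used for "around average". The IP addresses and event counts are constructed and are not the paper's data; the "combined" row reproduces the "All critical sectors combined" logic of the table, summing the group's shares before dividing.

```python
"""Added example (not the authors' code): the slides' pipeline end to end, on
constructed data. Darknet packets -> flows -> scan / DDoS-backscatter events
-> sector attribution -> per-sector scan-to-DDoS share ratio."""
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import mean

THRESHOLD = 64      # packets per event: the figure given on the slides
FLOW_GAP = 60.0     # assumed: seconds of silence that closes a darknet flow (not on the slides)
BAND = 0.10         # assumed: ratios within +/-10% of the mean count as "around average"
BACKSCATTER = {"SA", "R", "RA"}   # TCP replies a victim sends back to spoofed source addresses

# Constructed stand-in for the non-public per-IP-block sector database.
SECTOR_DB = {
    ip_network("203.0.113.0/24"): "Telecommunications",
    ip_network("198.51.100.0/25"): "Finance",
    ip_network("198.51.100.128/25"): "Government",
}

def attribute_sector(ip):
    """Longest-prefix match in SECTOR_DB; '(unknown)' when no block covers ip."""
    addr = ip_address(ip)
    hits = [(net.prefixlen, sec) for net, sec in SECTOR_DB.items() if addr in net]
    return max(hits)[1] if hits else "(unknown)"

def build_flows(packets):
    """A darknet flow is the run of consecutive packets from one source IP; a
    pause longer than FLOW_GAP ends it. Packets are dicts with ts/src/proto/flags."""
    closed, active = [], {}
    for p in sorted(packets, key=lambda q: q["ts"]):
        cur = active.get(p["src"])
        if cur and p["ts"] - cur[-1]["ts"] > FLOW_GAP:
            closed.append(cur)          # source went quiet: close the flow
            cur = None
        if cur is None:
            cur = active[p["src"]] = []
        cur.append(p)
    return closed + list(active.values())

def detect_events(flows):
    """Threshold rule: flows under THRESHOLD packets are dropped. A flow dominated
    by SYN-ACK/RST is backscatter (its source is a DDoS victim); anything else
    is treated as a scan (its source is a scanning, probably infected, host)."""
    events = []
    for flow in flows:
        if len(flow) < THRESHOLD:
            continue
        bs = sum(p["proto"] == "tcp" and p["flags"] in BACKSCATTER for p in flow)
        src = flow[0]["src"]
        events.append({"type": "ddos" if 2 * bs > len(flow) else "scan", "ip": src,
                       "sector": attribute_sector(src), "packets": len(flow)})
    return events

def events_per_sector(events):
    """-> {sector: (scan events, DDoS events)}"""
    c = Counter((e["sector"], e["type"]) for e in events)
    return {s: (c[(s, "scan")], c[(s, "ddos")]) for s in {s for s, _ in c}}

def scan_to_ddos_ratios(counts, group=None):
    """Share ratio: (sector's % of all scans) / (sector's % of all DDoS events).
    None where a sector has no DDoS events. If group is given, its sectors are
    also summed into one 'combined' entry, as the slides do for critical sectors."""
    tot_s = sum(s for s, _ in counts.values())
    tot_d = sum(d for _, d in counts.values())
    rows = dict(counts)
    if group:
        rows["combined"] = (sum(counts[g][0] for g in group), sum(counts[g][1] for g in group))
    return {sec: (100 * s / tot_s) / (100 * d / tot_d) if d else None
            for sec, (s, d) in rows.items()}

def interpret(ratios):
    """Mean of the defined per-sector ratios (how 'average ratio' is read here),
    and each sector placed below / around / above it."""
    avg = mean(r for sec, r in ratios.items() if r is not None and sec != "combined")
    lo, hi = avg * (1 - BAND), avg * (1 + BAND)
    def label(r):
        return "undefined" if r is None else "below" if r < lo else "above" if r > hi else "around"
    return avg, {sec: label(r) for sec, r in ratios.items()}

def make_packets():
    """Constructed darknet capture: four sources, five flows, three events."""
    pkts = []
    def burst(src, n, t0, flags, proto="tcp"):
        pkts.extend({"ts": t0 + i, "src": src, "proto": proto, "flags": flags} for i in range(n))
    burst("203.0.113.10", 70, 0.0, "S")       # SYN probes -> scan event, Telecommunications
    burst("203.0.113.10", 30, 1000.0, "S")    # same source after a long pause: new flow, below threshold
    burst("198.51.100.5", 100, 5.0, "SA")     # SYN-ACK backscatter -> this Finance host is a DDoS victim
    burst("198.51.100.200", 10, 7.0, "S")     # ten probes: below threshold, dropped
    burst("192.0.2.7", 64, 9.0, "S")          # exactly THRESHOLD packets, no sector in the database
    return pkts

# Constructed per-sector event totals for a longer window (scans, DDoS); 10,000 of each.
SECTOR_COUNTS = {
    "Telecommunications": (4800, 3300), "Internet Service Provider": (4300, 4000),
    "Education": (500, 400), "Internet Hosting Services": (200, 1500),
    "Manufacturing": (100, 300), "Government": (70, 100), "Finance": (10, 400),
    "Wholesale": (20, 0),
}
CRITICAL = ("Manufacturing", "Government", "Finance")

if __name__ == "__main__":
    print(events_per_sector(detect_events(build_flows(make_packets()))))
    avg, verdict = interpret(scan_to_ddos_ratios(SECTOR_COUNTS, CRITICAL))
    print(f"average ratio {avg:.3f}:", verdict)
```

Two points the constructed data is built to show: the same source IP seen again after a long pause forms a new flow that has to clear the threshold on its own, and a sector with scans but no DDoS backscatter has no defined ratio and must be left out of the average rather than counted as zero. On the constructed totals the mean ratio comes out near 0.71, Government (0.70) lands "around" it, Internet Hosting Services sits well below, Telecommunications and the ISP sector above, and the three critical sectors combined (0.225) fall below average, which is the pattern the slides report for hosting-like critical sectors.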