Assessing Internet-wide Cyber Situational Awareness of Critical Sectors

In this short paper, we take a first step towards empirically assessing Internet-wide malicious activities generated from and targeted towards Internet-scale business sectors (e.g., financial, health, education) and critical infrastructure (e.g., utilities, manufacturing, government). Facilitated by an innovative and collaborative large-scale effort, we have conducted discussions with numerous Internet entities to obtain rare and private information related to the IP blocks allocated to the aforementioned sectors and critical infrastructure. We employ this information to attribute Internet-scale maliciousness to such sectors and realms, in an attempt to provide an in-depth analysis of the global cyber situational posture. We draw upon close to 16.8 TB of darknet data to infer probing activities (typically generated by malicious/infected hosts) and DDoS backscatter, from which we distill the IP addresses of victims. By executing week-long measurements, we observed an alarming number of more than 11,000 probing machines and 300 DDoS attack victims hosted by critical sectors. We also generate rare insights related to the maliciousness of various business sectors, including the financial sector, which typically does not report the illicit activities it hosts or is targeted by, for reputation-preservation purposes. While we treat the obtained results with strict confidentiality due to obvious sensitivity reasons, we postulate that such generated cyber threat intelligence could be shared with sector/critical infrastructure operators, backbone networks and Internet service providers to contribute to the overall threat remediation objective.
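The abstract describes two inferences drawn from darknet (network telescope) traffic: probing activity, recognised as scanners sending SYNs across many unused addresses, and DDoS backscatter, recognised as SYN-ACK/RST replies from a victim answering spoofed SYNs whose forged source addresses fell inside the darknet block. The victim and prober addresses are then attributed to sectors through allocated IP blocks. The following Python is an added illustration of that pipeline and is not the paper's code; the darknet block, the sector-to-block map and the packets are all constructed, and the "three or more distinct targets" probing threshold is an assumption chosen for the example, not a value from the paper.

```python
"""
Added example (not from the paper): toy darknet inference of probers and
DDoS backscatter victims, followed by sector attribution via IP blocks.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # TCP flags as a string: "S", "SA", "R" or "RA"
    dport: int


# Constructed sector map. In the paper these block allocations come from
# private information obtained from Internet entities; these are TEST-NET
# ranges used only for illustration.
SECTOR_BLOCKS = {
    "finance": [ip_network("198.51.100.0/24")],
    "health": [ip_network("203.0.113.0/24")],
    "utilities": [ip_network("192.0.2.0/24")],
}


def sector_of(ip):
    """Return the sector owning `ip`, or None if it is in no known block."""
    addr = ip_address(ip)
    for sector, blocks in SECTOR_BLOCKS.items():
        if any(addr in block for block in blocks):
            return sector
    return None


def classify(packets, probe_min_targets=3):
    """Split darknet packets into probers and backscatter victims.

    A source is a prober if it sent SYNs to at least `probe_min_targets`
    distinct darknet addresses (nothing legitimate connects to unused space).
    A source is a backscatter victim if it sent SYN-ACK or RST packets: the
    darknet never opened a connection, so these are replies to spoofed SYNs
    that carried darknet addresses as their forged source.
    Returns (probers, victims), each a dict keyed by source IP.
    """
    syn_targets = defaultdict(set)
    reply_counts = defaultdict(int)
    for p in packets:
        if p.flags == "S":
            syn_targets[p.src].add(p.dst)
        elif p.flags in ("SA", "R", "RA"):
            reply_counts[p.src] += 1
    probers = {src: len(targets) for src, targets in syn_targets.items()
               if len(targets) >= probe_min_targets}
    return probers, dict(reply_counts)


def attribute(ips):
    """Group IPs by sector; addresses outside every known block are dropped."""
    by_sector = defaultdict(list)
    for ip in ips:
        sector = sector_of(ip)
        if sector is not None:
            by_sector[sector].append(ip)
    return dict(by_sector)


# Constructed capture on a hypothetical darknet block 172.16.5.0/24.
SAMPLE_PACKETS = [
    # finance-hosted machine sweeping four darknet addresses: a prober
    Packet("198.51.100.7", "172.16.5.1", "S", 23),
    Packet("198.51.100.7", "172.16.5.2", "S", 23),
    Packet("198.51.100.7", "172.16.5.3", "S", 23),
    Packet("198.51.100.7", "172.16.5.4", "S", 23),
    # health-hosted server replying to SYNs it never received from us: backscatter
    Packet("203.0.113.20", "172.16.5.9", "SA", 443),
    Packet("203.0.113.20", "172.16.5.9", "SA", 443),
    Packet("203.0.113.20", "172.16.5.77", "RA", 443),
    # utilities-hosted host touching only two addresses: below threshold
    Packet("192.0.2.5", "172.16.5.10", "S", 502),
    Packet("192.0.2.5", "172.16.5.11", "S", 502),
    # single SYN from an address in no known sector block
    Packet("100.64.9.9", "172.16.5.12", "S", 80),
]


def run_example(packets=SAMPLE_PACKETS):
    """Run the pipeline over `packets` and return sector-level results."""
    probers, victims = classify(packets)
    return {"probers": attribute(probers), "victims": attribute(victims)}


if __name__ == "__main__":
    print(run_example())
```

The threshold on distinct targets is what separates a scanner from a stray misconfigured host, and the flag test is what separates backscatter from probing; real telescope pipelines such as those surveyed in the paper's references add sanitisation (misconfiguration filtering, deduplication) before either step.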
