Researchers showcase automated cyber threat anticipation system

A group of researchers is trying to develop an automatic early warning system that should help defenders take preventative action before specific cyber attacks start unfolding.

How does their system work?

Their approach leverages the fact that preparation of cyber attacks often occurs in plain sight, discussed on online platforms and publicly accessible discussion forums.

“The system monitors social media feeds of a number of prominent security researchers, analysts, and white-hat hackers, scanning for posts (tweets) related to exploits, vulnerabilities, and other relevant cyber-security topics. Afterwards, it applies text mining techniques to identify important terms and remove irrelevant ones. Then, the system verifies whether the terms that were identified during the filtering stage have ever been used in dark web hacking forums, and eventually reports the volume of mentions as well as the content of posts,” the researchers explained.

Relative success

During the system’s initial testing period (September 2016 – January 2017), some 84% of the alerts it generated were relevant to current or imminent cyber threats.

(One of the attacks that unfolded during the testing period is Mirai’s hit on Dyn. Among the data breaches uncovered by leaks on dark web forums were the AdultFriendFinder and BrazzersForum breaches. Malware that reared its head during that time includes the Gooligan (Ghost Push) Android malware.)

The researchers have discovered that some types of cyber attacks are more predictable than others, namely exploitation of vulnerabilities vs. data breaches.

After the test period, their system also showed alerts about Wannacry/WannaCrypt/Wcry and Petya/Petrwrap/NotPetya months before those massive attacks happened.

But how helpful could those early alerts be?

“Our method is still being improved with the aim to generate more detailed and informative warnings. Future versions of the algorithm will include a Natural Language Processing (NLP) stage aimed at extracting knowledge and insights from the dark web posts mentioning the discovered terms. In particular, we are developing NLP methods to recognize entities such as actors (hackers or groups), targets (organizations, specific sectors, etc.), source codes, etc.,” they noted.

They are also thinking about:

• Extending their monitored keyword lists to layman terms (e.g.,out-of-service, unavailable, etc., instead of DDoS),
• Monitoring communities of open source software developers as well as other data sources (e.g., cybersecurity-related blogs) to timely identify new bugs and vulnerabilities as they become publicly known.

“We plan to leverage computational linguistic methods to investigate personality traits and socio-cultural traits of users mentioning the discovered words on dark web forums: this will allow us to determine the credibility of a threat based on the expertise and the intents demonstrated by the actors associated to it,” they concluded.