Economic Factors of Vulnerability Trade and Exploitation

Allodi, Luca

doi:10.1145/3133956.3133960

Cited by 64 publications

(52 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hacking community on D2web.. While the hacking community in D2web sites has been widely investigated in the existing literature for applications such as analyzing the economics of D2web forums/markets [13], [14] and identifying future cyberthreats to mitigate risks [2], [15], none of these studies identify threats related to specific corporations or identify when in the future the predicted events may occur. DARKMENTION specifically predicts enterprise-targeted attacks and the periods in which those threats are predicted.…”

Section: Resultsmentioning

confidence: 99%

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Almukaynizi

Marin

Nunes

et al. 2018

2018 IEEE International Conference on Intelligence and Security Informatics (ISI)

View full text Add to dashboard Cite

Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to realworld cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets our goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.• timely: indicates the exact time-point in which a predicted attack will occur,• actionable: provides metadata/warning details, i.e., the target enterprise, type of attack, volume, and the software vulnerabilities/threat actor identified from the D2web discussions,• accurate: predicted unseen real-world attacks with an average increase in F1 of over 45% for one enterprise and 57% for the other, and• transparent: allows analysts to easily trace the warnings back to the rules that were triggered, discussions that fired the rules, etc.

show abstract

Section: Resultsmentioning

confidence: 99%

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Almukaynizi

Marin

Nunes

et al. 2018

2018 IEEE International Conference on Intelligence and Security Informatics (ISI)

View full text Add to dashboard Cite

show abstract

“…In this work, we discuss some of the past and ongoing research in the domain of cyber security analytics that also caters to the general area of predicting future cyber breach incidents in real world systems. Most of the work on vulnerability discussions on trading, exploitation in the underground forums [10,11,28] and related social media platforms like Twitter [14,13,12] have focused on two aspects: (1) analyzing the dynamics of the underground forums and the markets that drive it, thereby focusing on mechanisms that enable the market activity, and giving rise to the belief that the "lifecycle of vulnerabilities" in these forums and marketplaces have significant impact on real world cyber attacks [21,9] (2) prioritization of vulnerabilities using these social media platforms or binary file appearance logs of machines and using them to predict the risk state of machines or systems through exploitation of these vulnerabilities [8]. So, the two components in majority of these studies that have been repeatedly worked upon in silos are analysis of vulnerabilities and their likelihood of exploitation in these forums or platforms and, then vulnerability exploitation severity based prediction to associate them to real world cyber breach incidents [5,12].…”

Section: Related Work and Motivationmentioning

confidence: 99%

“…The rapid expansion of the cyber-threat landscape is augmented by the presence of underground platforms that support the discussion, proliferation of exploit awareness, deployment and monetization of such exploits leading Table 1: Table of notations to cyber-attacks [15,16,17,10]. However, despite the existing literature that studies the economies of these underground forums and markets present in the darkweb, there has been very few studies that focus on filtering the markets and forums that actually contribute to the threat scenario [18,19,20].…”

Section: Related Work and Motivationmentioning

confidence: 99%

“…As mentioned earlier, this streaming nature of feature generation ensures we engineer the features relevant to the timeframe of attack prediction. For choosing the experts with an in-degree threshold, we select a threshold of 10 (we tried the values in the list [5,10,15,20]) to filter out users having in-degree less than 10 in G Hτ from exp τ . We obtain this threshold by manually investigating a few experts in terms of their content of posts and we find that beyond a threshold of 10, a lot of users get included whose posts are not relevant to any malicious information or signals.…”

Section: Parameter Settingsmentioning

confidence: 99%

See 1 more Smart Citation

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Sarkar

Almukaynizi

Shakarian³

et al. 2019

Soc. Netw. Anal. Min.

View full text Add to dashboard Cite

With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real world organization cyber attacks of 3 different security events, suggest that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

show abstract

“…The dissemination of stolen credentials and the wider demand for stolen data has resulted in thriving online markets as well as platforms where stolen data are distributed for free (High-Tech Bridge 2014). Previous research on underground markets largely focused on the economy of these markets (e.g., Allodi 2017;Benjamin et al 2015;Franklin et al 2007;Holt, Smirnova, and Chua 2016a;Kigerl 2018) or on how trust issues in these anonymous environments are solved through reputation systems and admission procedures (e.g., Dupont et al 2017;Mell 2012;Motoyama et al 2011).…”

Section: Introductionmentioning

confidence: 99%

Stolen account credentials: an empirical comparison of online dissemination on different platforms

Madarie

Ruiter

Steenbeek

et al. 2019

Journal of Crime and Justice

View full text Add to dashboard Cite

Account hijacking, i.e. illegitimately accessing someone else's personal online account, is on the rise and affects not only financial accounts, but the full spectrum of online accounts. To gain more insight in the illicit act of online dissemination of stolen account credentials, we systematically examined how such credentials were offered on three different types of online platforms where stolen credentials were disseminated and how offers varied by platform. We used web scrapes of these platforms for our comparative analyses. Our results demonstrate variation by platform in the type of information on accounts and account holders offered, the average asking price for credentials, and rules and services following a transaction. We conclude with policy implications and suggestions for future research based on the criminal event perspective.

show abstract

Economic Factors of Vulnerability Trade and Exploitation

Cited by 64 publications

References 45 publications

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

DARKMENTION: A Deployed System to Predict Enterprise-Targeted External Cyberattacks

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Stolen account credentials: an empirical comparison of online dissemination on different platforms

Contact Info

Product

Resources

About