The increasing degree of connectivity in factory of the future (FoF) environments, with systems that were never designed for a networked environment in terms of their technical security nature, is accompanied by a number of security risks that must be considered. This leads to the necessity of relying on risk assessment-based approaches to reach a sufficiently mature cyber security management level. However, the lack of common definitions of cyber threat actors (CTAs) poses challenges in untested environments such as the FoF. This paper analyses policy papers and reports from expert organizations to identify common definitions of CTAs. A significant consensus exists on only two common CTAs, while other CTAs are often either ignored or overestimated in their importance. The identified motivations of CTAs are contrasted with the specific characteristics of FoF environments to determine the most likely CTAs targeting FoF environments. Special emphasis is given to corporate competitors, as FoF environments probably provide better opportunities than ever for industrial espionage if they are not sufficiently secured. In this context, the study aims to draw attention to the research gaps in this area.
In an advanced and dynamic cyber threat environment, organizations need to adopt more proactive methods to manage their cyber defenses. Cyber threat data from previous incidents, known as Cyber Threat Intelligence (CTI), plays an important role by helping security analysts understand recent cyber threats and their mitigations. The volume of CTI is increasing exponentially, and most of its content is textual, which makes it difficult to analyze. Current CTI visualization tools do not provide effective visualizations. To address this issue, an exploratory data analysis of CTI reports is performed to extract and visualize interesting patterns of cyber threats, which helps security analysts proactively mitigate vulnerabilities and predict cyber threats in their networks in a timely manner.
When a security incident caused by an attacker occurs in the cyber world, an analyst analyzes the artifacts collected from the incident area. The findings from the analysis of the incident are used to track the attackers or to create security plans for the organization. However, if an analyst analyzes fabricated traces from an incident, he or she is not only fooled by the attacker's false flags but also finds it harder to track the attacker. As a result, inappropriate responses can lead to a waste of limited resources and financial damage to the organization. Considering the use of false flag operations, the collection of artifacts from intrusion incidents and their development into new Indicators of Compromise (IOCs) or Indicators of Attack (IOAs) can significantly enhance the accuracy of entity identification. This study is exploratory research that aims to uncover valuable artifacts for false flag operations based on qualitative research targeting cybersecurity experts who have direct experience or extensive knowledge in the field. Specifically, through the participation of researchers knowledgeable about both defensive and offensive techniques, this study employed Delphi and AHP analyses to apply the experts' knowledge and experience. Ultimately, the goal is to select artifacts related to the attacker's false flag operations and to utilize the identified indicators in the analysis of intrusion incidents stemming from false flag tactics.
With rapid technological development, identifying the attackers behind cyber-attacks is becoming increasingly complex. To cope with this phenomenon, the current process of cyber-threat attribution includes features such as tactics, techniques and procedures (TTPs), tools, target country/company and application. These features do not capture the attacker's context and motives; thus, more refined traits are needed. Adding behavioral features to this process is essential to better understand the attacker's context, motivations and goals. This research study accentuates the impact of adding behavioral features to the existing technical features in determining the actual actor. The behavioral features are extracted from the Threat Actor Encyclopedia, a dataset published by Thai CERT. This research also analyzes the impact of hybrid features (technical and behavioral). For this procedure, the best features are chosen by implementing feature selection techniques. For empirical results, we use the Threat Actor Encyclopedia, a dataset published by Thai CERT, for the extraction of behavioral attributes. With this augmentation, we achieve elevated results of 97%, 98.8%, 97%, and 97.2% in terms of accuracy, precision, recall and F1-measure using machine/deep learning algorithms.
Cyber-threat attribution is the identification of the attacker responsible for a cyber-attack. It is a challenging task, as attackers use different obfuscation and deception techniques to hide their identity. After an attack has occurred, a digital forensic investigation is conducted to collect evidence from network and system logs. After the investigation and collection of evidence, reports are published in multiple formats such as text and PDF. There is no standard format for publishing these reports, so extracting meaningful information from them is a challenging task, and manual extraction of features from unstructured cyber-threat intelligence (CTI) is difficult. There is a need for an automated mechanism to extract features from unstructured reports and attribute the cyber-threat actor (CTA). The aim of this research is to develop a mechanism to attribute or profile cyber threat actors (CTAs) by extracting features from CTI reports, and to define a methodology that extracts features from unstructured CTI reports using natural language processing (NLP) techniques and then attributes the cyber threat actor using machine learning algorithms. Features, i.e., tactics, techniques, tools, malware, target organization/country and application, are extracted using a novel embedding model known as "Attack2vec", which is trained on domain-specific embeddings. Training a model on domain-specific embeddings produces better results than a model trained on general embeddings, especially in the field of cyber security. The results of this novel model are compared with different methods. Machine learning algorithms such as decision tree, random forest and support vector machine are used for classification of the CTA. This novel model produces higher results than other models, with an accuracy of 96%, precision of 96.4%, recall of 95.58% and F1-measure of 95.75%.
Tactics, Techniques and Procedures (TTPs) in the cyber domain are important threat information that describes the behavior and attack patterns of an adversary. Timely identification of associations between TTPs can lead to an effective strategy for diagnosing Cyber Threat Actors (CTAs) and their attack vectors. This study profiles the prevalence and regularities in the TTPs of CTAs. We developed a machine learning-based framework that takes Cyber Threat Intelligence (CTI) documents as input, selects the most prevalent TTPs with high information gain as features and, based on them, mines interesting regularities between TTPs using Association Rule Mining (ARM). We evaluated the proposed framework with publicly available TTP-based CTI documents. The results show that 28 TTPs are more prevalent than the other TTPs. Our system identified 155 interesting association rules among the TTPs of CTAs. A summary of these rules is given to effectively investigate threats in the network.
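The pipeline sketched in the abstract above (information-gain selection of prevalent TTPs, then Association Rule Mining among them) is shown here as an added, self-contained example; it is not the paper's framework or code, and it makes no claim about the 28 TTPs or 155 rules the paper reports. The CTI corpus is a constructed toy: each document is the set of ATT&CK technique IDs it reports plus the actor it attributes them to, and the actor names "ACTOR-A/B/C" are placeholders. The rule miner is a plain Apriori-style enumeration with support, confidence and lift thresholds that are assumed values, not the paper's.

```python
"""Added illustration: information-gain feature selection over TTPs, then
Apriori-style Association Rule Mining among the selected TTPs."""
from collections import Counter
from itertools import combinations
from math import log2

# Constructed sample corpus (not real CTI): each entry is the set of ATT&CK
# technique IDs a CTI document reports and the actor the document attributes
# the activity to. "ACTOR-A/B/C" are placeholder names.
DOCS = [
    ({"T1566", "T1059", "T1071", "T1041"}, "ACTOR-A"),
    ({"T1566", "T1059", "T1071", "T1105"}, "ACTOR-A"),
    ({"T1566", "T1059", "T1041"}, "ACTOR-A"),
    ({"T1190", "T1505", "T1003", "T1021"}, "ACTOR-B"),
    ({"T1190", "T1505", "T1003"}, "ACTOR-B"),
    ({"T1190", "T1003", "T1021", "T1071"}, "ACTOR-B"),
    ({"T1078", "T1021", "T1003", "T1041"}, "ACTOR-C"),
    ({"T1078", "T1021", "T1105"}, "ACTOR-C"),
]


def entropy(labels):
    """Shannon entropy in bits of a sequence of actor labels (0.0 if empty)."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum(c / total * log2(c / total) for c in Counter(labels).values())


def information_gain(docs, ttp):
    """Reduction in actor-label entropy from knowing whether `ttp` is reported."""
    n = len(docs)
    present = [actor for ttps, actor in docs if ttp in ttps]
    absent = [actor for ttps, actor in docs if ttp not in ttps]
    conditional = (len(present) / n) * entropy(present) + (len(absent) / n) * entropy(absent)
    return entropy([actor for _, actor in docs]) - conditional


def prevalence(docs):
    """Number of documents that report each TTP."""
    return Counter(t for ttps, _ in docs for t in ttps)


def select_features(docs, k):
    """Top-k TTPs ranked by information gain, breaking ties by prevalence, then ID."""
    prev = prevalence(docs)
    ranked = sorted(prev, key=lambda t: (-round(information_gain(docs, t), 9), -prev[t], t))
    return ranked[:k]


def mine_rules(docs, features, min_support=0.25, min_confidence=0.6, max_len=3):
    """Apriori-style ARM restricted to `features`.

    Returns rules as dicts with sorted-tuple antecedent/consequent and their
    support, confidence and lift, ordered by lift, then confidence.
    """
    n = len(docs)
    features = set(features)
    baskets = [frozenset(t for t in ttps if t in features) for ttps, _ in docs]
    # Support of every itemset up to max_len that clears min_support. Support is
    # anti-monotone, so every subset of a kept itemset is also kept and the
    # lookups below never miss.
    support = {}
    for size in range(1, max_len + 1):
        for items in combinations(sorted(features), size):
            s = sum(1 for b in baskets if b.issuperset(items)) / n
            if s >= min_support:
                support[frozenset(items)] = s
    rules = []
    for itemset, s in support.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                cons = itemset - ante
                confidence = s / support[ante]
                if confidence >= min_confidence:
                    rules.append({
                        "antecedent": tuple(sorted(ante)),
                        "consequent": tuple(sorted(cons)),
                        "support": s,
                        "confidence": confidence,
                        "lift": confidence / support[cons],
                    })
    rules.sort(key=lambda r: (-r["lift"], -r["confidence"], r["antecedent"], r["consequent"]))
    return rules


if __name__ == "__main__":
    selected = select_features(DOCS, 6)
    print("Selected TTPs (information gain):")
    for t in selected:
        print(f"  {t}: IG={information_gain(DOCS, t):.3f}, in {prevalence(DOCS)[t]} docs")
    print("Association rules among selected TTPs:")
    for rule in mine_rules(DOCS, selected):
        print(f"  {' & '.join(rule['antecedent'])} -> {' & '.join(rule['consequent'])}: "
              f"support={rule['support']:.3f} confidence={rule['confidence']:.2f} lift={rule['lift']:.2f}")
```

On the constructed corpus, the three TTPs that each appear only in one actor's documents get the highest information gain, and the rules that survive the thresholds are pairs such as T1190 -> T1003 that co-occur in that actor's reports; a rule in the opposite direction is dropped when the consequent TTP is shared across actors and the confidence falls below the threshold. The lift value is what an analyst would read to judge whether a rule reflects a real regularity rather than two independently common TTPs.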