Hasso-Plattner-Institut
Prof. Dr. Tilmann Rabl

Challenges in Cybersecurity

Summary written by Nick Lechtenboerger, Christian Jacob & Jessica Ziegler

The motivation behind the research at the Cybersecurity and Enterprise Security Group at HPI is to learn more about adversaries. From information about the identity of the adversary or the way an attack was carried out, researchers can derive the most relevant attack vectors and come up with tailored protection against them. In practice, the protection that is recommended in the field of cybersecurity is not always the most helpful one. Typical tools like firewalls and virus scanners are not the most efficient tools. If we look at the adversarial kill chain in Figure 1, the most widely used tools try to tackle attacks in the late stages of the kill chain. But adversaries can be detected and mitigated earlier, even before the malware is installed on a machine. A mail containing malware or a phishing link could be prevented from reaching the recipient. To have a reliable defence, organizations should cover as many stages of the adversarial kill chain as possible. Hence, if one of the earlier tools fails, other ones can still mitigate the attack later in the chain.

To build such a complete defence, several questions must be answered. In the beginning it is crucial to know who is even targeted by the attacks and what kind of attack is used in the first place. Further, it must be answered how the payload was delivered and which vulnerabilities were used. By answering these questions behind the first four stages of the kill chain, we can build proactive defences instead of only reacting to attacks.

Research in the field of cybersecurity is driven by empirical data. To identify what a real threat is, tools like honeypots (deliberately vulnerable machines) or network telescopes (unused IP address ranges) are used. Usually, big attacks are planned in advance. By investigating them empirically, researchers can learn something about the attacks before they actually happen.
One general learning from analyzing cyberattacks is that the attack resilience of machines is getting better every year. On the other hand, the speed at which attacks are conducted also increases. In fact, attack speed grows faster than attack resilience, leaving the attackers with an advantage over the defenders.
Another advantage the attackers gain is due to their global distribution of IP addresses and hosts. Most defending mechanisms block attacks from the same IP address or subnet. But capable adversaries invest in the cost and complexity of distributing multiple hosts and IP addresses globally and synchronizing them for a single attack. Therefore, current IPS (intrusion prevention systems) do not handle the attacks of more ambitious attackers with lots of resources. Attacks from those actors are also referred to as APT (Advanced Persistent Threats). Because of the distribution of resources over space, they can afford to also distribute their attacks over time. The research challenge in defending against these kinds of attackers lies in developing algorithms that can identify unspecific patterns across an unspecific number of hosts. One possible solution is to fingerprint the software or tooling the attackers use and reuse on all their machines. This is a scalable and efficient operation on hardware and software, and real implementations showed that many new and unknown adversaries could be identified by this procedure.

Combating Malware with Community-Driven Tarpits

Mirai Architecture:

Compared to previous botnet architectures that leverage a few very powerful machines to conduct their DDoS attacks, Mirai variants take over a large number of low-compute, vulnerable IoT devices to achieve capacities that overshadowed previous attacks by a factor of 4. This is done via a technique called stateless scanning.
The adversary sets up a server that scans the internet for vulnerable devices. Once a vulnerable device is found, the server logs in and installs the malware. Now the infected device starts randomly searching the internet to find other vulnerable devices. Unlike previous malware, which scans sequentially and waits for responses, Mirai uses stateless scanning. This method scans without waiting for responses, significantly speeding up the scanning process. Since a small IoT device cannot keep a list of all IP addresses it previously probed, it recovers the IP address from a vulnerable device's SYN-ACK and can then start brute-forcing access. Once a vulnerable device is compromised, the original IoT device reports it back to the loader, which then installs the newest Mirai version on the target device.

Tracking Mirai:

The random number generator does not work properly and allows tracking of the different Mirai variants. This tracking reveals that the market shares of bot masters fluctuate significantly over time. Since the total number of vulnerable IoT devices remains nearly constant, bot creators must improve their algorithms to maintain control over their own IoT devices while also stealing those controlled by competitors. Another observation is that the reproduction rate of Mirai is very low and barely above one. This means even a small decrease in Mirai's infection capability would lead to a collapse.

Countermeasures:

To reduce the infection rate of Mirai, the stateless scanning can be turned against the malware with so-called “tarpits”. A tarpit keeps responding to the initial request over and over again, luring the device into brute forcing and wasting its resources in the process. 100 SYN-ACKs per second are enough to keep the internal buffer of a device infected by Mirai full, so that it disregards any new incoming responses from actual potential victims.
In a pilot study with a single old PC on a 50 Mbps link, 202,000 devices were trapped and around 100 billion attacks per month were wasted. During the pilot study, Mirai declined by 21% globally.
Using the initial setup, only 48% of all infected devices can be directly reached and stopped from infecting others, as the rest are behind NATs. A NAT shuts off the connection if there was no outgoing traffic from the device behind it within a very short timeframe. Simulations show that only an additional 1000 devices/tarpits with very low system requirements are necessary to reach the other 52% of devices, because then the number of tarpits globally is high enough that infected IoT devices will eventually reach out to one of the tarpits themselves, and the tarpit's responses can pass through the NAT to occupy them.
To reach this critical threshold, the group around Professor Dörr has started a crowdsourced initiative where anyone can host their own tarpit at malwaretarpit.com.
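As an added illustration (not code from the summary or from the HPI group), the following Python model shows why a steady stream of tarpit SYN-ACKs starves a stateless scanner of real targets, and how that feeds into the reproduction-rate argument above. The buffer size, drain rate, arrival rates and the R0 value are assumed, constructed values, not measured Mirai parameters.

```python
"""Toy queue model: a tarpit's SYN-ACK flood crowding genuine responses out of
an infected device's fixed-size response buffer. Added illustrative model, not
code from the summary or the HPI group; buffer size, drain rate and arrival
rates are constructed assumptions, not measured Mirai parameters."""
from collections import deque
import random


def simulate_buffer(buffer_size, drain_per_sec, tarpit_per_sec,
                    victim_per_sec, seconds, seed=1):
    """Count accepted and dropped SYN-ACKs per source over `seconds` seconds.
    Each second the scanner first pops `drain_per_sec` queued entries (the
    brute-force attempts it gets through), then tarpit and genuine SYN-ACKs
    arrive in random order; an arrival that finds the buffer full is dropped,
    which is exactly the effect the tarpit relies on."""
    rng = random.Random(seed)
    buf = deque()
    accepted = {"tarpit": 0, "victim": 0}
    dropped = {"tarpit": 0, "victim": 0}
    for _ in range(seconds):
        for _ in range(min(drain_per_sec, len(buf))):
            buf.popleft()
        arrivals = ["tarpit"] * tarpit_per_sec + ["victim"] * victim_per_sec
        rng.shuffle(arrivals)
        for src in arrivals:
            if len(buf) < buffer_size:
                buf.append(src)
                accepted[src] += 1
            else:
                dropped[src] += 1
    return {"accepted": accepted, "dropped": dropped}


def victim_drop_fraction(result):
    """Share of genuine victim SYN-ACKs the scanner never acted on."""
    acc, drp = result["accepted"]["victim"], result["dropped"]["victim"]
    return drp / (acc + drp) if acc + drp else 0.0


def effective_reproduction(r0, drop_fraction):
    """Reproduction rate scaled by the share of real victims still reached;
    below 1.0 the botnet shrinks, which is the collapse argument above."""
    return r0 * (1.0 - drop_fraction)


if __name__ == "__main__":  # 100 tarpit SYN-ACKs/s as in the text; R0 assumed
    f = victim_drop_fraction(simulate_buffer(128, 10, 100, 5, 60))
    print(f"victims dropped {f:.2f}, R_eff {effective_reproduction(1.05, f):.2f}")
```

Without the tarpit (tarpit_per_sec=0) the same model drops no victim responses at all, which is the comparison worth running alongside the default.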