A Framework for Generating Malware Threat Intelligence

Ekta Gandotra, Divya Bansal, Sanjeev Sofat
2017, Scalable Computing: Practice and Experience
Ubiquitous computing devices with network capabilities have become the critical cyber infrastructure for academia, industry and government in day-to-day life. The cyber-attacks launched on this critical infrastructure have shifted to the pursuit of financial profit and political gain, leading to cyber warfare on various scales. The evolution of new practices like social networking, the explosion of mobile devices and cloud computing has given attackers opportunities to discover vulnerabilities and exploit them to create sophisticated attacks. Malware is one of the most dreadful security threats facing the Internet today. It is evolving and making use of new ways to target computers and mobile devices. Moreover, the exponential escalation in its volume and complexity has increased the damage it causes. Malware has the capability to circumvent earlier developed methods of detection and mitigation, which clearly shows the need to shift from traditional cyber security to cyber security intelligence. This paper proposes the design of a framework for generating Malware Threat Intelligence that can analyze, identify and predict malware threats and act as an Early Warning System (EWS). It also presents real-time testing of the proposed framework, realized by designing a prototype that provides security-as-a-service.

1. Introduction. Cyberspace comprises people, services and software linked either directly or indirectly to computer networks, the Internet and telecommunications. The services and products residing in cyberspace have been adopted in almost all sectors. Moreover, people have become accustomed to the services provided over the Internet. The preservation of Confidentiality, Integrity and Availability of information and the protection of critical infrastructure are the essence of a secure cyberspace. During the past several years, the frequency and complexity of cyber-attacks have changed. The evolution of new practices like social networking, the explosion of mobile devices and cloud computing has given attackers opportunities to discover vulnerabilities and exploit them to create sophisticated attacks. Moreover, the new generation of cyber-attacks has become more targeted, persistent and unknown. Most of these attacks are launched by people who use the Internet with malicious intent. They make use of malicious programs (also known as malware) for this purpose.
Malware is a software program that achieves the damaging intent of an attacker [1]. According to NIST (National Institute of Standards and Technology), it is a program that has the intent of compromising the Confidentiality, Integrity, or Availability of the victim machine and its resources [2]. According to Symantec's Internet Security Threat Report [3], over 430 million new malicious specimens were discovered in the year 2015, about 36% more than in 2014. Malware writers make use of obfuscation techniques like dead-code insertion, subroutine reordering and instruction substitution for creating polymorphic and metamorphic malware [4]. Moreover, malware is becoming more sophisticated, targeted, persistent, stealthy and unknown day by day. It has the capability to circumvent earlier developed methods of detection and mitigation, which clearly shows the need to shift from traditional cyber security to Cyber Threat Intelligence (CTI). Popular security organizations providing CTI services include FireEye, LogRhythm, RSA, Symantec and Verisign.

1.1. Cyber Threat Intelligence. According to Gartner, "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat to assets that can be used to take decisions" [5]. It answers questions such as: what methods are attackers using? What is their motive? Which platforms are they targeting? Secureworks [6] identifies CTI as a service intended to help clients by providing them with early warnings on emerging threats and vulnerabilities, and consultation with the threat intelligence group to discuss them. Threat
doi:10.12694/scpe.v18i3.1300