Free English paper on a machine learning-based FinTech cyber threat attribution framework – Elsevier 2019


Paper details
Title of the paper: A machine learning-based FinTech cyber threat attribution framework using high-level indicators of compromise
Publication year: 2019
Number of pages (English paper): 16 pages
Download cost: The English paper is free.
Publisher database: Elsevier
Article category: Research Article
Base paper: This paper is not a base paper
Index: Scopus – Master Journals List – JCR
Paper type: ISI
English paper format: PDF
Impact factor (IF): 7.007 in 2018
H-index: 93 in 2019
SJR: 0.835 in 2018
ISSN: 0167-739X
Quartile: Q1 in 2018
Related fields: Computer Engineering
Related specializations: Information Security
Presentation type: Journal
Journal / conference: Future Generation Computer Systems
University: Department of Computing, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan
Keywords: Cyber threat attribution, FinTech threat attribution, Tactics techniques and procedures, Machine learning, Deep learning neural network, Cyber threat intelligence
DOI: https://doi.org/10.1016/j.future.2019.02.013
Product code: E12071
Translation status: No ready-made translation of this paper is available.

Table of contents:
Abstract
1. Introduction
2. Literature review
3. Proposed framework
4. Evaluation and findings
5. Conclusion
Acknowledgments
References

Excerpt from the paper:

Abstract

Cyber threat attribution identifies the source of a malicious cyber activity, which in turn informs cyber security mitigation responses and strategies. Such responses and strategies are crucial for deterring future attacks, particularly in the financial and critical infrastructure sectors. However, existing approaches generally rely on manual analysis of attack indicators obtained through approaches such as trace-back, firewalls, intrusion detection and honeypot deployments. These attack indicators, also known as low-level Indicators of Compromise (IOCs), are rarely re-used and can be easily modified and disguised resulting in a deceptive and biased cyber threat attribution. Cyber attackers, particularly financially-motivated actors, can use common high-level attack patterns that evolve less frequently as compared to the low-level IOCs. To attribute cyber threats effectively, it is necessary to identify them based on the high-level adversary’s attack patterns (e.g. tactics, techniques and procedures – TTPs, software tools and malware) employed in different phases of the cyber kill chain. Identification of high-level attack patterns is time-consuming, requiring forensic investigation of the victim network(s) and other resources. In the rare case that attack patterns are reported in cyber threat intelligence (CTI) reports, the format is textual and unstructured typically taking the form of lengthy incident reports prepared for human consumption (e.g. prepared for C-level and senior management executives), which cannot be directly interpreted by machines. Thus, in this paper we propose a framework to automate cyber threat attribution. Specifically, we profile cyber threat actors (CTAs) based on their attack patterns extracted from CTI reports, using the distributional semantics technique of Natural Language Processing. 
Using these profiles, we train and test five machine learning classifiers on 327 CTI reports collected from publicly available incident reports that cover events from May 2012 to February 2018. It is observed that the CTA profiles obtained attribute cyber threats with a high precision (i.e. 83% as compared to other publicly available CTA profiles, where the precision is 33%). The Deep Learning Neural Network (DLNN) based classifier also attributes cyber threats with a higher accuracy (i.e. 94% as compared to other classifiers).

Introduction

Cyber threat attribution facilitates the identification of an attacker or his/her intermediary. This can be used in subsequent (forensic) investigation by organizations or prosecution by law enforcement and other relevant stakeholders. For example, the U.S. Congress enacted the Cybersecurity Information Sharing Act (CISA) into law in 2015 [1], which mandates organizations (including financial institutions) involved in cyber data breach incidents to share cyber threat intelligence (CTI) with other relevant stakeholders, particularly their customers [2]. The interpretation and practices of cyber attack attribution have evolved with time. In the earlier days, the focus of attribution was to locate the attacker(s) or intermediary(ies) launching distributed denial of service (DDoS) attacks and to help stop malicious traffic via IP traceback. Thus, cyber attack attribution refers to source trace-back techniques that work backwards to geographically locate the origin of IP packets via router traversal record [3,4]. Source trace-back techniques cannot truly attribute cyber attacks, partly due to the intrinsic limitation of IP address spoofing and anonymization. A resourceful attacker can, for example, compound the challenges of attribution by using reflection hosts, small Time To Live (TTL) values, employing botnets as stepping stones, and launching attacks over wider time frames.
