Intelligent honeypots weaponized against APTs


The financial crisis of the last decade led to a budget reduction in Information Technology infrastructures (IT) [1]. These reductions had a significant impact to the evolution of the cybersecurity related technologies and their ability to compete with modern threats from malicious parties. Concurrently, the development of cyberattacking and data theft technologies has greatly advanced. Some of the most common types are known as Advanced Persistent Threats (APTs). Just to mention some examples: In 2010, Stuxnet, a malicious computer worm that targeted the supervisory control and data acquisition systems is believed to be responsible for causing substantial damage to the nuclear program of Iran. In 2011, Dugu a collection of computer malware, thought to be related to the Stuxnet, looks for information that could be useful in attacking industrial control systems. Although, its purpose is not to be destructive, the known components are trying to gather crucial system information. In 2012, Red October, a cyberespionage malware program was reportedly operating worldwide for up to five years prior to discovery. The purpose of Red October was to transmit information ranging from diplomatic secrets to personal information. The malware was installed to the systems via email attachments that exploited vulnerabilities in Microsoft Word and Excel. Last but not least, APTs made by Cozy Bear, a Russian hacker group that targets commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House, is believed to have caused a multitude of attacks. These attacks include the attempt to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada in July 2020.

Even though the cybersecurity and scientific communities have developed several defensive mechanisms against APTs, there is a number of different challenges that have not been fully addressed. One of these challenges is the distribution of information related to APT campaigns. These types of information are most of the time found in technical reports and scientific publications that have neither been collected nor visualized in order to facilitate a potential exchange of intelligence. These sources often contain lots of valuable information such as: Domain names, IPs and malware hexes, which have been used in each APT campaign. In addition to that, these sources contain useful elements that can lead to the detection of a multitude of social engineering attacks of which their main target is the human factor. This factor is usually being ignored when it comes to augment the capabilities of honeypots. Additionally, malicious parties often reveal information about their activities through social media, which can contribute another valuable source of information. Among the many challenges that conventional incident detection and classification mechanisms have to face is the threat of adversaries who aim to harm defending mechanisms that use machine learning introducing a new field of research called adversarial machine learning. If an attacker becomes aware of the machine learning techniques used in defensive strategies, it is possible to lower the accuracy rate of all detection capabilities. The reported issues are in alignment with the two pillars on which cybersecurity community should depend on: Attribution and cybersecurity situational awareness. These aspects reflect the need to identify the responsible party for the orchestration of a cyber-attack i.e. the cyber attacker. The more efficient this identification is, in terms of detection time, the less impact it will have on the defender’s side. Furthermore, as social engineering attacks take advantage of the human factor cybersecurity situational awareness must increase towards protecting cyber infrastructures. The SPEAR framework aims to address all these challenges that emerge from the aforementioned APTs. The novel honeypot technologies under SPEAR will improve the detection capabilities of zero-day exploits and social engineering attacks. The Game theoretic defences (such as the Honeypot Game) are incorporated into SPEAR with the purpose of mitigating the actions of sophisticated APT attackers. Finally, the network forensics introduced by SPEAR are envisioned to generate evidence that will lead to the attribution of malicious parties by developing individual components such as: APT Collectors & Analysers, incident Identification & Response Recommendation mechanisms and Threat Visualization systems.


[1] Pitropakis, N., Panaousis, E., Giannakoulias, A., Kalpakis, G., Rodriguez, R. D., & Sarigiannidis, P. (2018). An enhanced cyber attack attribution framework. International Conference on Trust and Privacy in Digital Business, 213–228.