
FINAL DEGREE PROJECT (Projecte Final de Carrera)

Plataformas de Compartición de Incidentes de Ciberseguridad

(Cybersecurity Incident Sharing Platforms)

Studies: Telecommunications Engineering

Author: Jenifer Jiménez Gallardo

Director: Manel Medina

Year: 2016


Table of Contents

1. Acknowledgements
2. Summary
2.1 Project Summary (translated from Catalan)
2.2 Project Summary (translated from Spanish)
2.3 Abstract
3. Introduction
3.1 Background
3.2 Objectives
3.3 Thesis Structure
4. Methodology Used
4.1 Cyber Threat Sources Research
4.2 Cyber Threat Sources Selection
4.3 Quality Assessment Methodology for Data Sources
4.3.1 Coverage
4.3.2 Data Frequency
4.3.3 Accuracy of Results
4.4 Data Quality assessment formula
5. Inventory and Description of Identified Sources
5.1 Abuse.ch
5.2 AlienVault Open Threat Exchange
5.3 ATLAS
5.4 Anti Phishing Working Group
5.5 Autoshun
5.6 Blocklist
5.7 BotScout
5.8 BruteForceBlocker
5.9 CI Army
5.10 Cisco IronPort SenderBase
5.11 Clean MX
5.12 Composite Blocking List
5.13 CyberCrime Tracker
5.14 DNS-BH Malware Domain Blocklist
5.15 Dr Web
5.16 Dragon Research Group
5.17 Dshield
5.18 Emerging Threats
5.19 hpHosts
5.20 ImproWare AG
5.21 Kaspersky
5.22 Malc0de
5.23 Malware Domain List
5.24 NoThink!
5.25 PhishTank
5.26 Project Honey Pot
5.27 Shadowserver
5.28 Spamhaus
5.29 Team Cymru
5.30 Zone H
6. Information Sources Analysis
6.1 Summary of the evaluations
6.2 Data Uniqueness
6.2.1 Phishing
6.2.2 Malware
6.2.3 Spam
6.3 Timeliness
6.3.1 Phishing
6.3.2 Malware
6.3.3 Spam
7. Conclusions
8. Annex I: Abbreviations
9. Bibliography


List of Figures

Figure 1: Abuse.ch geographical distribution
Figure 2: AlienVault geographical distribution
Figure 3: ATLAS geographical distribution
Figure 4: ATLAS Intelligence Feed
Figure 5: APWG geographical distribution
Figure 6: Autoshun geographical distribution
Figure 7: Blocklist geographical distribution
Figure 8: BotScout geographical distribution
Figure 9: BruteForceBlocker geographical distribution
Figure 10: CI Army geographical distribution
Figure 11: Cisco IronPort SenderBase geographical distribution
Figure 12: Clean MX geographical distribution
Figure 13: Composite Blocking List geographical distribution
Figure 14: CyberCrime Tracker geographical distribution
Figure 15: DNS-BH Malware Domain Blocklist geographical distribution
Figure 16: Dr Web geographical distribution
Figure 17: Dragon Research Group geographical distribution
Figure 18: Dshield geographical distribution
Figure 19: Emerging Threats geographical distribution
Figure 20: hpHosts geographical distribution
Figure 21: ImproWare AG geographical distribution
Figure 22: Kaspersky geographical distribution
Figure 23: Malc0de geographical distribution
Figure 24: Malware Domain List geographical distribution
Figure 25: NoThink! geographical distribution
Figure 26: PhishTank geographical distribution
Figure 27: Project Honey Pot geographical distribution
Figure 28: Spamhaus geographical distribution
Figure 29: Zone H geographical distribution
Figure 30: Phishing Venn diagram
Figure 31: Malware Venn diagram
Figure 32: Spam Venn diagram


List of Tables

Table 1: Abuse.ch evaluation
Table 2: AlienVault evaluation
Table 3: ATLAS evaluation
Table 4: APWG evaluation
Table 5: Autoshun evaluation
Table 6: Blocklist evaluation
Table 7: BotScout evaluation
Table 8: BruteForceBlocker evaluation
Table 9: CI Army evaluation
Table 10: Cisco IronPort SenderBase evaluation
Table 11: Clean MX evaluation
Table 12: Composite Blocking List evaluation
Table 13: CyberCrime Tracker evaluation
Table 14: DNS-BH Malware Domain Blocklist evaluation
Table 15: Dr Web evaluation
Table 16: Dragon Research Group evaluation
Table 17: Dshield evaluation
Table 18: Emerging Threats evaluation
Table 19: hpHosts evaluation
Table 20: ImproWare AG evaluation
Table 21: Kaspersky evaluation
Table 22: Malc0de evaluation
Table 23: Malware Domain List
Table 24: NoThink! evaluation
Table 25: PhishTank evaluation
Table 26: Project Honey Pot evaluation
Table 27: Shadowserver evaluation
Table 28: Spamhaus evaluation
Table 29: Team Cymru evaluation
Table 30: Zone-H evaluation
Table 31: Qualitative evaluation summary
Table 32: Quantitative evaluation summary
Table 33: Phishing timeliness (I)
Table 34: Phishing timeliness (II)
Table 35: Malware timeliness
Table 36: Spam timeliness


1. Acknowledgements

Firstly, I would like to express my sincere gratitude to my advisor Professor Manel Medina for the continuous support of my Ph.D. study and related research, for his patience, motivation, and immense knowledge. His guidance helped me throughout the research and writing of this thesis. I could not have imagined having a better advisor and mentor for my Ph.D. study.

I would also like to thank my partner for his endless love and encouragement throughout this entire journey; without him I would have struggled to find the inspiration and motivation needed to complete this dissertation.

Last but not least, I would like to thank my family, my parents and my brother, for supporting me spiritually throughout the writing of this thesis and in my life in general.


2. Summary

2.1 Project Summary (translated from Catalan)

In order to put preventive measures against cyber threats into practice, there are several information sources that provide incident data in the form of IP addresses, URLs, domains or malware associated with a particular malicious activity, such as a bot, C&C server, malicious URL or scanning.

The objectives of this study are:

● Define a methodology to evaluate incident information sharing sources. This methodology identifies the following criteria to assess the quality of the data sources:

o Coverage: incident detection infrastructure, types of incidents delivered.

o Data frequency: periodicity of scanning, latency between the observation of the events and the delivery of the data.

o Accuracy of the information: quality of the data sources (false positives), analysis (validation) of the scanning results.

● Evaluate the following criteria: coverage, data frequency and accuracy of the information.

To achieve these objectives the following activities were carried out:

● Research of cyber threat sources.

● Analysis of the cyber threat sources identified.

In this activity, information was gathered about the information sources (public, closed, commercial, etc.) available for the proactive detection of network security incidents. The research was carried out in three phases:

1. During the first phase a list of sources was created, from which a subset with the most interesting sources was chosen and investigated in more depth.

2. The second phase was devoted to the definition of the methodology, the identification of the significant parameters and the definition of the qualification criteria.

3. The third phase was devoted to checking the methodology, and to researching and summarising the most important characteristics of the services themselves, in order to provide as faithful a description as possible of the key features that can directly impact the quality parameters described above.

The result of the research is an inventory of sources that can be used as a basis to improve or extend the operations of a CERT.


2.2 Project Summary (translated from Spanish)

In order to put preventive measures against cyber threats into practice, there are several information sources that provide incident data in the form of IP addresses, URLs, domains or malware associated with a particular malicious activity, such as a bot, C&C server, malicious URL or scanning.

The objectives of this study are:

● Define a methodology to evaluate incident information sharing sources. This methodology identifies the following criteria to assess the quality of the data sources:

o Coverage: incident detection infrastructure, types of incidents delivered.

o Data frequency: periodicity of scanning, latency between the observation of the events and the delivery of the data.

o Accuracy of the information: quality of the data sources (false positives), analysis (validation) of the scanning results.

● Evaluate the following criteria: coverage, data frequency and accuracy of the information.

To achieve these objectives the following activities were carried out:

● Search for cyber threat sources.

● Analysis of the cyber threat sources identified.

In this activity, information was gathered about the information sources (public, closed, commercial, etc.) available for the proactive detection of network security incidents. The research was carried out in three phases:

1. During the first phase a list of sources was created, from which a subset with the most interesting sources was chosen and investigated in greater depth.

2. The second phase was devoted to the definition of the methodology, the identification of the significant parameters and the definition of the qualification criteria.

3. The third phase was devoted to checking the methodology, and to researching and summarising the most important characteristics of the services themselves, in order to provide as faithful a description as possible of the key features that can directly impact the quality parameters described above.

The result of the research is an inventory of sources that can be used as a basis to improve or extend the operations of a CERT.


2.3 Abstract

In order to implement proactive measures against cyber threats, there are several information sources that provide incident data in the form of IP addresses, URLs, domains or malware associated with a particular malicious activity, such as a bot, C&C server, malicious URL or scanning.

The objectives of this study are:

● Define a methodology to evaluate incident information sharing sources. This methodology identifies the following criteria to assess the quality of the data sources:

o Coverage: incident detection infrastructure, types of incidents delivered.

o Data frequency: periodicity of scanning, latency between the observation of events and the delivery of data.

o Accuracy of the information: quality of data feeds (false positives), analysis (validation) of scanning results.

● Evaluate the following criteria: coverage, data frequency and accuracy of the information.

To achieve these objectives the following activities were performed:

● Cyber Threat Sources Research

● Analysis of the Cyber Threat Sources Identified

In this activity, information was gathered about information sources (public, closed, commercial, etc.) available for the proactive detection of network security incidents. The research was conducted in three phases:

1. During the first phase a list of services was created, from which a subset of the most interesting ones was compiled for deeper investigation.

2. The second phase aimed at the definition of the methodology, the identification of the meaningful parameters and the definition of their qualification criteria.

3. The third phase aimed at testing the methodology, and at finding and summarising the most important characteristics of the services themselves, in order to provide as accurate as possible descriptions of the key features that can directly impact the quality parameters described above.

The outcome of the research is an inventory of sources that can be used as a basis to improve or extend the operations of a CERT.


3. Introduction

3.1 Background

In order to implement proactive measures against cyber threats, there are several information sources that provide incident data in the form of IP addresses, URLs, domains or malware associated with a particular malicious activity, such as a bot, C&C server, malicious URL or scanning.

3.2 Objectives

The objectives of this study are:

● Provide an inventory of available information sources for proactive detection of network security incidents, which are used already or could potentially be used by national/governmental and other CERTs.

● Define the data quality assessment methodology, based on the following concepts: coverage, data frequency and accuracy of the information.

● Evaluate the quality of a selected subset of data sources, following the above defined methodology.

More details on the performed activities are provided in Chapter 4 Methodology Used.

3.3 Thesis Structure

The document is structured as follows:

● Chapter 3 Introduction explains in more detail the research objectives of the study.

● Chapter 4 Methodology Used is a description of work carried out as part of the study, together with an analysis of a survey carried out amongst CERTs primarily in the European Union Member States and the setting up of an expert group.

● Chapter 5 Inventory and Description of Identified Sources is an inventory of existing cyber threat sources that can be used by CERTs for proactive detection, along with subjective ratings.

● Chapter 6 Information Sources Analysis is an analysis of the data provided by the identified sources, comparing the information provided by each of them and their timeliness.

4. Methodology Used

4.1 Cyber Threat Sources Research

In this activity, information was gathered about information sources (public, closed, commercial, etc.) available for the proactive detection of network security incidents. The research was conducted in two phases:

1. During the first phase a list of services was created and completed, with the most promising ones investigated in more detail.

2. The second phase aimed at extracting the most important characteristics of the services themselves. In order to provide as accurate as possible descriptions of the key features that can directly impact the proactive detection and incident handling processes, the following criteria were used: coverage, frequency and accuracy of results.

The sources selected for the present study were those from which enough information could be gathered.

The outcome of the research is an inventory of sources that can be used as a basis to improve or extend the operations of a CERT.

4.2 Cyber Threat Sources Selection

For this part of the study a selection of the best-known sources of each category was made, and all the information gathered during the study was analysed. The analysis was conducted in two steps:

1. Data comparison: evaluates the uniqueness of the information provided by each source. Besides revealing whether a source provides unique information, this criterion allows determining whether the information of one source is included in another.

2. Timeliness: evaluates the delay between the observation of the events and the delivery of the data by the service. The time of the event is taken from the data feed as delivered by the source and compared to the time of data retrieval.
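The two comparisons of section 4.2, as an added example that is not code from the thesis or from any of the sources it lists: three small indicator feeds (constructed for this example, with made-up source names, an assumed "timestamp,indicator" line format and a constructed retrieval time) are compared for the indicators each source alone delivers, their pairwise overlap and whether one source is contained in another; the delay between each delivered event time and the retrieval time is then computed in hours.

```python
"""Added example (not code from the thesis): the two comparisons of section 4.2,
data uniqueness and timeliness, run over three constructed indicator feeds.
Source names, feed format and timestamps are assumptions made for the example."""
from datetime import datetime, timezone
from itertools import combinations

# Constructed sample feeds, one "<event time>,<indicator>" record per line.
# The event time is the "time of event" as delivered by the source.
FEEDS = {
    "source_a": (
        "2016-03-01T08:00:00Z,198.51.100.10\n"
        "2016-03-01T09:30:00Z,203.0.113.7\n"
        "2016-03-02T10:00:00Z,malicious.example\n"
    ),
    "source_b": (
        "2016-03-02T22:00:00Z,203.0.113.7\n"
        "2016-03-03T06:00:00Z,malicious.example\n"
        "2016-03-03T11:15:00Z,192.0.2.55\n"
    ),
    # source_c only re-publishes indicators that source_a already delivers
    "source_c": (
        "2016-02-20T00:00:00Z,203.0.113.7\n"
        "2016-02-21T00:00:00Z,malicious.example\n"
    ),
}

# Constructed time at which all three feeds were retrieved.
RETRIEVED_AT = datetime(2016, 3, 3, 12, 0, tzinfo=timezone.utc)


def parse_feed(text):
    """Return a list of (event_time, indicator) tuples, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, indicator = line.split(",", 1)
        event_time = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((event_time, indicator.strip()))
    return events


def indicator_sets(feeds):
    """Map each source name to the set of indicators it delivers."""
    return {name: {ind for _, ind in parse_feed(text)} for name, text in feeds.items()}


def uniqueness(feeds):
    """Data comparison: indicators each source alone delivers, and pairwise overlaps
    (the counts behind a Venn diagram of the sources)."""
    sets = indicator_sets(feeds)
    unique = {}
    for name, own in sets.items():
        others = set().union(*(s for other, s in sets.items() if other != name))
        unique[name] = own - others
    overlap = {pair: sets[pair[0]] & sets[pair[1]] for pair in combinations(sorted(sets), 2)}
    return unique, overlap


def contained_in(feeds, inner, outer):
    """True when every indicator delivered by `inner` is also delivered by `outer`."""
    sets = indicator_sets(feeds)
    return sets[inner] <= sets[outer]


def delay_hours(feed_text, retrieved_at):
    """Timeliness: hours between each event time in the feed and the retrieval time, sorted."""
    return sorted((retrieved_at - t).total_seconds() / 3600 for t, _ in parse_feed(feed_text))


def median_delay_hours(feed_text, retrieved_at):
    """Median delay, a single robust figure for a source's timeliness."""
    delays = delay_hours(feed_text, retrieved_at)
    mid = len(delays) // 2
    return delays[mid] if len(delays) % 2 else (delays[mid - 1] + delays[mid]) / 2


if __name__ == "__main__":
    unique, overlap = uniqueness(FEEDS)
    for name in sorted(FEEDS):
        print(f"{name}: unique={sorted(unique[name])} "
              f"median delay={median_delay_hours(FEEDS[name], RETRIEVED_AT):.1f} h")
    for pair, shared in overlap.items():
        print(f"{pair[0]} & {pair[1]}: {sorted(shared)}")
    print("source_c contained in source_a:", contained_in(FEEDS, "source_c", "source_a"))
```

With the constructed feeds, source_c delivers nothing that source_a does not, and its events are almost two weeks old at retrieval time, so it would add no unique information and would fall in the slowest timeliness bucket; source_b delivers one unique indicator with a median delay of a few hours. The median is used rather than the mean because a single very old record in a feed otherwise dominates the figure.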

4.3 Quality Assessment Methodology for Data Sources

The services described in the inventory are evaluated based on the following three criteria: coverage, data frequency and accuracy of results.


4.3.1 Coverage

Evaluation based on this criterion takes two aspects into consideration:

a) Geographical coverage: the incident detection infrastructure (e.g. are all data collected from one sensor, is a large network of sensors used, or is the whole Internet crawled for malicious URLs rather than specific regions).

b) Threat coverage: whether the service delivers different types of incidents (for instance, it collects just spam, or specific botnet C&C servers, or malicious URLs, or all of these).

There are four proposed classifications for the coverage criterion:

10: Excellent

The source gathers the information from a large infrastructure and provides information on more than two types of risks.

8: Good

The source gathers the information from a large infrastructure, but provides information on up to two types of risks.

5: Fair (Default)

The source gathers the information from a small infrastructure, but provides information on more than two types of risks.

2: Poor

The source gathers the information from a small infrastructure and provides information on up to two types of risks.

4.3.2 Data Frequency

The data frequency criterion describes the periodicity of scanning at which the source provides the information. In addition, the latency between the observation of the events and the delivery of the data by the service has also been considered. There are four proposed classifications for the data frequency or latency criterion: real-time, <24h, 24h<T<3days, >3days, plus a not-applicable rank.

10: Excellent

Data are received from the service in a near real-time manner. Such information sources allow the best responsiveness to incidents occurring on the network and are potentially of high value to any CERT.

8: Good

Data are received within the first 24 hours after detection. Services assigned this classification deliver data with little delay from the time of the actual incident and are potentially very useful for incident handling purposes.

6: Fair (Default)

Data are delivered more than 1 day and less than 3 days after detection. Services in this group mostly provide data on a daily basis, but report incidents from the previous day or before. A data source with this rank for timeliness is somewhat useful for incident handling, but cannot be the exclusive source of information.

3: Poor

Data are delivered more than 3 days after detection. The Poor classification is assigned to services that provide mostly historical data, not suitable for incident handling but useful for statistical analysis.

0: Not applicable

The 'N/A' rank is assigned only when there is no possibility to measure the timeliness of a service and assign an objective classification, or when such information is not available or not important in the context of the data that the service provides.

4.3.3 Accuracy of Results

The accuracy of results criterion describes the quality of the service data feed:

a) Analysis of scanning results: The more “false positive” results are delivered by the service, the poorer the quality of data and therefore the rank is lowered.

b) Granularity of reported nodes: full IP address, domain/subnet, ASN/Country

c) Data integrity: Hash

d) Time accuracy: Timestamp, last seen, persistency of nodes in the list.

10: Excellent

Data received from a service can be fully trusted as it is analysed before sharing. Services with this rank produce almost no false information and can be used as one of the main information sources for incident handling operations. In addition, temporal context information is provided, so events can be discarded based on aging.

8: Good

Data delivered by the service are in most cases ready to be used for incident handling purposes. The information is provided with no temporal context; therefore, the information received in alerts can contain a few false positive classifications, mainly due to data aging. The service can be used as one of the main information sources for CERTs, though minimal human supervision is required to recheck the received data occasionally.

5: Fair (Default)

As the data delivered by the service are not analysed before sharing, they should not be used as the sole source of information about incidents but rather as an enrichment of existing ones.

2: Poor

Data delivered by the service are of very poor quality and are almost unusable for an effective incident handling process. Such services do not perform any data filtering, enrichment or correlation to filter out false positive classifications.

4.4 Data Quality assessment formula

In the assessment of the quality we can apply two formulas:

- Factor: DataQuality = Coverage * DataFrequency * Accuracy
- Added: DataQuality = 4 * Coverage + 2 * DataFrequency + 4 * Accuracy

The Factor formula penalizes the sources with Poor qualifications more than the Added formula does, which matters if we want to use the assessed quality as a weighting factor for combining data from several sources.

The Added formula assigns larger values to the Fair and Poor sources. It has the inconvenience that we have to decide the weight of every parameter we are analysing. In a first approach, for the interests of CyberGreen [1], Coverage and Accuracy are more relevant than timeliness; for this reason, in this example we have chosen 4/2/4 as weights. For remediation purposes this would not be the case, and something like 3/5/2 would probably be preferred, because in most cases a deep analysis will be made to validate the sources.

Considering that in CyberGreen we will focus on few and good sources, the best choice will probably be the Factor formula, both for its simplicity and because it gives more relevance to the best sources if we have to weight them for the same threat.
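A worked application of both formulas, added here as an example (it is not the thesis's own code), that scores the sources evaluated in Section 5 and shows how the two formulas order them and how their normalised weights differ when sources are combined for the same threat. Two assumptions: the Coverage ranks Excellent/Good/Fair are taken as 10/8/5 (only Poor = 2 is stated in this excerpt), and an N/A data frequency may optionally be scored as the rank the text marks "(Default)" rather than 0.

```python
"""Worked application of the Section 4.4 quality formulas (added example)."""
from fractions import Fraction
from typing import Callable, Dict, Iterable, List, Tuple

# Rank tables (label -> score) from Section 4.3.  For Coverage only Poor = 2 is
# stated in this excerpt; Excellent/Good/Fair = 10/8/5 is an ASSUMPTION that
# mirrors the Accuracy scale.
COVERAGE = {"Excellent": 10, "Good": 8, "Fair": 5, "Poor": 2}
DATA_FREQUENCY = {"Excellent": 10, "Good": 8, "Fair": 6, "Poor": 3, "N/A": 0}
ACCURACY = {"Excellent": 10, "Good": 8, "Fair": 5, "Poor": 2}
FREQUENCY_DEFAULT = DATA_FREQUENCY["Fair"]  # the rank the thesis marks "(Default)"

Evaluation = Tuple[str, str, str]  # (Coverage, Data Frequency, Accuracy) labels


def scores(ev: Evaluation, na_as_default: bool = False) -> Tuple[int, int, int]:
    """Map the three labels to ranks.  With na_as_default=True an N/A data
    frequency is scored as the Default (Fair) rank instead of 0; this is an
    assumed convention that keeps the Factor product from collapsing to zero."""
    coverage, frequency, accuracy = ev
    f = DATA_FREQUENCY[frequency]
    if frequency == "N/A" and na_as_default:
        f = FREQUENCY_DEFAULT
    return COVERAGE[coverage], f, ACCURACY[accuracy]


def factor_quality(ev: Evaluation, na_as_default: bool = False) -> int:
    """Factor formula: DataQuality = Coverage * DataFrequency * Accuracy."""
    c, f, a = scores(ev, na_as_default)
    return c * f * a


def added_quality(ev: Evaluation, weights: Tuple[int, int, int] = (4, 2, 4)) -> int:
    """Added formula: DataQuality = wC*Coverage + wF*DataFrequency + wA*Accuracy.
    (4, 2, 4) is the CyberGreen choice from the text; (3, 5, 2) the remediation one."""
    c, f, a = scores(ev)
    wc, wf, wa = weights
    return wc * c + wf * f + wa * a


# Evaluations transcribed from the Section 5 tables.  AlienVault is rated
# Excellent/Good for data frequency (API vs. file); the API rank is used here.
SOURCES: Dict[str, Evaluation] = {
    "Abuse.ch": ("Poor", "Excellent", "Excellent"),
    "AlienVault OTX (API)": ("Good", "Excellent", "Excellent"),
    "ATLAS": ("Excellent", "Excellent", "Excellent"),
    "APWG": ("Excellent", "Excellent", "Excellent"),
    "Autoshun": ("Excellent", "Good", "Fair"),
    "Blocklist": ("Good", "Excellent", "Good"),
    "BotScout": ("Good", "N/A", "Fair"),
    "BruteForceBlocker": ("Poor", "N/A", "Fair"),
    "CI Army": ("Excellent", "N/A", "Poor"),
    "Cisco IronPort SenderBase": ("Excellent", "Excellent", "Good"),
    "Clean MX": ("Excellent", "Excellent", "Excellent"),
}


def rank_sources(formula: Callable[[Evaluation], int],
                 sources: Dict[str, Evaluation] = SOURCES) -> List[Tuple[str, int]]:
    """Sources ordered best to worst under the given formula (ties by name)."""
    ranked = [(name, formula(ev)) for name, ev in sources.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def combination_weights(names: Iterable[str], formula: Callable[[Evaluation], int],
                        sources: Dict[str, Evaluation] = SOURCES) -> Dict[str, Fraction]:
    """Normalise the quality scores of several sources reporting the same threat
    into weights summing to 1, the weighting use discussed in Section 4.4."""
    names = list(names)
    total = sum(formula(sources[n]) for n in names)
    if total == 0:
        raise ValueError("every selected source scores 0; nothing to weight")
    return {n: Fraction(formula(sources[n]), total) for n in names}


if __name__ == "__main__":
    for label, formula in (("Factor", factor_quality),
                           ("Added 4/2/4", added_quality),
                           ("Added 3/5/2", lambda ev: added_quality(ev, (3, 5, 2)))):
        print(f"--- {label} ---")
        for name, score in rank_sources(formula):
            print(f"  {name:26s} {score:5d}")
    # Combining a Poor-coverage source with an Excellent one for the same threat:
    # Factor gives ATLAS 5/6 of the weight, Added only 25/42.
    for formula in (factor_quality, added_quality):
        print(combination_weights(["Abuse.ch", "ATLAS"], formula))
```

Note that every source whose data frequency is N/A scores 0 under the Factor formula, so it receives no weight at all unless N/A is mapped to the Default rank.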

5. Inventory and Description of Identified Sources

5.1 Abuse.ch

Description

Description of the service is based on information presented on the service website.

Abuse.ch [2] is a Swiss security blog where information related to crimeware such as ZeuS, Feodo and several ransomware families can be found.

The financial malware tracked at the time of the study are:

● ZeuS (also known as Zbot / WSNPoem): A crimeware kit, which steals credentials from various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing).

● Ransomware: A type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

● Feodo (also known as Cridex or Bugat): A Trojan used to commit e-banking fraud and steal sensitive information from the victims’ computer, such as credit card details or credentials.

The information is publicly available.

Evaluation of Service

Coverage

The service provides information that is not focused on a specific world region (country or network). As the trackers focus on only a few malware families, only about one to forty new incidents are generated daily. However, no detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 1: Abuse.ch geographical distribution

The information provided for each category is as follows:

● ZeuS: ZeuS C&C servers, ZeuS configs, ZeuS binaries, ZeuS dropzones and fake URLs.

● Ransomware: Each entry in Ransomware Tracker is tagged with a malware family and a threat. Currently, the following ransomware families are tracked: TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, Locky, CTB-Locker, FAKBEN and PayCrypt. The tracker distinguishes between the following threats: ransomware botnet C&C servers, ransomware payment sites and ransomware distribution sites.

● Feodo: Botnet C&C servers related to four versions of Feodo. They are labelled as version A, version B, version C and version D.

Data Frequency

Each tracker has two ways of serving the information: a feed, providing full information of detections; and various blocklists, providing information about either compromised domains or IPs.

The information gathered using the feed is updated in real time, but not at regular intervals: it depends on the on-going analysis or on the results of bot snooping. The blocklists, on the other hand, are updated at a fixed interval that depends on the tracker. The Ransomware blocklist is updated every five minutes, while the update frequency of the other blocklists is unclear.

Accuracy of Results

The information is gathered from analysis and spying on real malware samples. Lists contain only active IP addresses or URLs. Additionally, separate lists of removed addresses (hosts which were removed from the tracker) are provided. An entry may be removed from a list if the organization concerned contacts the list administrator.

Information available when using the feed is as follows:

● Zeus tracker: Date added, Malware, Host, IP address, Level Status, Files Online, SBL, Country, AS number, Uptime.

● Ransomware tracker: Date added, Threat, Malware, Host, Domain Registrar, IP address (ASN, Country).

● Feodo tracker: Date added, Threat, Malware, Host, Domain Registrar, IP address (ASN, Country).

Blocklists, however, provide only domains or IPs with no context information.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Poor | Infrastructure is unknown, but based on the volume of incidents generated daily, a small infrastructure is assumed. In addition, only information related to a few malware families is provided.
Data Frequency | Excellent | The database is updated in real time. Frequency depends on on-going analysis or snooping of infected bots.
Accuracy of Results | Excellent | The information is gathered from analysis and snooping on real malware samples. This makes the quality of the information quite good.

Table 1: Abuse.ch evaluation

5.2 AlienVault Open Threat Exchange

Description

Description of the service is based on information presented on the service website.

AlienVault Open Threat Exchange [3] provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating security infrastructures with threat data from any source.

The OTX DirectConnect API allows you to easily synchronize the Threat Intelligence available in OTX to the tools used to monitor the network. The service is available under subscription.

Evaluation of Service

Coverage

AlienVault OTX has more than 37,000 participants in 140 countries, who contribute over 3 million threat indicators daily. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 2: AlienVault geographical distribution

At the heart of Open Threat Exchange is the pulse, an investigation of an online threat. Pulses describe any type of online threat including known malicious IPs, malware, C&C servers, fraud campaigns, and even state sponsored hacking.

Data frequency

AlienVault provides two different ways to retrieve the information: via API, having the information in real-time; and via file, having the information updated every 30 minutes.

Accuracy of Results

OTX database comprises threat data sourced from private partnerships, public sources worldwide and a proven algorithm that helps validate sources and threats. If malicious activity is observed the OTX analysis systems will actively confirm the reported data. As long as the activity can be confirmed the domain or IP will be marked as malicious in Open Threat Exchange. If the analysis systems cannot confirm the malicious activity for a period of time (30 days), a historical record of the malicious activity will be shown, but the IP or domain will no longer be marked as malicious.

Administrators of AlienVault OSSIM and USM deployments can voluntarily contribute IP reputation data from a broad range of devices in their environment (firewalls, proxies, web servers, anti-virus systems, and intrusion detection/prevention systems). They can also contribute Indicators of Compromise (IoCs) to OTX pulses that contain more details. Pulses consist of indicators of compromise (IoCs), which describe the infrastructure of the threat (including IPs, file hashes, e-mail addresses affiliated with the threat, etc.). IoCs include:

● IP addresses

● Domains

● Hostnames (subdomains)

● Email

● URL

● URI

● CIDR Rules

● File Paths

● MUTEX name

● CVE number

● File Hashes: MD5, SHA1, SHA256, PEHASH, IMPHASH

It is noteworthy that IoCs can be retrieved only by using the API. If the reputation list is used instead, only the following information is provided: IP address, attack type, country code, city, latitude, longitude.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Good | Large infrastructure and several types of risk.
Data Frequency | Excellent/Good | When using the API the information is provided on a real-time basis. The file is updated every 30 minutes.
Accuracy of Results | Excellent | Data in Open Threat Exchange is reported as observed by contributors and confirmed by their analysis systems.

Table 2: AlienVault evaluation

5.3 ATLAS

Description

Description of the service is based on information presented on the service website.

ATLAS [4], which stands for Active Threat Level Analysis System, collectively analyses the data traversing different ‘darknets’ to develop a globally scoped view of malicious traffic traversing the backbone networks that form the Internet’s core.

The ATLAS portal is a public resource that delivers a subset of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation.

In order to benefit from all ATLAS’s services, registration is required. Accounts are currently only given to ATLAS partners, but they hope to open them up to everyone in the future.

A summary of each category is available free of charge.

Evaluation of Service

Coverage

The information provided by ATLAS comes either from a distributed network of more than 330 ISP customers which have agreed to share the information gathered by sensors running a number of data capture and analysis tools, or from a network of honeypots Arbor has deployed around the world. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 3: ATLAS geographical distribution

Once the information is analysed, it’s categorized as attack, scans, DoS attack, botnet, phishing and fast flux bots.

Data Frequency

ATLAS maintains a real-time database of malicious botnet C&C servers that is continuously updated. This information comes from malware analysis, botnet infiltration, and other sources of data.

Accuracy of Results

ATLAS uses a variety of tools and processes to collect and analyse threat data. The team focuses on the capabilities and potential of attacks, pulling out multiple indicators of an attack campaign. These indicators are delivered to Arbor products via the ATLAS Intelligence Feed.

Figure 4: ATLAS Intelligence Feed

In addition, ATLAS classifies traffic into several different types, including random packets, scans and attacks. Scans are distilled using a host scan algorithm. Attacks are classified using payload signatures of known attacks and known attack characteristics. If ATLAS cannot classify a packet into one of these types, it does not say that the packet was part of an attack.

● Attacks: IP address, cumulative bytes.

● Scans: IP address, cumulative bytes.

● DoS: start, end, destination CIDR, destination ASN, destination C&C, maximum BPS and maximum PPS.

● Botnet C&C servers: Country code, ASN, IP address, port.

● Phishing servers: Country code, ASN, IP address, port, URL

● Malicious links: timestamp, country code, ASN, IP address and URL

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Excellent | It has a big infrastructure that provides information related to a wide range of threats.
Data Frequency | Excellent | Charts are updated in real time and the feed is updated daily. However, sometimes information seems to be delayed.
Accuracy of Results | Excellent | Delivered data are attributed to real threats.

Table 3: ATLAS evaluation

5.4 Anti Phishing Working Group

Description

Description of the service is based on information presented on the service website.

The APWG's eCrime Exchange (eCX) [5] [6] is a platform whose role and imperative is the unification of ecrime investigators and managers, and fusion of the data they possess, to animate forensic applications through provision of a data-sharing data logistics infrastructure purpose-built for tasks essential to these investigative and forensic artisans.

Membership is open to qualified financial institutions, retailers, ISPs, solutions providers, the law enforcement community, government agencies, university-based researchers active in the topic space, multi-lateral treaty organizations, and NGOs. Organizations engaged in counter-phishing research, outreach, education, law enforcement or government administration are eligible for membership at no cost.

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. However, as APWG has more than 3,200 members from more than 1,700 companies and agencies worldwide, a large infrastructure is assumed. Member companies include leading security companies such as BitDefender, Symantec, McAfee, VeriSign, IronKey and Internet Identity. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 5: APWG geographical distribution

To that end, the APWG provides its members with three applications:

● Block List: records URLs or domains that are known to exist for purposes of phishing, malware distribution, and related activities.

● White List: the White List records URLs or domains that are known to be legitimate or "trusted."

● AMDoS Domain Suspension: enables accredited users to submit suspected or known malicious domain names for investigation and suspension by global registry operators.

For the present study only the Block List has been analysed.

Data frequency

The Anti Phishing Working Group reports in real time to the APWG's UBL to inform security applications and forensic programs. The UBL is housed on the eCX, which currently supports four different access points into the UBL data: a web-based application, internal eCX downloads, external downloads, and the UBL API.

Accuracy of results

The APWG collects, analyses, and exchanges lists of verified credential collection sites, like those used in phishing.

Information available when using the feed is as follows: Discovered, brand, confidence percentage, URL, IP address, groups and tags.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Excellent | No detailed information about the collection infrastructure is available. However, as APWG has more than 3,200 members from more than 1,700 companies and agencies worldwide, a large infrastructure is assumed. In addition, several types of risk are provided.
Data Frequency | Excellent | Data are provided on a real-time basis.
Accuracy of Results | Excellent | Information is analysed before sharing. In addition, it is provided with context, which can help analysts determine whether the information is useful or not.

Table 4: APWG evaluation

5.5 Autoshun

Description

Description of the service is based on information presented on the service website.

AutoShun [6] is a Snort plugin that sends Snort IDS logs to a centralized server, which correlates attacks from your sensor logs with those of other Snort sensors, honeypots, and mail filters from around the world. The input from those logs is used to identify hostile addresses that are bots, worms or spam engines, which are used to build a freely available shun list.

Evaluation of Service

Coverage

The system utilises information from IDS devices distributed around the world (hence a large network collection infrastructure); therefore information about attacks considers a wide range of networks. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 6: Autoshun geographical distribution

The input from those logs is used to identify hostile addresses that are bots, worms, spam engines or zombies, which are used to build a freely available, shun list.

Data Frequency

Shunlist is updated every two hours.

Accuracy of Results

The service uses IDS/IPS logs to build its data feed, and because of this false positives may occur. The information provided is as follows: attacker IP address, time of shun (CDT) and description of the event.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Excellent | The system uses information from IDS device logs distributed around the globe. In addition, several types of risk are provided.
Data Frequency | Good | The shun list is updated every two hours.
Accuracy of Results | Fair | The service uses IDS/IPS logs to build its data feed, and because of this false positives may occur.

Table 5: Autoshun evaluation

5.6 Blocklist

Description

Description of the service is based on information presented on the service website.

Blocklist [7] is a free and voluntary service provided by a fraud/abuse specialist whose servers are often attacked on SSH, mail login, FTP, web server and other services. Its mission is to report all attacks to the abuse departments responsible for the infected PCs/servers, so that the responsible provider can inform the customer about the infection and disable them.

Fail2Ban users can report attacks on their servers by registering an account and adding their servers. The open source application alters the firewall rules on your system in reaction to authentication or usage patterns.

Evaluation of Service

Coverage

Blocklist has more than 3,104 participants all over the world, who report more than 70,000 attacks in 12 hours in real time. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 7: Blocklist geographical distribution

The service reports all IP addresses which have been reported within the last 48 hours as having run any of the following attacks on participants' servers:

● Apache: Attacks on service Apache, Apache-DDOS, RFI-Attacks.

● Bots: RFI attacks, REG-Bots, IRC-Bots or BadBots (a spam comment posted on an open forum or wiki).

● Brute force: Brute-force login attacks on Joomla, WordPress and other web logins.

● FTP: Attacks on the Service FTP.

● Imap: attacks on the Service imap, sasl, pop3, etc.

● Mail: Attacks on the service Mail, Postfix.

● SIP: All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net

● SSH: Attacks on the service SSH.

In addition, there is also a list with all IPs that are older than 2 months and have more than 5,000 attacks.

Data frequency

Blocklist provides real-time threat data.

Accuracy of results

In order to enrich the information provided, the Whois service, the RIPE Abuse Finder and the contact database from abusix.org are used to find the abuse address assigned to the attacking host. In addition, the whitelists from www.dnswl.org and www.spamhauswhitelist.org and the blacklist from torproject.org are used to reduce false positives.

The time to live of an attacker's IP address is up to 14 days, and it is automatically reset to 14 days if another attack from that IP is detected.

The list provides only the IP address with no context.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Good | Big infrastructure. However, only one type of risk is provided.
Data Frequency | Excellent | Data are provided on a real-time basis.
Accuracy of Results | Good | Information is analysed, but it is provided with no context.

Table 6: Blocklist evaluation

5.7 BotScout

Description

Description of the service is based on information presented on the service website.

BotScout [8] helps prevent automated web scripts, known as "bots", from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference.

BotScout provides its services and permits access subject to the terms and conditions set on their website.

Evaluation of Service

Coverage

Besides having a large infrastructure of bot honeypots, information is submitted to their database by collaborators. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 8: BotScout geographical distribution

Their database contains bot 'signatures'. A signature is composed of a unique combination of the name the bot used when trying to register, the bot's email address, and the bot's IP address. These three items are used separately to identify bots whenever they use an already-seen name, email, or IP address.

Data frequency

There is no information available about the update frequency policy.

Accuracy of results

The BotScout database is scrubbed regularly to help make sure that it contains only unique signatures. The information provided is as follows: Bot name, bot email and bot IP from.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Good | Big infrastructure, but only malware provided.
Data Frequency | N/A | No information available.
Accuracy of Results | Fair | Information is provided with no temporal context, and it is not analysed. Thus, false positives are possible.

Table 7: BotScout evaluation

5.8 BruteForceBlocker

Description

Description of the service is based on information presented on the service website.

The BruteForceBlocker [9] list includes SSH brute force attacks detected by a script developed by the Slovak security analyst Daniel Geržo. The script, written in Perl, works together with pf, the firewall developed by the OpenBSD team. While running, it checks the sshd logs from syslog, looks for failed login attempts (mostly automated script attacks) and counts the number of such attempts. When a given IP reaches the configured limit of failures, the script puts the IP into a pf table and blocks any further traffic from it. Access to the list is free of charge.

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 9: BruteForceBlocker geographical distribution

The service provides information about SSH brute force attacks.

Data frequency

There is no information available about the update frequency policy.

Accuracy of results

This is an automatically generated list built from users reporting failed authentication attempts. An IP seems to be included if three or more users report it, and the retention policy seems to be 30 days. The information provided is as follows: IP address, last reported, count and ID.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Poor | Based on the events generated per day, a small infrastructure is assumed. In addition, only one type of risk is provided.
Data Frequency | N/A | No information available.
Accuracy of Results | Fair | Information is not analysed before sharing, thus false positives are possible. Information is provided with context, which can help analysts determine whether the information is useful or not.

Table 8: BruteForceBlocker evaluation

5.9 CI Army

Description

Description of the service is based on information presented on the service website.

The CI Army list [10] is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet two basic criteria: 1) the IP's recent Rogue Packet score factor is very poor, and 2) the InfoSec community has not yet identified the IP as malicious. Access to the list is free of charge.

Evaluation of Service

Coverage

CI Army gathers the alerts from a diverse network of Sentinel devices, deployed around the world, and other trusted InfoSec sources. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 10: CI Army geographical distribution

The CI Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet two basic criteria: 1) the IP's recent Rogue Packet score factor is very poor, and 2) the InfoSec community has not yet identified the IP as malicious.

Data frequency

There is no information available about the update frequency policy.

Accuracy of results

Attack data are combined with information from the most popular and respected sources to provide a more accurate overall assessment of an IP than a single source alone could.

The list provides only the IP address with no context.

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Excellent | Alerts are gathered from a diverse network of Sentinel devices, deployed around the world, and other trusted InfoSec sources. In addition, several types of risk are provided.
Data Frequency | N/A | No information available.
Accuracy of Results | Poor | Information is provided with no context at all, and it is not analysed. Thus, false positives are possible.

Table 9: CI Army evaluation

5.10 Cisco IronPort SenderBase

Description

Description of the service is based on information presented on the service website.

SenderBase [11] is an email and web traffic monitoring network. It examines different parameters of email and web traffic, including global sending volume, complaint levels, "spamtrap" accounts, whether a sender's DNS resolves properly and accepts return mail, country of origin, blacklist information, the probability that URLs are appearing as part of a spam or virus attack, open proxy status, use of hijacked IP space, valid and invalid recipients, and other parameters. It then uses these parameters to provide comprehensive data that differentiate legitimate senders from spammers and other attackers.

Searching is available only via the web page and is free for everyone. No additional channels are available (RSS or email).

Evaluation of Service

Coverage

The data is made up of over 100TB of daily security intelligence across over 1.6 million deployed web, email, firewall and IPS appliances all over the world. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 11: Cisco IronPort SenderBase geographical distribution

The information is segregated in three different categories: spam, email and malware.

Data frequency

Cisco IronPort SenderBase detects and correlates threats in real time.

Accuracy of results

Every item on the list has a ‘reputation’ score ranging from -10 (for the worst) to +10 (for the very best). The score is grouped into Good (little or no threat activity), Neutral (IP or domain is within acceptable parameters; however, email or web traffic may still be filtered or blocked) and Poor (problematic level of threat activity has been observed, email or web traffic is likely to be filtered or blocked) for simplicity reasons. In addition Cisco is a recognised corporation and has a good reputation among information security experts. All this makes results reliable.

The information provided is as follows:

● Spam and email: IP address, hostname, network owner, email reputation

● Malware: IP address, hostname

Evaluation Table

Criterion | Evaluation | Reason
Coverage | Excellent | The coverage is globally distributed. In addition, several types of risk are provided.
Data Frequency | Excellent | The database is updated in real time.
Accuracy of Results | Good | Information is analysed before sharing and a reputation score is assigned to each item. In addition, information is provided with context, which can help analysts determine whether the information is useful or not.

Table 10: Cisco IronPort SenderBase evaluation

5.11 Clean MX

Description

Description of the service is based on information presented on the service website.

Clean MX [12] is an anti-spam and anti-virus protection service for businesses which, through a four-phase system, provides an unmatched recognition rate for unwanted advertising, fraud and viruses in e-mail. Upon subscription, information about the viruses and worms that are detected is provided.

Evaluation of Service

Coverage

Clean MX is designed for companies with their own mail server. However, no detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 12: Clean MX geographical distribution

Clean MX has two different threat lists: phishing and malware.

Data frequency

The information can be gathered from their website which is updated in real time, or received through a mailing list which is updated hourly. In addition the site gives the possibility to subscribe to several RSS feeds, which provide all the incoming information related to the selected filter in real time.

Accuracy of results

The information comes from an anti-spam and anti-virus protection service for businesses which, through a four-phase system, provides a low false positive rate. According to the information on the website, the rate is so low that only one email in 10,000 is not detected correctly.

The information provided is as follows:

● Virus: Date, Closed, hours, contributor, virus name, URL, IP state, response, IP initial, AS#, IP review, URL, Domain, country, source, email, inetnum, netname, description, ns1, ns2, ns3, ns4, ns5, URL.

● Phishing: Dated, Closed, hours, PhishTank, PTUser, target, URL, IP state, response, IP initial, AS#, IP review, Domain, country, source, email, inetnum, netname, description, ns1, ns2, ns3, ns4, ns5, URL

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent The coverage is globally distributed. In addition, several types of risk are provided.

Data Frequency Excellent Database is updated in real time.

Accuracy of Results Excellent Information provided comes from an anti-spam and anti-virus protection service for businesses which, through a four-phase system, provides a low false positive rate. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 11: Clean MX evaluation

5.12 Composite Blocking List

Description

Description of the service is based on information presented on the service website.

Composite Blocking List [13] is a DNS-based blackhole list of suspected email spam senders.

The CBL takes its source data from very large spamtrap/mail infrastructures and only lists IP addresses exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, etc.), dedicated spam bots which have been used to send spam, worms/viruses that do their own direct mail transmission, some types of trojan horse or ‘stealth’ spamware, dictionary mail harvesters, etc.

As stated on CBL’s website, they ‘prefer users to use the SpamHaus DNSBL system to get access to the CBL, instead of the CBL directly. This has a number of benefits including more DNS servers answering queries (hence less chance of overload/delay on queries) as well as being able to query all of their DNSBLs in one query. The CBL is wholly included in (and in fact is the largest part of) the Spamhaus XBL subzone.’

To qualify for free access to the CBL/XBL, you must fall into one of the following categories:

● Public education institutions.

● Public/non-profit Internet access networks.

● Research groups doing useful work in anti-spam or anti-malware where the results are useful to them or the public in general and are non-commercial in nature.

● Organizations who can provide significant quantities of useful data in exchange for access.

● Public law enforcement or related organizations that work in the field of Internet abuse.
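The DNSBL lookup through which the CBL/XBL is consumed, as an added example (not code from the thesis, the CBL or Spamhaus): it builds the reversed query name for IPv4 and IPv6, classifies the A-record answer, and treats error codes and answers outside 127/8 as "unknown" rather than "listed". The zone name and the return-code ranges are assumptions taken from public Spamhaus documentation, and the resolver is stubbed with constructed answers so the script runs offline.

```python
"""DNSBL lookup in the style used for the CBL / Spamhaus XBL (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Assumption: the combined Spamhaus zone that contains the XBL (and so the CBL).
DEFAULT_ZONE = "zen.spamhaus.org"
# Assumption (public Spamhaus docs): 127.0.0.4-127.0.0.7 are XBL listings,
# 127.255.0.0/16 answers are error codes (blocked query, quota exceeded, ...).
XBL_CODES = {ipaddress.IPv4Address(f"127.0.0.{n}") for n in range(4, 8)}
ERROR_RANGE = ipaddress.IPv4Network("127.255.0.0/16")

Resolver = Callable[[str], List[str]]  # query name -> A records ([] means NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # 32 hex nibbles, one label each, least significant first
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone + "."


def classify_answer(answers: List[str]) -> Dict[str, object]:
    """Turn DNSBL A records into a verdict; never report 'listed' on an error."""
    verdict: Dict[str, object] = {"listed": False, "xbl": False, "error": None, "codes": answers}
    if not answers:
        return verdict  # NXDOMAIN: address is not on the list
    try:
        codes = [ipaddress.IPv4Address(a) for a in answers]
    except ValueError:
        verdict["error"] = "non-IPv4 answer"
        return verdict
    errors = [str(c) for c in codes if c in ERROR_RANGE]
    if errors:
        verdict["error"] = errors[0]
        return verdict
    outside = [str(c) for c in codes if not c.is_loopback]
    if outside:
        # A public address here usually means a hijacking/wildcarding resolver
        verdict["error"] = "non-127/8 answer: " + outside[0]
        return verdict
    verdict["listed"] = True
    verdict["xbl"] = any(c in XBL_CODES for c in codes)
    return verdict


def check_ip(ip: str, resolve: Resolver, zone: str = DEFAULT_ZONE) -> Dict[str, object]:
    result = classify_answer(resolve(dnsbl_query_name(ip, zone)))
    result["ip"] = ip
    return result


def system_resolve(name: str) -> List[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers standing in for DNS, keyed by query name (not real listings).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "4.3.2.1.zen.spamhaus.org.": ["127.0.0.4"],        # constructed XBL-style listing
    "8.7.6.5.zen.spamhaus.org.": [],                    # constructed: not listed
    "9.9.9.9.zen.spamhaus.org.": ["127.255.255.254"],  # constructed error code
    "2.2.2.2.zen.spamhaus.org.": ["93.184.216.34"],    # constructed non-127/8 answer
}


def fake_resolve(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9", "2.2.2.2"):
        print(check_ip(ip, fake_resolve))
```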

Evaluation of Service

Coverage

Service provides information regardless of its origin. However, no detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 13: Composite Blocking List geographical distribution

Spamming hosts are covered.

Data frequency

Spam emails are collected in real time from spamtraps.

Accuracy of results

The service is widely used and has a good reputation among experts. However, as access could not be granted, further analysis could not be done. Data aging policies are unclear.

Evaluation Table

Criterion Evaluation Reason

Coverage Good Based on the events generated per day, a big infrastructure is assumed. However, only one type of risk is provided.

Data Frequency Excellent Information is provided on a real-time basis.

Accuracy of Results Poor The service is widely used and has a good reputation among experts. However, as access could not be granted, further analysis could not be done.

Table 12: Composite Blocking List evaluation

5.13 CyberCrime Tracker

Description

Description of the service is based on information presented on the service website.

CyberCrime Tracker [14] is a C&C panel tracker of certain in-the-wild botnets. As such, its URL database is inherently smaller than the other datasets integrated in VirusTotal.

The information is publicly available.

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 14: CyberCrime Tracker geographical distribution

CyberCrime tracker shows information related to malware C&C.

Data frequency

CyberCrime Tracker updates information about C&C panels after they are reported.

Accuracy of results

Submissions are verified before the C&C is added to CyberCrime Tracker. Therefore, the information is quite reliable.

Tracker shows the following C&C panel information: Detection date, panel URL, panel IP and malware type.

Evaluation Table

Criterion Evaluation Reason

Coverage Fair Based on the events generated per day, a small infrastructure is assumed. In addition, only one type of risk is provided.

Data Frequency Excellent Database is updated in real time.

Accuracy of Results Excellent Submissions are verified before the C&C is added to CyberCrime Tracker. Therefore, the information is quite reliable. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 13: CyberCrime Tracker evaluation

5.14 DNS-BH Malware Domain Blocklist

Description

Description of the service is based on information presented on the service website.

The DNS-BH Malware Domain Blocklist [15] service provides information about malicious domain names responsible for propagating malware on the Internet. The project maintains lists of known malicious domains and provides DNS operators with zone files allowing fast and easy deployment on their networks.

Service also provides information about classification source of each blacklisted domain. The data shared by the service can be used to create long-term filters allowing monitoring of the traffic and creating alerts when users try to access blacklisted content.

The information is publicly available.

Evaluation of service

Coverage

No detailed information about the collection infrastructure is available. However, as the service integrates many information sources, its incident-collecting infrastructure can be considered large and coverage of the observed malicious domains is not limited to any specific region. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 15: DNS-BH Malware Domain Blocklist geographical distribution

The database contains information about phishing, ransomware and malware, presented in two different ways: a daily list of the security threats detected, together with a list of removed domains; and a list of all domains detected over time, where each line shows every detection time for the domain.

Data frequency

The DNS-BH Malware Domain Blocklist service does not update the information about malicious domain names at a regular frequency. The update interval can vary from one day up to 5 days, which limits its monitoring functionality.

Accuracy of Results

The service gathers information about malicious domains from sources such as Google Safe Browsing, the malc0de.com database, PhishTank and many others. Because the service aggregates information, the quality of the provided data depends strictly on the information sources. The accuracy of results can be weakened by a three-day delay between updates, which may sometimes lead to the false positive classification of a domain. The service provides the dates when the threat was first observed and last verified. Nevertheless, data receivers ought to verify data that may be considered out-dated.

The service does not differentiate between malicious domains, but it provides the classification reason, which puts the incident in proper context and can be used by the data receiver to create different incident types. The information provided is as follows: URL, risk type (Phishing, Ransomware, Malware Family), source and detection date.

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent The service provides several data feeds, so its collecting infrastructure can be considered large and distributed worldwide. In addition, several risk types are provided.

Data Frequency Poor Frequency can vary from one day up to 5 days, and thus has limited monitoring functionality.

Accuracy of Results Good The accuracy of data depends on external sources. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 14: DNS-BH Malware Domain Blocklist evaluation

5.15 Dr Web

Description

Description of the service is based on information presented on the service website.

Dr.Web [16] is a Russian anti-malware company that can provide C&C information. Its global monitoring network collects samples of new viruses from all over the world. Updates to the virus database are released as soon as new entries are added, up to several times per hour. "Hot" add-ons are released as soon as a new threat is captured and analysed.

The service is available under subscription.

Evaluation of Service

Coverage

A global monitoring network collects samples of new viruses from all over the world. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 16: Dr Web geographical distribution

The Virus Monitoring Service provides full information related to malware.

Data frequency

Virus database is updated as soon as a new threat is captured and analysed.

Accuracy of results

The information is gathered from analysis and monitoring of real malware samples. This makes the quality of the information quite high. The information provided is as follows: Danger, virus name, date, detection date and details.

Evaluation Table

Criterion Evaluation Reason

Coverage Good Its global monitoring network collects samples of new viruses from all over the world. However, only one type of risk is provided.

Data Frequency Excellent Virus database is updated as soon as a new threat is captured and analysed.

Accuracy of Results Excellent The information is gathered from analysis and monitoring of real malware samples. This makes the quality of the information quite high. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 15: Dr Web evaluation

5.16 Dragon Research Group

Description

Description of the service is based on information presented on the service website.

The Dragon Research Group [17] is a volunteer research organization dedicated to furthering the understanding of online criminality and to providing actionable intelligence for the benefit of the entire Internet community.

Reports are free for non-commercial use only. If you wish to discuss commercial use of this service, please contact the Dragon Research Group (DRG) for more information. Redistribution of the HTTP report is prohibited without the express permission of the Dragon Research Group (DRG).

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 17: Dragon Research Group geographical distribution

The service provides the following information:

● HTTP report: Entries consist of fields with identifying characteristics of a source IP address that has been seen sending HTTP requests to Dragon Research Pods. This report lists hosts that are highly suspicious and are likely conducting malicious HTTP attacks.

● sshpwauth report: Entries consist of fields with identifying characteristics of a source IP address that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.

● vncprobe report: Entries consist of fields with identifying characteristics of a source IP address that has been seen attempting to remotely connect to a host running the VNC application service. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute force attacks.

Data frequency

The frequency update policy varies depending on the report: HTTP report, updated daily; sshpwauth report, updated hourly; and vncprobe report, updated hourly.

Accuracy of results

The data is provided on an as-is basis with no expressed warranty or guarantee of accuracy. Use of this data is at your own risk.

The information provided is as follows:

● HTTP report: ASN, ASname, netblock, last seen timestamp (UTC), category

● sshpwauth report: ASN, ASname, source IP, last seen timestamp (UTC), category

● vncprobe report: ASN, ASname, source IP, last seen timestamp (UTC), category

Evaluation Table

Criterion Evaluation Reason

Coverage Good Based on the events generated per day, a big infrastructure is assumed. However, only one type of risk is provided.

Data Frequency Excellent Database is updated in real time.

Accuracy of Results Fair The data is provided on an as-is basis with no expressed warranty or guarantee of accuracy. However, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 16: Dragon Research Group evaluation

5.17 Dshield

Description

Description of the service is based on information presented on the service website.

Dshield [18] is a free and open service that provides a platform for firewall users to share intrusion detection information. Any party can submit firewall logs to the DShield database.

In addition, they collect data from the following open external threat feeds to supplement their own data: Abuse.ch, Blocklist.de, CI Army List, Emerging Threats, Errata Security, Forumspam, John Bambenek, Malc0de, Malware Domain List, Malware Traffic Analysis, Malware Domains, OpenBL, Project Blindferret, Project Sonar, Scans.io, Shadowserver, ShodanHQ Project, TechHelpList and Tor Project.

The service relies on an all-volunteer effort to detect problems, analyse the threat, and disseminate both technical and procedural information to the general public.

Evaluation of service

Coverage

Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems around the world are constantly collecting information about unwanted traffic arriving from the Internet. Dshield gathers millions of intrusion detection log entries every day, from sensors covering over 500.000 IP addresses in over 50 countries. Therefore, the information about attacks reflects a wide range of networks. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 18: Dshield geographical distribution

The service provides a REST API with several output formats, including xml (default), json, text and php, which allows retrieving the following information:

● Top ports: Information about the top ports for a particular date, with a return limit (max: 1.000). Information can be sorted by: records, targets or sources.

● Top IPs: Information about the top IPs for a particular date, with a return limit (max: 1.000). Information can be sorted by: records or attacks.

● Sources: Summary information from the last 30 days about source IPs, with a return limit (max: 10.000). Information can be sorted by: IP, count, attacks, firstseen or lastseen.

In addition, there is a feed that returns a list summarizing the top 20 attacking class C (/24) subnets from the last three days.

Data frequency

The time between updates of the data feeds delivered by the service differs depending on the type of feed.

● Top ports list is updated in real time.

● Top IPs list is updated every hour.

● Source list is updated every hour.

● The blocklist of subnets is updated every hour.

Accuracy of results

False positive classifications occasionally occur in data feeds. Because of that the Dshield service is meant to be used as an additional source of information about already observed malicious traffic and cannot be regarded as a sole source of information about them.

The information provided is as follows:

● Top ports: rank, target port, records, targets and sources.

● Top IPs: rank, source, reports and targets.

● Sources: IP address, attacks, count, first seen and last seen.

● Top 20 attacking class C (/24): start of netblock, end of netblock, subnet (/24 for class C), number of targets scanned, name of Network, Country and contact email address.
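A consumer for the top-20 /24 block list described above, as an added example (not code from the thesis or from DShield). It assumes a tab-separated line layout with the fields in the order listed (start of netblock, end of netblock, mask bits, number of targets, network name, country, contact email) and '#' comment lines; it validates that start, end and mask agree, and, because the thesis warns that false positives occur and the feed must not be the sole source, it filters by a minimum target count and by an allowlist of the consumer's own networks before emitting firewall rules. The input is constructed sample data, not real DShield output.

```python
"""Parse and validate a DShield-style /24 block list (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class BlockEntry:
    network: ipaddress.IPv4Network
    targets: int      # number of targets scanned from this block
    netname: str
    country: str
    contact: str      # abuse contact email


def parse_block_list(lines: Iterable[str]) -> List[BlockEntry]:
    """Parse block-list lines into validated entries, dropping malformed ones."""
    entries: List[BlockEntry] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # fewer fields than the assumed layout
        start, end, bits, targets, netname, country, contact = fields[:7]
        try:
            # strict=True rejects a start address not aligned to the stated mask
            net = ipaddress.IPv4Network(f"{start}/{bits}", strict=True)
            end_addr = ipaddress.IPv4Address(end)
            count = int(targets)
        except ValueError:
            continue
        if net.broadcast_address != end_addr:
            continue  # start/end do not describe the same block as the mask
        entries.append(BlockEntry(net, count, netname, country, contact))
    return entries


def select_for_blocking(entries: Iterable[BlockEntry], min_targets: int,
                        allowlist: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Keep only blocks above a target threshold that do not overlap our own networks."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    chosen = set()
    for e in entries:
        if e.targets < min_targets:
            continue
        if any(e.network.overlaps(a) for a in allowed):
            continue  # never let a third-party feed block our own address space
        chosen.add(e.network)
    return sorted(chosen)


def as_iptables(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    return [f"iptables -A INPUT -s {n.with_prefixlen} -j DROP" for n in nets]


# Constructed sample in the assumed layout (RFC 5737 documentation ranges, not real data).
SAMPLE_BLOCK_LIST = (
    "# constructed sample; assumed layout: Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t3120\tEXAMPLE-NET\tXX\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t41\tTEST-NET-2\tXX\tabuse@example.org\n"
    "203.0.113.0\t203.0.113.255\t24\t870\tTEST-NET-3\tXX\tabuse@example.com\n"
    "203.0.113.5\t203.0.113.255\t24\t999\tBAD-START\tXX\tabuse@example.com\n"
    "10.0.0.0\t10.0.1.255\t24\t500\tBAD-END\tXX\tabuse@example.com\n"
)


def demo() -> List[str]:
    entries = parse_block_list(SAMPLE_BLOCK_LIST.splitlines())
    # Assumption for the demo: 203.0.113.0/24 is one of our own networks.
    nets = select_for_blocking(entries, min_targets=100, allowlist=["203.0.113.0/24"])
    return as_iptables(nets)


if __name__ == "__main__":
    print("\n".join(demo()))
```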

Evaluation table

Criterion Evaluation Reason

Coverage Good System uses information from volunteers posting data from their firewalls distributed around the globe. However, only one type of risk is provided.

Data Frequency Excellent Data frequency depends on the data feed used and varies from three days to real time.

Accuracy of Results Fair Service uses firewall logs to build its data feed and because of this, false classifications may occur. However, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 17: Dshield evaluation

5.18 Emerging Threats

Description

Description of the service is based on information presented on the service website.

Emerging Threats [19] is a collection point for a number of security projects, mostly related to intrusion detection and network traffic analysis. Their primary project is the Emerging Threats Snort Ruleset, which produces data feeds regarding new threats. Emerging Threats brings together the most experienced and the least experienced security professionals.

Emerging Threats rules are free, as in BSD licensed.

Evaluation of Service

Coverage

Besides using highly reliable data sources, Emerging Threats has a global sensor network that provides information about detected threats. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 19: Emerging Threats geographical distribution

Emerging Threats provides several rulesets that can be deployed on IDS/IPS devices or firewalls to prevent malicious behaviour.

● DROP Rules: This ruleset takes a daily list of known spammers and spam networks as researched by Spamhaus and converts them into Snort signatures, Bro Signatures, and Firewall rules.

● Compromised Rules: This is a list of known compromised servers, confirmed of hosting bots, phishing sites, etc. This is a compilation of several private data sources. Sources include: Brute Force Blocker, OpenBL.org (formerly sshbl.org), and the Emerging Threats Sandnet and SidReporter Projects.

● DShield Rules: This ruleset takes a daily list of the top attackers reported to Dshield and converts them into Snort signatures, Bro Signatures, and Firewall rules.

● BotCC Rules: These are auto-generated from several sources of known and confirmed active Botnet and other C&C hosts. Sources include: Shadow Server, Spyeye Tracker, Palevo Tracker and Zeus Tracker.

● RBN Rules: IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will. Test for your production environment prior to utilization. In cases where a malicious domain occupies an IP address used by many domains, the IP address is not included in this list (due to false positives in Snort and Suricata). Those domains are included in the DNS Blackhole for Smoothwall.

● Tor Exit Nodes Rules: These rules are compiled from several lists of known Tor Exit nodes. You may want to block traffic from these. Their use of Tor isn't necessarily a hostile act, but in some environments that would be a very suspicious way to communicate.

There is also the possibility to get all rules together.

Data frequency

Most of the rules provided are updated on a daily basis. RBN Rules, however, are updated whenever the information changes, and the update frequency policy of the Tor Exit Nodes Rules is unclear.

Accuracy of Results

The information provided by Emerging Threats is a compilation of other sources, hence they do not verify

For blocking purposes there is a list of raw IPs for the firewall block lists.

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Besides using highly reliable data sources, Emerging Threats has a global sensor network that provides information about detected threats. In addition, they provide several types of risk.

Data Frequency Fair Most of the rules provided are updated on a daily basis.

Accuracy of Results Poor Information is not verified before sharing. In addition, no temporal context information is provided, so events could be discarded based on aging.

Table 18: Emerging Threats evaluation

5.19 hpHosts

Description

Description of the service is based on information presented on the service website.

hpHosts [20] is a community which manages and maintains a hosts file for Windows that blocks access to spammer, scammer, pornographic, spoofed and malicious websites.

The service is free to use; however, any and all automated use is strictly forbidden without express permission from them. Persons found to be using automation will be immediately and permanently banned.

Evaluation of Service

Coverage

hpHosts Computer Emergency Response Teams (CERTs) are spread around the world. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 20: hpHost geographical distribution

The following classifications are used to indicate the reason for inclusion in hpHosts; they are published for those wondering what the classification means when viewing a domain's information on the hpHosts website.

● ATS: Sites being used for advert or tracking purposes.

● EMD: Sites engaged in malware distribution.

● EXP: Sites engaged in the housing, development or distribution of exploits, including but not limited to exploitation of browser, software, operating system exploits as well as those engaged in exploits via social engineering.

● FSA: Sites engaged in the selling or distribution of bogus or fraudulent applications and/or provision of fraudulent services.

● GRM: Sites engaged in astroturfing (otherwise known as grass roots marketing) or spamming.

● HFS: Special classification for persons caught spamming the hpHosts forums.

● HJK: Sites engaged in browser hijacking or other forms of hijacking.

● MMT: Sites engaged in the use of misleading marketing tactics.

● PHA: Sites engaged in illegal pharmacy activities.

● PSH: Sites engaged in Phishing.

● WRZ: Sites engaged in the selling, distribution or provision of warez, where such provisions do not contain malware.

Data Frequency

Information is provided via an RSS feed in real-time.

Accuracy of Results

Sites submitted for inclusion are only included in the hosts file if they match one or more conditions of the inclusion policy [21]. In addition, all sites within hpHosts are validated 4 times per day (every 6 hours) over a 4-day period, to allow for late DNS propagation and for servers going down for whatever reason. When a hostname has failed resolution 4 days in a row, it is removed from the database and placed into a monitoring pile. Should the site ever return to life, it is checked and, if required, re-included.

The information provided is as follows: Website, IP address, classification, date added and added by.
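The validation and aging policy described above, modelled as an added example (not code from the thesis or from hpHosts): every entry is re-validated every 6 hours, an entry that fails resolution 4 days in a row (16 consecutive checks) is moved to a monitoring pile, and a monitored entry that resolves again is re-included. The resolver is injected and the hostnames and timeline are constructed so the simulation runs offline; it illustrates how a hosts-file feed avoids accumulating dead entries, the data-aging problem the thesis raises for several other services.

```python
"""Blocklist aging in the style of the hpHosts validation policy (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CHECK_INTERVAL_HOURS = 6
PASSES_PER_DAY = 24 // CHECK_INTERVAL_HOURS       # 4 validation passes per day
FAILURES_BEFORE_MONITORING = 4 * PASSES_PER_DAY   # 4 days in a row = 16 failed checks

Resolver = Callable[[str], Optional[str]]  # hostname -> IP address, or None if unresolvable


@dataclass
class Entry:
    host: str
    classification: str   # hpHosts code such as EMD or PSH
    added_by: str
    date_added: str
    ip: Optional[str] = None
    consecutive_failures: int = 0


@dataclass
class HostsDatabase:
    active: Dict[str, Entry] = field(default_factory=dict)
    monitoring: Dict[str, Entry] = field(default_factory=dict)

    def add(self, entry: Entry) -> None:
        self.active[entry.host] = entry

    def validate_once(self, resolve: Resolver) -> None:
        """One 6-hourly pass: age out dead active hosts, revive monitored ones."""
        monitored_before = list(self.monitoring.values())
        for entry in list(self.active.values()):
            ip = resolve(entry.host)
            if ip is None:
                entry.consecutive_failures += 1
                if entry.consecutive_failures >= FAILURES_BEFORE_MONITORING:
                    self.monitoring[entry.host] = self.active.pop(entry.host)
            else:
                entry.ip = ip
                entry.consecutive_failures = 0  # any success resets the 4-day window
        for entry in monitored_before:
            ip = resolve(entry.host)
            if ip is not None:
                # back to life: re-include (an operator would re-check the classification here)
                entry.ip = ip
                entry.consecutive_failures = 0
                self.active[entry.host] = self.monitoring.pop(entry.host)

    def hosts_file(self) -> str:
        """Render the active entries in hosts-file form."""
        return "".join(f"127.0.0.1 {h}\n" for h in sorted(self.active))


def run_passes(db: HostsDatabase, resolve_at: Callable[[int, str], Optional[str]],
               passes: int) -> None:
    """Drive `passes` validation rounds; resolve_at(pass_index, host) stands in for DNS."""
    for i in range(passes):
        db.validate_once(lambda host, i=i: resolve_at(i, host))


def constructed_resolver(pass_index: int, host: str) -> Optional[str]:
    """Constructed timeline (not real hosts): documentation addresses only."""
    if host == "live.example":
        return "192.0.2.10"                                   # always resolves
    if host == "dead.example":
        return None                                           # never resolves again
    if host == "flaky.example":
        return "192.0.2.20" if pass_index >= 15 else None     # back just before 4 days
    if host == "zombie.example":
        return "192.0.2.30" if pass_index >= 20 else None     # back after being parked
    return None


def run_scenario(days: int) -> HostsDatabase:
    db = HostsDatabase()
    for host, cls in [("live.example", "PSH"), ("dead.example", "EMD"),
                      ("flaky.example", "EMD"), ("zombie.example", "EXP")]:
        db.add(Entry(host, cls, added_by="constructed", date_added="2016-01-01"))
    run_passes(db, constructed_resolver, days * PASSES_PER_DAY)
    return db


if __name__ == "__main__":
    db = run_scenario(6)
    print(db.hosts_file())
    print("monitoring:", sorted(db.monitoring))
```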

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent hpHosts CERTs are spread around the world. Hence, the infrastructure is big. In addition, several types of risk are provided.

Data Frequency Excellent Information is provided in real-time.

Accuracy of Results Excellent Information is verified before sharing. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 19: hpHost evaluation

5.20 ImproWare AG

Description

Description of the service is based on information presented on the service website.

ImproWare AG [22] is a Swiss company that provides information about the spam and worms detected by its anti-spam solution. Access to those lists is free of charge.

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. The infrastructure depends on the amount of clients the company has. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 21: ImproWare AG geographical distribution

ImproWare AG provides two different lists containing all host IP addresses from which spam mails and worms were caught over the last three days.

Data Frequency

Although the lists are updated in real-time, they may have a delay of up to 15 minutes.

Accuracy of Results

The information provided comes from an anti-spam and anti-virus protection service which, through a four-phase system, provides a low false positive rate. According to the information on the website, 99.95% of all spam mails are caught and 99.9% of all known viruses are rejected.

The information provided is as follows:

● Spamlist: Count, IP address, Unix time, local time, hits, hostname (not always present)

● Wormlist: Count, IP address, Unix time, local time, name, hostname (not always present)

Evaluation Table

Criterion Evaluation Reason

Coverage Fair Infrastructure is unknown, but based on the volume of incidents generated daily, a small infrastructure is assumed. In addition, several types of risks are provided.

Data Frequency Excellent The lists are updated in real-time. They may have up to 15 minutes delay.

Accuracy of Results Fair

Table 20: ImproWare AG evaluation

5.21 Kaspersky

Description

Description of the service is based on information presented on the service website.

Kaspersky Intelligence service [23] provides current and full information about any software known to Kaspersky Lab.

The service is available under subscription.

Evaluation of Service

Coverage

No detailed information about the collection infrastructure is available. However, as Kaspersky has been positioned in the "Leaders" quadrant of the 2016 Gartner Magic Quadrant for Endpoint Protection Platforms, a large infrastructure is assumed. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 22: Kaspersky geographical distribution

Kaspersky Lab offers two types of Threat Data Feed:

● Phishing URL Feed: A set of URLs with context covering phishing websites and web pages. Masked and non-masked records are available.

● Botnet C&C URL Feed: A set of URLs and hashes with context covering desktop botnet C&C servers and related malicious objects.

Data Frequency

Kaspersky Application Advisor service provides all the information in real-time.

Accuracy of Results

The information provided comes from analysis performed by Kaspersky Lab, as well as from their anti-spam and anti-virus protection for businesses. Therefore, the data feeds have a low false positive rate.

The information provided by each feed is as follows:

● Phishing URL Feed: ID, mask, type, first seen, last seen, IP address, popularity, country.

● Botnet C&C URL Feed: Targeted URL, botnet type, attack type, attack rules, C&C server address, MD5 hashes, decrypted configuration file and sample.

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Based on events generated per day a big infrastructure is assumed. In addition, several types of risk are provided.

Data Frequency Excellent Data feeds provide the information on a real-time basis.

Accuracy of Results Excellent Information is analysed before sharing. Information is provided with context, which can help analysts determine whether information is useful or not.

Table 21: Kaspersky evaluation

5.22 Malc0de

Description

Description of the service is based on information presented on the service website.

The Malc0de [24] database delivers information about URLs which distribute malware, i.e. malicious executables. The information is publicly available.

Coverage

Information about data collecting infrastructure is undisclosed. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 23: Malc0de geographical distribution

The data presented on the website consist of URLs along with the malware that was delivered through them. An IP address and AS number are associated with every URL, as well as the MD5 hash of the binary with a hyperlink to the report from the ThreatExpert service.

Data Frequency

URLs with malicious binaries are updated in real time. It may happen that websites are removed by hosting providers, so that the binaries are no longer available for download. There is also a file populated with the malicious IP addresses of the last 30 days, which is automatically updated.

Accuracy of Results

Samples in the Malc0de database are published based on ThreatExpert classification. Since the domain names/IP addresses of servers distributing malware change rather often, it happens that a URL provided by the database leads nowhere, but the malware hashes remain present.

The information provided is as follows: Date, domain, IP address, country, ASN, Autonomous System Name and hash (in md5).

Evaluation Table

Criterion Evaluation Reason

Coverage Good Based on events generated per day a big infrastructure is assumed. However, only one type of risk is provided.

Data Frequency Excellent Database is updated in real time.

Accuracy of Results Excellent Samples in database are published based on ThreatExpert classification. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 22: Malc0de evaluation

5.23 Malware Domain List

Description

Description of the service is based on information presented on the service website.

Malware Domain List [25] is a service that provides a list of URLs that are dangerous (involved in infection process, botnet management or drop zone, malware hosting, etc.). Additionally a list of IP addresses of web servers is provided. It is a non-commercial community project and can be used for free by anyone.

Coverage

No detailed information is available about the collection infrastructure. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 24: Malware Domain List geographical distribution

Lists are available in several forms:

● Complete database (all fields) – full or only updates

● Only URLs – full list or only updates

● ZeuS URLs – full list or only updates

● Sites which are offline or have been cleaned – full list

● List of active IP addresses

The complete database lists include additional fields that are useful in the parsing/filtering process, such as the IP address of the server hosting the site, the AS number, the country code, the registrant and a reverse DNS lookup.

Data Frequency

The database is updated in real time but not at regular intervals: updates depend on the analysis in progress or on the monitoring of bots.


Accuracy of Results

The information is gathered from the analysis and monitoring of real malware samples. This makes the quality of the information quite high. However, there is no guarantee that there will be no false positives.

The service provides both a full list and updates lists. However, the full lists are not cleaned and contain both obsolete and up-to-date data.

The IP address list provides only the IP address, with no context.

Evaluation Table

Criterion Evaluation Reason

Coverage Poor The infrastructure is unknown, but based on the volume of incidents generated daily, a small infrastructure is assumed. In addition, only information related to a few malware families is provided.

Data Frequency Excellent The database is updated in real time, but not at regular intervals. It depends on the analysis in progress or on the monitoring of infected bots.

Accuracy of Results Excellent The information is gathered from the analysis and monitoring of real malware samples, which makes its quality quite good. In addition, the complete database lists provide full context, which can help analysts determine whether the information is useful or not.

Table 23: Malware Domain List evaluation

5.24 NoThink!

Description

Description of the service is based on information presented on the service website.

NoThink! [26] is a blog where Matteo Cantoni, an ICT senior security analyst and penetration tester, publishes free statistics from his honeypot systems.

Coverage

The infrastructure is small, as the blog is maintained by a single security analyst. The following map shows the distribution of the data retrieved over the evaluated period.


Figure 25: NoThink! geographical distribution

Several lists are available at NoThink!:

● Malware http

● Malware DNS

● Malware IRC

Data Frequency

Lists are updated every 24 hours.

Accuracy of Results

Lists are generated automatically from the attacks observed on low-interaction honeypots. Therefore, a number of false positives are possible.

The list provides only the IP address with no context.

Evaluation Table

Criterion Evaluation Reason

Coverage Poor The infrastructure is small, as the blog is maintained by a single security analyst. Information about several types of risk is provided.

Data Frequency Fair The list is updated daily.

Accuracy of Results Poor Lists are generated automatically from the attacks observed on low-interaction honeypots. Therefore, a number of false positives are possible. In addition, the information is provided with no context.

Table 24: NoThink! evaluation

5.25 PhishTank

Description

Description of the service is based on information presented on the service website.

PhishTank [27] is a collaborative clearing house for data and information about phishing on the Internet. It is operated by OpenDNS, a company founded in 2005 to improve the Internet through safer, faster, and smarter DNS.

Information is provided via an open API for developers and researchers at no charge.

Evaluation of Service

Coverage

Information is gathered from registered users and from some external feeds. Although no information about the infrastructure is available, wide coverage can be assumed based on the volume of incidents generated daily. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 26: PhishTank geographical distribution

This source only provides information related to phishing.


Data Frequency

The information is updated every hour on the hour.

Accuracy of Results

Information is verified by PhishTank members before it is shared. The number of people required to verify a phish depends on the voting history of those voting, but it is always more than one. In addition, OpenDNS uses its network analysis to help identify and confirm phishing sites. As that information becomes richer, OpenDNS will provide a feed to PhishTank, whose quality will be judged by the PhishTank community in the same way as other submissions and submitters.

The information provided is as follows: Phish ID, Phish detail URL, URL, Submission time, Verified, Verification time, Online and Target.

Evaluation Table

Criterion Evaluation Reason

Coverage Good Although no information about the infrastructure is available, wide coverage can be assumed based on the volume of incidents generated daily. However, only one type of risk is covered.

Data Frequency Good The information is updated every hour on the hour.

Accuracy of Results Excellent Information is analysed before sharing. In addition, it is provided with context, which can help analysts determine whether information is useful or not.

Table 25: PhishTank evaluation

5.26 Project Honey Pot

Description

Description of the service is based on information presented on the service website.

Project Honey Pot [28] is an open source initiative to track abuse, fraud, and other malicious behaviour that occurs online. The Project tracks more than a million IP addresses engaged in suspicious behaviour each day and reports on them through their website.

Non-members have only limited access to the information produced by the service (the data feeds are shortened to contain only the top 25 abusing IP addresses). Membership is free but requires registration. To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website.


Project Honey Pot was created by Unspam Technologies Inc, an anti-spam company with the singular mission of helping design and enforce effective anti-spam laws.

The information is publicly available.

Evaluation of Service

Coverage

The service monitors spam traffic with almost 68 million spam traps scattered over the world. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 27: Project Honey Pot geographical distribution

Currently the service provides a variety of statistical information and a number of data feeds concerning IP addresses separated in groups depending on type of malicious behaviour (email harvesters, spam servers, dictionary attackers, comment spammers, rule breakers, search engines).

Data Frequency

The service sends an email every 24 hours containing a summary report on the IP addresses detected as spam servers. An RSS feed based on filtered information can also be defined, which provides the information in real time.

Additionally, for anti-spam filter developers and companies assessing the reputation of IP addresses, Project Honey Pot offers a spam feed in real time. Access to this feed is restricted, and Project Honey Pot carefully vets the companies that are granted access in order to preserve the quality of its spamtrap addresses.


Accuracy of Results

The service produces ratings for the detected IP addresses sending spam messages. The ratings are based on the number of emails sent to the honeypot, dictionary attacks performed, addresses harvested, spam comments posted to web forms, bad web pages hosted (phishing sites, etc.), and no-follow or certain robots.txt rules broken. The service has a disclaimer stating that the lists may contain false positive classifications due to the potential theft of an IP address or the takeover of a server.

The information provided is as follows: IP address, Type, date, event, total, first seen, last seen.

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Worldwide coverage of 68 million spam traps assures great discovery capabilities. In addition, several types of risk are provided.

Data Frequency Excellent / Good Information is provided in real time via its RSS feed, or every 24 hours via email as a summary report.

Accuracy of Results Fair The service has a disclaimer stating that lists may contain false positive classifications. However, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 26: Project Honey Pot evaluation

5.27 Shadowserver

Description

Description of the service is based on information presented on the service website.

The Shadowserver Foundation [29] is an organization comprised of volunteer security professionals from around the world that gathers, tracks, and reports on malicious software, botnet activity, and electronic fraud on the darker side of the Internet.

The reporting service is provided free-of-charge and is designed for ISPs, enterprises, hosting providers, and other organizations that directly own or control network space.


Evaluation of Service

Coverage

The Shadowserver Foundation filters the data received from its worldwide sensor and monitoring networks. The data inserted into the database is not limited to a specific region or network. However, no detailed information about the collection infrastructure is available. As access could not be granted, neither the geographical distribution nor any further analysis could be done.

The reporting service monitors and alerts the following activity: Botnet C&C servers, infected systems (drones), DDoS attacks (source and victim), Scans, Clickfraud, Compromised hosts, Compromised websites, Proxies, Spam relays, Open DNS Resolvers, Malicious software droppers and other related information.

The relevant reports for the present study are:

● Blacklist Report: IP addresses that have been blacklisted by one of the many blacklist services on the Internet. This report is the aggregation of a variety of different blacklist providers. Note that all timestamps are in UTC+0.

● Botnet-URL Report: Any URL that was seen in a botnet channel is reported. The URL could be an update, a complaint, or information related to the criminals; everything is included in case there is something of value in it. These URLs are captured from botnet communications and could be updates for a botnet, a link to something the criminals thought was interesting, or even vacation pictures of the criminals. Source: botnet monitoring. Note that all timestamps are in UTC+0.

● Compromised Host Report: Specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that it has compromised. The report has an unusual combination of information: there are often three IP addresses listed, because it includes the C&C that is controlling the systems, the attacking IP address, and finally the compromised IP address. Source: botnet monitoring. Note that all timestamps are in UTC+0.

● Compromised-Website Report: Websites that were seen to be compromised, and hence are likely to be abused for various types of attacks. This report lists all the websites that either Shadowserver or any of its partners have been able to identify and verify as compromised. These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits, etc.

● Click-Fraud Report: A source of fraud and possible revenue when a botnet is used to select links that are used for tracking or monetary purposes. The specific URLs targeted are listed.

● Command and Control Report: A list of all the currently known active C&Cs.

● Honeypot URL Report: The source URLs from which malware was downloaded by the honeypot systems.

● Spam-URL Report: A list of the URLs and relays for spam that was received.

Data frequency

Shadowserver runs the reports starting every morning for the previous 24 hours (UTC time-based).

Accuracy of results

The Shadowserver Foundation filters the data received from its worldwide sensor and monitoring networks and employs an analysis engine to classify the attacks. It then sorts this data according to ASN, netblock, and even geolocation. Reports are only sent upon detection of malicious activity and contain only up-to-date data (no outdated information). However, there is no guarantee that there will be no false positives. The information provided in each report is as follows:

● Blacklist: Timestamp, IP address, hostname, source, reason, ASN, country, region, city, NAICS and SIC.

● Botnet-URL: Date, time, C&C IP address, C&C port, C&C ASN, C&C country, channel, URL, URL ASN, ASN country, MD5.

● Compromised Host Report: Date, time, C&C IP address, C&C port, C&C ASN, C&C country, C&C DNS, attacking host IP address, attacking host ASN, attacking host country, attacking host DNS, target IP address, target ASN, target country and target DNS.

● Compromised-Website: Timestamp, IP address, port, hostname, tag, application, ASN, country, region, city, URL, domain, category, system, detected since and server.

● Click-Fraud: Date, time, C&C IP address, C&C Port, C&C ASN, C&C country, channel, command, target IP address, target ASN, target country and URL.

● Command and Control: IP address, port, channel, country, region, state, domain, ASN, AS Name and AS Description.

● Honeypot URL: MD5 hash, URL, URL ASN and URL country.

● Spam-URL: Timestamp, URL, host, IP address, ASN, country, region, city, subject, source IP address, source ASN, source country, source region, source city and sender.


Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Shadowserver uses worldwide sensor and monitoring networks. In addition, several types of risk are provided.

Data Frequency Fair Shadowserver runs the reports starting every morning for the previous 24 hours (UTC time-based).

Accuracy of Results Excellent The service is maintained by volunteer security professionals from around the world and reports contain only up-to-date data. In addition, temporal context information is provided, so events can be discarded based on aging.

Table 27: Shadowserver evaluation

5.28 Spamhaus

Description

Description of the service is based on information presented on the service website.

The Spamhaus Project [30] is an international non-profit organization that tracks spam and related cyber threats such as phishing, malware and botnets, provides real-time actionable threat intelligence to the Internet's major networks, corporations and security vendors, and works with law enforcement agencies to identify and pursue spam and malware sources worldwide.

The Spamhaus DROP List and the Spamhaus Extended DROP List (EDROP) are available for free in text format. The Botnet Controller List (BCL), however, is free only for Small Office/Home Office (SOHO) users.

Coverage

Spamhaus is an established initiative and as such has a wide network of distributed sources for gathering of data. The following map shows the distribution of the data retrieved over the evaluated period.


Figure 28: Spamhaus geographical distribution

Spamhaus offers a Border Gateway Protocol feed of three of its lists, which Spamhaus refers to as the BGPf. It comprises the following three datasets: the Spamhaus Botnet Controller List (BCL), the DROP List, and the Extended DROP List (EDROP).

The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell". DROP will only include netblocks allocated directly by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations.

EDROP is an extension of the DROP list that includes suballocated netblocks controlled by spammers or cyber criminals. EDROP is meant to be used in addition to the direct allocations on the DROP list.

Data Frequency

The DROP list changes quite slowly. There is no need to update cached data more than once per hour; in fact, once per day is more than enough in most cases. Excessive downloads may result in the downloading IP address being firewalled from the Spamhaus website.

The EDROP list changes even more slowly, being updated every four days.

Accuracy of Results

A dedicated international team of investigators and forensics specialists maintains the DROP and EDROP lists. In order to mitigate the possible false positives caused by its aggressive rules for blacklisting spam bots, a time to live is set for each list (1 day for the DROP list and 4 days for the EDROP list). This makes Spamhaus quite reliable.


The information provided is as follows: Last modified, expiration, netblock, SBL.
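The following is an added example, not code from the thesis or from Spamhaus: it parses a DROP/EDROP-style text list, honours the Expires header as the time to live described above (a stale copy is refused rather than applied), skips malformed lines so they can never become firewall rules, and emits ipset commands that build a fresh set and swap it in atomically. The sample list is constructed to mimic the DROP text format (header comment lines beginning with ";", then one "netblock ; SBLnnn" line per entry); the netblocks and SBL numbers are made up, as is the set name spamhaus_drop.

```python
"""Parse a Spamhaus DROP/EDROP-style text list and turn it into ipset rules.

Added example (not from the thesis or Spamhaus). SAMPLE_DROP is constructed;
the netblocks, dates and SBL references are made up.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample input in the DROP text format (all values made up).
SAMPLE_DROP = """\
; Spamhaus DROP List 2016/05/01 - (c) 2016 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Sun, 01 May 2016 10:00:00 GMT
; Expires: Mon, 02 May 2016 10:00:00 GMT
192.0.2.0/24 ; SBL100001
198.51.100.0/24 ; SBL100002
203.0.113.0/24 ; SBL100003
this is not a netblock ; SBL100004
"""

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def parse_drop(text):
    """Return (entries, meta): entries is a list of (ip_network, sbl) tuples,
    meta holds the Last-Modified / Expires header values as aware datetimes."""
    entries, meta = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            # Header comment: keep the date fields, ignore the banner lines
            key, sep, value = line[1:].strip().partition(":")
            if sep and key in ("Expires", "Last-Modified"):
                parsed = datetime.strptime(value.strip(), HTTP_DATE)
                meta[key] = parsed.replace(tzinfo=timezone.utc)
            continue
        netblock, _, sbl = line.partition(";")
        try:
            network = ipaddress.ip_network(netblock.strip(), strict=True)
        except ValueError:
            # A malformed line must not silently become a firewall rule
            continue
        entries.append((network, sbl.strip()))
    return entries, meta


def is_expired(meta, now):
    """The list carries its own TTL; a copy past its Expires time is stale."""
    expires = meta.get("Expires")
    return expires is not None and now > expires


def to_ipset_commands(entries, setname="spamhaus_drop"):
    """Build a new set, fill it, then swap it in atomically (hypothetical set name)."""
    cmds = [
        f"ipset create {setname} hash:net comment -exist",
        f"ipset create {setname}_new hash:net comment -exist",
        f"ipset flush {setname}_new",
    ]
    cmds += [f'ipset add {setname}_new {net} comment "{sbl}"' for net, sbl in entries]
    cmds += [f"ipset swap {setname}_new {setname}", f"ipset destroy {setname}_new"]
    return cmds


def apply_drop(text, now_iso):
    """Parse a DROP copy; return the ipset commands, or None if the copy has expired."""
    entries, meta = parse_drop(text)
    now = datetime.fromisoformat(now_iso)
    if is_expired(meta, now):
        return None
    return to_ipset_commands(entries)


if __name__ == "__main__":
    commands = apply_drop(SAMPLE_DROP, "2016-05-01T12:00:00+00:00")
    if commands is None:
        raise SystemExit("DROP copy has expired; download it again before applying")
    print("\n".join(commands))
```

The swap keeps the live set intact while the new one is filled, so a failed download or a parse error never leaves the firewall with an empty DROP set.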

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Spamhaus is an established initiative and as such has a wide network of distributed sources for gathering of data.

Data Frequency Fair DROP is updated not more than once an hour (probably once per day). EDROP is updated every 4 days.

Accuracy of Results Excellent A dedicated international team of investigators and forensics specialists maintains DROP and EDROP. However, false positives are possible. In addition, temporal context information is provided, so events can be discarded based on aging.

Table 28: Spamhaus evaluation

5.29 Team Cymru

Description

Description of the service is based on information presented on the service website.

Team Cymru [31] provides daily lists of compromised or abused devices for the ASNs and/or netblocks within a CSIRT's jurisdiction. This includes information such as bot-infected hosts, C&C systems, open resolvers, malware URLs, phishing URLs, and brute-force attacks.

The service is free: any verifiable regional or national CSIRT is welcome to join the programme. A short memorandum of understanding is required for participation.

For organizations that are not eligible, there is also the commercial Threat Intelligence service.

Evaluation of Service

Coverage

Team Cymru is a geographically dispersed group of security professionals who are able to collaborate thanks to the Internet. Thanks to that, and to having equipment deployed all over the globe, they can provide nearly 24x7 coverage. As access could not be granted, neither the geographical distribution nor any further analysis could be done.

Threat Intelligence provides the information with three different feeds:


● Reputation Data Feed: Provides rich categorical reputation information based on IP addresses. Each entry includes a category indicating the type of malicious behaviour observed:

- Controller: IP used to control botnets

- Bot: IP was observed talking with a known botnet C&C

- Darknet: IP was observed scanning dark IP space for vulnerable hosts

- Proxy: IP was observed being used as a proxy to connect to the public Internet

- Router: IP is a router that was observed being used as a proxy

● Controller Data Feed: Contains all botnet controller data from the Botnet Analysis and Reporting System (BARS), a system that enables visibility into botnets that normally evade monitoring, plus other sources, for a more comprehensive view of C&C for IRC-based, HTTP-based and P2P-based botnets. It contains all confirmed, active botnet, warez, underground economy and other malware distribution command points.

● Malware Data Feed: Delivered information includes bot-infected hosts, C&C systems, open resolvers, malware URLs, phishing URLs, and brute force attacks. There are two primary malware feeds:

- Malicious URLs: List of URLs seen in Team Cymru's malware analysis that have been confirmed by at least one AV package as being involved in infection or in the distribution of malware. Manually reviewed phishing URLs are also included.

- Malware Binaries: Malware samples that have been collected in the last 24 hours.

Data frequency

Update frequency policy depends on the feed:

● Reputation Data Feed: XML file is generated hourly but 24-hour aggregate file is also available.

● Controller Data Feed: The report is updated every 60 minutes.

● Malware Data Feed: Both malicious URLs and malware binaries are provided daily.

Accuracy of results

All the information provided by each feed is gathered through a number of methods, including malware analysis, observation of botnet C&C channels that Team Cymru has uniquely decoded, and monitoring of dark IP space (darknets). In addition, as part of the XML schema for the report, each controller and bot is assigned a "confidence" value in the range 0-100, with 100 being the highest confidence rating. The confidence value depends on the method of collection and analysis.


In order to improve the information provided, entries of the Controller Data Feed are checked as follows: IRC-based entries are manually verified every 7 days and HTTP-based entries are mechanically verified every 60 minutes. Entries that no longer respond on the given IP address and port are removed. The Malware Data Feed additionally combines the results of scans from a number of commercial sandbox tools and some 35 different anti-virus engines, along with Team Cymru's own proprietary run-time analysis system.

The information provided is as follows:

● Reputation Feed: This dataset includes an event timestamp along with supporting detail for a number of categories of reputation affecting activities.

● Controller Data Feed: Multiple IP addresses for a single botnet, domain name and HTTP URL, first seen time, last checked time, recent up and down times, family, sub-family and version details, protocol and port, whether it currently resolves or is active in DNS, confidence value, SHA1 and MD5 of malware samples, SSL and request type for HTTP C2s, and password, channel and key for IRC servers.

● Malware Data Feed: This dataset includes malware samples available as binaries, hashes, malicious URL sources, or Anti-Virus signature tags as well as first and last seen timestamps.

Evaluation Table

Criterion Evaluation Reason

Coverage Excellent Delivers information about multiple types of incidents concerning the networks owned by the organisation. A large infrastructure is needed for the collection of such information.

Data Frequency Good Updated daily.

Accuracy of Results Excellent Delivered data are attributed to real threats.

Table 29: Team Cymru evaluation

5.30 Zone-H

Description

Description of the service is based on information presented on the service website.

Zone-H [32] is an archive of defaced websites. All the information contained in Zone-H's cybercrime archive is either collected online from public sources or directly notified by Zone-H’s community (everyone can anonymously notify about defaced sites).

Zone-H’s data are under a Creative Commons Attribution-Noncommercial-No Derivative (CC BY-NC-ND) licence, i.e. they may be used only for non-commercial purposes.


Evaluation of service

Coverage

The dataset depends only on activity of the community. However, defacers tend to brag, meaning that coverage may be quite good. The following map shows the distribution of the data retrieved over the evaluated period.

Figure 29: Zone H geographical distribution

Zone-H provides three lists:

● List with non-confirmed defacements.

● A special defacements list (for example important websites, like governmental, known companies, military, etc.)

● A ‘normal’ sites list.

Data frequency

All lists except ‘Onhold’ are available via RSS feed (the last 20 defacements published, updated every 5 minutes). Additionally, one can receive all the special defacements by email every day by subscribing to the mailing list (registration is free).

All Zone-H’s lists are updated in almost real time.

Accuracy of results

All submitted sites are verified (presumably by experts). There is an ‘Onhold’ list, where submitted incidents wait to be checked (the ‘Onhold’ list is publicly available). The assumption is that false positives should be eliminated during the ‘Onhold’ verification stage. The time (date) of the website notification is present. The database contains a history of defaced websites; therefore, information received in alerts can contain some false positive classifications, mainly due to data aging.

The information provided is as follows: time, notifier, type of defacement (Homepage defacement, Mass defacement, Re-defacement), IP address location, domain, OS and view.

Evaluation Table

Criterion Evaluation Reason

Coverage Poor The dataset depends only on the activity of the community. However, defacers tend to brag, meaning that coverage may be quite good.

Data Frequency Excellent All Zone-H’s lists are updated in almost real time.

Accuracy of Results Excellent All submitted sites are verified by hand. In addition, information is provided with full context, which can help analysts determine whether information is useful or not.

Table 30: Zone-H evaluation


6. Information Sources Analysis

6.1 Summary of the evaluations

This section presents summarized results of the quality assessment.

Service                           Coverage    Data Frequency    Accuracy of Results
Abuse.ch                          Poor        Excellent         Excellent
AlienVault                        Good        Excellent / Good  Excellent
Anti Phishing Working Group       Excellent   Excellent         Excellent
ATLAS                             Excellent   Excellent         Excellent
Autoshun                          Excellent   Good              Fair
Blocklist                         Good        Excellent         Good
BotScout                          Good        N/A               Fair
BruteForceBlocker                 Poor        N/A               Fair
CI Army                           Excellent   N/A               Poor
Cisco IronPort SenderBase         Excellent   Excellent         Good
Clean MX                          Excellent   Excellent         Excellent
Composite Blocking List           Good        Excellent         Poor
CyberCrime Tracker                Fair        Excellent         Excellent
DNS-BH Malware Domain Blocklist   Excellent   Poor              Good
Dr Web                            Good        Excellent         Excellent
Dragon Research Group             Good        Excellent         Fair
Dshield                           Good        Excellent         Fair
Emerging Threats                  Excellent   Fair              Poor
hpHosts                           Excellent   Excellent         Excellent
ImproWare AG                      Fair        Excellent         Fair
Kaspersky                         Excellent   Excellent         Excellent
Malc0de                           Good        Excellent         Excellent
Malware Domain List               Poor        Excellent         Excellent
NoThink!                          Poor        Fair              Poor
PhishTank                         Good        Good              Excellent
Project Honey Pot                 Excellent   Excellent / Good  Fair
Shadowserver                      Excellent   Fair              Excellent
Spamhaus                          Excellent   Fair              Excellent
Team Cymru                        Excellent   Good              Excellent
Zone-H                            Poor        Excellent         Excellent

Table 31: Qualitative evaluation summary


The quantitative estimation of the quality of the sources based on the previous evaluation is shown in the following table:

Service                           Coverage  Frequency  Accuracy  Factor Data Quality  Added Data Quality
Abuse.ch                          2         10         10        20                   68
AlienVault                        10        9          10        90                   98
Anti Phishing Working Group       10        10         10        100                  100
ATLAS                             10        10         10        100                  100
Autoshun                          10        8          5         40                   76
Blocklist                         8         10         8         64                   84
BotScout                          8         6          5         24                   64
BruteForceBlocker                 2         6          5         6                    40
CI Army                           10        6          2         12                   60
Cisco IronPort SenderBase         10        10         8         80                   92
Clean MX                          10        10         10        100                  100
Composite Blocking List           8         10         2         16                   60
CyberCrime Tracker                5         10         10        50                   80
DNS-BH Malware Domain Blocklist   10        3          8         24                   78
Dr Web                            8         10         10        80                   92
Dragon Research Group             8         10         5         40                   72
Dshield                           8         10         5         40                   72
Emerging Threats                  10        6          2         12                   60
hpHosts                           10        10         10        100                  100
ImproWare AG                      5         10         5         25                   60
Kaspersky                         10        10         10        100                  100
Malc0de                           8         10         10        80                   92
Malware Domain List               2         10         10        20                   68
NoThink!                          2         6          2         2                    28
PhishTank                         8         8          10        64                   88
Project Honey Pot                 10        9          5         45                   78
Shadowserver                      10        6          10        60                   92
Spamhaus                          10        6          10        60                   92
Team Cymru                        10        8          10        80                   96
Zone-H                            2         10         10        20                   68

Table 32: Quantitative evaluation summary


6.2 Data Uniqueness

This section attempts to answer the following questions:

● Is a list a derivative of other lists?

● Is the list included in any other list?

● Does the list share IPs/domains with other lists?

In order to make the data comparison more comprehensive, three sources of each type have been selected. The selection has been made based on the following criteria:

1. The source has an average evaluation of Excellent/Good.

2. The source provides a timestamp, so timeliness can be analysed.

3. All selected sources for each type have a common field.

6.2.1 Phishing

In this case, it is important that each source provides the phishing URL, as it is the most significant field. Based on that and the previous evaluation, selected sources are:

● Anti Phishing Working Group

● Clean MX

● PhishTank


Figure 30: Phishing Venn diagram

6.2.2 Malware

In this case, it is important that each source provides the malware domain, as it is the most significant field. Based on that and the previous evaluation, the selected sources are:

● hpHosts

● Kaspersky

● Malc0de


Figure 31: Malware Venn diagram

6.2.3 Spam

There are few sources with an average evaluation of Excellent/Good and a timestamp that provide information about spam. Therefore, in this case the accuracy of results has been re-evaluated. Sources providing information related to spam determine whether a host is sending spam based on the number of hits their systems received. Hence, in this section, spam sources that provide context information are considered to have an ‘Excellent’ accuracy of results as long as they also provide a timestamp.

Based on that the sources selected are:

● AlienVault

● BotScout

● Project Honey Pot


Figure 32: Spam Venn diagram

6.3 Timeliness

In this section the information common to several sources is compared in order to find out which source publishes it first. This evaluation can help analysts determine whether a source contributes anything or can be discarded.

6.3.1 Phishing

The following table shows, for each pair of sources, which one publishes the common information first and in what percentage of cases.

Sources                    1st
APWG ∩ Clean MX            57.68% APWG
APWG ∩ PhishTank           52.78% APWG
Clean MX ∩ PhishTank       50.31% Clean MX

Table 33: Phishing timeliness (I)

In this case none of the sources stands out. Little information is common to all three sources evaluated. For that common information, the following table shows what percentage each source received first, second or third.


Source       1st       2nd       3rd
APWG         20.29%    31.88%    47.83%
Clean MX     56.52%    21.74%    21.74%
PhishTank    23.19%    46.38%    30.43%

Table 34: Phishing timeliness (II)

6.3.2 Malware

The following table shows, for each pair of sources, which one publishes the common information first and in what percentage of cases.

Sources                    1st
hpHosts ∩ Kaspersky        100% hpHosts
hpHosts ∩ Malc0de          100% hpHosts
Kaspersky ∩ Malc0de        50% Malc0de

Table 35: Malware timeliness

As there were few samples, results are not relevant to determine which of them provides the information sooner.

6.3.3 Spam

The following table shows which source provides more information first and in what percentage.

Sources                      1st
BotScout ∩ Project Honey Pot 90,91% Project Honey Pot

Table 36: Spam timeliness

In this case only two of the sources have information in common, and Project Honey Pot clearly provides those events earlier.


7. Conclusions

Proactive threat detection can help security analysts improve perimeter security. Fortunately, there are multiple data feeds that use different methods and technologies to monitor different types of attacks, most often affecting multiple constituencies. It is therefore very important to determine the quality of the information provided by each of them, so that threats can be blocked at the perimeter. This study has determined that, to achieve that, a low rate of false positives is essential. For that reason, sources which obtain the information from the analysis of samples, or which verify the information before sharing it, are an excellent choice in order to avoid blocking non-malicious hosts.

Since the domain names and IP addresses of servers hosting security threats change rather often, it is recommended that security analysts implement a time to live based on the time the indicator was last seen. For that reason, it is important that sources provide that information.
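One way to apply the recommended time to live is shown below as an added Python example, not code from the thesis. The feed names, indicators and timestamps are constructed; the fallback of counting from ingestion time when a source publishes no last-seen timestamp is an assumption of the example, so that entries from such sources still expire instead of accumulating indefinitely, and they are flagged so the analyst can see that the expiry is not based on observed activity.

```python
"""Expiring blocklist entries by last-seen time (added example; constructed data)."""
from datetime import datetime, timedelta, timezone


def utc(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2016-03-06T08:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


DEFAULT_TTL = timedelta(days=7)  # assumed policy value for this example

# Constructed reports, not thesis data: (feed, indicator, last_seen, ingested).
# last_seen is None when the feed does not publish a timestamp at all.
REPORTS = [
    ("Feed A", "203.0.113.10", utc("2016-03-01T08:00:00Z"), utc("2016-03-01T09:00:00Z")),
    ("Feed B", "203.0.113.10", utc("2016-03-06T08:00:00Z"), utc("2016-03-06T09:00:00Z")),
    ("Feed A", "198.51.100.7", utc("2016-02-20T00:00:00Z"), utc("2016-02-20T01:00:00Z")),
    ("Feed C", "malicious.example", None, utc("2016-03-05T12:00:00Z")),
    ("Feed C", "stale.example", None, utc("2016-02-01T12:00:00Z")),
]


def build_blocklist(reports):
    """Merge reports per indicator. 'refreshed' is the newest last-seen time
    across feeds; a report without last-seen counts from its ingestion time
    instead (assumption of this example) and leaves 'timestamped' False."""
    entries = {}
    for feed, indicator, last_seen, ingested in reports:
        basis = last_seen if last_seen is not None else ingested
        entry = entries.setdefault(
            indicator, {"refreshed": basis, "feeds": set(), "timestamped": False})
        entry["refreshed"] = max(entry["refreshed"], basis)  # any feed refreshes the TTL
        entry["feeds"].add(feed)
        entry["timestamped"] = entry["timestamped"] or last_seen is not None
    return entries


def split_by_ttl(entries, now, ttl):
    """Return (active, expired): an entry stays active while now <= refreshed + ttl."""
    active, expired = {}, {}
    for indicator, entry in entries.items():
        target = active if now <= entry["refreshed"] + ttl else expired
        target[indicator] = entry
    return active, expired


def current_blocklist(reports, now, ttl=DEFAULT_TTL):
    """Sorted indicators that should be enforced at the perimeter right now."""
    active, _ = split_by_ttl(build_blocklist(reports), now, ttl)
    return sorted(active)


if __name__ == "__main__":
    now = utc("2016-03-07T00:00:00Z")
    active, expired = split_by_ttl(build_blocklist(REPORTS), now, DEFAULT_TTL)
    for label, group in (("active", active), ("expired", expired)):
        for indicator, entry in sorted(group.items()):
            flag = "" if entry["timestamped"] else " (no last-seen from source)"
            print(f"{label:8} {indicator:18} refreshed {entry['refreshed']:%Y-%m-%d} "
                  f"by {', '.join(sorted(entry['feeds']))}{flag}")
```

Because the newest last-seen time across all feeds refreshes the entry, an indicator that one source stopped reporting but another still observes stays blocked; this is also where redundant sources pay off, since a second feed with timestamps can keep a TTL alive that a timestamp-less feed could not.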

In addition, as many systems limit the number of IP addresses or domains they can block, it is important to determine whether there is redundant information between sources. Once redundant information has been identified, the timeliness study can help choose the source that provides the threat information first.

After analyzing the information, we conclude that phishing sources have more information in common than other types of sources. This is due to the different methods used to collect that information.


8. Annex I: Abbreviations

Abbreviation   Meaning
API            Application Programming Interface
APWG           Anti Phishing Working Group
ASN            Autonomous System Number
AV             Anti-virus
BARS           Botnet Analysis and Reporting System
BPS            Bytes per second
BSD            Berkeley Software Distribution
C&C            Command and Control
CBL            Composite Blocking List
CDT            Central Daylight Time
CERT           Computer Emergency Response Team
CIDR           Classless Inter-Domain Routing
CINS           Collective Intelligence Network Security
CVE            Common Vulnerabilities and Exposures
DNS            Domain Name System
DoS            Denial of Service
FTP            File Transfer Protocol
GMT            Greenwich Mean Time
HTTP           Hypertext Transfer Protocol
ICT            Information and Communications Technology
IDS            Intrusion Detection System
IMAP           Internet Message Access Protocol
IOC            Indicator of Compromise
IP             Internet Protocol
IPS            Intrusion Prevention System
IRC            Internet Relay Chat
ISP            Internet Service Provider
NAICS          North American Industry Classification System
NGO            Non-Governmental Organization
OTX            Open Threat Exchange
PPS            Packets per second
RBN            Russian Business Network


RSS            Really Simple Syndication
SBL            Spamhaus Block List
SIC            Standard Industrial Classification
SIP            Session Initiation Protocol
SSH            Secure Shell
TB             Terabyte
UBL            Universal Business Language
URI            Uniform Resource Identifier
URL            Uniform Resource Locator
USM            Unified Security Management
UTC            Coordinated Universal Time
VNC            Virtual Network Computing
XML            Extensible Markup Language


9. Bibliography

[1] The CyberGreen Initiative, “CyberGreen,” [Online]. Available: https://www.cybergreen.net.

[2] “abuse.ch | The Swiss Security Blog,” [Online]. Available: https://www.abuse.ch.

[3] AlienVault, Inc., “AlienVault Open Threat Exchange,” [Online]. Available: https://otx.alienvault.com.

[4] Arbor Networks, “Arbor Networks | ATLAS Dashboard: Global,” [Online]. Available: https://atlas.arbor.net.

[5] Anti Phishing Working Group, “eCrime Exchange,” [Online]. Available: https://www.ecrimex.net.

[6] RiskAnalytics, LLC., “Autoshun,” [Online]. Available: https://www.autoshun.org.

[7] M. Schiftan, “Blocklist | Fail2Ban Reporting Service,” [Online]. Available: http://www.blocklist.de.

[8] BotScout, “BotScout | Proactive Bot Detection & Tracking,” [Online]. Available: http://botscout.com.

[9] D. Geržo, “BruteForceBlocker,” [Online]. Available: http://danger.rulez.sk.

[10] CINS Score, “The CI Army List,” [Online]. Available: http://cinsscore.com.

[11] Cisco Systems, Inc., “SenderBase,” [Online]. Available: http://www.senderbase.org.

[12] Clean MX, “Clean MX anti_spam_solution!,” [Online]. Available: http://clean-mx.de.

[13] Spamhaus, “The CBL | Composite Blocking List,” [Online]. Available: http://www.abuseat.org.

[14] “CyberCrime,” [Online]. Available: http://cybercrime-tracker.net.

[15] “DNS-BH | Malware Domain Blocklist,” [Online]. Available: http://www.malwaredomains.com.

[16] Dr.Web, “Dr.Web® Anti-virus,” [Online]. Available: https://www.drweb.com/?lng=en.

[17] “Dragon Research Group (DRG),” [Online]. Available: http://dragonresearchgroup.org.

[18] SANS Internet Storm Center, “Internet Security | DShield,” [Online]. Available: http://www.dshield.org.

[19] “Emerging Threats,” [Online]. Available: http://doc.emergingthreats.net.

[20] Malwarebytes, “hpHost,” [Online]. Available: https://hosts-file.net.


[21] “Official hpHost File Support Forum,” [Online]. Available: https://forum.hosts-file.net/viewtopic.php?f=9&t=12.

[22] Improware AG, “Improware AG,” [Online]. Available: http://antispam.imp.ch.

[23] Kaspersky Lab., “Intelligence Service: Threat Data Feeds,” [Online]. Available: http://media.kaspersky.com/en/business-security/IS%20%20datasheets_FEEDS.pdf.

[24] “Malc0de Database,” [Online]. Available: http://malc0de.com/database.

[25] “Malware Domain List,” [Online]. Available: http://www.malwaredomainlist.com.

[26] M. Cantoni, “NoThink!,” [Online]. Available: http://www.nothink.org.

[27] OpenDNS, LLC, “PhishTank,” [Online]. Available: https://www.phishtank.com.

[28] UNspam, “Project Honey Pot,” [Online]. Available: http://www.projecthoneypot.org.

[29] “Shadowserver Foundation,” [Online]. Available: http://www.shadowserver.org.

[30] The Spamhaus Project Ltd, “The Spamhaus Project,” [Online]. Available: https://www.spamhaus.org.

[31] Team Cymru, Inc., “CSIRT Assistance Program (CAP) - Team Cymru,” [Online]. Available: http://www.team-cymru.org/CSIRT-AP.html.

[32] “Zone-H | Unrestricted Information,” [Online]. Available: http://www.zone-h.org.