{"title":"基于威胁的缓解多重勒索软件勒索的数据泄露仿真","authors":"M. Mundt, Harald Baier","doi":"10.1145/3568993","DOIUrl":null,"url":null,"abstract":"Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence the early detection and prevention of data exfiltration is one of today’s major challenges of institutions connected to the Internet. If attempts to illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step, too. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in Cyber Threat Intelligence (CTI), an automatic procedure on base of the MITRE ATT&CK framework for deriving current threats with respect to data exfiltration is presented in the first place. In the spirit of the DTRAP forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"161 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Threat-based Simulation of Data Exfiltration Towards Mitigating Multiple Ransomware Extortions\",\"authors\":\"M. Mundt, Harald Baier\",\"doi\":\"10.1145/3568993\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence the early detection and prevention of data exfiltration is one of today’s major challenges of institutions connected to the Internet. If attempts to illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step, too. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in Cyber Threat Intelligence (CTI), an automatic procedure on base of the MITRE ATT&CK framework for deriving current threats with respect to data exfiltration is presented in the first place. In the spirit of the DTRAP forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.\",\"PeriodicalId\":202552,\"journal\":{\"name\":\"Digital Threats: Research and Practice\",\"volume\":\"161 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-10-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Digital Threats: Research and Practice\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3568993\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Digital Threats: Research and Practice","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3568993","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Threat-based Simulation of Data Exfiltration Towards Mitigating Multiple Ransomware Extortions
Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence the early detection and prevention of data exfiltration is one of today’s major challenges of institutions connected to the Internet. If attempts to illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step, too. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in Cyber Threat Intelligence (CTI), an automatic procedure on base of the MITRE ATT&CK framework for deriving current threats with respect to data exfiltration is presented in the first place. In the spirit of the DTRAP forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
