Awad Ahmed - Information Security Practices Emerging Threats and Perspectives

City: Cham, year: 2017;2018, publisher: Springer International Publishing, genre: Computer.

Springer International Publishing AG 2017
Issa Traoré, Ahmed Awad and Isaac Woungang (eds.) Information Security Practices 10.1007/978-3-319-48947-6_1
1. Introduction: Emerging Threats Call for New Security Paradigms
Issa Traoré (1), Ahmed Awad (2) and Isaac Woungang (3)
(1) Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada
(2) New York Institute of Technology, Vancouver, BC, Canada
(3) Ryerson University, Toronto, ON, Canada
Issa Traoré
Email:
Keywords
Emerging threats, Threat mitigation, Malware infection, Network security, Behavioral biometrics
1.1 Emerging Threats Landscape
Hacking incidents have become so commonplace that no organization seems out of reach for hackers. Even the US National Security Agency (NSA) seemed to have been the victim of successful hacks, as witnessed by recent public document dumps related to sensitive cyber warfare tools and technologies used by this organization. No day passes by without news reports on new hacking incidents. While two decades ago, most hackers were script kiddies motivated primarily by simple curiosity or the need for fame, many hackers, today, are professionals seeking financial gains, or conducting political activism, or involved in state-sponsored cyber espionage.
Today's hackers are emboldened by the unprecedented level of sophistication of the current hacking utilities. There is an underground software industry which develops and licenses malicious software tools and payloads for cybercriminals. The organizations involved in this illicit market provide to their customers the same services as legitimate software companies (e.g., regular updates), except that those customers are criminals.
The pinnacle of this sophistication is the so-called Exploit Kits (EKs), which federate in automated platforms most of the emerging hacking threat vectors (Eshete et al.). These kits are professionally developed hacking apparatus, which include sophisticated command and control (C&C) software servers and are fed from constantly updated repositories of malware payloads and exploit code. EKs are marketed in the dark web (underground cyber world) and make heavy use of automation, making it possible to install malware payloads on remote machines and to control infected machines from a remote Web site. Infection happens when potential victims visit a compromised site (under control of the criminals) or click on links (sent by spam or instant message) to a Web site with the exploit kit installed. By fingerprinting the victim's browser, the kit selects which exploit to use according to the country of origin, browser type and version, operating system type and version, etc. Successful exploitation is then followed by installing malware code and taking control of the victim's machine. The scariest aspect of this is that it all happens automatically and transparently in the background, without the victim's knowledge. In a few clicks, your machine is infected with the latest malware and becomes part of a network of zombies controlled remotely.
EKs represent a unifying framework for the latest cyber security attack vectors and tools. Around EKs revolves a nebula of emerging cybersecurity threats, including botnets, ransomware, and banking Trojans. Since its appearance a decade ago, botnet technology has evolved in sophistication by adopting more complex command and control architectures and communication schemes, and domain naming schemes that are less prone to disruption (Zhao et al.).
Early botnets used a centralized architecture for transmitting C&C messages. The most prevalent communication protocol used in those earlier botnets was the Internet Relay Chat (IRC). However, this type of botnet is easy to detect and disrupt due to the single point of failure embodied by the IRC server, which manages the C&C communications. Once the server is shut down, the botmaster loses control of the network of bots.
The next generation of botnets, which started appearing a decade ago, addressed the aforementioned weakness by using peer-to-peer (P2P) protocols (e.g., eDonkey) for command and control (Zhao et al.). Due to its distributed and resilient control structure, a P2P botnet is harder to shut down than an IRC-controlled botnet. However, in the last few years, as more knowledge has been acquired about P2P botnets, more effective solutions have been proposed to detect them and mitigate their impact.
As a result, more recently, there has been a shift in the control of many botnets from IRC and P2P channels to Web sites, using HTTP, a common protocol. Due to the prevalence of HTTP communications and sites, detecting botnets that use HTTP is much harder (Garasia et al.). Many organizations host Web sites for regular business activities and as such enable HTTP communications. Hence, it is easy for HTTP-based botnets to evade detection by hiding their command and control messages in legitimate HTTP traffic.
Based on exploitable vulnerabilities, different kinds of payloads can be installed on the victims' machines, capable of achieving specific goals. One of the most common and deadliest ones consists of taking remote control of the machine. This allows the hacker to spy on the activities of the victim and steal private information (e.g., photos, credit information, social security numbers, and emails). Such information can be used to blackmail or embarrass the individuals. For instance, in the case of politicians and celebrities, it can be used in more targeted ways to achieve specific outcomes, such as influencing election results or discrediting the victim.
This may also be used to install specialized Trojans and spy on or interfere with the victim's online banking transactions. Furthermore, taking remote control of the victim's machine provides a pathway to enrolling it in a botnet (which is merely a network of enslaved machines), and using such a botnet to conduct large-scale activities such as spreading spam or conducting distributed denial of service (DDoS) attacks against potential targets. Instead of directly using enslaved machines, some hackers specialize in renting them to other scammers through the criminal black market. Those scammers can then use the machines to carry out the aforementioned scams directly.
Another of the deadliest types of payload, which appeared in the last few years, is ransomware (Lee et al.). After infecting the victim's machine, the malware collects basic machine identification information (e.g., MAC address, IP address, user account information) and sends that information to the hacker's C&C server. The C&C server generates a public/private key pair (using algorithms such as RSA), stores the private key locally, and sends the public key to the malware client on the victim's machine. The malware uses the public key to encrypt selected files (which are in general important data files) and then displays a message for the victim. In general the message will inform the victim that his/her files have been encrypted and that he/she should pay a ransom to be able to recover those files. The message will also contain directions to pay, which most of the time consist of opening a bitcoin account and transferring the ransom payment using that currency. Quite often, the message will include a payment deadline beyond which the amount will increase (e.g., double, triple, and so on). In cases where the ransom is paid, the victim will receive the private key and can then decrypt and restore the files.
To make it harder to trace them, hackers use privacy-preserving networks such as TOR for communications. The same line of thought is behind the use of bitcoins for payment. While electronic cash such as bitcoins was originally designed to exhibit the same traits as paper cash (i.e., user and transaction anonymity, payment and cash untraceability, and cash transferability), those same characteristics are turned on their head by criminals to perform illicit cash transactions online. Tracing those transactions is extremely difficult due to the underlying e-coin system design.