Disciplines

Information Security | OS and Networks | Theory and Algorithms

Abstract (300 words maximum)

The financial and national security impacts of cybercrime globally are well documented. According to the 2020 FBI Internet Crime Report, financially motivated threat actors committed 86% of reported breaches, resulting in a total loss of approximately $4.1 billion in the United States alone. In order to combat this, our research seeks to determine if threat actors change their tactics, techniques, and procedures (TTPs) based on the geolocation of their target’s IP address. We will construct a honeypot network distributed across multiple continents to collect attack data from geographically separate locations concurrently to answer this research question. We will configure the honeypots to offer vulnerable services and collect log data from the services for analysis. This approach will allow us to aggregate log data about attacks against specific services commonly targeted by threat actors. After we complete data collection, we will analyze the data to gain insight into the TTPs used by the threat actors. The analysis will use collected attack data attributes such as IP origin, service type, and executables delivered along with other transport layer analysis techniques to provide metadata on threat actor TTPs. Once the analysis is complete, we will have a greater insight into threat actor activities and produce a list of items that firms can use to monitor, protect, and maintain their environments and to detect attacks earlier, along with taking appropriate defensive action to lessen or eliminate the risk associated with these attacks.

Academic department under which the project should be listed

CCOB - Information Systems and Securty

Primary Investigator (PI) Name

Andy Green

Share

COinS
 

Analysis of Honeypots in detecting Tactics, Techniques, and Procedure (TTP) changes in Threat Actors based on Source IP Address

The financial and national security impacts of cybercrime globally are well documented. According to the 2020 FBI Internet Crime Report, financially motivated threat actors committed 86% of reported breaches, resulting in a total loss of approximately $4.1 billion in the United States alone. In order to combat this, our research seeks to determine if threat actors change their tactics, techniques, and procedures (TTPs) based on the geolocation of their target’s IP address. We will construct a honeypot network distributed across multiple continents to collect attack data from geographically separate locations concurrently to answer this research question. We will configure the honeypots to offer vulnerable services and collect log data from the services for analysis. This approach will allow us to aggregate log data about attacks against specific services commonly targeted by threat actors. After we complete data collection, we will analyze the data to gain insight into the TTPs used by the threat actors. The analysis will use collected attack data attributes such as IP origin, service type, and executables delivered along with other transport layer analysis techniques to provide metadata on threat actor TTPs. Once the analysis is complete, we will have a greater insight into threat actor activities and produce a list of items that firms can use to monitor, protect, and maintain their environments and to detect attacks earlier, along with taking appropriate defensive action to lessen or eliminate the risk associated with these attacks.