Cyber Threat Detection Basics


ATAL FDP on cyber threat detection through incorporating digital technologies

9th to 14th December 2024


Organized by
School of Computing
Department of Computer Science

Fundamentals of Cyber threat detection


Dr. J. Sheeba Rani
Professor/Department of Avionics
Indian Institute of Space Science and Technology
Thiruvananthapuram

Fundamentals of Cyber threat detection, 9th December 2024
Content
• Introduction
• Importance of Cyber Threat detection
• Types of Cyber Threat
• Basic Cyber Threat detection techniques
• Cyber Hunting
• Challenges
• Conclusion

Introduction
• Information and Communication Technologies (ICT): technologies that allow for the collection, storage, processing, transmission, and dissemination of information.
• Cyberspace: a virtual world created by the internet and other digital technologies that allows people to interact, share information, and conduct business.
• Cyber Physical System: integrates computation with physical processes.
• Cybersecurity: a set of technical, legal, and organizational measures that protect computer systems, networks, and personal data. It aims to ensure the confidentiality, integrity, and availability of digital data.
• Cyberethics: a code of shared rules and ethics that individuals in cyberspace are expected to follow.
• Cyberlaw: governments have introduced cyber laws to curb illegal activities that occur in cyberspace, such as money laundering, identity theft, and illegal trade.

Intruders/Hackers
• Intruders are unauthorized individuals or entities who want to obtain access to a network or system in order to breach its security.
• A hacker is anyone who utilizes their abilities to investigate, modify, or upgrade technology systems, regardless of authority.
• They have immense knowledge and an in-depth understanding of technology and security.
Types of Intruders
Masquerader: individuals who are not authorized to use the system but still exploit users’ privacy and confidential information by possessing techniques that give them control over the system.
Misfeasor: individuals who are authorized to use the system, but misuse the granted access and privilege.
Clandestine User: individuals who have supervisory/administrative control over the system and misuse the authoritative power given to them.

Cyber crimes
• Cyber crimes have turned out to be a low-investment, low-risk
business with huge returns.

Motivation of the adversaries

Figure taken from the paper COMPREHENSIVE_REVIEW_ON_CYBERSECURITY_MODERN_THREA.pdf


Recent Cyber Attacks & Data Breaches In 2024

• Conti Costa Rica Ransomware Attack Explained
• Data Of More Than 200 Million Twitter Users Is Leaked
• Inside Slack's GitHub Account Hack
• Cisco Suffers Cyber Attack By UNC2447, Lapsus$, & Yanluowang
• 2.4 TB Data Leak Caused By Microsoft's Misconfiguration

Reported Cyber crimes in India
• February 2024: Roughly 190 megabytes of data from a Chinese cybersecurity company were exposed online, revealing the company’s espionage efforts on the governments of the United Kingdom, India, Indonesia, and Taiwan.
• September 2023: Indian hacktivists targeted Canada’s military and Parliament websites with DDoS attacks that slowed system operations for several hours.
• September 2023: An Indian cybersecurity firm uncovered plans from Pakistani and Indonesian hacking groups to disrupt the G20 summit in India. The hacktivists are expected to use DDoS attacks and mass defacement in their attacks, which are presumed to be the latest development in the hacktivist battle between these nations according to the firm’s research.
• May 2023: India’s Insurance Information Bureau fell victim to a ransomware attack. Hackers encrypted nearly 30 server systems and demanded $250,000 in bitcoin. The bureau relied on its data backup system to maintain operations and did not pay the ransom.
• November 2022: Hackers disrupted operations at an Indian hospital by cutting off access to its online networks and patient records. It took hospital officials and federal authorities nearly two weeks to regain access to hospital servers and recover lost data.
• December 2021: A breach of Prime Minister Modi’s Twitter allowed hackers to Tweet from the account that India officially adopted bitcoin as legal tender. The Tweet also included a scam link promising a bitcoin giveaway.
• May 2024: Pakistani cyber spies deployed malware against India’s
government, aerospace, and defense sectors. The group sent
phishing emails masquerading as Indian defense officials to infect
their targets' devices and access sensitive information.
• March 2024: India’s government and energy sectors were breached in a cyber espionage campaign. Hackers sent a malicious file disguised as a letter from India’s Royal Air Force to offices responsible for India’s electronic communications, IT governance, and national defense. Researchers have not yet determined who conducted the attack.

https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

Cybercrimes in India- Statistical view

• The number of cybercrime complaints increased from 9.7 lakh in
2022 to 11.5 lakh in 2023.
• Financial frauds accounted for about 60% of all complaints. Between
January and October 2023, financial frauds were worth Rs 5,574
crore, which is significantly higher than 2022.

Type of Attackers-Adversaries
• Insider Attack: an attack on the network or computer system by some person with authorized system access is known as an insider attack.
Defense: internal intrusion detection systems (IDS) in the organization.
• External Attack: when the attacker is either hired by an insider or is an entity external to the organization, it is known as an external attack.
• An experienced network/security administrator keeps a regular eye on the logs generated by the firewalls, as external attacks can be traced by carefully analysing these firewall logs. Also, Intrusion Detection Systems are installed to keep an eye on external attacks.

Cyber Security techniques
• AUTHENTICATION
• ENCRYPTION
• DIGITAL SIGNATURES
• ANTIVIRUS
• FIREWALL
• STEGANOGRAPHY

Cyber Threats Classifications

Figure taken from the paper COMPREHENSIVE_REVIEW_ON_CYBERSECURITY_MODERN_THREA.pdf

MALWARE
• Malware (“malicious software”) is software code that is written intentionally to harm a computer system or its users.
• Malware is constantly evolving and presents a significant threat to computer systems.
• This forces security analysts to keep pace by improving cyber defenses.

Malware types
• Depending on its purpose, malware can be divided into various categories:
• Virus: attaches itself to a program and infects a device
• Worm: self-replicates and propagates copies of itself to other devices over a
network
• Adware: generates/displays unsolicited online advertisements on user’s screen
• Ransomware: locks down an infected device, and demands payment to unlock it
• Backdoor: allows unauthorized access to functionality
• Trojan: a class of backdoor malware disguised as legitimate software, to trick
users into installing it
• Bot: distributes malware to other devices, and it is typically part of a network
(botnet)
• Keyloggers: captures keystrokes
• Rootkit: gains root-level access to conceal the existence of other malware
• Logic bomb: explodes when a condition occurs

Malware..
• Automated malware detection versus classification
• Malware detection systems: predict whether an executable file is malware or not
• Output: 1 or 0
• Malware classification systems: predict the malware type of an executable
• Output: 1 to N, where N is the number of different malware families
• I.e., malware classification systems differentiate between different kinds of malware (virus, adware, or Trojan), in order to provide a better understanding of their capabilities

SOCIAL ENGINEERING
• Social engineering attacks manipulate people into sharing information that they
shouldn’t share, downloading software that they shouldn’t download, visiting
websites they shouldn’t visit, sending money to criminals or making other
mistakes that compromise their personal or organizational security.

• It is the leading cause of network compromise today according to ISACA's State of Cybersecurity 2022 report. According to IBM's Cost of a Data Breach report, breaches caused by social engineering tactics (such as phishing and business email compromise) were among the most costly.

Phishing

• Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people or taking some other damaging actions.
• Variants: bulk phishing emails, spear phishing, voice phishing (vishing), smishing, search engine phishing, angler phishing.
• Phishing is the initial attack vector leading to the most costly data breaches.

Baiting

• Baiting lures (no pun intended) victims into knowingly or unwittingly giving up sensitive information or downloading malicious code by tempting them with a valuable offer or even a valuable object.
• Tailgating: in tailgating, also called "piggybacking", an unauthorized person closely follows an authorized person into an area containing sensitive information or valuable assets.
• Quid pro quo: in a quid pro quo scam, hackers dangle a desirable good or service in exchange for the victim’s sensitive information.
Cyber Threats..
• Scareware: software that uses fear to manipulate people into sharing confidential information or downloading malware, e.g. fake law-enforcement warnings.
• Watering hole attack: as in "somebody poisoned the watering hole", hackers inject malicious code into a legitimate web page that is frequented by their targets.

Social Engineering Defense
• Social engineering attacks are notoriously difficult to prevent because they rely on human psychology rather than technological pathways. The attack surface is also significant.
• Defenses: security awareness training, and access control policies such as multi-factor authentication, adaptive authentication and a zero trust security approach.

https://www.ibm.com/topics/social-engineering
Advanced Persistent Threats
• Advanced Persistent Threats (APTs) represent a sophisticated and prolonged form of cyber attack, often associated with nation-state actors.
• APT attacks differ from traditional web application threats, in that:
• They’re significantly more complex.
• They’re not hit-and-run attacks: once a network is infiltrated, the perpetrator remains in order to attain as much information as possible.
• They’re manually executed (not automated) against a specific mark, rather than indiscriminately launched against a large pool of targets.
• They often aim to infiltrate an entire network, as opposed to one specific part.

https://www.imperva.com/learn/application-security/apt-advanced-persistent-threat/
IoT
• Insecure IoT devices, ranging from smart home appliances to
industrial sensors, provide entry points for cybercriminals to
compromise networks.
• As IoT ecosystems continue to grow, addressing security
vulnerabilities in device design, deployment, and maintenance
becomes paramount to preventing large-scale attacks.

Supply Chain attacks
• A supply chain attack uses third-party tools or services — collectively
referred to as a ‘supply chain’ — to infiltrate a target’s system or
network. These attacks are sometimes called “value-chain attacks” or
“third-party attacks.”
• In a supply chain attack, an attacker might target a cybersecurity
vendor and add malicious code (or ‘malware’) to their software,
which is then sent out in a system update to that vendor’s clients.

• E.g. the SolarWinds attack

Supply chain attacks types
• Browser-based attacks
• Software attacks
• Open-source attacks
• JavaScript attacks
• Magecart attacks
• Watering hole attacks
• Cryptojacking

How to defend against supply chain attacks

• Run a third-party risk assessment
• Implement Zero Trust
• Use malware prevention
• Adopt browser isolation
• Detect shadow IT
• Enable patching and vulnerability detection
• Prevent zero-day exploits

Advanced threat detection techniques
• Advanced threat detection solutions use sandboxing techniques, network behavioral analysis, and automated mitigation.
• Sandboxing: code is run in a virtual environment to analyze it for behavior and traits. Sandbox tests detect and analyze zero-day malware and stealthy threats.
• Network Behavior Analysis: unusual events are detected using network behavioral anti-threat applications such as firewalls, intrusion detection systems, antivirus software, and spyware-detection software.
• Automated mitigation: automated secure upgrade of your network-based security defense systems, implement firewalls and unified threat management, enforce an infrastructure protection strategy toward email and web content, and apply best practices to all technical control layers.

Basic Block Diagram of Threat detection

Threat detection is the practice of identifying any malicious activity that could compromise the network, and composing a proper response to mitigate or neutralize the threat before it can exploit any present vulnerabilities.

• The first segment of threat detection requires understanding your environment and the potential threats it faces, whether to the confidentiality, integrity or availability of data within a given system, and monitoring continuously to identify the threat.

Intrusion Detection Systems

Types of IDS
• Anomaly detection approaches: anomaly detection is the process of analyzing a dataset and identifying single occurrences or patterns that deviate significantly from baseline activity.
• Misuse or signature detection approaches: patterns of well-known attacks are used to identify intrusions.
Figure taken from internet
Anomaly Detection
• These anomalies, or outliers, can often be an early warning sign of a
malicious event, such as a data breach, cyberattack or system failure.
• Integrating anomaly detection into a comprehensive cybersecurity
strategy enhances an organization's ability to protect sensitive data
and systems from malicious attacks, proactively address threats, and
maintain the integrity of critical information and systems.

Types of Anomalies
• Point anomalies: an individual data point significantly deviates from the rest of
the data set and the so-called “norm”.
• An example of a point anomaly may be a sudden spike in network traffic.
• Contextual anomalies: A contextual anomaly is an individual data point that
differs from the rest of a data set, but only within a specific context.
For example, if a user logs into a system during non-business hours or from
an IP address that does not match their geographic location, that may be a
contextual anomaly.
• Collective anomalies: A collective anomaly is when a group of related data points
collectively deviate from the expected pattern, even though individual data
points may fall within normal and acceptable use.
For example, a sudden surge in network traffic from a variety of IP addresses may
indicate a coordinated attack and would be an example of a collective anomaly.
https://www.crowdstrike.com/en-us/cybersecurity-101/next-gen-siem/anomaly-detection/#:~:text=By%20leveraging%20advanced%20technologies%20such,or%20a%20cyberattack%20that%20is
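The three anomaly types above, as an added Python example (not from the slides or the cited CrowdStrike page) run over a constructed set of login records: a robust median/MAD test for the point anomaly (traffic spike), a per-user home-country and business-hours rule for the contextual anomaly, and a sliding window counting distinct source IPs for the collective anomaly. The record format, field names, thresholds and the records themselves are assumptions.

```python
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not from the slides): timestamp, user, source IP, geo country, bytes sent.
SAMPLE_LOG = """\
2024-12-09T09:05:00,alice,10.0.0.5,IN,1200
2024-12-09T09:07:00,bob,10.0.0.6,IN,900
2024-12-09T09:10:00,alice,10.0.0.5,IN,1100
2024-12-09T10:00:00,carol,10.0.0.7,IN,1300
2024-12-09T11:00:00,bob,10.0.0.6,IN,1000
2024-12-09T02:30:00,alice,203.0.113.9,RU,1000
2024-12-09T12:00:00,carol,10.0.0.7,IN,250000
2024-12-09T13:00:00,dave,198.51.100.1,IN,800
2024-12-09T13:00:05,dave,198.51.100.2,IN,800
2024-12-09T13:00:10,dave,198.51.100.3,IN,800
2024-12-09T13:00:15,dave,198.51.100.4,IN,800
2024-12-09T13:00:20,dave,198.51.100.5,IN,800
2024-12-09T13:00:25,dave,198.51.100.6,IN,800
"""

def parse(log):
    recs = []
    for line in log.strip().splitlines():
        ts, user, ip, country, nbytes = line.split(",")
        recs.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                     "country": country, "bytes": int(nbytes)})
    return recs

def point_anomalies(recs, factor=10):
    """Point anomaly: a single record's byte count far from the population.
    Median and MAD are used so that the spike itself does not inflate the baseline."""
    vals = [r["bytes"] for r in recs]
    med = statistics.median(vals)
    mad = max(statistics.median(abs(v - med) for v in vals), 1)
    return [r for r in recs if abs(r["bytes"] - med) > factor * mad]

def contextual_anomalies(recs, business_hours=range(8, 18)):
    """Contextual anomaly: the login is ordinary in itself, but not for this user's
    usual country (learned as the user's most frequent country) or for this hour."""
    home = {}
    for user in {r["user"] for r in recs}:
        home[user] = Counter(r["country"] for r in recs if r["user"] == user).most_common(1)[0][0]
    return [r for r in recs
            if r["ts"].hour not in business_hours or r["country"] != home[r["user"]]]

def collective_anomalies(recs, window=timedelta(seconds=60), min_ips=5):
    """Collective anomaly: each request is unremarkable, but many distinct source IPs
    inside one short window is not. Returns the first qualifying (start, ips) window."""
    ordered = sorted(recs, key=lambda r: r["ts"])
    for i, start in enumerate(ordered):
        ips = {r["ip"] for r in ordered[i:] if r["ts"] - start["ts"] < window}
        if len(ips) >= min_ips:
            return [(start["ts"], sorted(ips))]
    return []

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("point:", [(r["user"], r["bytes"]) for r in point_anomalies(recs)])
    print("contextual:", [(r["user"], r["ts"].isoformat(), r["country"]) for r in contextual_anomalies(recs)])
    print("collective:", collective_anomalies(recs))
```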
Principle of anomaly-based intrusion detection

Figure taken from https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6942184
Anomaly detection system
• General Steps
• Build a profile of the “normal” behavior
• Profile can be patterns or summary statistics for the overall population
• Use the “normal” profile to detect anomalies
• Anomalies are observations whose characteristics differ significantly from the normal profile
• Three main parts in an anomaly detection system are:
1. Feature selection
2. Model of normal behavior
3. Comparison
• Types of anomaly detection schemes
• Graphical & Statistical-based
• Distance-based
• Model-based
Graphical Approaches
• Boxplot (1-D), Scatter plot (2-D), Spin
plot (3-D)

• Limitations
• Time consuming
• Subjective

Statistical Approaches

• Assume a parametric model describing the distribution of the data (e.g., normal distribution)
• Apply a statistical test that depends on
• Data distribution
• Parameter of distribution (e.g., mean, variance)
• Number of expected outliers (confidence limit)

Statistical-based – Likelihood Approach

• Assume the data set D contains samples from a mixture of two probability distributions:
• M (majority distribution)
• A (anomalous distribution)
• General Approach:
• Initially, assume all the data points belong to M
• Let L_t(D) be the log likelihood of D at time t
• For each point x_t that belongs to M, move it to A
• Let L_{t+1}(D) be the new log likelihood
• Compute the difference Δ = L_t(D) – L_{t+1}(D)
• If Δ > c (some threshold), then x_t is declared as an anomaly and moved permanently from M to A
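The likelihood approach above, as an added Python example (not from the slides): M is modelled as a Gaussian refitted to the points currently in M, A as a uniform distribution over the data range, and λ is the prior probability that a point comes from A; all three modelling choices, the threshold c and the sample values are assumptions. Δ is computed here as the gain L_{t+1}(D) − L_t(D) from moving x_t into A, so that an outlier (whose move raises the likelihood) yields a large positive Δ to compare against c; the slide writes the difference with the opposite sign.

```python
import math
from statistics import fmean, pvariance

def gaussian_logpdf(x, mu, var):
    return -0.5 * math.log(2 * math.pi * var) - (x - mu) ** 2 / (2 * var)

def log_likelihood(M, A, lam, lo, hi):
    """L(D) for the two-component mixture: points in M are drawn from a Gaussian
    fitted to M (weight 1-lam), points in A from a uniform on [lo, hi] (weight lam)."""
    mu, var = fmean(M), max(pvariance(M), 1e-12)   # guard against a degenerate M
    ll_m = sum(math.log(1 - lam) + gaussian_logpdf(x, mu, var) for x in M)
    ll_a = len(A) * (math.log(lam) - math.log(hi - lo))
    return ll_m + ll_a

def likelihood_anomalies(data, lam=0.05, c=5.0):
    """Walk the points in arrival order; move x_t to A when the log-likelihood gain exceeds c."""
    lo, hi = min(data), max(data)
    if hi == lo:
        return []
    M, A, flagged = list(data), [], []
    for x in data:
        if x not in M or len(M) < 3:
            continue
        l_t = log_likelihood(M, A, lam, lo, hi)
        M_next = M.copy()
        M_next.remove(x)
        l_next = log_likelihood(M_next, A + [x], lam, lo, hi)
        delta = l_next - l_t          # likelihood gain from treating x as anomalous
        if delta > c:
            M, A = M_next, A + [x]     # moved permanently from M to A
            flagged.append(x)
    return flagged

# Constructed sample: outbound KB per host per hour, with two planted outliers (500 and 3).
SAMPLE = [48, 51, 50, 49, 52, 50, 47, 500, 53, 50, 51, 49, 50, 52, 48, 3, 51, 50, 49, 50, 51, 49]

if __name__ == "__main__":
    print("anomalies:", likelihood_anomalies(SAMPLE))
```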

• Statistical techniques are probably the most widely used in this
area, which can be divided into two types:
• 1) parametric and
• 2) nonparametric.

Limitations of Statistical Approaches
• Most of the tests are for a single attribute
• In many cases, data distribution may not be known
• For multi-dimensional data, it may be difficult to estimate the true distribution

Distance-based Approaches
• Data is represented as a vector of features
• Three major approaches
• Nearest-neighbor based: compute the distance between every pair of data points
• Density based
• Clustering based

Density-based: LOF approach
• For each point, compute the density of its local neighborhood
• Compute the local outlier factor (LOF) of a sample p as the average of the ratios of the density of sample p and the density of its nearest neighbors
• Outliers are points with the largest LOF value
• In the NN approach, p2 is not considered as an outlier, while the LOF approach finds both p1 and p2 as outliers (figure: points p1 and p2)

The local outlier factor LOF is defined as follows:

$$\mathrm{LOF}_k(p) = \frac{\sum_{o \in N_k(p)} \frac{\mathrm{lrd}_k(o)}{\mathrm{lrd}_k(p)}}{|N_k(p)|}$$

where $N_k(p)$ is the set of k-nearest neighbors to p, and

$$\mathrm{lrd}_k(p) = \frac{|N_k(p)|}{\sum_{o \in N_k(p)} \mathrm{reach\text{-}dist}_k(p, o)}$$

$$\mathrm{reach\text{-}dist}_k(p, o) = \max\{k\text{-}\mathrm{dist}(o),\ \mathrm{dist}(p, o)\}$$
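The LOF definition above, as an added Python example (not from the slides) implemented from scratch over constructed 2-D points: a dense grid, a sparse grid, a far point p1 and a point p2 sitting just outside the dense grid. p2 is within one sparse-grid spacing of the dense grid, so a single global distance threshold (the NN view) would not single it out, but its LOF is about 3.5 because its neighbours are far denser than its own reachability density; k and the threshold are assumptions.

```python
import math

def k_neighbors(points, i, k):
    """Indices of the k nearest neighbours of points[i] (ties broken by index)."""
    dists = sorted((math.dist(points[i], points[j]), j) for j in range(len(points)) if j != i)
    return [j for _, j in dists[:k]]

def k_dist(points, o, k):
    """k-dist(o): distance from o to its k-th nearest neighbour."""
    return math.dist(points[o], points[k_neighbors(points, o, k)[-1]])

def reach_dist(points, p, o, k):
    """reach-dist_k(p, o) = max{k-dist(o), dist(p, o)}"""
    return max(k_dist(points, o, k), math.dist(points[p], points[o]))

def lrd(points, p, k):
    """Local reachability density: |N_k(p)| / sum of reach-dists from p to its neighbours."""
    nbrs = k_neighbors(points, p, k)
    return len(nbrs) / sum(reach_dist(points, p, o, k) for o in nbrs)

def lof(points, p, k):
    """LOF_k(p): average over neighbours o of lrd_k(o) / lrd_k(p); ~1 for inliers, >> 1 for outliers."""
    nbrs = k_neighbors(points, p, k)
    return sum(lrd(points, o, k) / lrd(points, p, k) for o in nbrs) / len(nbrs)

# Constructed data: a dense 3x3 grid (spacing 1), a sparse 3x3 grid (spacing 10),
# p1 far from everything, and p2 four units to the right of the dense grid.
DENSE = [(x, y) for x in range(3) for y in range(3)]
SPARSE = [(50 + 10 * x, 50 + 10 * y) for x in range(3) for y in range(3)]
P1, P2 = (200, 200), (6, 1)
POINTS = DENSE + SPARSE + [P1, P2]

def lof_scores(points=POINTS, k=3):
    return [lof(points, i, k) for i in range(len(points))]

def outliers(points=POINTS, k=3, threshold=2.0):
    """Points whose LOF exceeds the threshold, in input order."""
    return [points[i] for i, s in enumerate(lof_scores(points, k)) if s > threshold]

if __name__ == "__main__":
    for pt, s in zip(POINTS, lof_scores()):
        print(pt, round(s, 2))
    print("outliers:", outliers())
```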

Clustering-Based
• Basic idea:
• Cluster the data into groups of
different density
• Choose points in small cluster as
candidate outliers
• Compute the distance between
candidate points and non-
candidate clusters.
• If candidate points are far
from all other non-candidate
points, they are outliers

Importance of Anomaly detection
• Enable the early identification of potential security incidents,
including hard-to-detect threats and attacks, such as insider threats
• allowing the organization to minimize losses and improve remediation
time;
• Maintain the integrity of critical information and systems;
• Optimize resources by focusing efforts on critical, high-priority events;
and
• Improve decision-making by leveraging clear and actionable insights
to initiate response efforts.

Network Detection System (NDS)
• The Evolution of NDS: From IDS to Advanced Threat Detection

Threat Hunting
• Threat hunting is an active information security process and strategy
used by security analysts. It consists of searching iteratively through
network, cloud, and endpoint system logs to detect indicators of
compromise (IoCs); threat actor tactics, techniques, and procedures
(TTPs); and threats such as advanced persistent threats (APTs) that
are evading your existing security system.
Threat Hunting
1. Hypothesis-driven investigation
2. Investigation based on known Indicators of Compromise or Indicators of Attack
3. Advanced analytics and machine learning investigations

Threat Intelligence
• It is the collection, analysis, and dissemination of information about
potential or existing cyberthreats, vulnerabilities, and risks. This
information is typically gathered from a variety of sources, such as
open-source intelligence (OSINT), Open Worldwide Application
Security Project (OWASP), industry-specific threat feeds, and internal
network and monitoring data. The primary goal of threat intelligence
is to provide organizations with actionable insights that can help them
make informed decisions about their cybersecurity posture and
response strategies.

Machine Learning
• To reduce false alarm rate [1] and increase threat detection
accuracy [2], different approaches of machine learning (ML) have
been used in NIDS. The advanced type of ML that is deep learning
(DL) is also used in developing a more advanced field of NIDS.

Threat detection using AI/ML techniques
• NIDS is useful to detect different kinds of network threats,
including distributed denial-of-service (DDoS) attacks, worms,
and viruses. Reliability, accuracy, and detection speed are the
success factors of NIDS.
• To reduce false alarm rate and increase threat detection accuracy
deep learning (DL) is used in developing a more advanced field of
NIDS.

Conclusion
• The intruders are more intelligent and have in-depth knowledge of the security environment.
• The state of the art in cyber threat detection is in the process of deploying AI/ML for detection.
• Intruders are also using machine learning techniques to intrude and obtain the details of the environment.
• More sophisticated tools and technology pathways are essential to provide a threat detection system, so that a suitable response can be made which helps avoid heavy damage or deadlocks of network functioning, cyber physical system functioning, etc.
Thank You
