Download PDF - Codenomicon

Codenomicon whitepaper: 

Proactive Cyber Security: 

Stay Ahead of Advanced 

Persistent Threats (APTs) 

- Anna-Maija Juuso & Ari Takanen - 

1 

12 

3 

4 

5 

6 

7 

8 

9 

Introduction 

Advanced Persistent Threats (APTs) 

Vulnerability Exposure 

Known and Unknown Vulnerabilities 

Fuzzing 

Automating Fuzzing 

Abuse Situation Awareness 

Automating Abuse Situation Awareness 

10 

11 

12 

13 

Cyber Security Risks 

Fuzzing Best Practices 

Abuse Situation Awareness Best Practices 

Conclusion 

Botnet-Inspired Situation Awareness System (AbuseSA) 

Preemptive security and 

robustness testing solutions

CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) 

1 Introduction 

The security landscape is changing: Governments, critical infrastructure providers and defense organizations 

increasingly rely on the Internet to perform mission-critical operations. At the same time, cyber attacks 

have become more professional with attackers investing more time and money into creating detection 

evasion techniques and developing sophisticated, targeted attacks exploiting zero-day vulnerabilities. 

Zero-day exploits are the biggest threat to security, because there are no defenses against them and the 

attacks can go unnoticed. Most organizations are not even prepared against popular untargeted malware, 

not to mention for Advanced Persistent Threats (APTs). They rely largely on signature-based security solutions, 

which only defend against known threats and require continuous rule updates to even stay up-to-date 

on cyber attacks. 

In this paper, we take a two-fold approach to securing networks against APTs. Firstly, we discuss using fuzzing, 

a robustness testing technique, to discover exploitable zero-day vulnerabilities proactively. Secondly, 

we present a botnet-inspired system which enables organizations to expand their knowledge of Internet 

abuse without straining their security resources by better utilizing security information already provided by 

the security community. By collecting security information from public and private feeds and automatically 

generating actionable abuse reports organizations can adopt cost-effective processes for detecting malicious 

activity and mitigating incidents. It is equally important to ensure the security and robustness of critical 

networks and services and to develop capabilities for detecting attacks at the earliest possible moment. 

By implementing fuzzing into your software development and procurement processes and having good 

abuse situation awareness, you can prepare your networks against APTs. 

2 

Advanced Persistent Threats 

(APTs) 

Internet abuse refers to the misuse of the Internet to injure and 

disturb other users. It is an umbrella term covering cyber crime, 

hacktivism, attacks by nation-state sponsored adversaries and 

hobbyist crackers. Different types of internet abuse include 

unauthorized network access, data theft and corruption, disruptions 

to normal traffic flow (e.g. DoS and DDoS attacks), the 

propagation of malware, spamming, phishing and botnets. APT 

refers to sophisticated Internet abuse performed by highlymotivated 

and well-resourced groups, such as organized cyber 

criminals, hostile nation states and hacktivists. These attacks 

frequently utilize unknown, zero-day vulnerabilities. Zero-day 

vulnerabilities pose the greatest threat to network security, because 

there are no defenses for attacks against them [1]. The 

attacks can go unnoticed and once discovered it takes time to 

locate the vulnerabilities and to create patches for them [1]. Advanced 

attacks, like the Stuxnet, can utilize multiple zero-days 

making them extremely difficult to defend against.


Preventing Advanced Cyber Attacks 

Crackers need to find a vulnerability in the protocol implementation 

in order to devise an attack against a target system [2]. 

By removing potential zero-day vulnerabilities proactively, you 

can make it significantly harder for crackers to devise attacks. 

Thus, the best way to prevent zero-day attacks is to get rid of exploitable 

vulnerabilities proactively [1]. Fuzzing enables you to 

find previously unknown, zero-day vulnerabilities by triggering 

them with unexpected inputs [1]. By incorporating fuzzing best 

practices into your organization’s development and procurement 

processes you can improve the security and robustness 

of your networks. 

Detecting Advanced Cyber Attacks 

Not all attacks can be prevented, thus organizations must be 

able defend against attacks. Organizations commonly rely on 

signature-based security defenses, such IPS/IDS solutions, vulnerability 

scanners and firewalls [3]. They are fairly efficient in 

defending against known attacks. However, they can only detect 

pieces of malware, for which an identifier, known as a signature, 

already exists and has been deployed [4]. Advanced attacks 

exploiting zero-day vulnerabilities can completely bypass 

these defenses [3]. Automating abuse information collection 

and processing is key to getting actionable information on incidents 

in your network. Good abuse situation awareness is key 

to establishing systematic and efficient processes for responding 

to cyber incidents. 

Zero Exposure 

Limited Exposure 

Public Exposure 

3 

Vulnerability Exposure 

Vulnerabilities are flaws in software or software components 

in hardware, which enable crackers to exploit a system. Vulnerabilities 

are not created when a system is being attacked. They 

are design and implementation errors that are introduced into 

the code during development [4]. The errors become vulnerabilities 

once the software is released, and it gets exposed to outside 

attacks [5]. Security researchers, security companies and 

hackers discover some of the vulnerabilities, and if they choose 

to report the findings, they can enable software developers to 

create patches for the found vulnerabilities [5]. After the patch 

release the vulnerability becomes public knowledge [5]. 

No exposure, no publicity 

Figure 1 categorizes vulnerabilities based on exposure. The exposure 

of a vulnerability depends firstly on whether the vulnerability 

can be accessed by outside attackers, and secondly on 

how public the vulnerability is. During development, new vulnerabilities 

have zero exposure to attacks: nobody knows that 

they exist and they cannot be exploited by outsiders [5]. After 

release the vulnerabilities have limited exposure: they are open 

to attacks, but the attackers first have to find them [5]. After a 

patch is released, the exposure is full: the attackers have both 

the possibility to attack and the information they need [5]. Public 

exposure can be avoided by deploying patches 

in a timely manner. In this paper, we focus on techniques 

used to discover zero-day vulnerabilities with 

zero-exposure prior to release or implementation 

and to detect attacks exploiting zero-day vulnerabilities 

with limi-ted exposure. 

inside access only 

Release/ 

Implementation 

Patch 

Release 

in-and outside access 

Figure 1: Vulnerability exposure. Based on [5].


4 

Known and Unknown 

Vulnerabilities 

In this paper we focus on the fourth quadrant, the unidentified 

zero-day vulnerabilities. These vulnerabilities are the biggest 

threat to an organization’s security [7]. Their existence is 

unknown, there are no defenses against them and an attack 

can go completely unnoticed [7]. If an attacker finds a zero-day 

vulnerability in a network, service or application, they can do 

what they want with it from website defacing, obstructing operations 

to stealing confidential information. It is unlikely that 

targets of high profile attacks are not keeping their patches upto-date. 

It is the zero-day vulnerabilities in their systems that 

make APTs possible. How can APTs be mitigated 

Figure 2 divides vulnerabilities into known and unknown vulnerabilities 

for which there are already patches available or not. 

If you have vulnerabilities within your systems for which patches 

already exist, then clearly you should be doing better vulnerability 

research and be more vigilant about patch updates [6]. 

Most organizations do a good job, employing various technologies 

like anti-virus, firewall, IPS/IDS to defend against known 

attacks and keep up-to-date with software updates [6]. During 

the small window when a vulnerability has been discovered but 

there is no patch yet, a workaround needs to be implemented. 

Zero-Day vulnerabilities and APTs 

Patch 

Not available 

Implement 

workaround 

 

5 

Fuzzing 

Fuzzing is a black-box robustness testing technique used to reveal 

unknown zero-day vulnerabilities by triggering them with 

unexpected inputs. Basically, unexpected data in the form of 

modified protocol messages are fed to the inputs of a system, 

and the behavior of the system is monitored [9]. If the system 

fails, e.g., by crashing or by failing built-in code assertions, then 

there is an exploitable vulnerability in the software [10]. While 

many security techniques focus on finding known vulnerabilities 

or variations of them, fuzzing reveals previously unknown 

vulnerabilities, so called zero-day vulnerabilities by triggering 

them with unexpected inputs [4]. Figure 3 depicts the flow of 

fuzzing tests. Discovering Zero-Day Vulnerabilities 

A survey conducted by a large independent software vendor 

found that every single unique vulnerability found had been 

discovered by fuzzing [6]. The Internet is full of fuzzing kits, 

like the Phoenix Exploit Kit, Blackhole and Crimepack, favored 

among crackers to find exploitable vulnerabilities in networks 

and applications [6]. Industry leading companies are already using 

fuzzing to protect their networks against zero-day attacks. 

By finding zero-day vulnerabilities proactively, networks can 

be made more robust against attacks reducing the risk of advanced 

cyber attacks [4]. 

Patch 

Available 

Apply the patch 

Known 

Vulnerability 

Do better 

vulnerability 

research 

Unknown/Zero-Day 

Vulnerability 

Figure 2: Known and Unknown Vulnerabilities.[8] 

6 

Automating Fuzzing 

In fuzzing, thousands and even millions of misuse-cases are created 

for each use-case, thus most robustness testing solutions 

contain at least some degree of automation. There are two popular 

ways to automate fuzzing: generation and mutation-based 

fuzzing [11]. In mutation-based fuzzing, real-life inputs such 

as network traffic and files, are used to generate test cases by


Figure 3: The flow of fuzzing. [9] 

modifying the samples either randomly or based on the sample 

structure [11]. In generation-based fuzzing, the process of data 

element identification is automated by using protocol models 

[11]. 

Specification-based Fuzzing 

Specification-based fuzzing is a form of generation-based 

fuzzing, which uses protocol and file format specifications to 

provide the fuzzer with protocol or file format specific information, 

e.g., on the boundary limits of the data elements [11]. 

Specification-based test generation achieves excellent coverage 

testing the protocol features included in the specification. 

However, new features and proprietary features not included in 

the specification are not covered [12]. If no specification is available, 

then the best fuzzing results can be achieved with mutation-based 

fuzzers [12]. Generation-based testing can also be 

complemented with longer mutation-based fuzzing test runs. 

Some vulnerabilities might only be triggered through more aggressive 

input space testing [12]. Thus, the best test results are 

achieved by combining testing techniques. 

7 

Abuse Situation Awareness 

Human error is frequently attributed as the main cause of security 

breaches [13]. Endsley argues that the term “human error” 

is misleading, because it implies that the problems are caused 

by careless, poorly trained employees, when in most cases the 

real problem is inadequate situation awareness [14]. Security 

personnel operate in highly complex networks and handle vast 

amounts of information [14]. The problem is not that they do 

not know what is the correct way to react to incidents. Finding 

and identifying security incidents from the flood of network information 

is very difficult [14].


Rapid Detection 

Attack Impact 

Advanced attacks are typically hard to detect, because they are 

designed to stay under the radar [15]. Moreover, there is a lot 

scattered information about Internet abuse and local security 

experts tend to lag behind the latest knowledge. They use detection 

rules that defend against latest threats to the best of 

their knowledge. However, their latest knowledge can be quite 

outdated when compared to global state-of-the-art abuse situation 

awareness. Good abuse situation awareness provides information 

on the current security landscape, making it easier 

to identify attacks. For example, when new C&C servers are reported 

by the security community, local actors can automatically 

deploy this new information to their sensors. Thus, abuse 

situation awareness allows you to discover incidents earlier, and 

also to detect advanced attacks that might not otherwise be 

noticed. With better abuse situation awareness, the human factor 

can be reduced [14]. 

STOP ABUSE HERE 

Infection 

Malware 

Downloaded 

More devices 

corrupted 

The key to reducing the impact of cyber attacks is rapid detection 

[15]. According to the Verizon 2012 Security report, in 85% 

of incidents it took the attackers only a few minutes to compromise 

the victim, but it took them a day or longer to locate and 

exfiltrate data [16]. There is a window for mitigating the impact 

of cyber attacks, but according to the same report, it took the 

victims months or even years to discover the breaches [16]. To 

detect APTs at the earliest possible moment, security experts 

need quick access to the latest security information. To achieve 

this they need to actively monitor all possible sources of abuse 

information, something which cannot be executed manually. 

Information flood 

Better awareness of network incidents and internet abuse enables 

you to detect and react to attacks earlier. In most cases, 

organizations already have access to the correct information, 

but they are not fully using it [14]. Security personnel are 

drowned in disparate information from internal sources like 

log files, IDS/IPS alerts, network management tools and 

SIEM platforms [3]. In addition, there are many 

good external sources of threat information 

such as government channels, industry associations, 

commercial data feeds and 

abuse feeds provided by non-profit 

organizations such as Shadowserver. 

This information comes in a variety 

Critical resources 

accessed 

of formats, meaning that security 

personnel spend a lot of their manually 

collecting and processing the 

information [3]. The vast amount of 

information and poor processes result 

in security personnel being overwhelmed 

and susceptible to missing critical bits of information 

[14].


8 

Automating Abuse Situation 

Awareness 

By automating the collection and processing of abuse information, 

security personnel can handle more information in shorter 

time and discover relevant information faster. Automating basic 

tasks frees up the security personnel’s time to do the actual 

analysis [3]. However, the lack of a common information sharing 

standard has been a major hindrance to automating abuse 

situation awareness [15]. Security notifications and abuse feeds 

come in a variety of formats, including not machine-readable 

formats [3]. Especially following external threat information 

sources involves sifting through emails, website postings and 

other human communications. Instead of waiting for an ideal 

information sharing format, organizations should employ practical 

security collaboration solutions [15], such as AbuseSA. 

Collaboration 

The best results are achieved by fully automating the feedersproxies-cleaners 

information chain. Through collaboration, 

each organization can scale their security expertise, speed up 

attack detection and improve remediation [15]. The feeders 

are best at discovering Internet abuse [17]. The proxies have 

the best expertise and resources for collecting, aggregating 

and reporting abuse information provided by the international 

security community [17]. Actual attack mitigation needs to be 

done by the cleaners, because only they have access to their 

networks [17]. However, the availability of actionable abuse 

information collected and reported by the feeders and proxies 

makes their task a lot easier. 

9 

Botnet-Inspired Situation 

Awareness System (AbuseSA) 

Feeders, Proxies and Cleaners 

Actors in the abuse situation awareness field can be divided 

into three groups: feeders, proxies and cleaners [17]. Feeders 

monitor network incidents and provide data for abuse notifications 

which can be fed to other organizations [17]. Feeders 

are security vendors, industry organizations, government channels 

and non-commercial organizations, like Shadowserver, 

Zone-H and DShield [17]. The proxies, that is CERTs, ISP abuse 

teams and government defense organizations, are in charge of 

informing their stakeholders about abuse [17]. The stakeholders 

or the cleaners are organizations, enterprises, ISPs, critical 

infrastructure providers that are responsible for keeping their 

own networks clean [17]. 

The AbuseSA is a botnet-inspired system for automatically 

collecting and sharing abuse situation awareness [17]. Similar 

systems have been used by the Finnish and Estonian national 

CERTs for automated abuse handling [17]. Before they became 

associated with malicious purposes, small software modules, 

or bots, were used for administrating Internet relay chat (IRC) 

rooms [18]. Administrating chat rooms was time consuming 

and bots could be used automate this task [18]. Criminals took 

this approach and used it to create huge botnets. By joining 

hundreds of thousands of infected PCs to IRC command and 

control (C&C) channels the criminals could control their net- 

Feeders produce data which AbuseSA users collect, process and report systematically to protect 

Abuse Feeds / Intelligence 

Proxies 

Cleaners 

Citizens 

• Non-profit and commercial organizations 

• Shadowserver, Zone-H, DShield, Abuse.ch, 

Malwaredomainlist and tens or more. 

• National and Governmental CERTS 

• Cyber Defense Organizations 

• ISP Abuse Teams 

• ISPs 

• Critical Infrastructure Providers 

• Govermental Organizations 

Critical Infra 

Figure 5: Feeders, Proxies and Cleaners. [17]


works remotely. An abuse situation awareness system needs 

to collect information from potentially unreliable sources and 

produce reliable reports. Botnets are modular and resilient and 

they can distribute processing. These features make a botnetinspired 

architecture the ideal basis for an abuse situation 

awareness system. 

Benefits of a botnet-based architecture 

The botnet-inspired architecture makes AbuseSA very flexible, 

scalable and robust. In AbuseSA, each source is followed by its 

own bot, which reports to a C&C channel. Using separate bots 

for different sources makes the system flexible and resilient to 

errors in the sources. The system can collect information from a 

wide variety of sources; each bot can be configured to understand 

the transports and formats of its source. Thus, the user 

can collect information without imposing any requirements to 

the feed provider. In addition, new sources can be added simply 

by adding a new bot on the fly, which makes the system easy 

to scale. The botnets communicate over the extensible messaging 

and presence protocol (XMPP). Thus various tasks can be 

distributed and even run in various geolocations. 

10 

Cyber Security Risks 

Hobbyists, Hacktivists and Cyber Crime 

Security threats have been growing in scale and sophistication 

for decades. Twenty years ago, cyber attacks were primarily 

the domain of hobbyists. Then, as the opportunity for profiting 

from stolen information grew, criminals started taking a larger 

role. More recently spies working for government and corporate 

espionage are leading some of the most technically advanced 

and resource intensive attacks to date. 2011 saw a significant increase 

in the activity of “hacktivist” groups like Anonymous and 

LulzSec [19]. The motivation for these groups is retaliation for 

perceived wrongdoing. Rather than financial gain, their main 

goal is embarrassing their victims. However, their attacks are 

not without financial consequences. 

Critical Infrastructure 

Critical infrastructure networks are no longer isolated. They 

are all connected to the cyberspace, the global network of 

interdependent information technology infrastructures and 

communication networks, and they depend on common commercial 

off-the-shelf software. When SCADA systems were fist 

implemented in the 1960’s, it would have been hard to image 

that critical control system could be attacked remotely or that 

printers in adjacent corporate networks could be used as weapons 

to attack them. Nobody could envision such threats, so no 

measures were taken to make the networks resilient against cyber-attacks. 

Newer SCADA devices communicate using Internet 

protocols, sometimes over the public Internet [20]. This helps 

reduce the cost of dedicated communication links, but at the 

same time it makes the networks more open to outside attacks 

[20]. 

Power grids, telecommunication and transportation networks 

are exactly the type of infrastructure that has been the target of 

traditional warfare, only the weapons have changed [21]. There 

have only been a limited number of reported cyber-attacks 

against critical infrastructure [21]. However, it would be naïve to 

assume that hostile nation states, terrorists and hacktivists are 

not aware how vulnerable these networks are and how much 

havoc such an attack could cause [21]. The Stuxnet was the first 

publicly admitted act of cyber warfare. It demonstrated that 

cyber-attacks can cause significant physical damage to a facility 

[22]. The Stuxnet was a very sophisticated attack carefully 

selecting its victims and remaining undetected [22]. It utilized 

four different zero-day vulnerabilities. However, many critical 

infrastructure networks are so vulnerable that it does not take a 

sophisticated attack like Stuxnet to exploit them. In many countries, 

large parts of the critical infrastructure is privately owned 

and extremely vulnerable [21]. 

Corporate Networks 

A network is only as strong as its weakest element [23]. If attackers 

manage to compromise a laptop or a smartphone of a 

remote user working over a VPN, then they direct access to your


network. The Stuxnet was carried into the plants on a corrupted laptop or thumb drive [22]. Corporate networks connected to critical 

networks are full of equipment, like VoIP phones, printers and storage devices. Nobody thought that these devices could be used 

to attack the networks, so the developers did not try to make this difficult or impossible to do [12]. 

When sourcing equipment for critical networks or networks connected to critical networks security, robustness testing should be 

used as an acceptance criterion. The challenge with outsourcing is that you lose visibility over the security and quality of the software 

development. Often buyers have been surprised to find that the middleware they have purchased has an open source core. 

Networks for distributed organizations often include site-to-site, branch office, and remote access networks. There might also be 

additional network security layers such as VPNs and LANs. All these add to the complexity of a network making it more difficult to 

secure and increasing the importance of proactive measures. 

Desktops, laptops, 

smartphones, USB sticks 

Printers 

Firewall 

IPS/IDS 

Web and 

mobile services 

Cloud 

services 

Closed Network 

Router 

Corporate Network 

Router 

Internet 

Laptops 

USB Sticks 

Web servers 

VoIP server 

Storage devices 

VPN 

Partners 

Branch office 

Roaming user 

Remote user 

Figure 6: Closed and corporate networks. 

Cloud Security 

eGov and mGov 

In recent years the use of virtualization technologies and cloud 

services has increased dramatically. Cloud services and virtualization 

can help government agencies connect with citizens, 

improve efficiency and reduce costs. However, like any new 

technology, cloud services and virtualization introduce new security 

concerns. New technologies are not necessarily inherently 

less secure than old ones. They just have not been tested and 

used for as long. Also, the threats can be different. The potential 

security risk in cloud technologies is the hypervisor, which controls 

all the clients within a virtual cloud. If the implementations 

of PHYP or another hypervisor protocol contain vulnerabilities, 

these could be exploited to inject malicious code or to otherwise 

control client clouds. 

eGov and mGov services make information sharing between 

citizens, businesses and government more seamless: less paperwork, 

less bureaucracy and you use the services whenever, 

wherever. Such initiatives should be applauded, as they improve 

the efficiency of government services and improve the 

quality of service experienced by the users. However, in developing 

services with external user interfaces to handle private 

and confidential information, the robustness of the services 

should be thoroughly tested before deployment. Any security 

incidents could erode user confidence and set back the development 

of the services.


11 

Fuzzing Best Practices 

Fuzzing can be used to test all software and software components 

with hardware, so you can use it to test all types 

applications, services and network equipment like routers, 

switches and servers, and also security software like antivirus 

and firewalls [6]. The cost of not fuzzing can be high. 

It can be costly, if an important network element is offline 

or services unavailable, never mind the consequences of an 

advanced cyber attack. 

As an acceptance condition 

Many vendors are in a hurry to push software onto the market, 

and often times it is the user who ends up doing the 

testing [12]. Actually, software products have the highest 

rate of defects of product sold today [12]. By insisting on 

using fuzzing as an acceptance condition, you can make 

vendors claim responsibility over the quality and security of 

their products [6]. A prominent US ISP already uses fuzzing 

as entry criteria for its network suppliers [7]. The Codenomicon 

Defensics test suites automatically collect all important 

information on found vulnerabilities into a Remediation 

Package, which you can send to third parties for automated 

reproduction [23]. 

During SDL 

Large software houses already include fuzzing as a part 

of their secure development lifecycles: Cisco’s CSDL, Microsoft’s 

SDLC and the Adobe Product lifecycles are good 

examples of this. Giants like IBM and Google also promote 

fuzzing [12]. The Microsoft secure development lifecycle 

(SDL) model endorses the use of fuzzing in the verification 

phase [24]. However, fuzzing can be used throughout the 

development process from the moment the first software 

components are ready to even after the release [24]. The 

earlier the vulnerabilities are found, the easier and cheaper 

it is to fix them [1]. Indeed, by building security into your 

software you can avoid costly, critical and embarrassing 

software blunders. 

During production 

In addition to fuzzing before development, the production 

environment should also be tested, because testing elements 

in isolation does not always reveal the same issues as 

testing a live environment [6]. However, this may disturb the 

tested system, because it is essentially simulating an attack 

against it [24]. Thus, it should only be done after extensive 

testing and in the presence of support personnel [24]. 

Augmenting parameter security defenses 

During the lag time between threat discovery and signature 

deployment, the IDS (intrusion detection system) is 

unable to identify the threat [23]. Help your defenses block 

attacks exploiting zero-day vulnerabilities by using the extensive 

documentation that Defensics provides [23]. The 

test cases triggering vulnerabilities in your system are described 

clearly making it easy to write your own IDS rules 

[23]. The rules can be based on vulnerabilities found by running 

predefined Defensics tests, or testing around known 

vulnerabilities downloaded from third party vulnerability 

feeds [23]. You can also use Defensics to generate variations 

of the original attack and to test how well IDS/IPS systems 

and firewalls can detect and block both the original attack 

and variations of it [23].


12 

Abuse Situation Awareness Best Practices 

To respond to cyber attacks in a timely and effective manner, organizations need to adopt systematic 

incident handling processes. To develop such processes is the ability to share real abuse situation 

information. The key to designing an effective situation awareness system is understanding 

that real situation awareness only exists in the mind of the human operators [14]. Thus, tons of data 

will not help unless it successfully transmitted, absorbed and assimilated in a timely manner by the 

operator [14]. Here are some best practices for abuse situation awareness. 

Automated Data Collection 

External abuse feeds are an under-used resource, and it is easy to understand why: There can be 

billions of abuse notifications daily, each of them different in terms of timing, format, transport and 

content [3]. Security personnel must sift through emails, website postings or other communications. 

In most organizations, these tasks are performed manually by skilled analysts. It makes a lot 

of sense automate basic tasks like collecting and processing abuse information, and free up the 

analysts’ time to do the actual analysis [3]. 

Automated Analysis 

Expertise plays a major role in situation awareness [14]. An experienced operator will be able to 

spot similarities between events, even if the events are not exactly alike [14]. For novices this task 

is much harder [14]. Thus, a good situation awareness system should help the operators draw parallels 

between events [14]. In AbuseSA, incidents are stored into a knowledge database for users 

with access rights to share. This information can be used to automatically augment abuse feeds’ 

information in real-time. For example, if a certain IP address has been identified as a drop-time, 

then traffic to this address will immediately be flagged as high risk. 

Actionable Reporting 

Abuse feed transports and formats vary considerably. Reporting standards, on the other hand, can 

be strict [17]. The AbuseSA sanitizes and normalizes all the information, sending reports to stakeholders 

at preferred times, in preferred formats. Actionable reporting enables stakeholders to take 

swift action. Organizations often waste time handling notifications that contain inaccurate, false or 

old information, or do not contain vital information, like IP-addresses. The AbuseSA removes all this 

information only reporting actionable abuse information.


Figure 7: Map view of Internet abuse. 

Figure 8: Categorization view of Internet abuse.


Figure 9: Dynamic visualizations allow you to view the same data on different abstraction levels. 

Visualizations 

Situation awareness should help operators make better informed 

decisions faster [17]. Information collected at the lowest 

level can easily overwhelm human decision makers [26]. It 

is better to provide information on multiple abstraction levels 

with high-level abstractions complementing lower level details 

[26]. Abuse Situation Awareness generates this with real-time 

visualizations, providing high level abstractions (Figure 7). By 

clicking on the interactive images users can drill down to more 

detailed information for a more closer analysis (Figure 8). Also, 

the analyst can highlight different aspects of the collected information 

by choosing the visualized datasets differently (Figure 

9). 

Collaboration 

Global situation awareness is essential for understanding the 

threat landscape. Many actors only have an “island view” of 

events, knowing what is happening in their own network. Yet, 

global abuse situation awareness is the key to understanding 

global incident trends. The global view enables authorities and 

major players in different countries to share intelligence on the 

development of the incident and coordinate their responses 

[27]. Due to the sheer volume of dynamic information involved, 

visualizations are essential to providing global abuse situation 

awareness. AbuseSA provides a combination of interactive 

earth-view visualizations and abuse categorizations based on 

location, abuse type and industry.


Combining Internal and External Information 

Comprehensive situation awareness is achieved by combining threat and vulnerability intelligence from internal 

and external sources. Most organizations employ SIEM systems and IPS/IDS solutions, which provide 

valuable insight into incidents within networks. However, even serious cyber threats can be dismissed as 

random attacks, if the security personnel lack the global abuse situation awareness needed to examine events 

in coordination with other security incidents. 

Similarly, external abuse information requires 

network-specific intelligence to be applied into 

practice. Figure 10 depicts the iteration of abuse 

situation awareness from internal and external 

sources. The internal resources include vulnerability 

and threat information from internal threat 

monitoring and in-house fuzz tests. The external 

resources include general abuse feeds and 

industry-specific threat information. Utilizing 

external information sources used to be challenging, 

due to the lack of common information 

sharing standards. AbuseSA solves this problem 

by being format-independent. You can use AbuseSA collect and present information in any format making 

it easier to combine internal and external security intelligence. The AbuseSA also makes it possible to share 

security information within industries on a completely new level. 

13 

Conclusion 

Cyber attacks are getting more sophisticated and traditional signature-based defenses are no longer enough 

to secure increasingly public networks. There has been a sharp rise in Advanced Persistent Threats, highlymotivated 

and well-resourced groups carrying out high-impact attacks. These attacks frequently exploit zeroday 

vulnerabilities making them hard to detect and difficult to defend against. 

This paper presented two approaches to handling such threats. Firstly, fuzzing can be used to prevent zeroday 

attacks by getting rid of exploitable vulnerabilities proactively. Secondly, abuse situation awareness provides 

you with the information you need to respond to cyber attacks rapidly. 

The best results can be achieved by incorporating fuzzing and situation awareness best practices in to your 

organizations processes. Fuzzing should be a part of your software development and procurement processes. 

Similarly, abuse situation awareness should be a part of your network monitoring processes automating the 

collection of abuse and incident information from internal and external sources. Due to the complexity and 

vastness of critical networks, the only effective form of cyber security is proactive cyber security.


References 

[1] Codenomicon, “How to Really Avoid Zero-Day Attacks – Build 

Security In, Don’t Add it”, January 2010 [2] OECD, “Malicious 

Software (Malware): A Security Threat to the Internet Economy”, 

OECD Ministerial Meeting on the Future of the Internet Economy, 

June 2008. [3] RSA, The Security Devision of EMC, “Getting 

Ahead of Advanced Threats: Achieving Intelligence-Driven Information 

security”, Security for Business Innovation Council 

Report, 2012. [4] T. Rontti, A-M. Juuso & J-M. Tirilä, “Securing 

Next Generation Networks by Fuzzing Protocol Implementations”, 

November 2011. [5] A. Takanen, “Unknown Vulnerability 

Management and Testing”, Fuzzing 101 Webinar, January 2011. 

[6] C. Wang and A. Takanen, “Fuzz your infrastructure - the blackhats 

are doing it, shouldn’t you”, Codenomicon and Forrester, 

Fuzzing 101 Webinar, April 2011. [7] A-M. Juuso & A. Takanen, 

“Unknown Vulnerability Management for Telecommunications, 

March 2011. [8] Next-Generation Marketing and Measurement, 

a commissioned study conducted by Forrester on behalf of Omniture, 

June 2009. In [6]. [9] A. Takanen, J.D. Demott & C. Miller, 

Fuzzing for Software Security Testing and Quality Assurance, 

Artech House, 2008. [10] A. Takanen, “Fuzzing: Helping to Avoid 

Zero-Day Attack”, February 2010. http://www.continuitycentral. 

com/feature0754.html visited 2011/12/09 [11] R. Kaksonen & 

A. Takanen, “XML Fuzzing Tool: Testing XML on Multiple Levels”, 

Testing Experience, December 2009 [12] M. Varpiola, “Embedded 

Device [fuzz] testing [against [A]PT]], Government and 

Defense perspective”, Amphion Forum, June 2012. [13] L. F. 

Cranor, “A Framework for Reasoning About the Human in the 

Loop”, UPSEC 2008. http://static.usenix.org/event/upsec08/ 

tech/full_papers/cranor/cranor.pdf visited 2012/08/15 [14] M. 

R. Endsley, “Designing for situation awareness in complex systems”. 

Proceedings of the Second intenational workshop on 

symbiosis of humans, artifacts and environment, Kyoto, Japan, 

2001. [15] RSA Security Brief, “Breaking Down Barriers to Collaboration 

in the Fight Against Advanced Threats”, February 

2012. [16] Verizon, “2012 Data Breach Investigations Report”, 

2012. [17] J. Kenttälä, “Abuse Situation awareness, Deal with 

Malware, Spam, Botnets, Phishing and more”, August 2012. [18] 

I. Sánchez, E. Kuusela, S. Turpeinen, J. Röning & J. Riekki, “Botnet-inspired 

architechture for Interactive Spaces”, Conference 

Proceedings of the 8th International Conference on Mobile and 

Ubiquitous Multimedia,Cambridge, UK, 2009. [19] HP, “2011 

Top Cyber Security Risks Report”, technical white paper, April 

2012. [20] P. Sommer & I. Brown, “Reducing Systemic Cybersecurity 

Risk”, OECD Project Future Global Shocks, January 2011. 

[21] The Washington Post, “Understanding cyberspace is key 

to defending against digital attacks”, June 2012. http://www. 

washingtonpost.com/investigations/understanding-cyberspace-is-key-to-defending-against-digital-attacks/2012/06/02/ 

gJQAsIr19U_story.html visited 2012/08/15 [22] S. Kroft, “Stuxnet: 

Computer worm opens new era of warfare”, 60 Minutes, 

July 2012. [23] A-M. Juuso & A. Takanen, “Unknown Vulnerability 

Management”, April 2010. [24] A-M. Juuso & A. Takanen, “Building 

Secure Software using Fuzzing and Static Code Analysis”, 

August 2011. [25] Financial Services Sector Coordinating Council 

for Critical Infrastructure Protection and Homeland Security 

“Homeland Security Strategy for Critical Infrastructure Protection 

in the Financial Services Sector”, May 2004. [26] P. Barford 

& al, “Cyber SA: Situational Awareness for Cyber Defense”. [27] R. 

Chipman & R. Wuerfel, “Network based Information sharing Between 

Emergency Operations Center”, IEEE, 2008. Collaboration

CODENOMICON LTD | INFO@CODENOMICON.COM | WWW.CODENOMICON.COM 

Global and EMEA Headquarters | Tutkijantie 4E FIN-90590 OULU FINLAND | Tel. +358 424 7431 

Americas Headquarters | 12930 Saratoga Avenue, Suite B-1 Saratoga, CA 95070 UNITED STATES | Tel. +1 408-414-7650 

APAC Headquarters | 46B Tras Street Singapore 078985 Singapore | Tel. +65 9188 1502

Download PDF - Codenomicon

Create successful ePaper yourself

Delete template?

Save as template?