2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 21EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>TARGETED THREAT INDEXOur dataset includes a wide range of targeted malware threats that have varying levelsof complexity. This range presents a challenge in ranking the relative sophistication ofthe malware and targeting tactics used by attackers.While metrics such as the Common Vulnerability Scoring System exist for the purpose ofcommunicating the level of severity and danger of a vulnerability, there is no standardizedsystem for ranking the sophistication of targeted email attacks. This gap is likelybecause evaluating the sophistication of targeting is non-technical, and cannot be automateddue to the requirement of a strong familiarity with the underlying subject material.To address this gap, we developed the Targeted Threat Index (TTI) to assign a rankingscore to the targeted malicious emails in our dataset. The TTI score is intended for usein prioritizing deeper analysis of incoming threats, as well as for getting an overall ideaof how severely an organization is threatened. 4The TTI Score is calculated in two parts: (Social Engineering Sophistication BaseValue) × (Technical Sophistication Multiplier) = TTI ScoreTTI scores range from zero to 10, where 10 is the most sophisticated attack. Scoresof zero are reserved for threats that are not targeted, even if they are malicious. Forexample, an email from a widely-spread spam campaign using an attached PDF orXLS file to bypass anti-spam filters would score zero. Sophisticated financially-motivatedmalware would also score zero if it was not part of a targeted attack.Social Engineering SophisticationTo measure the targeting sophistication base value we assign a score that ranges from zeroto five, which rates the social engineering techniques used to persuade a victim to open amalicious link or attachment. This score considers the content, presentation, and claimedsender identity of the email. This determination also includes the content of any associatedfiles, as malware is often implanted into legitimate relevant documents to evade suspicionfrom users when the malicious documents are opened. The features for each score aredetailed in Table 7(for examples of emails with each of these scores see Appendix A).4 For further details on the TTI including detailed discussion of its design, limitations, and plans for future work see: Hardy, S.,Crete-Nishihata, M., Kleemola, K., Senft, A., Sonne, S., Wiseman, G., Gill, P., Deibert, R. “Targeted Threat Index: Characterizingand Quantifying Politically-Motivated Targeted Malware.” USENIX Security 2014. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf
Communities @ Risk 22EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>TABLE 7: TTI base value scoreVALUE012345DESCRIPTIONNot targeted..Recipient does not appear to be a specific target...Content is not relevant to recipient...The email is likely spam or a non-targeted phishing attempt.Targeted, Not customized..Recipient is a specific target...Content is not relevant to recipient or contains information that is obviously false withlittle to no validation required by the recipient...The email header and / or signature do not reference a real person or organization.Targeted, Poorly customized..Recipient is a specific target...Content is generally relevant to the target but has attributes that make it appear questionable(e.g., incomplete text, poor spelling and grammar, incorrect addressing)...The email header and / or signature may reference a real person or organization.Targeted, Customized..Recipient is a specific target...Content is relevant to the target and may repurpose legitimate information (such asa news article, press release, or a conference or event website) and can be externallyverified (e.g., message references information that can be found online). Or, the email textappears to repurpose legitimate email messages that may have been collected from publicmailing lists or from compromised accounts...The email header and / or signature references a real person or organization.Targeted, Personalized..Recipient is a specific target...Email message is personalized for the recipient or target organization (e.g., specificallyaddressed or referring to individual and / or organization by name)...Content is relevant to the target and may repurpose legitimate information that can beexternally verified or appears to repurpose legitimate messages...The email header and / or signature references a real person or organization.Targeted, Highly personalized..Recipient is a specific target...Email is individually personalized and customized for the recipient and references confidential,sensitive information that is directly relevant to the target (e.g., internal meetingminutes, compromised communications from the organization)...The email header and / or signature references a real person or organization.
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 73 and 74:
Communities @ Risk 72EXTENDED ANALY
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?