Polina Zilberman

Polina Zilberman, Rami Puzis, Sunders Bruskin et al.

Threat emulators are tools or sets of scripts that emulate cyber attacks or malicious behavior. They can be used to create and launch single procedure attacks and multi-step attacks; the resulting attacks may be known or unknown cyber attacks. The motivation for using threat emulators varies and includes the need to perform automated security audits in organizations or reduce the size of red teams in order to lower pen testing costs; or the desire to create baseline tests for security tools under development or supply pen testers with another tool in their arsenal. In this paper, we review and compare various open-source threat emulators. We focus on tactics and techniques from the MITRE ATT&CK Enterprise matrix and determine whether they can be performed and tested with the emulators. We develop a comprehensive methodology for our qualitative and quantitative comparison of threat emulators with respect to general features, such as prerequisites, attack definition, cleanup, and more. Finally, we discuss the circumstances in which one threat emulator is preferred over another. This survey can help security teams, security developers, and product deployment teams examine their network environment or products with the most suitable threat emulator. Using the guidelines provided, a team can select the threat emulator that best meets their needs without evaluating all of them.

Elad Rapaport, Ingmar Poese, Polina Zilberman et al.

Large content providers and content distribution network operators usually connect with large Internet service providers (eyeball networks) through dedicated private peering. The capacity of these private network interconnects is provisioned to match the volume of the real content demand by the users. Unfortunately, in case of a surge in traffic demand, for example due to a content trending in a certain country, the capacity of the private interconnect may deplete and the content provider/distributor would have to reroute the excess traffic through transit providers. Although, such overflow events are rare, they have significant negative impacts on content providers, Internet service providers, and end-users. These include unexpected delays and disruptions reducing the user experience quality, as well as direct costs paid by the Internet service provider to the transit providers. If the traffic overflow events could be predicted, the Internet service providers would be able to influence the routes chosen for the excess traffic to reduce the costs and increase user experience quality. In this article we propose a method based on an ensemble of deep learning models to predict overflow events over a short term horizon of 2-6 hours and predict the specific interconnections that will ingress the overflow traffic. The method was evaluated with 2.5 years' traffic measurement data from a large European Internet service provider resulting in a true-positive rate of 0.8 while maintaining a 0.05 false-positive rate. The lockdown imposed by the COVID-19 pandemic reduced the overflow prediction accuracy. Nevertheless, starting from the end of April 2020 with the gradual lockdown release, the old models trained before the pandemic perform equally well.

Rami Puzis, Polina Zilberman, Yuval Elovici

Attackers rapidly change their attacks to evade detection. Even the most sophisticated Intrusion Detection Systems that are based on artificial intelligence and advanced data analytic cannot keep pace with the rapid development of new attacks. When standard detection mechanisms fail or do not provide sufficient forensic information to investigate and mitigate attacks, targeted threat hunting performed by competent personnel is used. Unfortunately, many organization do not have enough security analysts to perform threat hunting tasks and today the level of automation of threat hunting is low. In this paper we describe a framework for agile threat hunting and forensic investigation (ATHAFI), which automates the threat hunting process at multiple levels. Adaptive targeted data collection, attack hypotheses generation, hypotheses testing, and continuous threat intelligence feeds allow to perform simple investigations in a fully automated manner. The increased level of automation will significantly boost the analyst's productivity during investigation of the harshest cases. Special Workflow Generation module adapts the threat hunting procedures either to the latest Threat Intelligence obtained from external sources (e.g. National CERT) or to the likeliest attack hypotheses generated by the Attack Hypotheses Generation module. The combination of Attack Hypotheses Generation and Workflows Generation enables intelligent adjustment of workflows, which react to emerging threats effectively.