The WOMBAT Attack Attribution Method: Some Results
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
On a multicriteria clustering approach for attack attribution
ACM SIGKDD Explorations Newsletter
An analysis of rogue AV campaigns
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
A strategic analysis of spam botnets operations
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Identifying almost identical files using context triggered piecewise hashing
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Visual spam campaigns analysis using abstract graphs representation
Proceedings of the Ninth International Symposium on Visualization for Cyber Security
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
Hi-index | 0.00 |
Recent high-profile attacks against governments and large industry demonstrate that malware can be used for effective industrial espionage. Most previous incident reports have focused on describing the anatomy of specific incidents and data breaches. In this paper, we provide an in-depth analysis of a large corpus of targeted attacks identified by Symantec during the year 2011. Using advanced triage data analytics, we are able to attribute series of targeted attacks to attack campaigns quite likely performed by the same individuals. By analyzing the characteristics and dynamics of those campaigns, we provide new insights into the modus operandi of attackers involved in those campaigns. Finally, we evaluate the prevalence and sophistication level of those targeted attacks by analyzing the malicious attachments used as droppers. While a majority of the observed attacks rely mostly on social engineering, have a low level of malware sophistication and use little obfuscation, our malware analysis also shows that at least eight attack campaigns started about two weeks before the disclosure date of the exploited vulnerabilities, and therefore were probably using zero-day attacks at that time.