VENKATA SAI CHARAN PUTREVU, Subhasis Mukhopadhyay, Subhajit Manna, Nanda Rani, Ansh Vaid, Hrushikesh Chunduri, P. Mohan Anand, Sandeep Kumar Shukla
Honeypots serve as a valuable deception technology, enabling security teams to gain insights into the
behaviour patterns of attackers and investigate cyber security breaches. However, traditional honeypots prove
ineffective against advanced adversaries such as APT groups because of their evasion tactics and their awareness of
typical honeypot solutions. This paper emphasises the need to capture these attackers for enhanced threat
intelligence, detection, and protection. To address this, we propose the design and deployment of a customized
honeypot network based on adaptive camouflaging techniques. Our work focuses on orchestrating a behavioral
honeypot network tailored to three APT groups, with strategically positioned attack paths aligned with their
Tactics, Techniques, and Procedures, covering all phases of the cyber kill chain.
VENKATA SAI CHARAN PUTREVU, Ratnakaram, G, Chunduri, H, Anand, P. M, Shukla, S. K
Cyber Threat Intelligence (CTI) plays an indispensable role in providing evidence-based knowledge to plan
defensive strategies against advanced cyber attacks. Most threat intelligence data originate from security
researchers, vendor blogs, lists of threat indicators, and commercial cyber security firms. However, as attack
surfaces become more dynamic and threat actors shift towards organization- or sector-specific attacks, generic
threat information is no longer adequate to safeguard against these targeted attacks. In such scenarios,
darknet data can be an invaluable source of threat information at the enterprise level, since in a darknet the
traffic is destined for a range of unused IP addresses. As these IP addresses are unused, any traffic destined
for them is considered suspicious and can serve as a valuable source of threat intelligence. Darknet
monitoring is done in either active or passive mode. Passive darknet monitoring gives only generic information,
without active engagement with the attacking devices. We therefore developed a novel method for gathering threat
intelligence via active darknet monitoring by designing a kernel-level darknet sensor that engages incoming
traffic by completing the TCP 3-way handshake. We called it DARK-KERNEL in our previous work. This work aims to
implement DARK-KERNEL as a Service (DKaaS) for organization-level threat intelligence. To achieve this, we
deploy DARK-KERNEL on four unused public IP addresses. We gather 37 days of traffic and provide
a comprehensive analysis of the captured data using Security Onion and several automated scripts. In addition, we
highlight a few attacks to demonstrate the effectiveness of DKaaS. Finally, we propose a novel framework that
integrates DKaaS with a customizable Security Orchestration and Response (SOAR) engine to deploy behavioral
honeypots that lure sophisticated attackers.
VENKATA SAI CHARAN PUTREVU, Hrushikesh Chunduri, P. Mohan Anand, Sandeep K Shukla
This research article critically examines the potential risks and implications arising from the malicious
use of large language models (LLMs), focusing specifically on ChatGPT and Google's Bard. Although these
large language models have numerous beneficial applications, the misuse of this technology by cybercriminals
to create offensive payloads and tools is a significant concern. In this study, we systematically generated
implementable code for the top-10 MITRE Techniques prevalent in 2022 using ChatGPT, and conducted a
comparative analysis of its performance against Google's Bard. Our experimentation reveals that ChatGPT has the
potential to enable attackers to accelerate the operation of more targeted and sophisticated attacks.
Additionally, the technology gives amateur attackers more capability to perform a wide range of
attacks and empowers script kiddies to develop customized tools, contributing to the acceleration of
cybercrime. Furthermore, LLMs significantly benefit malware authors, particularly ransomware gangs, in
generating sophisticated variants of wiper and ransomware attacks with ease. On a positive note, our study
also highlights how offensive security researchers and pentesters can make use of LLMs to simulate realistic
attack scenarios, identify potential vulnerabilities, and better protect organizations. Overall, we conclude
by emphasizing the need for increased vigilance in mitigating the risks associated with LLMs. This includes
implementing robust security measures, increasing awareness and education around the potential risks of this
technology, and collaborating with security experts to stay ahead of emerging threats.
P. Mohan Anand, VENKATA SAI CHARAN PUTREVU, Sandeep K Shukla
Even though machine learning and signature-based detection methods for ransomware have been proposed, they
often fail to achieve very accurate detection. Ransomware that evades detection moves to the execution phase
after initial access and installation. Due to the catastrophic nature of a ransomware attack, it is crucial to
detect it in the early stages of execution. If there is a method to detect ransomware in its execution phase
early enough, then one can kill its processes to stop the attack. However, early detection based on
dynamic API call analysis is not an ideal solution, as contemporary ransomware variants use low-level
system calls to circumvent such detection methods. In this work, we use hardware performance counters (HPCs) as
features to detect ransomware within 3-4 seconds, which may be sufficient, at least in the case of
ransomware that takes longer to complete its full execution.
P. Mohan Anand, VENKATA SAI CHARAN PUTREVU, Hrushikesh Chunduri, Sandeep K Shukla
It is crucial to restrain ransomware activity before it causes significant damage or spreads further
throughout the system. In this regard, we propose RTR-Shield, a novel rule-based tool to detect and block
crypto-ransomware activity in its early stage of execution. The tool primarily relies on two monitoring blocks:
the Registry Activity Monitoring Block (RAMB) and the File Trap Monitoring Block (FTMB). RAMB is derived from
forensic analysis of the registry modifications performed by 27 recent ransomware families within the first 10 s
of payload execution. We also reveal the common keys and values that ransomware modifies in its
pre-encryption phase.