Analysis of Internet Telescope Data for IoT Cyber Threat Intelligence
Due to the immense proliferation of Internet of Things (IoT) devices across all levels (e.g., homes, businesses and industries), entangled with an abundance of vulnerabilities and Internet-wide scanning, IoT devices have grown into a captivating hive of cyber targets for perpetrators. In late 2016, the Mirai botnet, infecting vulnerable IoT devices in the wild, initiated the largest recorded Distributed Denial of Service (DDoS) attack, in which the IoT ecosystem was boldly introduced as a potentially potent weapon in the arsenal of cyber attackers. Furthermore, following the public release of the Mirai source code, a series of Mirai variants emerged in the wild (e.g., Miori, Hajime, Masuta), inheriting the same core scheme, scanning pace, infection course and network communication style of Mirai's initial implementation while amending actor-specific malware elements. Such uncontrolled expansion of malware led to an unprecedented battle among Mirai's variants abusing a massive number of previously infected, as well as non-infected, IoT devices. This chaotic phenomenon has left the security of worldwide IoT devices belonging to individuals, industries and Critical Infrastructures (CI) as a deserted victim of IoT botnet malware provoked and controlled by malicious actors and cyber criminal groups. In this dissertation, I formalize the detection systems and the activities generated by infected IoT devices from the Internet telescope perspective. Further, I propose techniques to fingerprint infected IoT devices at large scale and cluster them into orchestrated campaigns. I also provide several investigations, including longitudinal analysis, to shed light on their evolution. In addition, I develop and implement eX-IoT, a first-of-a-kind operational, real-time Cyber Threat Intelligence (CTI) feed, operating on streaming Internet-scale network telescope data, for fingerprinting (and notifying about) compromised IoT devices deployed in Internet-wide realms.
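As an added illustration, not code from the dissertation or the eX-IoT feed, the following Python sketch applies one widely documented fingerprint of Mirai-family stateless scanners (the TCP sequence number of each probe SYN set to the destination IPv4 address) to constructed telescope records and counts hits per source; the record layout, the port set and the threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of darknet SYN records: (src_ip, dst_ip, dst_port, tcp_seq).
# tcp_seq is the raw 32-bit sequence field read big-endian from the packet.
# Mirai-family stateless scanners set that field to the destination IPv4 address
# (visible in the leaked Mirai scanner source), so seq == int(dst_ip) is a fingerprint.
def _ip_int(ip):
    return int(ipaddress.IPv4Address(ip))

SAMPLE_RECORDS = [
    ("203.0.113.5", "198.51.100.7", 23, _ip_int("198.51.100.7")),      # Mirai-like
    ("203.0.113.5", "198.51.100.9", 2323, _ip_int("198.51.100.9")),    # Mirai-like
    ("203.0.113.5", "198.51.100.12", 23, _ip_int("198.51.100.12")),    # Mirai-like
    ("192.0.2.44", "198.51.100.7", 23, 1234567),                       # random seq: other scanner
    ("192.0.2.99", "198.51.100.20", 80, _ip_int("198.51.100.20")),     # fingerprint on a non-Telnet port
]

# Telnet ports probed by the original Mirai scanner; variants extend this set.
MIRAI_TELNET_PORTS = {23, 2323}


def is_mirai_like_syn(dst_ip, dst_port, tcp_seq, ports=None):
    """True when a SYN carries the Mirai stateless-scan fingerprint.

    If `ports` is given, the destination port must also be in that set.
    """
    if ports is not None and dst_port not in ports:
        return False
    return tcp_seq == _ip_int(dst_ip)


def fingerprint_sources(records, min_hits=2, ports=None):
    """Count fingerprinted SYNs per source IP; keep sources with >= min_hits.

    The threshold (assumed here) reduces false positives from a single
    coincidental sequence-number match.
    """
    hits = Counter(
        src for src, dst, port, seq in records
        if is_mirai_like_syn(dst, port, seq, ports)
    )
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in fingerprint_sources(SAMPLE_RECORDS).items():
        print(f"{src}: {n} Mirai-like probes")  # 203.0.113.5: 3 Mirai-like probes
```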
Finally, I propose a proactive deception technique to perform large-scale IoT malware attribution by exploiting a flaw in the stateless scanning module of the existing IoT malware in the wild. I primarily turn a large Internet telescope into a large honeypot to capture the interactions of infected IoT devices on the Internet.