AN EARLY DETECTION MODEL FOR KERBEROASTING ATTACKS AND DATASET LABELING


(Received: 25-Aug.-2022, Revised: 28-Oct.-2022, Accepted: 22-Nov.-2022)
The wild nature of humans has become civilized, and the weapons they use to attack each other are now digitized. Security over the Internet usually takes a defensive shape, aiming to fight against attacks created for malicious reasons. Invaders' actions over the Internet follow patterns, since they go through specific steps every time they attack. These patterns can be used to predict, mitigate and stop such attacks. This study proposes a method to label datasets related to multi-stage attacks according to the attack stage rather than the attack type. These datasets can later be used in machine-learning models to build intelligent defensive models. In addition, we propose a method to predict and kill attacks early in an Active Directory environment, such as Kerberoasting attacks. In this study, we collected data related to a suggested Kerberoasting attack scenario in pcap files. Every pcap file contains data related to a particular stage of the attack life-cycle, and the information extracted from the pcap files was used to highlight the features and specific activities of every step. This information was used to draw an efficient defensive plan against the attack. Here, we propose a methodology to draw equivalent defensive plans for other attacks similar to the Kerberoasting attack covered in this study.
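As an added example that is not part of the paper, the following Python labels pcap-extracted LDAP and Kerberos records by attack stage and raises an early alert when one account requests RC4 (etype 23) service tickets for several distinct SPNs in a short window. The record layout, the RC4 heuristic, the window and the SPN threshold are assumptions, and the records in SAMPLE are constructed rather than captured traffic.

```python
# Added example, not code from the paper: label pcap-derived records by
# attack stage and raise an early Kerberoasting alert. The record layout,
# the RC4 heuristic and the thresholds are assumptions; the records in
# SAMPLE are constructed, not captured traffic.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 23  # Kerberos etype 23 (RC4-HMAC): ticket can be cracked offline


def label_stage(rec):
    """Map one extracted record to a stage of the attack life-cycle."""
    if rec["proto"] == "LDAP" and "servicePrincipalName" in rec.get("filter", ""):
        return "enumeration"         # SPN discovery via LDAP search
    if rec["proto"] == "KRB5" and rec["msg"] == "TGS-REQ":
        if rec["etype"] == RC4_HMAC:
            return "ticket_request"  # the crackable service-ticket request
        return "benign_tgs"          # AES ticket: normal service access
    return "other"


def detect_kerberoasting(records, window=timedelta(minutes=5), min_spns=3):
    """Alert when one account requests RC4 service tickets for at least
    min_spns distinct SPNs within `window`. Returns (user, start, spns)."""
    per_user = defaultdict(list)
    for rec in records:
        if label_stage(rec) == "ticket_request":
            per_user[rec["user"]].append(
                (datetime.fromisoformat(rec["ts"]), rec["spn"]))
    alerts = []
    for user, events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            spns = {spn for t, spn in events[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts.append((user, t0.isoformat(), sorted(spns)))
                break                # one alert per account is enough
    return alerts


def _tgs(ts, user, etype, spn):      # helper to build a constructed TGS-REQ
    return {"ts": ts, "user": user, "proto": "KRB5", "msg": "TGS-REQ",
            "etype": etype, "spn": spn}


SAMPLE = [  # constructed records, in the form a pcap extraction would yield
    {"ts": "2022-08-01T09:00:00", "user": "jdoe", "proto": "LDAP",
     "msg": "searchRequest", "filter": "(servicePrincipalName=*)"},
    _tgs("2022-08-01T09:00:05", "jdoe", 23, "MSSQLSvc/db01.corp.example:1433"),
    _tgs("2022-08-01T09:00:06", "jdoe", 23, "HTTP/web01.corp.example"),
    _tgs("2022-08-01T09:01:10", "jdoe", 23, "CIFS/file01.corp.example"),
    _tgs("2022-08-01T09:02:00", "alice", 18, "HTTP/web01.corp.example"),
]
```

Running `detect_kerberoasting(SAMPLE)` returns one alert for `jdoe` with three SPNs, while the AES request by `alice` is labelled `benign_tgs` and never counted.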
