Pivot Attack Classification for Cyber Threat Intelligence

Rafael Salema Marques; Haider Al-Khateeb; Gregory Epiphaniou; Carsten Maple

doi:10.26735/zntl3639

Pivot Attack Classification for Cyber Threat Intelligence

Rafael Salema Marques, Haider Al-Khateeb, Gregory Epiphaniou, Carsten Maple

Research output: Contribution to journal › Article › peer-review

Abstract

The initial access achieved by cyber adversaries conducting a systematic attack against a targeted network is unlikely to be an asset of interest. Therefore, it is necessary to use lateral movement techniques to expand access to different devices within the network to accomplish the strategic attack’s objectives. The pivot attack technique is widely used in this context; the attacker creates an indirect communication tunnel with the target and uses traffic forwarding methods to send and receive commands. Recognising and classifying this technique in large corporate networks is a complex task, due to the number of different events and traffic generated. In this paper, we present a pivot attack classification criteria based on perceived indicators of attack (IoA) to identify the level of connectivity achieved by the adversary. Additionally, an automatic pivot classifier algorithm is proposed to include a classification attribute to introduce a novel capability for the APIVADS pivot attack detection scheme. The new algorithm includes an attribute to differentiate between types of pivot attacks and contribute to the threat intelligence capabilities regarding the adversary modus operandi. To the best of our knowledge, this is the first academic peer-reviewed study providing a pivot attack classification criteria.

Original language	English
Pages (from-to)	91-103
Number of pages	12
Journal	Journal of Information Security and Cybercrimes Research
Volume	5
Issue number	2
DOIs	https://doi.org/10.26735/zntl3639
Publication status	Published - 3 Oct 2022

Bibliographical note

Keywords

Cybersecurity
Pivot Attack
Classification
Lateral Movement
Pivoting
Flow-Based Analysis

Access to Document

10.26735/zntl3639Licence: CC BY-NC 4.0

Pivot_Attack_Classification_For_Cyber_Threat_Intelligence
© 2022. JISCR. This is an open access article, distributed under the terms of the Creative Commons, Attribution-NonCommercial License.
Final published version, 2.02 MBLicence: CC BY-NC 4.0

Cite this

@article{ef287dd8439f466d8442988a7c32b449,

title = "Pivot Attack Classification for Cyber Threat Intelligence",

abstract = "The initial access achieved by cyber adversaries conducting a systematic attack against a targeted network is unlikely to be an asset of interest. Therefore, it is necessary to use lateral movement techniques to expand access to different devices within the network to accomplish the strategic attack{\textquoteright}s objectives. The pivot attack technique is widely used in this context; the attacker creates an indirect communication tunnel with the target and uses traffic forwarding methods to send and receive commands. Recognising and classifying this technique in large corporate networks is a complex task, due to the number of different events and traffic generated. In this paper, we present a pivot attack classification criteria based on perceived indicators of attack (IoA) to identify the level of connectivity achieved by the adversary. Additionally, an automatic pivot classifier algorithm is proposed to include a classification attribute to introduce a novel capability for the APIVADS pivot attack detection scheme. The new algorithm includes an attribute to differentiate between types of pivot attacks and contribute to the threat intelligence capabilities regarding the adversary modus operandi. To the best of our knowledge, this is the first academic peer-reviewed study providing a pivot attack classification criteria.",

keywords = "Cybersecurity, Pivot Attack, Classification, Lateral Movement, Pivoting, Flow-Based Analysis",

author = "Marques, {Rafael Salema} and Haider Al-Khateeb and Gregory Epiphaniou and Carsten Maple",

note = "{\textcopyright} 2022. JISCR. This is an open access article, distributed under the terms of the Creative Commons, Attribution-NonCommercial License.",

year = "2022",

month = oct,

day = "3",

doi = "10.26735/zntl3639",

language = "English",

volume = "5",

pages = "91--103",

number = "2",

}

TY - JOUR

T1 - Pivot Attack Classification for Cyber Threat Intelligence

AU - Marques, Rafael Salema

AU - Al-Khateeb, Haider

AU - Epiphaniou, Gregory

AU - Maple, Carsten

PY - 2022/10/3

Y1 - 2022/10/3

N2 - The initial access achieved by cyber adversaries conducting a systematic attack against a targeted network is unlikely to be an asset of interest. Therefore, it is necessary to use lateral movement techniques to expand access to different devices within the network to accomplish the strategic attack’s objectives. The pivot attack technique is widely used in this context; the attacker creates an indirect communication tunnel with the target and uses traffic forwarding methods to send and receive commands. Recognising and classifying this technique in large corporate networks is a complex task, due to the number of different events and traffic generated. In this paper, we present a pivot attack classification criteria based on perceived indicators of attack (IoA) to identify the level of connectivity achieved by the adversary. Additionally, an automatic pivot classifier algorithm is proposed to include a classification attribute to introduce a novel capability for the APIVADS pivot attack detection scheme. The new algorithm includes an attribute to differentiate between types of pivot attacks and contribute to the threat intelligence capabilities regarding the adversary modus operandi. To the best of our knowledge, this is the first academic peer-reviewed study providing a pivot attack classification criteria.

AB - The initial access achieved by cyber adversaries conducting a systematic attack against a targeted network is unlikely to be an asset of interest. Therefore, it is necessary to use lateral movement techniques to expand access to different devices within the network to accomplish the strategic attack’s objectives. The pivot attack technique is widely used in this context; the attacker creates an indirect communication tunnel with the target and uses traffic forwarding methods to send and receive commands. Recognising and classifying this technique in large corporate networks is a complex task, due to the number of different events and traffic generated. In this paper, we present a pivot attack classification criteria based on perceived indicators of attack (IoA) to identify the level of connectivity achieved by the adversary. Additionally, an automatic pivot classifier algorithm is proposed to include a classification attribute to introduce a novel capability for the APIVADS pivot attack detection scheme. The new algorithm includes an attribute to differentiate between types of pivot attacks and contribute to the threat intelligence capabilities regarding the adversary modus operandi. To the best of our knowledge, this is the first academic peer-reviewed study providing a pivot attack classification criteria.

KW - Cybersecurity

KW - Pivot Attack

KW - Classification

KW - Lateral Movement

KW - Pivoting

KW - Flow-Based Analysis

UR - https://journals.nauss.edu.sa/index.php/JISCR/article/view/1948

U2 - 10.26735/zntl3639

DO - 10.26735/zntl3639

M3 - Article

SN - 1658-7790

VL - 5

SP - 91

EP - 103

JO - Journal of Information Security and Cybercrimes Research

JF - Journal of Information Security and Cybercrimes Research

IS - 2

ER -

Pivot Attack Classification for Cyber Threat Intelligence

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this