Social media snitches on imminent cyber-attacks

Everybody is using social media. Not only the good guys, the bad ones as well. But luckily, you can use that to your advantage, as does the Brazilian research and education network RNP. Together with researchers from several universities, RNP has designed an early warning system monitoring a range of social media channels to spot imminent attacks and to launch preventive measures and counterattacks.

Cybercriminals send each other messages, for example, on Twitter and Facebook, to orchestrate and coordinate attacks. Here are some current examples from Brazil:

On 18th March 2014 user AnonymousBR tweeted: “Operation Hacking World Cup DoS (Denial of Service) DDos attack against government servers
Secrets revealed”.

Shortly after, several Brazilian government web servers suffered DoS attacks.

Social networks

On 19th April 2016, several users retweeted: “@Anatel_Informa Bring people pressure on them? Petition? DDoS #Target”.

The following day, the Brazilian Telecommunications Agency Anatel’s web servers suffered a massive DDoS attack, and, 4 days later, sensitive data was publicly leaked.

As the number and intensity of cyber attacks increases at a fast pace, in the field of research and education as well, universities and research organizations have to fight back by raising their security standards. In this Brazilian project, called EWS (from Early Warning System), network engineers are able to protect data and infrastructure by getting ahead of the attackers.

Early Warning System

According to the EWS project coordinator, Daniel Batista, (pictured above) the ease of accessing online social networks nowadays, mainly via mobile devices, has attracted the attention of the attackers. “Many attacks, in order to succeed, need the work of a large amount of people. Attackers have noticed that you can recruit these people through social networks”.

In addition, in certain attacks, such as web page defacement, the attackers aim to let the world know that they are responsible, so they use social networks to showcase their actions. “This means that monitoring of social networks brings a new type of relevant information for IT security that will never appear, early, in logs of firewalls or operating systems”, says Batista.

Reactive procedures

The Early Warning System, known as Hórus, anticipates security events and incidents against network and computer systems located within the infrastructure of RNP and their clients’ networks. A web system and sensors collect data from social networks and other non-structured sources.

In 2015, a prototype was built to monitor and collect messages about cyber security events posted on Twitter and Facebook. The messages were normalized, filtered, and analysed to find potential security incidents involving RNP clients.

During the first year Hórus detected security notifications and incidents about data leak, attack orchestrations, new vulnerabilities, potential targets and defacements of Web pages. And RNP was able to launch reactive mechanism to prevent or reduce the damage caused by the attacks.

Upgrades

During 2016 the system has been improved to use Natural Language Processing (NLP) to filter out relevant messages more efficiently. Also, new data sources were introduced, such as forums and Internet Relay Chat (IRC) channels used by attackers. Besides that, the Hórus system was integrated on a pilot mode with the system known as SGIS used by the RNP’s Service Centre for Security Incidents (CAIS).

Now, in 2017, RNP’s Service Center for Security Incidents (CAIS) is moving the Hórus system into production to improve its incident handling process. RNP conducts the project together with researchers from the University of Sao Paulo and the Federal Technological University of Paraná.