Iranian Journal of
Information Technology & Communication
No.33-34, Vol.9, Fall & Winter 2018
Cyber Threats Foresight Against Iran Based on Attack Vector
* Mahdi Omrani ** Masoud Shafiee *** Siavash Khorsandi
* Department of Management, Science and Technology, Amirkabir University of Technology, Tehran, Iran
** Faculty of Electrical Engineering, Amirkabir University of Technology, Tehran, Iran
*** Associate Professor, Faculty of Computer Engineering, Amirkabir University of Technology, Tehran, Iran
Cyber threats have increased extraordinarily in recent years. Cyber attackers, whether government agencies or hackers, have made significant advances in the tools they use against target systems in several countries, and in particular against the Islamic Republic of Iran. The complexity of cyber threats and their devastating effects on critical systems make cyber threat foresight a necessity. This research can prepare the country to counter cyber threats based on existing and potential attack vectors. First, 18 major drivers of cyber threats, based on attack vectors, were identified by reviewing the literature and interviewing seven experts. We then use the cross-impact analysis method from futures studies to identify the main drivers of future cyber threats, such as social engineering, denial of service, ransomware, spoofing and fraud, and non-state actors; the Mic Mac software is used for this step. Finally, future cyber threat scenarios were identified with a scenario-based approach using the Scenario Wizard software. The results include two strong scenarios and 18 possible scenarios. According to the strongest scenario, ransomware, spoofing, fraud, social engineering and denial of service are the most likely cyber threats, carried out by non-state actors at a limited level.
Keywords: foresight; cyber threats; attack vector; cross-impact analysis; scenario
Today, cyber threats are among the most serious and ambiguous concerns of many countries in cyberspace. Because cyber threats differ from traditional and conventional threats in their nature, their content and the multiplicity of actors involved, they can no longer be confronted with past strategies and actions. Threats such as Stuxnet, Duqu, Wiper and WannaCry against the country highlight the need for cyber threat foresight and for preparedness to deal with such threats.
The emergence of new trends and paradigms in information and communication technology, such as service orientation, networking, cloud computing, the Internet of Things and the fourth industrial revolution, has had deep effects on the perspectives, orientations, policies and strategies of organizations and governments.
The foresight approach, used extensively in formulating macro-level documents at the national and international levels, is a participatory approach: it draws on the broad involvement of experts and influential institutions in each field when developing strategic documents, visions and policies, and it makes agreement and consensus among them possible.
If the trends and key factors of cyber threats, and their effects on one another, are identified, future cyber security scenarios can be built and an organization's cyber security challenges can be managed. It is therefore essential that serious measures be taken at the strategic, operational and technical levels, across the various dimensions of cyber threats, through futures research in our country.
The paper is organized as follows. Section 2 reviews the most important research on the classification of cyber threats. Section 3 presents the main research approach. The research methodology and the analysis of the results are described in Sections 4 and 5. Section 6 presents conclusions and future work.
There are several ways to categorize cyber threats. The main characteristics of a proper cyber threat classification are that it be acceptable, non-overlapping, comprehensible, complete, comprehensive, clear and repeatable. Some of the best-known cyber threat classifications are the following:
Kjaerland (2005) categorized cyber intrusions along four dimensions: method of operation, impact of the intrusion, source of the intrusion and target. The study examined the likelihood of attacks against different kinds of targets and the likelihood of various kinds of attacks occurring together against a given target. The classification emphasizes the attacker's motive and tries to analyze quantitatively the cause and the location of the attack. Its weakness is that it does not provide enough detail about the vectors by which an attack starts, offering only a high-level view of the types of attack vector.
Hansman and Hunt (2004) created a taxonomy designed for use by information security bodies to classify new attacks. It is based on four dimensions: the attack tool, the target of the attack, the type of vulnerability and the impact of the attack. Each dimension provides defenders with several levels of detail about the attack. The weakness of the classification is that it carries too little information about vulnerabilities, so it lacks the information needed to protect a system against attacks.
Mirkovic and Reiher created a comprehensive taxonomy of DDoS attacks and defenses. It categorizes defense mechanisms by activity level, degree of cooperation and deployment location, and attacks by source address validity, attack rate dynamics, victim type and impact level. The weakness of this classification is that it covers only a single attack type.
Lough proposed an attack-driven classification called VERDICT, which focuses on four main causes of security flaws: improper validation, improper exposure, improper randomness and improper deallocation. Its weakness is that it does not take into account the types of attack, such as worms, viruses and Trojans.
Howard proposed an event-based classification of attacks along five dimensions: tools, vulnerabilities, actions, objectives and results. Although it provides useful information, it lacks the detail needed for accurate analysis of attacks.
Simmons et al. (2009) proposed a cyber threat taxonomy called AVOIDIT, based on five dimensions (Attack Vector, Operational Impact, Defense, Informational Impact and Target), to help identify and defend against cyber attacks. It is intended to address the shortcomings of earlier taxonomies and provides useful information for managing cyber threats. Its lack of coverage of physical attack vectors and of new attacks is one of its weaknesses.
Among the dimensions of cyber threats in the classifications above, one of the most important is the attack vector. The main approach of the present research is to identify the most common attack vectors and to map out future cyber threats based on them.
- The Main Research Approach
One of the key components of a cyber threat is its attack vector. An attack vector is the path through which an attacker can reach and compromise a system. Launching a successful attack may require chaining several vulnerabilities; therefore, accurately investigating attack vectors requires identifying the vulnerabilities in the system.
A great deal of research has been done on software vulnerabilities, and there are various databases in this field. CVE (Common Vulnerabilities and Exposures) and the NVD (National Vulnerability Database) are two examples. Although the CVE list covers more than 98,000 vulnerabilities, it is difficult to use on its own, because it does not classify vulnerabilities by type.
The NVD enriches CVE entries with scores from the Common Vulnerability Scoring System (CVSS), but its sheer volume of entries makes it hard to work with. In CVSS the attack vector (AV) is one of the key metrics used to quantify a vulnerability: it records whether the flaw is reachable over the network, from an adjacent network, locally, or only with physical access.
The present research predicts the future of cyber threats based on attack vectors. The 11 attack vectors listed in the latest version of the AVOIDIT classification were taken as the starting point. More than 20 further attack vectors were added by reviewing several security sources, such as McAfee's 2017 threat reports and EU cyber threat reports.
- Research Methodology
Foresight draws on more than 39 research methods, which are generally used in combination. This research combines several foresight methods: literature review, expert panels, cross-impact analysis and scenario analysis. Given the characteristics of the statistical population (cyber security and foresight experts), purposive sampling was used. The time horizon of the research is ten years from now.
The cross-impact analysis method, one of the prominent scenario planning methods, was first developed by Theodore Gordon and Olaf Helmer in 1966. It visualizes the interactions between trends and variables and is based on the question: can forecasts of the future be built on the possible effects of future events on one another?
The steps of the cross-impact analysis are as follows:
A. In the first step, a total of 31 major attack vectors were identified and provided to seventeen cyber security and foresight experts. The attack vectors were examined in several expert panels. By eliminating the less important vectors and merging similar ones, 18 attack vectors were finally identified as the drivers of cyber threats. They are described in Table 1.
B. In the second step, an 18x18 matrix of the drivers was designed, and the experts were asked to rate the influence of each of the 18 main drivers on each of the others on a scale of 0 to 3: 0 for no influence, 1 for low influence, 2 for medium influence and 3 for strong influence.
C. In the third step, the main drivers of cyber threats were identified by cross-impact analysis; the results of the experts' supplementary questionnaires were analyzed with the Mic Mac software.
Table1: Most Important Attack Vectors
Insufficient Input Validation
Insufficient Authentication Validation
File Descriptor Attack
Denial Of Service
Rootkit & Botnet
- Analysis of research findings
The Mic Mac software determines the degree of influence and dependence of the variables and their position in the influence/dependence space, identifies low-impact variables that can be removed, identifies target and effective variables, and singles out the most important variables as the main drivers. The results of the experts' completed supplementary questionnaires, as processed by the Mic Mac software, are as follows:
The matrix fill rate is 94.44%, which indicates that the selected factors influence one another in more than 94% of cases. Of the 324 relationships that can be evaluated, 18 are zero; these pairs of factors have no effect on each other. According to the statistical indicators, the matrix reached 100% stability for both influence and dependence after two iterations, which shows the high validity of the questionnaire.
In Table 2, the sum of each variable's row gives its influence on the other variables and the sum of each variable's column gives its dependence on them, after two iterations.
Table 2: Cross-impact matrix, main indicators
The influence/dependence map of the variables
The most important output of the Mic Mac software is the placement of the variables on the influence/dependence map, shown in Figure 1.
Figure 1: Influence/dependence map of the variables
On this map, the system variables fall into five zones: influential variables; two-way variables (risk and target); dependent (influenced) variables; independent variables; and regulator variables.
Influential variables: they have high influence and low dependence and are located in the north-west.
Two-way variables (risk and target): they are simultaneously highly influential and highly dependent and are located in the north-east.
Dependent variables (results): they have very low influence and very high dependence and are located in the south-east.
Independent variables: they have low influence and low dependence and are located in the south-west.
Regulator variables: they can evolve into any of the other types and are located around the centre of gravity.
When both the influence and the dependence of a variable are high, it falls into the risk/target zone and can therefore be considered a key factor for success.
Another important output of the Mic Mac software is the direct and indirect effects of the variables. Table 3 shows the direct and indirect effects in order of priority.
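To make steps A to C of the cross-impact analysis and the Mic Mac outputs described above (fill rate, influence and dependence, the quadrant map, and direct versus indirect effects) concrete, here is an added Python example. It is not the paper's expert data and not the Mic Mac software: it runs a MICMAC-style analysis on a constructed 6x6 matrix covering six of the eighteen drivers, with made-up 0 to 3 scores, and the zone names are the paper's, except that the regulator zone around the centre of gravity is not modelled.

```python
"""
MICMAC-style cross-impact analysis on a small constructed driver matrix.
Added example: not the paper's expert data and not the Mic Mac software.
"""
from typing import Dict, List

# Six of the 18 drivers from Table 1 / Section 5, with constructed 0-3
# scores (NOT the experts' questionnaire values). MATRIX[i][j] is the
# influence of driver i on driver j; the diagonal is left at zero.
DRIVERS: List[str] = [
    "Social engineering",
    "Denial of service",
    "Ransomware",
    "Non-state actors",
    "Buffer overflow",
    "Rootkit & botnet",
]
MATRIX: List[List[int]] = [
    [0, 2, 3, 0, 0, 2],
    [2, 0, 2, 0, 0, 3],
    [2, 2, 0, 0, 0, 3],
    [3, 3, 3, 0, 2, 3],
    [0, 1, 1, 0, 0, 1],
    [1, 2, 1, 0, 0, 0],
]


def fill_rate(m: List[List[int]]) -> float:
    """Share of the n*n cells holding a non-zero score (the paper reports 94.44%)."""
    n = len(m)
    nonzero = sum(1 for row in m for v in row if v != 0)
    return nonzero / (n * n)


def influence(m: List[List[int]]) -> List[int]:
    """Row sums: how strongly each driver acts on the others."""
    return [sum(row) for row in m]


def dependence(m: List[List[int]]) -> List[int]:
    """Column sums: how strongly each driver is acted upon by the others."""
    return [sum(col) for col in zip(*m)]


def matmul(a: List[List[int]], b: List[List[int]]) -> List[List[int]]:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def matrix_power(m: List[List[int]], k: int) -> List[List[int]]:
    """M^k: entry (i, j) sums the weighted influence paths of length k from i
    to j, which is how indirect effects are derived from the direct matrix."""
    result = m
    for _ in range(k - 1):
        result = matmul(result, m)
    return result


def ranking(m: List[List[int]], names: List[str], k: int = 1) -> List[str]:
    """Drivers ordered by influence along paths of length k (k=1 direct,
    k>=2 indirect). Ties are broken alphabetically so the order is stable."""
    scores = influence(matrix_power(m, k))
    return [name for _, name in sorted(zip(scores, names), key=lambda t: (-t[0], t[1]))]


def classify(m: List[List[int]], names: List[str]) -> Dict[str, str]:
    """Place each driver on the direct influence/dependence map, splitting each
    axis at its mean. Only the four quadrants are returned; the paper's fifth
    zone (regulators near the centre of gravity) is not modelled here."""
    n = len(m)
    infl, dep = influence(m), dependence(m)
    total = sum(infl)  # equals sum(dep); the mean of either axis is total / n
    zones: Dict[str, str] = {}
    for name, i, d in zip(names, infl, dep):
        high_i, high_d = i * n >= total, d * n >= total  # integer compare, no float mean
        if high_i and high_d:
            zones[name] = "two-way (risk/target)"
        elif high_i:
            zones[name] = "influential"
        elif high_d:
            zones[name] = "dependent"
        else:
            zones[name] = "independent"
    return zones


if __name__ == "__main__":
    print(f"fill rate: {fill_rate(MATRIX):.2%}")
    zones = classify(MATRIX, DRIVERS)
    for name, i, d in zip(DRIVERS, influence(MATRIX), dependence(MATRIX)):
        print(f"{name:20s} influence={i:3d} dependence={d:3d} zone={zones[name]}")
    print("direct ranking:  ", ranking(MATRIX, DRIVERS, k=1))
    print("indirect ranking:", ranking(MATRIX, DRIVERS, k=2))
```

With the paper's own figures, 18 zero cells out of 324 give a fill rate of 306/324 = 94.44%, which is what `fill_rate` computes. Squaring the matrix is the simplest form of the indirect analysis: the real Mic Mac software keeps raising the matrix to higher powers until the ranking of variables stops changing, which is the "two iterations, 100% stability" reported above; on this constructed matrix the ranking is already stable at k=2.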
Analyzing the direct effects of variables
Figure 2 shows the scatter map of the variables and their positions on the direct influence/dependence map. The variable non-state actors lies in the influential zone. Social engineering, denial of service, ransomware, and spoofing and fraud lie in the two-way zone. Known vulnerabilities, insufficient input validation, kernel flaws, insufficient authentication validation and installed malware lie in the dependent zone. Buffer overflow, design error, file descriptor attack, incorrect configuration, race condition and symbolic link lie in the independent zone, and rootkit and botnet lies in the regulator zone.
Table 3: Direct and Indirect Effects