4 research outputs found

    HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns

    With the growing sophistication and volume of cyber attacks, combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidence and identify multistage campaigns on their network. This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), e.g., a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event. We define the concept of "Alert Episode Heat" to represent the analyst's opinion of how much an event contributes to the attack campaign of the critical IoC, given their knowledge of the network and their security expertise. Leveraging a network-agnostic feature set, HeAT learns the essence of the analyst's assessment of "HeAT" for a small set of IoCs and applies the learned model to extract insightful attack campaigns for IoCs not seen before, even across networks, by transferring what has been learned. We demonstrate the capabilities of HeAT with data collected in the Collegiate Penetration Testing Competition (CPTC) and through collaboration with a real-world SOC. We developed HeAT-Gain metrics to show how analysts may assess and benefit from the extracted attack campaigns in comparison to the common practice of corroborating evidence by IP address. Our results demonstrate the practical uses of HeAT: it finds campaigns that span diverse attack stages, removes a significant volume of irrelevant alerts, and achieves coherency with the analyst's original assessments.

    Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

    Abstract: Cyber threat intelligence (CTI) is widely recognized as an important area in cybersecurity, but it remains siloed and reserved for large organizations. For an area whose strength lies in open and responsive sharing, we see that feed generation is small in scale, secretive, and nearly always done by specialized businesses that have a commercial interest in not publicly sharing insights at a speed where they could be effective in raising preparedness or stopping an attack. This article has three purposes. First, we extensively review the state and challenges of open, crowd-sourced CTI, with a focus on the perceived barriers. Second, having identified that confidentiality (in multiple forms) is a key barrier, we perform a confidentiality threat analysis of existing sharing architectures and standards, including a review of circa one million real-world feeds shared between 2014 and 2022 on the popular open platform MISP, toward quantifying the inherent risks. Our goal is to build the case that, either by redesigning sharing architectures or simply by sanitizing shared information, the confidentiality argument is not as strong as one may have presumed. Third, after identifying key requirements for open, crowd-based sharing of CTI, we propose a reference (meta-)architecture.

    Managerial Relevance: CTI is widely recognized as a key advantage toward cyber resilience in its multiple dimensions, from business continuity to reputation and regulatory protection. Furthermore, as we review in this article, there are strong indications that the next generation of approaches to cybersecurity will be centered on CTI. Whereas CTI is an established business area, we see little adoption, closed communities, and high costs that small businesses cannot afford. For an area that, intuitively, should be open, as velocity and accuracy of information are crucial, we shed light on why we have no significant open, crowd-sourced CTI. In other words, why is usage so lacking? We identify reasons and deconstruct unclear and unhelpful rationales by looking at a wide range of literature (research and professional) and an analysis of nearly ten years of open CTI data. Our findings from current data indicate two types of reasons. One, the dominant one, is unhelpful perceptions (e.g., about confidentiality); the other stems from market factors (e.g., "free-riding") that need a collective movement, as no single player may be able to break the cycle. After looking at motivations and barriers, we review existing technologies, elicit requirements, and propose a high-level open CTI sharing architecture that could be used as a reference for practitioners.
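The "simple sanitization of shared information" that the abstract argues would weaken the confidentiality objection is easy to make concrete. The following is an added example, not code from the article or from MISP: it strips victim-side identifiers from a MISP-style event before it leaves the organization, keeping only the attacker-side indicators. The event layout (info, Tag, Attribute with type, value, comment) is a simplified assumption of MISP's JSON, the internal domain corp.example and the sample event are constructed, and the rule that free-text comments are blanked is a policy choice of this example.

```python
"""Sanitize a MISP-style event before sharing it outside the organization.
Added example: not the article's or MISP's code. Event shape, ORG_DOMAINS and
the sample event are constructed for the illustration."""
import copy
import ipaddress

# Assumption: the sharing organization's own DNS namespace.
ORG_DOMAINS = ("corp.example",)
# Only events explicitly marked for wider distribution leave the organization.
SHAREABLE_TLP = {"tlp:clear", "tlp:white", "tlp:green"}
# Explicit victim-side ranges rather than ipaddress's is_private, which would
# also flag the documentation ranges (192.0.2/24, 203.0.113/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

IP_TYPES = {"ip-src", "ip-dst"}
NAME_TYPES = {"domain", "hostname", "email-src", "email-dst"}


def is_internal_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_name(value):
    host = value.lower().rstrip(".")
    if "@" in host:                       # e-mail address: judge by its domain part
        host = host.rsplit("@", 1)[1]
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def sanitize_event(event):
    """Return (sanitized_copy, dropped_descriptions), or (None, [reason]) when
    the event's TLP marking does not allow sharing at all."""
    tags = {t.lower() for t in event.get("Tag", [])}
    if not tags & SHAREABLE_TLP:
        return None, ["event carries no shareable TLP marking: %s" % sorted(tags)]
    out = copy.deepcopy(event)            # never mutate the analyst's working copy
    kept, dropped = [], []
    for attr in out["Attribute"]:
        t, v = attr["type"], attr["value"]
        if t in IP_TYPES and is_internal_ip(v):
            dropped.append("%s=%s (internal address)" % (t, v))
        elif t in NAME_TYPES and is_internal_name(v):
            dropped.append("%s=%s (internal name)" % (t, v))
        else:
            attr["comment"] = ""          # free text routinely names victims; blank it
            kept.append(attr)
    out["Attribute"] = kept
    return out, dropped


# Constructed sample: attacker indicators mixed with victim host/user details.
SAMPLE_EVENT = {
    "info": "Phishing wave against finance team",
    "Tag": ["tlp:green"],
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.45", "comment": "C2 seen from fin-ws-07"},
        {"type": "ip-src", "value": "10.20.30.40", "comment": "victim workstation"},
        {"type": "domain", "value": "login-update.example.net", "comment": ""},
        {"type": "hostname", "value": "fin-ws-07.corp.example", "comment": ""},
        {"type": "email-src", "value": "payroll@login-update.example.net", "comment": ""},
        {"type": "email-dst", "value": "cfo@corp.example", "comment": ""},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "comment": ""},
    ],
}

if __name__ == "__main__":
    shared, dropped = sanitize_event(SAMPLE_EVENT)
    print("shared:", [(a["type"], a["value"]) for a in shared["Attribute"]])
    print("dropped:", dropped)
```

The point of the check is that what remains (attacker IP, phishing domain and sender, file hash) is exactly what a recipient needs for detection, while everything that identifies the reporting organization is gone before the event is pushed to a community instance.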

    HeAT PATRL: Network-Agnostic Cyber Attack Campaign Triage With Pseudo-Active Transfer Learning

    SOC (Security Operation Center) analysts have historically struggled to keep up with the growing sophistication and daily prevalence of cyber attackers. To aid in the detection of cyber threats, many tools such as IDSs (Intrusion Detection Systems) are used to monitor threats on a network. A common problem with these tools, however, is that the volume of logs they generate is extreme and never stops, increasing the chance that an adversary goes unnoticed until it is too late. Typically, the initial evidence of an attack is not an isolated event but part of a larger attack campaign comprising the prior steps the attacker took to reach their final goal. If an analyst can quickly identify each step of an attack campaign, a timely response can be made to limit the impact of the attack or of future attacks. In this work, we ask the question "Given IDS alerts, can we extract the cyber-attack kill chain for an observed threat in a form that is meaningful to the analyst?" We present HeAT-PATRL, an IDS attack campaign extractor that leverages multiple deep machine learning techniques, network-agnostic feature engineering, and the analyst's knowledge of potential threats to extract cyber-attack campaigns from IDS alert logs. HeAT-PATRL is the culmination of two works. The first, PATRL (Pseudo-Active Transfer Learning), translates complex alert signature descriptions to the Action-Intent Framework (AIF), a customized set of attack stages. PATRL trains a deep language model on cyber-security texts (CVEs, security blogs, etc.) and then uses transfer learning to classify alert descriptions. To further leverage the cyber context learned by the language model, we develop pseudo-active learning, which self-labels unknown, unlabeled alerts to use as additional training data. We show PATRL classifying the entire Suricata signature database (~70k signatures) with a top-1 accuracy of 87% and a top-3 accuracy of 99% using fewer than 1,200 manually labeled signatures.

    The second work, HeAT (Heated Alert Triage), captures the analyst's domain knowledge and opinion of the contribution of IDS events to an attack campaign given a critical IoC (indicator of compromise). We developed network-agnostic features to characterize and generalize attack campaign contributions so that prior triages can aid in identifying attack campaigns for other attack types, new attackers, or different network infrastructures. Using cyber-attack competition data (CPTC) and data from a real SOC operation, we demonstrate that the HeAT process can identify campaigns reflective of the analyst's thinking while greatly reducing the number of actions to be assessed by the analyst. HeAT has the unique ability to uncover attack campaigns meaningful to the analyst across drastically different network structures while maintaining the important attack campaign relationships defined by the analyst.
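The pseudo-labelling step of PATRL (train on a few hand-labelled signatures, let the model label the rest of the pool where it is confident, fold those back in and retrain) is a general self-training loop, and the following added example shows that loop on its own. It is not PATRL's code: PATRL fine-tunes a deep language model, whereas this stand-in scores a signature by how much of it is covered by each stage's vocabulary, so that it runs offline and its behaviour can be traced by hand. The three stage names are a hypothetical subset of an AIF-style stage set, the signature texts are constructed (modelled on Emerging Threats naming) and the 0.34 acceptance threshold is an assumption.

```python
"""Self-training ("pseudo-labelling") for mapping IDS signature text to
attack stages. Added example, not PATRL's model: token overlap stands in for
the language model. STAGES, the signatures and the threshold are constructed."""
import re
from collections import defaultdict

STAGES = ("recon", "exploit", "c2")   # hypothetical subset of an AIF-style stage set


def tokenize(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class StageClassifier:
    """Predicts the stage whose vocabulary covers the largest share of the signature."""

    def __init__(self):
        self.vocab = defaultdict(set)          # stage -> tokens seen in its signatures

    def fit(self, labeled):
        for text, stage in labeled:
            self.vocab[stage] |= tokenize(text)
        return self

    def predict(self, text):
        toks = tokenize(text)
        if not toks:
            return None, 0.0
        scores = {s: len(toks & self.vocab[s]) / len(toks) for s in STAGES}
        best = max(STAGES, key=scores.get)     # ties resolve to the earlier stage
        return best, scores[best]


def self_train(labeled, unlabeled, threshold=0.34, max_rounds=5):
    """Pseudo-label pool entries the current model is confident about, add them
    to the training set, refit, and repeat until nothing new qualifies.
    Returns the final classifier and the entries that never reached the bar."""
    labeled, pool = list(labeled), list(unlabeled)
    for _ in range(max_rounds):
        clf = StageClassifier().fit(labeled)
        accepted, rest = [], []
        for text in pool:
            stage, conf = clf.predict(text)
            if conf >= threshold:
                accepted.append((text, stage))
            else:
                rest.append(text)
        if not accepted:
            break
        labeled += accepted
        pool = rest
    return StageClassifier().fit(labeled), pool


# Constructed data: a few hand-labelled signatures and an unlabeled pool.
LABELED = [
    ("ET SCAN Nmap Scripting Engine User-Agent Detected", "recon"),
    ("ET SCAN Potential SSH Scan", "recon"),
    ("ET EXPLOIT Apache Struts OGNL Remote Code Execution attempt", "exploit"),
    ("ET EXPLOIT Possible Log4j RCE attempt", "exploit"),
    ("ET MALWARE Cobalt Strike Beacon C2 check-in", "c2"),
    ("ET MALWARE Meterpreter reverse shell C2 traffic", "c2"),
]
UNLABELED = [
    "SCAN Masscan port sweep detected",
    "EXPLOIT Jenkins script console remote code execution",
    "MALWARE Beacon traffic to known C2 server",
    "POLICY Large outbound DNS TXT query volume",   # overlaps no stage: must stay unlabeled
]
QUERY = "Possible port sweep from external host"

if __name__ == "__main__":
    print("before:", StageClassifier().fit(LABELED).predict(QUERY))   # latches onto 'possible'
    clf, leftover = self_train(LABELED, UNLABELED)
    print("after: ", clf.predict(QUERY))                              # 'port', 'sweep' now known
    print("still unlabeled:", leftover)
```

Before self-training the query is misfiled as exploit because the only token it shares with any labelled signature is "possible"; after the pool's port-sweep signature has been pseudo-labelled, recon wins. The threshold is what keeps the loop from amplifying its own mistakes: the DNS-volume signature never clears it and is handed back, which is the set an analyst would be asked to label by hand in the "active" half of the scheme.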

    Acquisition and modelling of Threat Intelligence to develop a reputation system (Aquisição e modelação de Threat Intelligence para desenvolver um sistema de reputação)

    The internet is the crucial technology of the information age: it improves an organization's performance and speeds up business processes. The pandemic that marked the second decade of the 21st century, COVID-19, reinforced this situation, as many public and private organizations implemented teleworking, resulting in an exponential growth in the number of devices connected to organizations' networks. Consequently, the number of devices vulnerable to attack, as well as of network access points, has increased, which has generated growing concern within organizations about the security of information and digital infrastructures and the way data are stored. At the same time, threat intelligence applied to cybersecurity is becoming predominant, as it allows sharing data about indicators of compromise (IoCs) with the aim of mitigating threats, as well as minimizing the impact of zero-day vulnerabilities used to steal vital and sensitive data from organizations. In the present work, we focus on developing a lightweight and accurate model to calculate a reputation score based on acquired threat intelligence. To this end, a connector compatible with the OpenCTI platform, which is used to collect and share information about threats, was developed. The connector collects data from external platforms and uses an algorithm to calculate the threat level (ThreatScore) of the analyzed indicator of compromise, as well as the confidence level (TrustRating) of the assigned score. This framework is designed to complement, not replace, an organization's cybersecurity program and risk management processes, providing credible information for decision making.
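The abstract names two outputs, a threat level and a confidence in that level, but does not publish how the connector computes them. The following added example shows one defensible way to produce that pair from several feeds' verdicts on a single IoC; it is not the thesis' connector, not its algorithm and not OpenCTI's API. The freshness decay (HALF_LIFE_DAYS), the coverage saturation (SATURATION), the agreement formula and the sightings are all assumptions constructed for the example.

```python
"""Fuse several feeds' verdicts on one IoC into a threat score plus a
separate confidence figure. Added example: the decay, saturation and
agreement formulas are assumptions, and the sightings are constructed."""
from dataclasses import dataclass

VERDICT_VALUE = {"malicious": 1.0, "suspicious": 0.5, "benign": 0.0}
HALF_LIFE_DAYS = 7.0   # assumption: a sighting's weight halves every week
SATURATION = 2.0       # assumption: summed weight at which coverage counts as full


@dataclass
class Sighting:
    source: str          # feed that reported the IoC
    reliability: float   # 0..1, how far this feed is trusted (set per source)
    verdict: str         # key of VERDICT_VALUE
    age_days: float      # time since the feed last saw the IoC


def reputation(sightings):
    """Return (threat_score, trust_rating), both in [0, 1].

    threat_score: reliability- and freshness-weighted mean verdict.
    trust_rating: how much to believe that score; high only when enough
    weight backs it (coverage) and the sources agree (agreement)."""
    if not sightings:
        return 0.0, 0.0
    weights = [s.reliability * 0.5 ** (s.age_days / HALF_LIFE_DAYS) for s in sightings]
    values = [VERDICT_VALUE[s.verdict] for s in sightings]
    total = sum(weights)
    score = sum(w * v for w, v in zip(weights, values)) / total
    # Weighted mean absolute deviation is at most 0.5 for values in [0, 1],
    # so 1 - 2*mad is 1 when every source agrees and 0 at an even split.
    mad = sum(w * abs(v - score) for w, v in zip(weights, values)) / total
    agreement = max(0.0, 1.0 - 2.0 * mad)
    coverage = min(1.0, total / SATURATION)
    return score, agreement * coverage


# Constructed sightings for one IoC: two feeds say malicious (one a week old),
# a well-regarded vendor says benign.
DISPUTED = [
    Sighting("abuse-feed-a", 0.9, "malicious", 0),
    Sighting("community-list-b", 0.5, "malicious", 7),
    Sighting("vendor-c", 0.8, "benign", 0),
]
AGREED = [Sighting(s.source, s.reliability, "malicious", 0) for s in DISPUTED]
LONE = [Sighting("community-list-b", 0.5, "malicious", 0)]

if __name__ == "__main__":
    for name, s in (("disputed", DISPUTED), ("agreed", AGREED), ("single source", LONE)):
        score, trust = reputation(s)
        print("%-14s ThreatScore=%.2f TrustRating=%.2f" % (name, score, trust))
```

The separation matters for a decision maker: the disputed IoC scores about 0.59 but with a trust near zero, so it should not be blocked automatically; the single low-reliability source yields a confident-looking score of 1.0 whose trust of 0.25 says it has not been corroborated; only the agreed case earns both a high score and a high trust.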