Cyber Threat Intelligence Exchange

The processing and exchange of Cyber Threat Intelligence (CTI) has become an increas- ingly important topic in recent years. This trend can be attributed to various factors. On the one hand, the exchange of information offers great potential to strengthen the knowledge base of companies and thus improve their protection against cyber threats. On the other hand, legislators in various countries have recognized this potential and translated it into legal reporting requirements. However, CTI is still a very young research area with only a small body of literature. Hence, there are hardly any guidelines, uniform standards, or specifications that define or support such an exchange. This dissertation addresses the problem by reviewing the methodological foundations for the exchange of threat intelligence in three focal areas. First, the underlying data formats and data structures are analyzed, and the basic methods and models are developed. In the further course of the work, possibilities for integrating humans into the analysis process of security incidents and into the generation of CTI are investigated. The final part of the work examines possible obstacles in the exchange of CTI. Both the legal environment and mechanisms to create incentives for an exchange are studied. This work thus creates a solid basis and a structured framework for the cooperative use of CTI

TRIDEnT: Building Decentralized Incentives for Collaborative Security

Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship, to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.Comment: 28 page

A comparative analysis of cyber-threat intelligence sources, formats and languages

The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse at a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats

A Security Information and Event Management Pattern

In order to achieve a high level of cyber security awareness most mid to large sized companies use Security Information and Event Management (SIEM) embedded into a Security Operations Center. These systems enable the centralized collection and analysis of security relevant information generated by a variety of different systems, to detect advanced threats and to improve reaction time in case of an incident. In this paper, we derive a generic SIEM pattern by analyzing already existing tools on the market, among additional information. Thereby, we adhere to a bottom-up process for pattern identification and authoring. This article can serve as a foundation to understand SIEM in general and support developers of existing or new SIEM systems to increase reusability by defining and identifying general software modules inherent in SIEM

NLP-Based Techniques for Cyber Threat Intelligence

In the digital era, threat actors employ sophisticated techniques for which, often, digital traces in the form of textual data are available. Cyber Threat Intelligence~(CTI) is related to all the solutions inherent to data collection, processing, and analysis useful to understand a threat actor's targets and attack behavior. Currently, CTI is assuming an always more crucial role in identifying and mitigating threats and enabling proactive defense strategies. In this context, NLP, an artificial intelligence branch, has emerged as a powerful tool for enhancing threat intelligence capabilities. This survey paper provides a comprehensive overview of NLP-based techniques applied in the context of threat intelligence. It begins by describing the foundational definitions and principles of CTI as a major tool for safeguarding digital assets. It then undertakes a thorough examination of NLP-based techniques for CTI data crawling from Web sources, CTI data analysis, Relation Extraction from cybersecurity data, CTI sharing and collaboration, and security threats of CTI. Finally, the challenges and limitations of NLP in threat intelligence are exhaustively examined, including data quality issues and ethical considerations. This survey draws a complete framework and serves as a valuable resource for security professionals and researchers seeking to understand the state-of-the-art NLP-based threat intelligence techniques and their potential impact on cybersecurity

Integrative methodology to produce cyber threat intelligence using open source platforms

Dissertação (mestrado) — Universidade de Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, Mestrado Profissional em Engenharia Elétrica, 2020.Neste trabalho foi proposta uma metodologia integrativa de plataformas de CTI de código aberto vi- sando a produção de inteligência de ameaça de qualidade. Primeiramente, foi desenvolvida uma metodo- logia de avaliação para analisar padrões e plataformas de CTI e definir soluções com potencial de conso- lidação no mercado. Essa metodologia de avaliação baseou-se em uma estratégia de seleção de soluções de CTI populares de código aberto e no estabelecimento de critérios de avaliação para analisar e comparar essas soluções. Os resultados dessa avaliação comparativa mostraram a existência de boas soluções de CTI de código aberto e possibilitaram a definição de uma metodologia integrativa para a produção de inteli- gência de ameaça, baseada na complementaridade das plataformas MISP e OpenCTI. Alguns cenários de teste foram simulados e analisados com base em uma proposta definida que utiliza o método 5W3H para avaliar a completude da inteligência produzida e, consequentemente, entender sua qualidade e eficácia no processo de tomada de decisão contra incidentes. A partir dos resultados produzidos foi possível verificar que a metodologia proposta é satisfatória quando aplicada à conjuntos de dados de ameaça de tamanho controlado e contextualizados. Além disso, foi possível identificar algumas desvantagens em sua aplicação que podem proporcionar o desenvolvimento de trabalhos futuros.In this work, an integrative methodology of open source CTI platforms was proposed, aiming to pro- duce quality threat intelligence. First, an evaluation methodology was developed to analyze CTI standards and platforms and define solutions with potential for consolidation in the market. This evaluation metho- dology was based on a strategy for selecting popular open source CTI solutions and establishing evaluation criteria to analyze and compare these solutions. The results of this comparative evaluation showed the exis- tence of great open source CTI solutions and have led to the definition of an integrative methodology for the production of threat intelligence, based on the complementarity of the platforms MISP and OpenCTI. Some test scenarios were simulated and analyzed based on a defined proposal that uses the 5W3H method to assess the completeness of the intelligence produced and, consequently, understand its quality and ef- fectiveness in the decision making process. From the results produced, it was possible to verify that the proposed methodology is satisfactory when applied to contextualized and controlled size threat data sets. In addition, it was possible to identify some disadvantages in its application that may provide the development of future works

A Universal Cybersecurity Competency Framework for Organizational Users

The global reliance on the Internet to facilitate organizational operations necessitates further investments in organizational information security. Such investments hold the potential for protecting information assets from cybercriminals. To assist organizations with their information security, The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) was created. The framework referenced the cybersecurity work, knowledge, and skills required to competently complete the tasks that strengthen their information security. Organizational users’ limited cybersecurity competency contributes to the financial and information losses suffered by organizations year after year. While most organizational users may be able to respond positively to a cybersecurity threat, without a measure of their cybersecurity competency they represent a cybersecurity threat to organizations. The main goal of this research study was to develop a universal Cybersecurity Competency Framework (CCF) to determine the demonstrated cybersecurity Knowledge, Skills, and Tasks (KSTs) through the NCWF (NICE, 2017) as well as identify the cybersecurity competency of organizational users. Limited attention has been given in cybersecurity research to determine organizational users’ cybersecurity competency. An expert panel of cybersecurity professionals known as Subject Matter Experts (SMEs) validated the cybersecurity KSTs necessary for the universal CCF. The research study utilized the explanatory sequential mixed-method approach to develop the universal CCF. This research study included a developmental approach combining quantitative and qualitative data collection in three research phases. In Phase 1, 42 SMEs identified the KSTs needed for the universal CCF. The results of the validated data from Phase 1 were inputted to construct the Phase 2 semi-structured interview. In Phase 2, qualitative data were gathered from 12 SMEs. The integration of the quantitative and qualitative data validated the KSTs. In Phase 3, 20 SMEs validated the KST weights and identified the threshold level. Phase 3 concluded with the SMEs\u27 aggregation of the KST weights into the universal CCF index. The weights assigned by the SMEs in Phase 3 showed that they considered knowledge as the most important competency, followed by Skills, then Tasks. The qualitative results revealed that training is needed for cybersecurity tasks. Phase 3 data collection and analysis continued with the aggregation of the validated weights into a single universal CCF index score. The SMEs determined that 72% was the threshold level. The findings of this research study significantly contribute to the body of knowledge on information systems and have implications for practitioners and academic researchers. It appears this is the only research study to develop a universal CCF to assess the organizational user’s competency and create a threshold level. The findings also offer further insights into what organizations need to provide cybersecurity training to their organizational users to enable them to competently mitigate cyber-attacks

Tackling the Challenges of Information Security Incident Reporting: A Decentralized Approach

Information security incident under-reporting is unambiguously a business problem, as identified by a variety of sources, such as ENISA (2012), Symantec (2016), Newman (2018) and more. This research project identified the underlying issues that cause this problem and proposed a solution, in the form of an innovative artefact, which confronts a number of these issues. This research project was conducted according to the requirements of the Design Science Research Methodology (DSRM) by Peffers et al (2007). The research question set at the beginning of this research project, probed the feasible formation of an incident reporting solution, which would increase the motivational level of users towards the reporting of incidents, by utilizing the positive features offered by existing solutions, on one hand, but also by providing added value to the users, on the other. The comprehensive literature review chapter set the stage, and identified the reasons for incident underreporting, while also evaluating the existing solutions and determining their advantages and disadvantages. The objectives of the proposed artefact were then set, and the artefact was designed and developed. The output of this development endeavour is “IRDA”, the first decentralized incident reporting application (DApp), built on “Quorum”, a permissioned blockchain implementation of Ethereum. Its effectiveness was demonstrated, when six organizations accepted to use the developed artefact and performed a series of pre-defined actions, in order to confirm the platform’s intended functionality. The platform was also evaluated using Venable et al’s (2012) evaluation framework for DSR projects. This research project contributes to knowledge in various ways. It investigates blockchain and incident reporting, two domains which have not been extensively examined and the available literature is rather limited. Furthermore, it also identifies, compares, and evaluates the conventional, reporting platforms, available, up to date. In line with previous findings (e.g Humphrey, 2017), it also confirms the lack of standard taxonomies for information security incidents. This work also contributes by creating a functional, practical artefact in the blockchain domain, a domain where, according to Taylor et al (2019), most studies are either experimental proposals, or theoretical concepts, with limited practicality in solving real-world problems. Through the evaluation activity, and by conducting a series of non-parametric significance tests, it also suggests that IRDA can potentially increase the motivational level of users towards the reporting of incidents. This thesis describes an original attempt in utilizing the newly emergent blockchain technology, and its inherent characteristics, for addressing those concerns which actively contribute to the business problem. To the best of the researcher’s knowledge, there is currently no other solution offering similar benefits to users/organizations for incident reporting purposes. Through the accomplishment of this project’s pre-set objectives, the developed artefact provides a positive answer to the research question. The artefact, featuring increased anonymity, availability, immutability and transparency levels, as well as an overall lower cost, has the potential to increase the motivational level of organizations towards the reporting of incidents, thus improving the currently dismaying statistics of incident under-reporting. The structure of this document follows the flow of activities described in the DSRM by Peffers et al (2007), while also borrowing some elements out of the nominal structure of an empirical research process, including the literature review chapter, the description of the selected research methodology, as well as the “discussion and conclusion” chapter

Harnessing Human Potential for Security Analytics

Humans are often considered the weakest link in cybersecurity. As a result, their potential has been continuously neglected. However, in recent years there is a contrasting development recognizing that humans can benefit the area of security analytics, especially in the case of security incidents that leave no technical traces. Therefore, the demand becomes apparent to see humans not only as a problem but also as part of the solution. In line with this shift in the perception of humans, the present dissertation pursues the research vision to evolve from a human-as-a-problem to a human-as-a-solution view in cybersecurity. A step in this direction is taken by exploring the research question of how humans can be integrated into security analytics to contribute to the improvement of the overall security posture. In addition to laying foundations in the field of security analytics, this question is approached from two directions. On the one hand, an approach in the context of the human-as-a-security-sensor paradigm is developed which harnesses the potential of security novices to detect security incidents while maintaining high data quality of human-provided information. On the other hand, contributions are made to better leverage the potential of security experts within a SOC. Besides elaborating the current state in research, a tool for determining the target state of a SOC in the form of a maturity model is developed. Based on this, the integration of security experts was improved by the innovative application of digital twins within SOCs. Accordingly, a framework is created that improves manual security analyses by simulating attacks within a digital twin. Furthermore, a cyber range was created, which offers a realistic training environment for security experts based on this digital twin

A comparative analysis of incident reporting formats

Over the past few years, the number of attacks against IT systems and the resulting incidents has steadily increased. To protect against these attacks, joint approaches, which include the sharing of incident information, are increasingly gaining in importance. Several incident reporting formats build the basis for information sharing. However, it is often not clear how to design the underlying processes and which formats would fit the specific use cases. To close this gap, we have introduced an incident reporting process model and the generic model UPSIDE for basic incident reporting requirements. Subsequently, we have identified state-of-the-art incident reporting formats and used the introduced models to conduct a comparative analysis of these formats. This analysis shows the strengths and weaknesses of the evaluated formats and identifies the use cases for which they are suitable. (C) 2017 Elsevier Ltd. All rights reserved