21 research outputs found

    Cyber Threat Intelligence Exchange

    The processing and exchange of Cyber Threat Intelligence (CTI) has become an increasingly important topic in recent years. This trend can be attributed to various factors. On the one hand, the exchange of information offers great potential to strengthen the knowledge base of companies and thus improve their protection against cyber threats. On the other hand, legislators in various countries have recognized this potential and translated it into legal reporting requirements. However, CTI is still a very young research area with only a small body of literature. Hence, there are hardly any guidelines, uniform standards, or specifications that define or support such an exchange. This dissertation addresses the problem by reviewing the methodological foundations for the exchange of threat intelligence in three focal areas. First, the underlying data formats and data structures are analyzed, and the basic methods and models are developed. In the further course of the work, possibilities for integrating humans into the analysis process of security incidents and into the generation of CTI are investigated. The final part of the work examines possible obstacles in the exchange of CTI. Both the legal environment and mechanisms to create incentives for an exchange are studied. This work thus creates a solid basis and a structured framework for the cooperative use of CTI.

    Unifying Cyber Threat Intelligence

    The threat landscape and the associated number of IT security incidents are constantly increasing. In order to address this problem, a trend towards cooperative approaches and the exchange of information on security incidents has been developing over recent years. Today, several different data formats with varying properties are available that allow incidents as well as cyber threat intelligence (CTI) information to be structured and described. Observed differences in data formats cause problems with regard to consistent understanding and compatibility. This ultimately builds a barrier to efficient information exchange. Moreover, a common definition for the components of CTI formats is missing. In order to improve this situation, this work presents an approach for the description and unification of these formats. Therefore, we propose a model that describes the elementary properties as well as a common notation for entities within CTI formats. In addition, we develop a unified model to show the results of our work, to improve the understanding of CTI data formats and to discuss possible future research directions.

    Introducing DINGfest: An architecture for next generation SIEM systems

    Isolated and easily protectable IT systems have developed into fragile and complex structures over the past years. These systems host manifold, flexible and highly connected applications, mainly in virtual environments. To ensure protection of those infrastructures, Security Incident and Event Management (SIEM) systems have been deployed. Such systems, however, suffer from many shortcomings, such as a lack of mechanisms for forensic readiness. In this extended abstract, we identify these shortcomings and propose an architecture which addresses them. It is developed within the DINGfest project, on which we report and for which we seek initial feedback from the community.

    A Quantitative and Dynamic Model for Plant Stem Cell Regulation

    Plants maintain pools of totipotent stem cells throughout their entire life. These stem cells are embedded within specialized tissues called meristems, which form the growing points of the organism. The shoot apical meristem of the reference plant Arabidopsis thaliana is subdivided into several distinct domains, which execute diverse biological functions, such as tissue organization, cell proliferation and differentiation. The number of cells required for growth and organ formation changes over the course of a plant's life, while the structure of the meristem remains remarkably constant. Thus, regulatory systems must be in place which allow for an adaptation of cell proliferation within the shoot apical meristem while maintaining the organization at the tissue level. To advance our understanding of this dynamic tissue behavior, we measured domain sizes as well as cell division rates of the shoot apical meristem under various environmental conditions which cause adaptations in meristem size. Based on our results we developed a mathematical model to explain the observed changes by a cell pool size dependent regulation of cell proliferation and differentiation, which is able to correctly predict CLV3 and WUS over-expression phenotypes. While the model shows stem cell homeostasis under constant growth conditions, it predicts a variation in stem cell number under changing conditions. Consistent with our experimental data, this behavior is correlated with variations in cell proliferation. Therefore, we investigate different signaling mechanisms which could stabilize stem cell number despite variations in cell proliferation. Our results shed light onto the dynamic constraints of stem cell pool maintenance in the shoot apical meristem of Arabidopsis in different environmental conditions and developmental states.

    A comparative analysis of incident reporting formats

    Over the past few years, the number of attacks against IT systems and the resulting incidents has steadily increased. To protect against these attacks, joint approaches, which include the sharing of incident information, are increasingly gaining in importance. Several incident reporting formats build the basis for information sharing. However, it is often not clear how to design the underlying processes and which formats would fit the specific use cases. To close this gap, we have introduced an incident reporting process model and the generic model UPSIDE for basic incident reporting requirements. Subsequently, we have identified state-of-the-art incident reporting formats and used the introduced models to conduct a comparative analysis of these formats. This analysis shows the strengths and weaknesses of the evaluated formats and identifies the use cases for which they are suitable. (C) 2017 Elsevier Ltd. All rights reserved.

    A secure and auditable logging infrastructure based on a permissioned blockchain

    Information systems in organizations are regularly subject to cyber attacks targeting confidential data or threatening the availability of the infrastructure. In case of a successful attack it is crucial to maintain the integrity of the evidence for later use in court. Existing solutions to preserve the integrity of log records remain cost-intensive or hard to implement in practice. In this work we present a new infrastructure for log integrity preservation which does not depend upon trusted third parties or specialized hardware. The system uses a blockchain to store non-repudiable proofs of existence for all generated log records. An open-source prototype of the resulting log auditing service is developed and deployed, followed by a security and performance evaluation. The infrastructure represents a novel software-based solution to the secure logging problem, which unlike existing approaches does not rely on specialized hardware, trusted third parties or modifications to the logging source. (C) 2019 Elsevier Ltd. All rights reserved.

    Graph-based visual analytics for cyber threat intelligence

    The ever-increasing amount of major security incidents has led to an emerging interest in cooperative approaches to encounter cyber threats. To enable cooperation in detecting and preventing attacks, it is an inevitable necessity to have structured and standardized formats to describe an incident. Corresponding formats are complex and of an extensive nature, as they are often designed for automated processing and exchange. These characteristics hamper readability and therefore prevent humans from understanding the documented incident. This is a major problem, since the success and effectiveness of any security measure rely heavily on the contribution of security experts. To meet these shortcomings we propose a visual analytics concept enabling security experts to analyze and enrich semi-structured cyber threat intelligence information. Our approach combines an innovative way of persisting this data with an interactive visualization component to analyze and edit the threat information. We demonstrate the feasibility of our concept using the Structured Threat Information eXpression, the state-of-the-art format for reporting cyber security issues.

    Human-as-a-security-sensor for harvesting threat intelligence

    Humans are commonly seen as the weakest link in corporate information security. This has led to a lot of effort being put into security training and awareness campaigns, which has resulted in employees being less likely to be the target of successful attacks. Existing approaches, however, do not tap the full potential that can be gained through these campaigns. On the one hand, human perception offers an additional source of contextual information for detected incidents; on the other hand, it serves as an information source for incidents that may not be detectable by automated procedures. Existing approaches only allow text-based reporting of basic incident information. A structured recording of human-delivered information that also provides compatibility with existing SIEM systems is still missing. In this work, we propose an approach which allows humans to systematically report perceived anomalies or incidents in a structured way. Our approach furthermore supports the integration of such reports into analytics systems. Thereby, we identify connecting points to SIEM systems, develop a taxonomy for structuring elements reportable by humans acting as a security sensor, and develop a structured data format to record data delivered by humans. A prototypical human-as-a-security-sensor wizard applied to a real-world use case shows our proof of concept.

    DEALER: decentralized incentives for threat intelligence reporting and exchange

    The exchange of threat intelligence information can make a significant contribution to improving IT security in companies and has become increasingly important in recent years. However, such an exchange also entails costs and risks, preventing many companies from participating. In addition, since legal reporting requirements were introduced in various countries, certain requirements must be taken into account in the exchange process. However, existing exchange platforms neither offer incentives to participate in the exchange process nor fulfill the requirements resulting from reporting obligations. With this work, we present a decentralized platform for the exchange of threat intelligence information. The platform supports the fulfillment of legal reporting obligations for security incidents and provides additional incentives for information exchange between the parties involved. We evaluate the platform by implementing it based on the EOS blockchain and the IPFS distributed hash table. The prototype and cost measurements demonstrate the feasibility and cost-efficiency of our concept.

    Long-term results of total endovascular repair of arch-involving aortic pathologies using parallel grafts for supra-aortic debranching

    OBJECTIVE We evaluated the long-term morphologic and clinical outcomes after thoracic endovascular aortic repair combined with parallel grafts (PG-TEVAR) for arch-involving aortic pathologies. METHODS We performed a retrospective analysis of perioperative and follow-up data of patients who had undergone PG-TEVAR at a single vascular surgery center from November 2010 to April 2018. Patients with prior or simultaneous open chest or cervical debranching procedures or arch repair were excluded. The primary endpoint was freedom from overall PG-TEVAR-related reintervention. The secondary endpoints were parallel graft sealing zone failure (presence of gutter-related type I or Ic endoleak), PG failure (occlusion or reintervention), stroke, and 30-day and overall PG-TEVAR-related and all-cause mortality. Kaplan-Meier curves were used to estimate the freedom from reintervention and survival. Receiver operating characteristic curves were used to find the optimal cutoff to prevent type Ia endoleak-related reintervention. RESULTS A total of 33 patients, including 8 women, with a median age of 74 years (interquartile range, 67-79 years) had undergone PG-TEVAR (chimney, periscope, and sandwich in 20, 15, and 13 patients, respectively) with proximal landing in Ishimaru zone 0, 1, or 2 in 4, 5, and 24 patients, respectively. The aortic pathologies included type B aortic dissection (acute and chronic, eight and six, respectively), degenerative aneurysm (n = 10), type Ia endoleak (n = 3), para-anastomotic/patch aneurysm (n = 4), left subclavian artery aneurysm (n = 1), and traumatic rupture (n = 1). The perioperative stroke rate and 30-day mortality were 6% and 9%, respectively. Direct postoperative computed tomography revealed 28 endoleaks (gutter-related type Ia, 12; gutter-related type Ib, 9; type Ia, 2; type Ic, 2; type III, 1; undetermined, 2) in 27 patients. The technical and clinical success rates were 37% and 30%, respectively. The mean follow-up for survival was 48 ± 31 months. The latest radiologic follow-up demonstrated 12 remaining and 1 new endoleak. The early and overall PG sealing zone failure rates were 73% and 36%, and the early and overall PG failure rates were 9% and 18%, respectively. The overall PG-TEVAR-related reintervention rate was 33% (n = 11). The estimated freedom from overall PG-TEVAR-related reintervention was 68% at 60 months. The main graft oversizing and length oversizing rates were not significantly associated statistically with the type Ia endoleak-related reintervention rate. The PG-TEVAR-related and all-cause mortality were 18% and 34%, respectively. CONCLUSIONS PG-TEVAR for total endovascular repair of arch-involving aortic pathologies resulted in a high rate of type I endoleaks and the need for long-term reintervention. Gutter-related endoleaks might be more frequent than reported and should not be underestimated, because they can lead to sac enlargement and reintervention. Frequent radiologic surveillance is mandatory. Further studies comparing PG-TEVAR to other total endovascular alternatives are required to confirm these findings.