Abstract
In this paper we propose an approach for hunting adversarial tactics, techniques and procedures (TTPs) by leveraging information described in structured cyber threat intelligence models. We focus on the timeliness and completeness properties of cyber threat intelligence indicators to drive the discovery of TTPs placed high on the so-called Pyramid of Pain.
We used the Unit 42 playbooks dataset to evaluate the proposed approach and to illustrate the limitations and opportunities of a systematic intelligence sharing process for discovering high-pain TTPs. We applied the Levenshtein distance to define a metric between attack vectors constructed from the kill chain phases, which we use to measure completeness and timeliness.
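As an added illustration, not code from the paper: one way to build an attack vector from the kill chain phases of shared indicators and score it against a reference vector with a token-level Levenshtein distance. The seven phase names, the sample indicators and the day-based reporting cutoff are constructed assumptions; the abstract does not give the authors' exact vector construction.

```python
from typing import Dict, List, Optional, Sequence

# Reference attack vector: seven kill chain phases in order (constructed assumption).
KILL_CHAIN_PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
                     "installation", "command-and-control", "actions-on-objectives"]

# Constructed sample of shared indicators: mapped phase and day first reported.
# Weaponization is never observed, as is typical from a defender's vantage point.
SAMPLE_INDICATORS = [
    {"value": "scanner-ip", "phase": "reconnaissance", "first_seen": 1},
    {"value": "phish-doc-hash", "phase": "delivery", "first_seen": 2},
    {"value": "exploit-doc-hash", "phase": "exploitation", "first_seen": 2},
    {"value": "dropper-hash", "phase": "installation", "first_seen": 4},
    {"value": "c2-domain", "phase": "command-and-control", "first_seen": 5},
    {"value": "exfil-host", "phase": "actions-on-objectives", "first_seen": 8},
]

def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance where each kill chain phase is one token, not one character."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete x
                           cur[j - 1] + 1,              # insert y
                           prev[j - 1] + (x != y)))     # substitute, or match
        prev = cur
    return prev[-1]

def attack_vector(indicators: List[dict], not_after: Optional[int] = None) -> List[str]:
    """Phase sequence reconstructable from indicators shared by day `not_after`."""
    visible = sorted((i for i in indicators
                      if not_after is None or i["first_seen"] <= not_after),
                     key=lambda i: i["first_seen"])
    vector: List[str] = []
    for ind in visible:
        if not vector or vector[-1] != ind["phase"]:  # collapse repeated phases
            vector.append(ind["phase"])
    return vector

def completeness_gap(observed: Sequence[str], reference: Sequence[str]) -> float:
    """Distance normalised by reference length: 0.0 means a complete vector."""
    return levenshtein(observed, reference) / max(len(reference), 1)

def distance_timeline(indicators: List[dict], reference: Sequence[str],
                      last_day: int) -> Dict[int, int]:
    """Distance to the reference on each day; how fast it falls reflects timeliness."""
    return {d: levenshtein(attack_vector(indicators, d), reference)
            for d in range(1, last_day + 1)}
```

With the sample, the distance falls from 6 on day 1 to 1 on day 8; the residual 1 is the unobservable weaponization phase, a completeness gap no amount of sharing delay closes.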
Acknowledgements
This work has received funding from the European Union’s Horizon 2020 research and innovation program under the grant agreement no. 830943 (ECHO).
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Yucel, C., Chalkias, I., Mallis, D., Karagiannis, E., Cetinkaya, D., Katos, V. (2020). On the Assessment of Completeness and Timeliness of Actionable Cyber Threat Intelligence Artefacts. In: Dziech, A., Mees, W., Czyżewski, A. (eds) Multimedia Communications, Services and Security. MCSS 2020. Communications in Computer and Information Science, vol 1284. Springer, Cham. https://doi.org/10.1007/978-3-030-59000-0_5
DOI: https://doi.org/10.1007/978-3-030-59000-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58999-8
Online ISBN: 978-3-030-59000-0
eBook Packages: Computer Science (R0)