Skip to main content
SpringerLink
Log in
Book cover

Nordic Conference on Secure IT Systems

NordSec 2022: Secure IT Systems pp 368–385Cite as

Actionable Cyber Threat Intelligence for Automated Incident Response

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13700))

Abstract

Applying Cyber Threat Intelligence for active cyber defence, while potentially very beneficial, is currently limited to predominantly manual use. In this paper, we propose an automated approach for using Cyber Threat Intelligence during incident response by gathering Tactics, Techniques and Procedures available on intelligence reports, mapping them to network incidents, and then using this map to create attack patterns for specific threats. We consider our method actionable because it provides the operator with contextualised Cyber Threat Intelligence related to observed network incidents in the form of a ranked list of potential related threats, all based on patterns matched with the incidents. We evaluate our approach with publicly available samples of different malware families. Our analysis of the results shows that our method can reliably match network incidents with intelligence reports and relate them to these threats. The approach allows increasing the automation of its use, thus addressing one of the major limiting factors of effective use of suitable Cyber Threat Intelligence.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We use ‘alerts’ as a general term, and when more specific we use ‘events’ for basic alerts and network ‘incidents’ for the alerts after correlation.

  2. 2.

    https://attack.mitre.org/techniques/enterprise/.

References

  1. Chismon, D., Ruks, M.: Threat intelligence: collecting, analysing, evaluating. MWR InfoSecurity 3(2), 36–42 (2015)

    Google Scholar 

  2. Schlette, D.: Cyber threat intelligence. In: Jajodia, S., Samarati, P., Yung, M. (eds.) Encyclopedia of Cryptography, Security and Privacy, pp. 1–3. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-642-27739-9_1716-1

  3. Nespoli, P., Papamartzivanos, D., Mármol, F.G., Kambourakis, G.: Optimal countermeasures selection against cyber attacks: a comprehensive survey on reaction frameworks. IEEE Commun. Surv. Tutor. 20(2), 1361–1396 (2017)

    Article  Google Scholar 

  4. Groenewegen, A., Janssen, J.S.: TheHive project: the maturity of an open-source security incident response platform (2021)

    Google Scholar 

  5. Berrueta, E., Morato, D., Magaña, E., Izal, M.: Open repository for the evaluation of ransomware detection tools. IEEE Access 8, 65658–65669 (2020)

    Article  Google Scholar 

  6. Gao, Y., Xiaoyong, L.I., Hao, P.E.N.G., Fang, B., Yu, P.: HinCTI: a cyber threat intelligence modeling and identification system based on heterogeneous information network. In: IEEE Transactions on Knowledge and Data Engineering, p. 1 (2020)

    Google Scholar 

  7. Liao, X., Yuan, K., Wang, X., Li, Z., Xing, L., Beyah, R.: Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016). Association for Computing Machinery, New York, pp. 755–766 (2016). https://doi.org/10.1145/2976749.2978315

  8. Gao, P., et al.: Enabling efficient cyber threat hunting with cyber threat intelligence. In: 2021 IEEE 37th International Conference on Data Engineering (ICDE), pp. 193–204 (2021). ISSN: 2375-026X

    Google Scholar 

  9. Zhu, Z., Dumitras, T.: ChainSmith: automatically learning the semantics of malicious campaigns by mining threat intelligence reports. In: 2018 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 458–472. IEEE (2018)

    Google Scholar 

  10. Afzaliseresht, N., Miao, Y., Michalska, S., Liu, Q., Wang, H.: From logs to stories: human-centred data mining for cyber threat intelligence. IEEE Access 8, 19089–19099 (2020)

    Article  Google Scholar 

  11. Tundis, Andrea, Ruppert, Samuel, Mühlhäuser, Max: On the automated assessment of open-source cyber threat intelligence sources. In: Krzhizhanovskaya, V.V., et al. (eds.) ICCS 2020. LNCS, vol. 12138, pp. 453–467. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-50417-5_34

    Chapter  Google Scholar 

  12. Noor, U., Anwar, Z., Altmann, J., Rashid, Z.: Customer-oriented ranking of cyber threat intelligence service providers. Electron. Commer. Res. Appl. 41, 100976 (2020)

    Article  Google Scholar 

  13. Brown, R., Lee, R.M.: 2021 SANS Cyber Threat Intelligence (CTI) Survey, p. 19 (2021)

    Google Scholar 

  14. Berndt, Anzel, Ophoff, Jacques: Exploring the value of a cyber threat intelligence function in an organization. In: Drevin, Lynette, Von Solms, Suné, Theocharidou, Marianthi (eds.) WISE 2020. IAICT, vol. 579, pp. 96–109. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59291-2_7

    Chapter  Google Scholar 

  15. Schlette, D., Caselli, M., Pernul, G.: A comparative study on cyber threat intelligence: the security incident response perspective. IEEE Commun. Surv. Tutor. 23(4), 2525–2556 (2021)

    Article  Google Scholar 

  16. Gong, S., Lee, C.: Cyber threat intelligence framework for incident response in an energy cloud platform. Electronics 10(3), 239 (2021)

    Article  Google Scholar 

  17. Liu, J., et al.: TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network. Cybersecurity 5(1), 8 (2022). https://doi.org/10.1186/s42400-022-00110-3

    Article  Google Scholar 

  18. Amthor, P., Fischer, D., Kühnhauser, W.E., Stelzer, D.: Automated cyber threat sensing and responding: integrating threat intelligence into security-policy-controlled systems. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10 (2019). https://doi.org/10.1145/3339252.3340509

  19. Serketzis, N., Katos, V., Ilioudis, C., Baltatzis, D., Pangalos, G.: Improving forensic triage efficiency through cyber threat intelligence. Future Internet 11(7), 162 (2019)

    Article  Google Scholar 

  20. Legoy, V., Caselli, M., Seifert, C., Peter, A.: Automated retrieval of ATT &CK tactics and techniques for cyber threat reports. arXiv preprint arXiv:2004.14322 (2020)

  21. Husari, G., Al-Shaer, E., Ahmed, M., Chu, B., Niu, X.: TTPDrill: automatic and accurate extraction of threat actions from unstructured text of CTI sources. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 103–115 (2017)

    Google Scholar 

  22. Li, Z., Zeng, J., Chen, Y., Liang, Z.: AttacKG: constructing technique knowledge graph from cyber threat intelligence reports. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. LNCS, vol. 13554, pp. 589–609. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17140-6_29

  23. Hybrid Analysis: https://www.hybrid-analysis.com/

  24. Stillions, R.: The DML model (2014). http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html

  25. Bromander, S., Jøsang, A., Eian, M.: Semantic cyberthreat modelling. In: STIDS, pp. 74–78 (2016)

    Google Scholar 

  26. Gunter, D.: Hunting with rigor: quantifying the breadth, depth and threat intelligence coverage of a threat hunt in industrial control system environments, p. 21 (2018)

    Google Scholar 

  27. Cole, E.: Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Newnes, London (2012)

    Google Scholar 

  28. Ghafir, I., Prenosil, V.: Advanced persistent threat attack detection: an overview. Int. J. Adv. Comput. Netw. Secur. 4(4), 5054 (2014)

    Google Scholar 

  29. Sauerwein, C., Fischer, D., Rubsamen, M., Rosenberger, G., Stelzer, D., Breu, R.: From threat data to actionable intelligence: an exploratory analysis of the intelligence cycle implementation in cyber threat intelligence sharing platforms. In: The 16th International Conference on Availability, Reliability and Security, pp. 1–9 (2021). https://doi.org/10.1145/3465481.3470048

  30. MITRE: MITRE ATT &CK techniques mapped to data sources. Tech. Rep. (2019). http://attack.mitre.org/docs/attack_roadmap_2019.pdf

Download references

Author information

Authors and Affiliations

  1. Eindhoven University of Technology, 5612 AZ, Eindhoven, The Netherlands

    Cristoffer Leite & Jerry den Hartog

  2. Forescout Technologies, 5612 AB, Eindhoven, The Netherlands

    Cristoffer Leite, Daniel Ricardo dos Santos & Elisa Costante

Authors
  1. Cristoffer Leite
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jerry den Hartog
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Daniel Ricardo dos Santos
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Elisa Costante
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Cristoffer Leite .

Editor information

Editors and Affiliations

  1. Reykjavik University, Reykjavik, Iceland

    Hans P. Reiser

  2. Reykjavik University, Reykjavik, Iceland

    Marcel Kyas

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Leite, C., den Hartog, J., Ricardo dos Santos, D., Costante, E. (2022). Actionable Cyber Threat Intelligence for Automated Incident Response. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22295-5_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22294-8

  • Online ISBN: 978-3-031-22295-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation