Abstract
Applying Cyber Threat Intelligence (CTI) to active cyber defence is potentially very beneficial, but its use is currently predominantly manual. In this paper, we propose an automated approach for using CTI during incident response: we gather the Tactics, Techniques and Procedures (TTPs) described in intelligence reports, map them to network incidents, and then use this mapping to create attack patterns for specific threats. We consider the method actionable because it provides the operator with contextualised CTI related to the observed network incidents, in the form of a ranked list of potentially related threats, all derived from patterns matched against the incidents. We evaluate the approach with publicly available samples of different malware families. Our analysis of the results shows that the method can reliably match network incidents with intelligence reports and relate them to the corresponding threats. The approach increases the degree to which CTI use can be automated, thus addressing one of the major factors limiting the effective use of suitable CTI.
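As an added illustration of the matching step described in the abstract (this is example code written for this page, not the authors' implementation), the following Python matcher reduces each intelligence report to the set of ATT&CK technique IDs it describes, merges all reports about the same threat into one attack pattern, and scores the techniques observed across correlated network incidents against every pattern to produce a ranked list of candidate threats with the matching techniques as context. The threat names, the report-to-technique mappings, the incidents and the Jaccard scoring rule are all constructed assumptions for the example; the technique IDs are real ATT&CK identifiers, but their association with these sample threats is invented.

```python
"""Illustrative CTI-to-incident matcher (added example, not the paper's code).

Reports and incidents are both reduced to sets of ATT&CK technique IDs.
A threat's attack pattern is the union of the techniques in all reports
about it. Observed incidents are scored against each pattern and the
threats are returned as a ranked list with the shared techniques attached,
so the operator sees *why* a threat was ranked where it was.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Tuple


class Report(NamedTuple):
    threat: str                    # threat / malware family the report describes
    techniques: FrozenSet[str]     # ATT&CK technique IDs extracted from the report


class Incident(NamedTuple):
    incident_id: str               # correlated network incident
    techniques: FrozenSet[str]     # techniques the incident was mapped to


class Match(NamedTuple):
    threat: str
    score: float                   # Jaccard similarity of pattern vs. observed set
    matched: Tuple[str, ...]       # techniques shared by pattern and incidents


# Constructed sample intelligence reports; threat names are hypothetical.
REPORTS = [
    Report("RansomFamily-A", frozenset({"T1566", "T1059", "T1486", "T1083"})),
    Report("RansomFamily-A", frozenset({"T1021", "T1486", "T1570"})),
    Report("Infostealer-B", frozenset({"T1566", "T1071", "T1041"})),
    Report("Worm-C", frozenset({"T1021", "T1570", "T1059"})),
]

# Constructed correlated network incidents from one investigation window.
INCIDENTS = [
    Incident("inc-001", frozenset({"T1566", "T1059"})),
    Incident("inc-002", frozenset({"T1021", "T1486"})),
]


def build_patterns(reports: Iterable[Report]) -> Dict[str, FrozenSet[str]]:
    """Merge every report about the same threat into one attack pattern."""
    patterns = defaultdict(set)
    for report in reports:
        patterns[report.threat].update(report.techniques)
    return {threat: frozenset(techs) for threat, techs in patterns.items()}


def observed_techniques(incidents: Iterable[Incident]) -> FrozenSet[str]:
    """Union of the techniques seen across all correlated incidents."""
    observed = set()
    for incident in incidents:
        observed |= incident.techniques
    return frozenset(observed)


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_threats(reports: Iterable[Report], incidents: Iterable[Incident],
                 min_matched: int = 1) -> List[Match]:
    """Return threats whose pattern shares at least `min_matched` techniques
    with the incidents, ranked by score, then by number of matched techniques."""
    patterns = build_patterns(reports)
    observed = observed_techniques(incidents)
    matches = []
    for threat, pattern in patterns.items():
        shared = pattern & observed
        if len(shared) < min_matched:
            continue            # no evidence linking this threat to the incidents
        matches.append(Match(threat, jaccard(pattern, observed), tuple(sorted(shared))))
    matches.sort(key=lambda m: (-m.score, -len(m.matched), m.threat))
    return matches


if __name__ == "__main__":
    for m in rank_threats(REPORTS, INCIDENTS):
        print(f"{m.threat:16s} score={m.score:.2f} matched={', '.join(m.matched)}")
```

Jaccard similarity is used here only because it is simple and symmetric; it penalises threats whose patterns contain many techniques not yet observed, which is the right bias early in an investigation but would need a weighting scheme (for example by technique specificity) in a production matcher.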
Notes
1. We use ‘alerts’ as a general term; when being more specific, we use ‘events’ for basic alerts and network ‘incidents’ for the alerts remaining after correlation.
2.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Leite, C., den Hartog, J., Ricardo dos Santos, D., Costante, E. (2022). Actionable Cyber Threat Intelligence for Automated Incident Response. In: Reiser, H.P., Kyas, M. (eds) Secure IT Systems. NordSec 2022. Lecture Notes in Computer Science, vol 13700. Springer, Cham. https://doi.org/10.1007/978-3-031-22295-5_20
DOI: https://doi.org/10.1007/978-3-031-22295-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22294-8
Online ISBN: 978-3-031-22295-5
eBook Packages: Computer Science, Computer Science (R0)