Elsevier

Computers & Security

Volume 73, March 2018, Pages 87-101

A comparative analysis of incident reporting formats

https://doi.org/10.1016/j.cose.2017.10.009

Abstract

Over the past few years, the number of attacks against IT systems and the resulting incidents has steadily increased. To protect against these attacks, joint approaches that include the sharing of incident information are gaining in importance. Several incident reporting formats form the basis for such information sharing. However, it is often not clear how to design the underlying processes and which formats fit a specific use case. To close this gap, we introduce an incident reporting process model and the generic model UPSIDE for basic incident reporting requirements. We then identify state-of-the-art incident reporting formats and use the introduced models to conduct a comparative analysis of these formats. The analysis shows the strengths and weaknesses of the evaluated formats and identifies the use cases for which they are suitable.

Introduction

The number and complexity of IT systems, as well as the number of potential vulnerabilities affecting these systems, have been growing steadily over the last years. This growth comes with a likewise increasing number of potential threats. These threats range from autonomous, self-replicating malware with various obfuscation characteristics to highly sophisticated targeted attacks, and they are no longer restricted to software but also affect hardware components. Altogether, this leads to a noticeable increase in successful cyberattacks resulting in both economic damage and loss of data (McAfee Corporation, 2016). Moreover, the implications of such threats are not necessarily restricted to the IT landscape; they can also reach entities in the physical world and therefore can, in a worst-case scenario, even affect the critical infrastructure of a region, a country or society as a whole.

In the last decade, there have been significant research and development efforts in the area of threat intelligence. These include activities to mitigate damage once harm has already occurred. However, it can be observed that traditional isolated defense approaches only provide security under certain conditions and therefore mostly do not meet the requirements for protecting systems and infrastructures against today's threat landscape (Symantec Corporation, 2016). Since this can mostly be attributed to an incomplete information basis, one possible approach for improving the current situation, and thus the overall security of systems, is the sharing of threat information along with cooperation between victims and authorities (Johnson, 2003). Cooperative approaches can substantially strengthen the information basis. They accordingly allow improved detection of threats and mitigation of current as well as future attacks, because every single participant benefits from the enhanced knowledge of the group. It can therefore be presumed that threat exchange technologies will become one of the key cyber threat defense technologies within companies.

Such information exchange has recently been stipulated by law for critical infrastructure operators in various jurisdictions such as the European Union (European Commission, 2016), Germany (Deutscher Bundestag, 2015), and the USA (Congress of the United States of America, 2014). The exchange itself can take place between companies, CERTs, and governmental institutions.

The key element of threat intelligence-sharing techniques is the data format used, because it pre-defines which information can be shared at all. Additionally, the data format implicitly sets requirements for the information density of the individual data elements. In the area of data exchange, formats for the automated exchange and processing of information about threats and incidents are widely anticipated (SANS Institute, 2015).

Even though there are different approaches to automated threat intelligence-sharing, the body of literature is still quite limited. To the best of our knowledge, no comprehensive analysis of data formats in use gathering all significant aspects was performed in the past. In particular, the current versions of the two most important data formats, namely STIX and IODEF, have not been adequately covered within the academic literature yet. Owing to the increasing importance of incident reporting, we believe that a thorough analysis of all relevant formats is an essential factor for future research.

Against this background, the remainder of this paper is organized as follows. In Section 2, we provide an overview of the related work in the area of incident reporting formats. In Section 3, we propose a general model for an incident reporting process and incident reporting formats. Based on this, we provide a comprehensive overview of contemporary available incident reporting formats in Section 4. This is followed by the development of criteria for the comparison of reporting formats in Section 5. In Section 6, we provide an evaluation of the identified reporting formats that aims to support the decision processes and the selection of an appropriate exchange format. The paper is concluded in Section 7.


Related work

Even though a lot of work has been done in the area of incident management and incident response in recent years, only a handful of researchers have focused on the data structures and processes for the exchange of security incident information. To get a detailed picture of available work in this area, we conducted a literature review on incident reporting and reporting formats. Next, we examined the available information for each of the identified reporting formats.

ENISA (Dandurand et al, 2014,

A general model for incident reporting

As the foundation for building a model of incident reporting formats, we first determine the basic entities involved in this context. Subsequently, we take a closer look at the incident detection process and the data structures within this process. Based on the determined entities and data structures, we establish a generic model for an incident reporting format.

Incident reporting formats

As argued above, some studies on the formats for threat intelligence-sharing can already be found in the literature. However, to the best of our knowledge, there is no publication available that covers all relevant reporting formats or examines important formats in depth. To close this gap, we give a contemporary overview of today's incident reporting format landscape in this section. The data exchange formats given in the literature cover the formats for the exchange of raw system data, the

Criteria for evaluating incident reporting formats

The previous section introduced an overview of the relevant formats for the reporting of IT-security incidents. In this section, we develop criteria for the comparison of these formats to build the basis for the later analysis. For this purpose, we propose criteria derived from the previously introduced UPSIDE pattern. Furthermore, we adapt criteria from the academic literature, adjusting them, wherever reasonable, to fit the specific purpose of incident reporting formats. Finally, we propose

Comparative analysis of incident reporting formats

In the previous sections, we have introduced a generic model for incident reporting and important incident reporting formats. Moreover, we developed a set of structural criteria to compare incident reporting formats based on the UPSIDE model and criteria from the literature as well as the additionally proposed criteria. In this section, we apply the structural criteria, followed by the general and additional criteria, to each of the identified formats.

Conclusion

In this paper, we have presented a comparative analysis of the most important incident reporting formats. We have developed a general model for an incident reporting process and introduced important terms in incident reporting as a first foundation. Next, we have developed a generic model for incident reporting formats as the basis for a later structural comparison of the examined formats. Furthermore, we have given an overview of incident reporting by exchange format approaches. Within this

Acknowledgment

This work is performed under the BMBF-DINGfest project which is supported under contract by the German Federal Ministry of Education and Research (16KIS0501K). The DINGfest project is dedicated to the detection of malicious system states in combination with visualization, forensic preparation and reporting of identified IT-security incidents. As part of the project, this work builds the basis for the definition of incident information sharing requirements as well as for the decision of a


References (33)

  • E. Asgarli et al., Semantic ontologies for cyber threat sharing standards, IEEE Symposium on Technologies for Homeland Security (HST) (2016)
  • S. Barnum, Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX)
  • C. Blackwell, A Security Ontology for Incident Analysis (2010)
  • C. Michel, L. Mé, ADeLe: An Attack Description Language for Knowledge-Based Intrusion Detection (2001)
  • S. Ciardhuáin, An extended model of cybercrime investigations, Int J Digit Evid (2004)
  • P. Cichonski et al., Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (2012)
  • Congress of the United States of America, National Cybersecurity and Critical Infrastructure Protection Act of 2014
  • L. Dandurand et al., Standards and tools for exchange and processing of actionable information (2014)
  • O. Deniz et al., Overview to some existing incident detection algorithms: a comparative evaluation, Procedia Soc Behav Sci (2011)
  • Deutscher Bundestag, Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (Act to Increase the Security of Information Technology Systems)
  • S. Eckmann et al., STATL: an attack language for state-based intrusion detection, J Comput Secur (2002)
  • ENISA, Detect, SHARE, Protect: Solutions for Improving Threat Data Exchange among CERTs (2013)
  • ENISA, Good practice guide for incident management
  • European Commission, NIS Directive 2016/1148 (EU) of the European Parliament and of the Council
  • S. Fenz et al., Semantic Potential of existing Security Advisory Standards
  • F.C. Freiling et al., A Common Process Model for Incident Response and Computer Forensics, IMF (2007)
  • Cited by (38)

    • Agile incident response (AIR): Improving the incident response process in healthcare

      2022, International Journal of Information Management
      Citation Excerpt :

      Much of the expenditure on cyber security is allocated to Incident Response (IR) teams (Steinke et al., 2015), who are responsible for reducing the impact of breaches and helping the business resume operations as soon as possible (Wiik, Gonzalez, & Kossakowski, 2005). To date, there is extensive research on improving IR processes (e.g., Bartnes, Moe, & Heegaard, 2016; Evans, He, & Maglaras, 2019; Grispos, Glisson, & Storer, 2017; He, Janicke et al., 2015; He & Johnson, 2015; Menges & Pernul, 2018; Skopik, Settanni, & Fiedler, 2016; Tøndel, Line, & Jaatun, 2014). Most IR processes and frameworks are linear in nature, where one aspect of the response must be completed before moving onto the next (Grispos, Glisson, & Storer, 2014), such as the ones proposed by The National Institute of Standards and Technology (NIST) (Cichonski, Millar, Grance, & Scarfone, 2012), CREST (Creasy, 2013), The International Organization for Standardization (ISO) (British Standards Institution, 2016) and Mitropoulos, Patsos, and Douligeris (2006).

    • CTI-SOC2M2 – The quest for mature, intelligence-driven security operations and incident response capabilities: CTI-driven SOC capability maturity model

      2021, Computers and Security
      Citation Excerpt :

      They are used to structure the different types of security-relevant information and the threat reports themselves. The role of different CTI formats has been explored by research highlighting their importance as a driving force for specific CTI use cases (Dandurand et al., 2014; Menges and Pernul, 2018). Finally, associated with the CTI concept, two levels of capabilities can be identified – individual CTI capabilities and organizational CTI capabilities (see Fig. 1).

    • A success model for cyber threat intelligence management platforms

      2021, Computers and Security
      Citation Excerpt :

      The DeLone and McLean model is widely accepted and has been applied to a variety of contexts including information security practices (DeLone and McLean, 1992; 2003; Montesdioca and Maçada, 2015), knowledge management systems (Kulkarni et al., 2007; Wu and Wang, 2006), e-commerce systems (DeLone and McLean, 2004), e-government systems (Wang and Liao, 2008), and employee portals (Urbach et al., 2010). Existing research in the field of threat intelligence management platforms has tended to focus on opportunities, requirements and challenges (Abu et al., 2018; Brown et al., 2015; Serrano et al., 2014; Sillaber et al., 2016; Tounsi and Rais, 2018; Zhao and White, 2012), legal and regulatory aspects (Nolan, 2015; Schwartz et al., 2016), standardisation efforts (Asgarli and Burger, 2016; Barnum, 2014; Johnson et al., 2016; Kampanakis, 2014; Menges and Pernul, 2018; OASIS Committee Specification, 2017; Skopik et al., 2016; Steinberger et al., 2015), implementation details (Alhawamdeh, 2017; Appala et al., 2015; Brown et al., 2015; Dandurand and Serrano, 2013; Mutemwa et al., 2017; Sauerwein et al., 2017; Wagner et al., 2016), and aspects of organisational integration and processes. The last of these includes papers that examine aspects regarding the integration of threat intelligence sharing and its platforms into organisational processes, policies and decisions (Amthor et al., 2019; Gschwandtner et al., 2018; Sauerwein et al., 2018; Sillaber et al., 2016; 2018).

Günther Pernul received both the diploma degree and the doctorate degree (with honors) from the University of Vienna, Austria. Currently he is full professor at the Department of Information Systems at the University of Regensburg, Germany. Prior to that he held positions with the University of Duisburg-Essen, Germany and with the University of Vienna, Austria, and visiting positions at the University of Florida and the College of Computing at the Georgia Institute of Technology, Atlanta. His research interests are manifold, covering data and information security aspects, data protection and privacy, data analytics, and advanced data-centric applications.

Florian Menges received both the Bachelor of Science and Master of Science degree from the University of Regensburg, Germany. Currently he is research assistant at the Department of Information Systems at the University of Regensburg, Germany. His research interests include threat intelligence with a focus on sharing and reporting intelligence data, storage strategies for intelligence data as well as anonymization techniques and incentivizing the sharing and reporting of incident data.