Fig 2 - uploaded by Vasileios Mavroeidis
Cyber Threat Intelligence Model 

Source publication
Conference Paper
Full-text available
Cyber threat intelligence is the provision of evidence-based knowledge about existing or emerging threats. Benefits of threat intelligence include increased situational awareness and efficiency in security operations and improved prevention, detection, and response capabilities. To process, analyze, and correlate vast amounts of threat information...

Context in source publication

Context 1
... Identify information and concepts covered in each work based on the abstraction layers of the Cyber Threat Intelligence model (Figure 2). Table 1 presents the results. ...

Similar publications

Article
Full-text available
In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families request a ransom payment to restore custodian access or decrypt data that were encrypted by the ransomware earlier. Although the ransomware attack strategy seems to...

Citations

... Threat intelligence is a type of data that is created as part of a threat management program [45]. It can include information on the threats faced by an organization, how those threats are realized, the impact of those threats, and the mitigation strategies used to protect against them [46]. Threat intelligence is also valuable because it can provide insights into how threat actors work and what methods they use. ...
Article
Full-text available
This survey covers Chinese Advanced Persistent Threat (APT) real attack groups and scenarios. This survey provides a taxonomy of Chinese APT groups/attacks in conjunction with the use of Threat Intelligence (TI) to detect and prevent the attacks. This paper will provide the current knowledge and emerging APT groups that target governments and private enterprises. In addition, this paper presents contributions, a performance comparison and methods of criticism of detection in the current solutions. The study covers many attack groups funded by different Chinese governments to attack other governments around the world, taking into account that each group is specialized to attack specific sectors: some of them attack the military, police and intelligence departments, some attack the banking, commercial and agricultural sectors, and some attack the information technology, health, arts, and nanotechnology sectors, etc. In this paper, we propose solutions at the first potential victim, and at the network level, to stop APT attacks. We recommend that there must be multi-layer protection over the first machine and infrastructure to detect and prevent APT attacks. This paper will use adversarial tactics, techniques and common knowledge (ATT&CK) as a knowledge base. We recommend researchers focus on ATT&CK and TI to develop a solution against APT attacks.
... Threat intelligence products and services can support those needs. All in all, cyber-threat intelligence may consist of cyber-observable express artifacts (e.g., malicious files and their signatures, processes, and network traffic); insights on more complex indicators of compromise (IoC), vulnerabilities, and attacker behavior; and potential countermeasures relevant to incident response and attribution of attacks (Mavroeidis & Bromander, 2017). ...
Book
The prevalence of cyber-dependent crimes and illegal activities that can only be performed using a computer, computer networks, or other forms of information communication technology has significantly increased during the last two decades in the USA and worldwide. As a result, cybersecurity scholars and practitioners have developed various tools and policies to reduce individuals' and organizations' risk of experiencing cyber-dependent crimes. However, although cybersecurity research and tools production efforts have increased substantially, very little attention has been devoted to identifying potential comprehensive interventions that consider both human and technical aspects of the local ecology within which these crimes emerge and persist. Moreover, it appears that rigorous scientific assessments of these technologies and policies "in the wild" have been dismissed during the process of encouraging innovation and marketing. Consequently, governmental organizations, public and private companies allocate a considerable portion of their operations budgets to protecting their computer and internet infrastructures without understanding the effectiveness of various tools and policies in reducing the myriad of risks they face. Unfortunately, this practice may complicate organizational workflows and increase costs for government entities, businesses, and consumers. The success of the evidence-based approach in improving the performances of a wide range of professions (for example, medicine, policing, and education) leads us to believe that an evidence-based cybersecurity approach is critical for improving cybersecurity efforts. This book seeks to explain the foundation of the evidence-based cybersecurity approach, reviews its relevance in the context of existing security tools and policies, and the authors provide concrete examples of how adopting this approach could improve cybersecurity operations and guide policymakers' decision-making process. 
The evidence-based cybersecurity approach explained aims to support security professionals', policymakers', and individual computer users' decision-making processes regarding the deployment of security policies and tools by calling for rigorous scientific investigations of the effectiveness of these policies and mechanisms in achieving their goals in protecting critical assets. This book illustrates how this approach provides an ideal framework for conceptualizing an interdisciplinary problem like cybersecurity because it stresses moving beyond decision-makers' political, financial, and social backgrounds and personal experiences when adopting cybersecurity tools and policies. This approach is also a model in which policy decisions are made based on scientific research findings. https://www.routledge.com/Evidence-Based-Cybersecurity-Foundations-Research-and-Practice/Pomerleau-Maimon/p/book/9781032062761
... A few previous papers [13], [7], [12], [14] have attempted to present adversarial reconnaissance techniques comprehensively. For example, [13] classified the evolution of cyber reconnaissance into four categories: internet intelligence, network information gathering, side-channel attacks, and social engineering [15], [16]. ...
Chapter
Full-text available
Cyber attackers are frequently able to penetrate networks and compromise systems by exploiting weaknesses in people and systems. The key to the success of these attacks is the cyber threat intelligence that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of cyber intelligence attackers seek, and how and when they can collect this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a classification of reconnaissance techniques based on the source as third-party, human, and system-based cyber threat intelligence gathering. This paper, therefore, provides a comprehensive view of attackers' reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber-attacks, as well as insights that can improve defensive strategies.
... To date, interorganizational cooperation is used primarily for sharing threat intelligence in the form of Indicators of Compromise (IoC), such as IP addresses, domain names, and URL patterns used during an attack [29], [73]. However, this approach has well-known limitations as it relies on detection of ongoing attacks and their associated IoCs, while attackers can change their infrastructure and behavior to make the detected IoCs obsolete [23], [41], [69]. This observation leads to the natural question: Are there other, more proactive and reliable approaches to global defense coordination that could be effective against evolving, sophisticated cyber threats? ...
Preprint
The cyber-threat landscape has evolved tremendously in recent years, with new threat variants emerging daily, and large-scale coordinated campaigns becoming more prevalent. In this study, we propose CELEST (CollaborativE LEarning for Scalable Threat detection), a federated machine learning framework for global threat detection over HTTP, which is one of the most commonly used protocols for malware dissemination and communication. CELEST leverages federated learning in order to collaboratively train a global model across multiple clients who keep their data locally, thus providing increased privacy and confidentiality assurances. Through a novel active learning component integrated with the federated learning technique, our system continuously discovers and learns the behavior of new, evolving, and globally-coordinated cyber threats. We show that CELEST is able to expose attacks that are largely invisible to individual organizations. For instance, in one challenging attack scenario with data exfiltration malware, the global model achieves a three-fold increase in Precision-Recall AUC compared to the local model. We deploy CELEST on two university networks and show that it is able to detect the malicious HTTP communication with high precision and low false positive rates. Furthermore, during its deployment, CELEST detected a set of previously unknown 42 malicious URLs and 20 malicious domains in one day, which were confirmed to be malicious by VirusTotal.
... Several cyber threat intelligence solutions have been developed or are being investigated to address each of these challenges, including applying machine learning to automate data collecting and processing, combining pre-existing solutions, and obtaining unstructured datasets from multiple sources, and then connecting the dots by adding context to Indicators of Compromise (IoCs) and the tactics, technology, and procedures of a given threat (Tounsi and Rais 2018; Mavroeidis and Bromander 2017). The value of threat intelligence derived from within an organization sits between the direct usefulness of specific knowledge about threats to the organization (Padayachee, 2012). ...
Article
Full-text available
Cyber threat intelligence combines two separate areas: cyber security and intelligence. Consequently, it draws on and combines information from these two areas. However, there are few recent scientific studies on cyber threat intelligence maturity, which offer many possibilities.
... CTI is one of the widely adopted techniques in the defence community against cyber attacks. The ultimate goal of CTI is to share the experiences faced by an organisation, this includes the attack types encountered, as well as the techniques and tactics used in their execution [17]. Many organisations using signature-based IDS heavily rely on shared intel, such as Malware Information Sharing Platform (MISP) [18], an open-source CTI platform. ...
... Hold(Task_b.completed)
Send aggregated global model parameters g to endpoints
End(Task_e)
End Combiner process ...
Preprint
Full-text available
The continuous strengthening of the security posture of IoT ecosystems is vital due to the increasing number of interconnected devices and the volume of sensitive data shared. The utilisation of Machine Learning (ML) capabilities in the defence against IoT cyber attacks has many potential benefits. However, the currently proposed frameworks do not consider data privacy, secure architectures, and/or scalable deployments of IoT ecosystems. In this paper, we propose a hierarchical blockchain-based federated learning framework to enable secure and privacy-preserved collaborative IoT intrusion detection. We highlight and demonstrate the importance of sharing cyber threat intelligence among inter-organisational IoT networks to improve the model's detection capabilities. The proposed ML-based intrusion detection framework follows a hierarchical federated learning architecture to ensure the privacy of the learning process and organisational data. The transactions (model updates) and processes will run on a secure immutable ledger, and the conformance of executed tasks will be verified by the smart contract. We have tested our solution and demonstrated its feasibility by implementing it and evaluating the intrusion detection performance using a key IoT data set. The outcome is a securely designed ML-based intrusion detection system capable of detecting a wide range of malicious activities while preserving data privacy.
... Rudman and Irwin (2016) [24] devised a tool that used samples from the peer-to-peer (P2P) malware Dridex for generating IoC in an automated fashion. Mavroeidis and Bromander (2017) [25] discussed ontologies, sharing standards, and taxonomies for tackling CTI. The work compares different methodologies and existing models' expressiveness for use by security officers. ...
Preprint
Full-text available
Cyber threat intelligence (CTI) is practical real-world information that is collected with the purpose of assessing threats in cyber-physical systems (CPS). A practical notation for sharing CTI is STIX. STIX offers facilities to create, visualise and share models; however, even a moderately simple project can be represented in STIX as a quite complex graph, suggesting that CTI be spread across multiple simpler sub-projects. Our tool aims to enhance the STIX-based modelling task in contexts where such simplifications are infeasible. Examples can be the microgrid and, more generally, the smart grid.
... Threat Intelligence refers to the task of gathering data concerning attacks or breaches (e.g. context, methods, indicators, devices, etc.) for enabling organizations to set up countermeasures on the basis of a wide range of information [11]. In order to enhance prevention and detection of new threats, organizations can collaborate by sharing information about recently discovered threats. ...
Article
Sharing threat events and Indicators of Compromise (IoCs) enables quick and crucial decision making relative to effective countermeasures against cyberattacks. However, the current threat information sharing solutions do not allow easy communication and knowledge sharing among threat detection systems (in particular Intrusion Detection Systems (IDS)) exploiting Machine Learning (ML) techniques. Moreover, the interaction with the expert, which represents an important component to gather verified and reliable input data for the ML algorithms, is weakly supported. To address all these issues, ORISHA, a platform for ORchestrated Information SHaring and Awareness enabling the cooperation among threat detection systems and other information awareness components, is proposed here. ORISHA is backed by a distributed Threat Intelligence Platform based on a network of interconnected Malware Information Sharing Platform instances, which enables the communication with several Threat Detection layers belonging to different organizations. Within this ecosystem, Threat Detection Systems mutually benefit by sharing knowledge that allows them to refine the underlying predictive accuracy. Uncertain cases, i.e. examples with low anomaly scores, are proposed to the expert, who acts with the role of oracle in an Active Learning scheme. By interfacing with a honeynet, ORISHA allows for enriching the knowledge base with further positive attack instances and then yielding robust detection models. An experimentation conducted on a well-known Intrusion Detection benchmark demonstrates the validity of the proposed architecture.
... 5. The ship equipment whitelisting technique and data set [38].
6. Maritime cyberthreat intelligence: technology for the classification and evaluation of threat information tailored to ships, the maritime industry, and stakeholders [39].
7. Ship digital forensic technology to collect and analyze digital evidence in security incidents of onboard systems. ...
Article
Full-text available
Cybersecurity is important on ships that use information and communication technology. On such ships, the work, control, and sensor systems are connected for steering, navigation, and cargo management inside the hull, and a cyberattack can have physical consequences such as sinking and crashing. Research on ship cybersecurity is a new challenge, and related studies are lacking. Cyberattack models can provide better insight. With this study, we aim to introduce a cyberattack analysis method based on the MITRE ATT&CK framework so that a cyberattack model for ships can be established. In addition, we identify the characteristics of the attack phase by analyzing cases of hacking and vulnerability research for ship systems using tactics, techniques, and procedures, and suggest the minimum measures essential for defense. Using the ship cyberattack model, we aim to identify the characteristics of the systems used for ship navigation, communication, and control; provide an understanding of the threats and vulnerabilities; and suggest mitigation measures through the proposed model. We believe the results of this study could guide future research.
... Private companies have also developed well-known standards to enable threat information sharing. Mandiant's OpenIOC is an extensible XML schema designed to describe the technical characteristics of evidence of compromise [23]. It provides indicators about files (such as full paths, imports and exports, or compile times), hosts and networks (such as DNS or URI), processes (such as handles or paths), registry entries (such as names or text), services (such as name or DLL) and signatures (such as Snort or Yara), among others. ...
Article
Full-text available
Cyber threat intelligence feeds focus on atomic and computed indicators of compromise. These indicators are the main source of tactical cyber intelligence most organizations benefit from. They are expressed in machine-readable formats, and they are easily loaded into security devices in order to protect infrastructures. However, their usefulness is very limited, especially in terms of time of life. These indicators can be useful when dealing with non-advanced actors, but they are easily avoided by advanced ones. To detect advanced actors' activities, an analyst must deal with behavioral indicators of compromise, which represent tactics, techniques and procedures that are not as common as the atomic and computed ones. In this paper, we analyze why these indicators are not widely used, and we identify key requirements for successful behavioral IOC detection, specification and sharing. We follow the intelligence cycle as the arranged sequence of steps for a defensive team to work, thereby providing a common reference for these teams to identify gaps in their capabilities.