Cyber Threat Intelligence

Daniel Schlette
Chair of Information Systems, University of Regensburg, Regensburg, Germany

Synonyms

Threat intelligence

Definition

The security of information systems is a fragile state and under constant scrutiny of malicious actors. Therefore, security incidents, cyberattacks, and other forms of imminent threats are common and must be dealt with. Cyber Threat Intelligence (CTI) aims to provide meaningful and actionable knowledge about threats originating from and targeting the cyber domain (i.e., information systems) and manifesting in (successful) information security impairments. Additionally, threat intelligence is commonly defined by its focus on evidence (e.g., Indicators of Compromise) and its context, which helps to inform decision makers about adequate response to threats (McMillan 2013).

CTI comprises different components and in essence refers to (1) the threat information itself, (2) structured data formats, (3) sharing platforms, and (4) incident response procedures. These components are further embraced by data quality and the CTI life cycle documenting a process from CTI generation to eventual revocation.
Background

Against the background of attackers sharing information about vulnerabilities, malware, or attack patterns, security analysts and defenders began to leverage security information. The aim to better protect information systems initially mandated the collection and aggregation of relevant knowledge. Thus, early work on threat information started by detailing the many aspects of information security incidents (Howard and Longstaff 1998). Threat information itself typically consists of various levels. Low-level cyber-observables express artifacts such as malicious files and their signatures but also extend to processes and network traffic. Higher-level threat information then provides insights on more complex Indicators of Compromise (IoC), vulnerabilities, and attacker behavior. Lastly, a third level of threat information deals with countermeasures relevant for incident response and attribution of attacks (Mavroeidis and Bromander 2017). When analyzed and put into context, all this information represents cyber threat intelligence. Accordingly, CTI is often seen to fulfill either operational, tactical, or strategic aims within an organization (Tounsi and Rais 2018).

However, to make use of CTI for sharing and collaborative analysis, and to overcome ambiguities, individual pieces of CTI must be structured. Consequently, an important element of CTI is structured data formats. These data formats often deal with a very specific aspect of CTI, but some also cover the full CTI spectrum. Over the course of the years, formats have been developed ranging from enumerations and scoring systems to frameworks and comprehensive CTI standards (Dandurand et al. 2014). As formats in the CTI ecosystem are manifold and diverse, there is a need for comparison. Distinguished by their dedicated functionalities, enumerations identify vulnerabilities or assets. Scoring systems condense security information to a single indicative number. Frameworks typically support the understanding of attacker behavior. CTI standards then integrate these granular elements and provide a holistic view of security incidents and attacks (Menges and Pernul 2018).

Built upon CTI formats, sharing and collaboration on threat information become possible. CTI-sharing platforms bring together different stakeholders using technologies for information storage and exchange. In addition, sharing of CTI has to deal with the legal environment, industry requirements, and incentives for participation (Skopik et al. 2016). Finally, CTI goes beyond being purely informative and proves itself actionable by directly linking to incident response. To investigate, remediate, mitigate, and prevent security incidents, CTI not only contains information on root causes but can also show blueprints of adequate countermeasures. For all the above-mentioned components, data quality plays an important role, as low-quality CTI implies ineffectiveness and can have severe consequences when applied to defensive information systems.

© Springer Science+Business Media LLC 2021
S. Jajodia et al. (eds.), Encyclopedia of Cryptography, Security and Privacy, https://doi.org/10.1007/978-3-642-27739-9_1716-1
Theory and Applications

Whereas security information has been around for at least the last two decades, cyber threat intelligence is a much newer term and has significantly gained momentum in the last 7 years. Its theoretical foundations are strongly linked to practical application. For instance, defining CTI relates to organizational processes, and security information eventually becomes CTI. Analogous to the overall information security domain, people, processes, and technology are part of CTI and its applications. In CTI, security analysts with certain skills may perform threat hunting to identify and act upon CTI or derive incident response procedures. CTI personnel can thus be organized within the Security Operations Center (SOC) or form a standalone organizational unit with close contact to the SOC, the Computer Emergency Response Team (CERT), and other IT units (Brown and Lee 2019). Processes pertaining to CTI include consuming, using, and producing CTI. From a different perspective, the CTI life cycle describes transformation processes on threat information (Landauer et al. 2019). Technology supportive of CTI covers sharing platforms, most notably the MISP – Open Source Threat Intelligence Platform, TAXII – Trusted Automated Exchange of Indicator Information servers, and proprietary solutions. The STIX – Structured Threat Information eXpression, available in version 2.1, is currently a prevalent standard for CTI and follows a graph-based approach (Barnum 2014). Thereby, different types of CTI objects can be defined and connected. With MISP, VERIS – Vocabulary for Event Recording and Incident Sharing, and IODEF – Incident Object Description Exchange Format, there exist other well-known and comprehensive CTI standards. Complementing CTI technology, sources of CTI include various security systems such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), or firewalls (Lee 2020). As CTI fosters bidirectional transfer, these systems can serve as a sink too, which is particularly helpful to prevent security incidents in the future.
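The graph-based approach of STIX 2.1 described above can be made concrete with a small walk over a bundle of connected objects. The following Python code is an added example and not part of the original chapter or of any STIX project code; the bundle, its identifiers, the course-of-action text and the hash values are constructed for illustration, and only the standard library is used (not the `stix2` reference implementation). It also picks up the life cycle point from the Definition: an indicator that has been revoked, or that lies outside its validity window, yields no course of action, which is the check a consuming defense system should make before acting on it.

```python
"""Walk a STIX 2.1-style object graph and derive actionable courses of action.

Added example: the objects below are hand-constructed dicts laid out like
STIX 2.1 Domain Objects and Relationship Objects. They are not taken from
any real feed; no real indicator, hash or malware is described.
"""
from datetime import datetime, timezone

# Constructed identifiers (STIX ids are "<type>--<UUID>"; these UUIDs are placeholders).
IND_ACTIVE = "indicator--00000000-0000-4000-8000-000000000010"
IND_REVOKED = "indicator--00000000-0000-4000-8000-000000000011"
MALWARE_ID = "malware--00000000-0000-4000-8000-000000000020"
COA_ID = "course-of-action--00000000-0000-4000-8000-000000000030"
CREATED = "2021-01-10T09:00:00.000Z"


def _stix_obj(obj_type, obj_id, **props):
    """Build a STIX object dict with the common required properties plus extras."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": obj_id,
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj


def _rel(rel_id, rel_type, source_ref, target_ref):
    """Build a STIX Relationship Object: a directed, typed edge of the graph."""
    return _stix_obj("relationship", rel_id, relationship_type=rel_type,
                     source_ref=source_ref, target_ref=target_ref)


# Constructed sample bundle: two indicators pointing at one malware object,
# one course of action mitigating that malware, plus the connecting edges.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _stix_obj("indicator", IND_ACTIVE, name="Sample file hash (constructed)",
                  pattern_type="stix",
                  pattern="[file:hashes.'SHA-256' = '%s']" % ("0" * 64),
                  valid_from="2021-01-10T09:00:00Z", valid_until="2099-01-01T00:00:00Z"),
        _stix_obj("indicator", IND_REVOKED, name="Superseded hash (constructed)",
                  pattern_type="stix",
                  pattern="[file:hashes.'SHA-256' = '%s']" % ("1" * 64),
                  valid_from="2020-06-01T00:00:00Z", revoked=True),
        _stix_obj("malware", MALWARE_ID, name="Sample malware family (constructed)",
                  is_family=True),
        _stix_obj("course-of-action", COA_ID,
                  name="Block the sample hash at the endpoint protection layer"),
        _rel("relationship--00000000-0000-4000-8000-000000000100", "indicates", IND_ACTIVE, MALWARE_ID),
        _rel("relationship--00000000-0000-4000-8000-000000000101", "indicates", IND_REVOKED, MALWARE_ID),
        _rel("relationship--00000000-0000-4000-8000-000000000102", "mitigates", COA_ID, MALWARE_ID),
    ],
}


def parse_ts(value):
    """Parse a STIX timestamp (RFC 3339, UTC 'Z' suffix) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not a STIX timestamp: %r" % (value,))


def index_objects(bundle):
    """Nodes of the graph: every object id mapped to its object."""
    return {obj["id"]: obj for obj in bundle["objects"]}


def neighbours(bundle, obj_id, rel_type, direction):
    """Ids reached from obj_id over edges of rel_type.

    direction is "out" (obj_id is the source_ref) or "in" (obj_id is the target_ref).
    """
    here, there = (("source_ref", "target_ref") if direction == "out"
                   else ("target_ref", "source_ref"))
    return [r[there] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == rel_type
            and r[here] == obj_id]


def is_active(indicator, now):
    """An indicator is actionable only if not revoked and inside its validity window."""
    if indicator.get("revoked", False):
        return False
    if parse_ts(indicator["valid_from"]) > now:
        return False
    until = indicator.get("valid_until")
    return until is None or now < parse_ts(until)


def actions_for_indicator(bundle, indicator_id, now=None):
    """Follow indicator -indicates-> malware <-mitigates- course-of-action.

    Returns the sorted course-of-action names, or [] when the indicator is
    revoked or expired, so stale CTI never reaches a defensive system.
    """
    now = now or datetime.now(timezone.utc)
    nodes = index_objects(bundle)
    if not is_active(nodes[indicator_id], now):
        return []
    names = set()
    for malware_id in neighbours(bundle, indicator_id, "indicates", "out"):
        for coa_id in neighbours(bundle, malware_id, "mitigates", "in"):
            names.add(nodes[coa_id]["name"])
    return sorted(names)


if __name__ == "__main__":
    for ind_id in (IND_ACTIVE, IND_REVOKED):
        print(ind_id, "->", actions_for_indicator(BUNDLE, ind_id))
```

The relationship types `indicates` and `mitigates` and the `revoked`, `valid_from` and `valid_until` properties are those defined by the STIX 2.1 specification; everything else in the bundle is made up for the example. In a real deployment the same traversal would run over objects received through TAXII or exported from MISP.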
Open Problems and Future Directions

Research on CTI has led to a better understanding of its manifold facets. Nevertheless, challenges and open problems remain with regard to the use of threat information for active cyber defense. Actionable CTI has yet to cope with its (semi-)automated use in incident response processes. Therefore, development of dedicated incident response data formats is a necessary step (Nespoli et al. 2017). Subsequently, integration into existing CTI formats (e.g., STIX 2.1 and its Course of Action object) will support comprehensiveness as well as effectiveness of CTI. Beyond this, a second future direction is how to assure CTI quality. Whereas first approaches aim to analyze and propose quality metrics for CTI (Schlette et al. 2020), the subjective nature and the diversity of threat information demand further research. Based upon data analysis, a stronger data-centric focus must take the entire CTI life cycle and organizational dependencies into account. Here, a relevant challenge concerning CTI sharing is the involvement of CTI users beyond solely consuming CTI, through sharing incentives or regulatory requirements.
Cross-References

Cyber Threat Intelligence Sharing
Security Operations Center
Security Information and Event Management

References

Barnum S (2014) Standardizing cyber threat intelligence information with the structured threat information eXpression (STIX). Version 1.1, Revision 1. MITRE. http://stixproject.github.io/getting-started/whitepaper/
Brown R, Lee RM (2019) The evolution of cyber threat intelligence (CTI): 2019 SANS CTI survey. SANS
Dandurand L, Kaplan A, Kácha P, Kadobayashi Y, Kompanek A, Lima T et al (2014) Standards and tools for exchange and processing of actionable information. ENISA. https://www.enisa.europa.eu/publications/standards-and-tools-for-exchange-and-processing-of-actionable-information
Howard JD, Longstaff TA (1998) A common language for computer security incidents. Sandia National Labs
Landauer M, Skopik F, Wurzenberger M, Hotwagner W, Rauber A (2019) A framework for cyber threat intelligence extraction from raw log data. In: 2019 IEEE international conference on big data (Big Data). IEEE, pp 3200–3209. https://doi.org/10.1109/bigdata47090.2019.9006328
Lee RM (2020) 2020 SANS cyber threat intelligence (CTI) survey. SANS
Mavroeidis V, Bromander S (2017) Cyber threat intelligence model: an evaluation of taxonomies, sharing standards, and ontologies within CTI. In: 2017 European intelligence and security informatics conference (EISIC). IEEE, pp 91–98
McMillan R (2013) Definition: threat intelligence. Gartner. https://www.gartner.com/en/documents/2487216/definition-threat-intelligence. Checked on 10 Jan 2020
Menges F, Pernul G (2018) A comparative analysis of incident reporting formats. Comput Secur 73:87–101. https://doi.org/10.1016/j.cose.2017.10.009
Nespoli P, Papamartzivanos D, Mármol FG, Kambourakis G (2017) Optimal countermeasures selection against cyber attacks: a comprehensive survey on reaction frameworks. IEEE Commun Surv Tutorials 20(2):1361–1396
Schlette D, Böhm F, Caselli M, Pernul G (2020) Measuring and visualizing cyber threat intelligence quality. Int J Inf Secur 1–18
Skopik F, Settanni G, Fiedler R (2016) A problem shared is a problem halved: a survey on the dimensions of collective cyber defense through security information sharing. Comput Secur 60:154–176. https://doi.org/10.1016/j.cose.2016.04.003
Tounsi W, Rais H (2018) A survey on technical threat intelligence in the age of sophisticated cyberattacks. Comput Secur 72:212–233