ABSTRACT
Across the world, organizations have teams gathering threat data to protect themselves from incoming cyber attacks and to maintain a strong cyber security posture. Teams also share information, because along with the data collected internally, organizations need external information to obtain a comprehensive view of the threat landscape. Information about cyber threats comes from a variety of sources, including sharing communities and open-source and commercial feeds, and it spans many different levels and timescales. Immediately actionable information is often made up of low-level indicators of compromise, such as known malware hash values or command-and-control IP addresses, for which an actionable response can be executed automatically by a system. Threat intelligence refers to more complex cyber threat information that has been acquired or inferred through the analysis of existing information. Information such as the different malware families used over time in an attack, or the network of threat actors involved in an attack, is valuable and can be vital to understanding and predicting attacks and threat developments, as well as to informing law enforcement investigations. This information is also actionable, but on a longer time scale, and it requires action and decision-making at the human level. There is a need for effective intelligence management platforms to facilitate the generation, refinement, and vetting of data after it has been shared. In designing such a system, some of the key challenges include: working with multiple intelligence sources; combining and enriching data for greater intelligence; determining intelligence relevance based on technical constructs and organizational input; and delivering intelligence into organizational workflows and into technological products. This paper discusses these challenges and summarizes the community requirements and expectations for an all-encompassing Threat Intelligence Management Platform.
The requirements expressed in this paper, when implemented, will serve as building blocks for systems that can maximize the value of a set of collected intelligence and translate those findings into action for a broad range of stakeholders.
From Cyber Security Information Sharing to Threat Management