A survey on technical threat intelligence in the age of sophisticated cyber attacks

Today's cyber attacks require a new line of security defenses. The static approach of traditional security, based on heuristics and signatures, does not match the dynamic nature of a new generation of threats that are known to be evasive, resilient and complex. Organizations need to gather and share real-time cyber threat information and transform it into threat intelligence in order to prevent attacks or at least execute timely disaster recovery. Threat Intelligence (TI) means evidence-based knowledge representing threats that can inform decisions. There is a general awareness of the need for threat intelligence, and vendors today are rushing to provide a diverse array of threat intelligence products, focusing specifically on Technical Threat Intelligence (TTI). Although threat intelligence is being increasingly adopted, there is little consensus on what it actually is or how to use it. Without a real understanding of this need, organizations risk investing large amounts of time and money without solving their existing security problems. Our paper aims to classify and distinguish among existing threat intelligence types. We focus particularly on TTI issues, emerging research, trends and standards. Our paper also explains why organizations are reluctant to share threat intelligence. We provide sharing strategies based on trust and anonymity, so that participating organizations can avoid the risk of business information leakage. We also show why a standardized representation of threat information can improve the quality of TTI, thus enabling better automated analytics on large volumes of TTI, which are often non-uniform and redundant. Finally, we evaluate the most popular open source/free threat intelligence tools and compare their features with those of a new AlliaCERT TI tool.
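As an added illustration of the abstract's point that large volumes of TTI are non-uniform and redundant until they share one representation (example code written for this page, not from the paper or the AlliaCERT tool): two constructed feeds in different formats are mapped onto one shared type vocabulary, values are canonicalized, and duplicate indicators collapse into a single record that keeps the earliest and latest sighting and every source that reported it.

```python
import csv
import json

# Constructed sample feeds (not taken from the paper): two sources that
# describe overlapping indicators using different field names and formats.
FEED_A_CSV = """type,value,seen
domain,Example-Bad.TEST,2017-01-02
ipv4,198.51.100.7,2017-01-03
md5,D41D8CD98F00B204E9800998ECF8427E,2017-01-01
"""
FEED_B_JSON = json.dumps([
    {"kind": "fqdn", "indicator": "example-bad.test.", "ts": "2017-01-05"},
    {"kind": "ip", "indicator": "198.51.100.7", "ts": "2017-01-02"},
    {"kind": "hash-md5", "indicator": "d41d8cd98f00b204e9800998ecf8427e", "ts": "2017-01-04"},
    {"kind": "ip", "indicator": "203.0.113.9", "ts": "2017-01-06"},
])

# Map each feed's private type labels onto one shared vocabulary (STIX 2 observable type names).
TYPE_MAP = {
    "domain": "domain-name", "fqdn": "domain-name",
    "ipv4": "ipv4-addr", "ip": "ipv4-addr",
    "md5": "file:hashes.MD5", "hash-md5": "file:hashes.MD5",
}

def canonical(std_type, raw):
    """Normalize the value so syntactic variants of one indicator collide."""
    v = raw.strip()
    if std_type == "domain-name":
        v = v.lower().rstrip(".")      # case and trailing dot are not distinct domains
    elif std_type == "file:hashes.MD5":
        v = v.lower()                  # hex digests compare case-insensitively
    return v

def parse_feeds():
    """Yield (source, std_type, value, date) tuples from both raw feeds."""
    for row in csv.DictReader(FEED_A_CSV.splitlines()):
        yield "A", TYPE_MAP[row["type"]], row["value"], row["seen"]
    for rec in json.loads(FEED_B_JSON):
        yield "B", TYPE_MAP[rec["kind"]], rec["indicator"], rec["ts"]

def merge_feeds():
    """Collapse redundant records into one entry per (type, canonical value)."""
    merged = {}
    for src, std_type, raw, date in parse_feeds():
        key = (std_type, canonical(std_type, raw))
        e = merged.setdefault(key, {"first_seen": date, "last_seen": date, "sources": set()})
        e["first_seen"] = min(e["first_seen"], date)   # ISO dates sort lexically
        e["last_seen"] = max(e["last_seen"], date)
        e["sources"].add(src)
    return merged
```

Seven raw records become four merged indicators; the number of reporting sources per entry is the kind of signal that is lost when feeds are consumed in their native, non-uniform shapes.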
