“Automated Solution for Enrichment and Quality IoC Creation from OSINT”

From Navigators


Rui Azevedo, Ibéria Medeiros, Alysson Bessani

in Proceedings of the 10th Simpósio de Informática (INForum 2018), Coimbra, Portugal, Sept. 2018.

Abstract: Cyber-security has become a top priority for most organizations, as the costs of cyber-attacks have risen to billions of dollars. To protect themselves, organizations are resorting to security information and event management (SIEM) systems to monitor their infrastructures, while investing in cyber threat intelligence (CTI) to obtain forewarning about the risks they face and to shorten their response times when attacks are detected. One path to obtain CTI is the collection of open source intelligence (OSINT) via threat intelligence platforms (TIP) and its representation as indicators of compromise (IoC). However, most TIPs provide threat information with little or no processing. This increases the pressure on security analysts who, already faced with the arduous task of sorting the alerts originating from their networks, must also sift through this additional flow of data to find relevant intelligence. This paper proposes an approach to generate threat intelligence of quality from collected OSINT feeds that can later be used in defensive infrastructures such as SIEMs. The approach, implemented in a platform and assessed with 34 OSINT feeds, was able to create enriched IoCs that allowed the identification of cyber-attacks that could not be detected by analyzing the IoCs individually.
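As an added illustration of the kind of processing the abstract describes (collecting IoCs from heterogeneous OSINT feeds, normalizing them, and enriching them with cross-feed relations so that related indicators can be examined together), the following Python example is provided here; it is not the paper's platform or code. The three feed formats, the URL-to-host linking rule, the corroboration-based quality score and the feed contents are all assumptions of this example, and the sample feeds are constructed from documentation address ranges and the .example domain rather than real threat data.

```python
"""Merge and enrich IoCs from several OSINT feeds (added example, not the paper's code)."""
import csv
import io
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample feeds in three common OSINT formats (assumed formats).
# Values use RFC 5737 test ranges and the .example TLD; they are not real IoCs.
FEED_CSV = """indicator,type
198.51.100.23,ip
Malware-Update.example.,domain
"""
FEED_LINES = """# plain list, one indicator per line
198.51.100.23
http://malware-update.example/payload.exe
"""
FEED_JSON = json.dumps([
    {"value": "malware-update.example", "type": "domain", "tags": ["c2"]},
    {"value": "http://Malware-Update.example/payload.exe", "type": "url", "tags": ["dropper"]},
    {"value": "203.0.113.9", "type": "ip", "tags": ["scanner"]},
])
FEEDS = [("csv-feed", FEED_CSV, "csv"),
         ("list-feed", FEED_LINES, "lines"),
         ("json-feed", FEED_JSON, "json")]


def classify(value):
    """Infer the IoC type of an untyped indicator (needed for plain-list feeds)."""
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


def normalize(value, ioc_type):
    """Canonical form so the same indicator seen in different feeds matches."""
    if ioc_type == "domain":
        return value.strip().rstrip(".").lower()
    if ioc_type == "url":
        p = urlparse(value.strip())
        return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()
    return value.strip()


def parse_feed(name, raw, fmt):
    """Yield (feed_name, value, type, tags) from a CSV, plain-list or JSON feed."""
    if fmt == "csv":
        for row in csv.DictReader(io.StringIO(raw)):
            yield name, row["indicator"], row["type"], set()
    elif fmt == "lines":
        for line in raw.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                yield name, line, classify(line), set()
    elif fmt == "json":
        for item in json.loads(raw):
            yield name, item["value"], item["type"], set(item.get("tags", []))
    else:
        raise ValueError(f"unknown feed format {fmt!r}")


def _new_record(ioc_type):
    return {"type": ioc_type, "sources": set(), "tags": set(), "related": set()}


def merge(feeds):
    """One record per normalized IoC value, remembering every feed that listed it."""
    iocs = {}
    for name, raw, fmt in feeds:
        for feed, value, ioc_type, tags in parse_feed(name, raw, fmt):
            rec = iocs.setdefault(normalize(value, ioc_type), _new_record(ioc_type))
            rec["sources"].add(feed)
            rec["tags"] |= tags
    return iocs


def enrich(iocs):
    """Assumed enrichment rule: link each URL IoC to its host (domain or IP) IoC,
    creating the host record if no feed listed the host on its own."""
    for key, rec in list(iocs.items()):
        if rec["type"] != "url":
            continue
        host = urlparse(key).hostname
        if host is None:
            continue
        host_rec = iocs.setdefault(host, _new_record(classify(host)))
        rec["related"].add(host)
        host_rec["related"].add(key)
    return iocs


def clusters(iocs):
    """Connected components over the 'related' links: indicators that belong to
    the same activity (e.g. a dropper URL and its C2 domain) end up together."""
    seen, out = set(), []
    for start in iocs:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            k = stack.pop()
            if k not in comp:
                comp.add(k)
                stack.extend(iocs[k]["related"])
        seen |= comp
        out.append(comp)
    return out


def score(rec):
    """Assumed quality score: number of corroborating feeds, plus one if the IoC
    is part of a chain of related indicators."""
    return len(rec["sources"]) + (1 if rec["related"] else 0)


def run(feeds=FEEDS):
    iocs = enrich(merge(feeds))
    return iocs, clusters(iocs)


if __name__ == "__main__":
    records, groups = run()
    for comp in groups:
        print(sorted(comp), [score(records[k]) for k in sorted(comp)])
```

Running it groups the dropper URL with its domain into one cluster, while the two IP addresses stay separate; the score rewards indicators that several feeds agree on or that are tied to other indicators, which is the kind of signal an analyst can use to rank feed output before pushing it to a SIEM.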



Project(s): Project:DiSIEM

Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
