“Leveraging OSINT to Improve Threat Intelligence Quality”
Master’s thesis, Mestrado em Segurança Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Jan. 2019
Abstract: The impact of cyber-attacks and its cost has increased and risen to the billions of dollars, and therefore cyber-security has become a top priority for most organizations. To more aptly protect themselves, organizations are moving from reactive to proactive defensive measures, investing in cyber threat intelligence (CTI) to provide them forewarning about the risks they face, as well as to accelerate their response times in the detection of attacks. One means to obtain CTI is the collection of open source intelligence (OSINT) feeds via threat intelligence platforms and their representation as indicators of compromise (IoC). However, most of these platforms are providing threat information with little to no processing. This situation increases the pressure on security analysts who, already faced with the arduous task of sorting through the multitude of alerts originating from their networks must also sort this additional flow of data to find relevant intelligence. This dissertation proposes an architecture to generate threat intelligence of quality in the form of new enriched IoCs based on collected OSINT feeds. This improved intelligence is obtained by correlating and combining IoCs coming from different OSINT feeds that contain information on the same threat, aggregating them into clusters, and then representing the threat information contained within those clusters in a single enriched IoC. This dissertation first offers an overview of the current status of the use of CTI, methodologies, and technologies used, before proposing an architecture focused on a clustering approach, for which two methods are introduced, the na¨ıve and the n-level aggregation. It then describes the implementation of this architecture and its validation. The proposal was implemented in a prototype confirmed with 34 OSINT feeds, which allowed the creation of enriched IoCs that may enable the identification of cyber-attacks not previously possible by analyzing the received IoCs individually.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)