“Generating Quality Threat Intelligence Leveraging OSINT and a Cyber Threat Unified Taxonomy”
ACM Transactions on Privacy and Security, vol. 25-3, no. 19, May 2022.
Abstract: Today’s threats use multiple means of propagation, such as social engineering, email, and application vulnerabilities, and often operate in different phases, such as single device compromise, lateral network movement and data exfiltration. These complex threats rely on advanced persistent threats (APTs) supported by well-advanced tactics for appear unknown to traditional security defences. As organisations realise that attacks are increasing in size and complexity, cyber threat intelligence (TI) is growing in popularity and use. This trend followed the evolution of APTs as they require a different level of response that is more specific to the organisation. TI can be obtained via many formats, being open-source intelligence (OSINT) one of the most common; and using threat intelligence platforms (TIPs) that aid organisations to consume, produce and share TI. TIPs have multiple advantages that enable organisations to quickly bootstrap the core processes of collecting, analysing and sharing threat-related information. However, current TIPs have some limitations that prevent their mass adoption. This paper proposes AECCP, a platform that addresses some of the TIPs limitations. AECCP improves quality TI by classifying it accordingly to a single unified taxonomy, removing the information with low value, enriching it with valuable information from OSINT sources, and aggregating it for complementing information associated with the same threat. AECCP was validated and evaluated with three datasets of events and compared with two other platforms, showing that it can generate quality TI automatically and help security analysts analyse security incidents in less time.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)