“Enriching Threat Intelligence Platforms Capabilities”
In Proceedings of the International Conference on Security and Cryptography (SECRYPT), Prague, Czech Republic, Jul. 2019.
Abstract: One of the weakest points in current security detection and monitoring systems is the retrieval of data from Open Source Intelligence (OSINT), as well as how this kind of information should be processed and normalized, considering its unstructured nature. This cybersecurity-related information (e.g., Indicators of Compromise, IoCs) is obtained from diverse sources and collected by Threat Intelligence Platforms (TIPs). In order to improve its quality, such information should be correlated with real-time data coming from the monitored infrastructure before being further analyzed and shared. In this way, it can be prioritized, allowing faster incident detection and response. This paper presents an Enriched Threat Intelligence Platform as a way to extend the import, quality assessment, and information sharing capabilities of current TIPs. The platform receives structured cyber threat information from multiple sources and correlates it with both static and dynamic data coming from the monitored infrastructure. This allows the evaluation of a threat score through heuristic-based analysis, used to enrich the information received from OSINT and other sources. The final result, expressed in a well-defined format, is sent to external entities, where it is further used for monitoring and detecting incidents (e.g., SIEMs) or for more in-depth analysis, and is shared with trusted organizations.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
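The enrichment step the abstract describes, as an added illustration that is not the paper's code: OSINT indicators are correlated with static data (an asset inventory) and dynamic data (recent events from the monitored infrastructure), scored, ranked, and rendered in an export-ready form. The scoring rule, the feed and the infrastructure data are all constructed assumptions; the paper's own heuristics are not given here.

```python
"""Toy TIP enrichment: correlate OSINT IoCs with infrastructure data and score them."""
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str                      # the observable, e.g. an IP address or domain
    kind: str                       # "ip" or "domain"
    source: str                     # OSINT feed the indicator came from
    score: int = 0                  # threat score assigned by enrichment
    sightings: list = field(default_factory=list)  # evidence from the infrastructure


# Constructed sample OSINT feed (documentation-range addresses, not real IoCs)
OSINT_FEED = [
    Indicator("203.0.113.7", "ip", "feedA"),
    Indicator("evil.example", "domain", "feedB"),
    Indicator("198.51.100.9", "ip", "feedA"),
]
# Static data: constructed asset inventory of the monitored infrastructure
ASSETS = {
    "10.0.0.5": {"role": "db", "criticality": 3},
    "10.0.0.8": {"role": "workstation", "criticality": 1},
}
# Dynamic data: constructed recent connection/DNS events from the infrastructure
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dns": None},
    {"src": "10.0.0.8", "dst": "192.0.2.1", "dns": "evil.example"},
]


def enrich(feed, assets, events):
    """Hypothetical heuristic: an indicator actually observed in traffic from a
    monitored host gains 10 * that host's criticality per sighting. Unmatched
    indicators keep score 0 and sink to the bottom of the ranking."""
    enriched = []
    for ind in feed:
        score, sightings = 0, []
        for ev in events:
            matched = (ind.kind == "ip" and ev["dst"] == ind.value) or \
                      (ind.kind == "domain" and ev.get("dns") == ind.value)
            if matched:
                crit = assets.get(ev["src"], {}).get("criticality", 1)
                score += 10 * crit
                sightings.append(f"{ev['src']} -> {ind.value}")
        enriched.append(Indicator(ind.value, ind.kind, ind.source, score, sightings))
    return sorted(enriched, key=lambda i: i.score, reverse=True)


def to_export(indicators):
    """Flatten enriched indicators into plain dicts, ready for a SIEM or sharing."""
    return [{"value": i.value, "type": i.kind, "source": i.source,
             "score": i.score, "sightings": i.sightings} for i in indicators]
```

Running `to_export(enrich(OSINT_FEED, ASSETS, EVENTS))` ranks the indicator seen from the critical database host first, the one seen from a workstation second, and the unseen one last.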