“PURE: Generating Quality Threat Intelligence by Clustering and Correlating OSINT”
in In Proceedings of IEEE TrustCom, Aug. 2019.
Abstract: Cybersecurity has become a top priority for mostorganizations. To more aptly protect themselves, organizationsare moving from reactive to proactive defensive measures. Theyare investing in cyber threat intelligence (CTI) to provide themforewarning about the risks they face, as well as to acceleratetheir response times in the detection of attacks. A mean toobtain CTI is the collection of open source intelligence (OSINT)information via threat intelligence platforms and their repre-sentation as indicators of compromise (IoC). However, most ofthese platforms are providing threat information with little tono processing, presenting thus limitations on generating usefulquality data. This work presents an approach for improvingOSINT processing to generatethreat intelligence of qualityinthe form ofenriched IoCs. This improved intelligence is obtainedby correlating and combining IoCs coming from different OSINTfeeds that contain information about the same threat, aggregatingthem into clusters, and then representing the threat informationcontained within those clusters in a singleenriched IoC. Theapproach was implemented in the PURE platform and evaluatedwith 34 OSINT feeds, which allowed the creation of enrichedIoCs that permitted the identification of attacks not previouslypossible by analyzing the IoCs individuall
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)