A survey on technical threat intelligence in the age of sophisticated cyber attacks

Tounsi, Wiem; Rais, Helmi Md

doi:10.1016/j.cose.2017.09.001

Cited by 311 publications

(256 citation statements)

References 14 publications

Supporting

Mentioning

230

Contrasting

Unclassified

Order By: Relevance

“…These sources can include data generated outside of an organization such as governmental projects, open source, and publiclyavailable databases, as well as commercial providers [21]. However, data for a security threat intelligence program can also be generated internally within an organization [10,12,21]. For example, network monitors, host-based indicators, and an organization's security incident response team [10,12,21].…”

Section: Related Workmentioning

confidence: 99%

“…However, data for a security threat intelligence program can also be generated internally within an organization [10,12,21]. For example, network monitors, host-based indicators, and an organization's security incident response team [10,12,21]. The purpose of this team is to minimize the effects of an incident and manage an organization's return to an acceptable security posture [14].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations

Grispos¹,

Glisson

Storer

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

An increasing number of cybersecurity incidents prompts organizations to explore alternative security solutions, such as threat intelligence programs. For such programs to succeed, data needs to be collected, validated, and recorded in relevant datastores. One potential source supplying these datastores is an organization's security incident response team. However, researchers have argued that these teams focus more on eradication and recovery and less on providing feedback to enhance organizational security. This prompts the idea that data collected during security incident investigations may be of insufficient quality for threat intelligence analysis.While previous discussions focus on data quality issues from threat intelligence sharing perspectives, minimal research examines the data generated during incident response investigations. This paper presents the results of a case study identifying data quality challenges in a Fortune 500 organization's incident response team. Furthermore, the paper provides the foundation for future research regarding data quality concerns in security incident response.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations

Grispos¹,

Glisson

Storer

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…Attacks have changed visibly with respect to their target, function, range, and form. Modern, advanced threats are multivectored and multistaged as they utilize various attack vectors, including email, portable media, or vulnerable web protocols, and are conducted in several stages, often extending over a longer time ( advanced persistent threats or APTs ) . Next to classical, general attacks that affect large numbers of arbitrary computer systems, highly targeted and specialized cyberthreats have been introduced ( targeted attacks ) .…”

Section: Introductionmentioning

confidence: 99%

“…Such attacks are not any longer conducted by malevolent individuals. Large, organized groups of specialists that aim at gaining real financial profits or political benefits stay behind them instead . Also, the extensive expertise necessary for conducting such sophisticated attacks campaigns within a reasonable time can be only acquired by teams.…”

Section: Introductionmentioning

confidence: 99%

Threat intelligence platform for the energy sector

Wróbel

2019

Softw Pract Exp

View full text Add to dashboard Cite

In recent years, critical infrastructures and power systems in particular have been subjected to sophisticated cyberthreats, including targeted attacks and advanced persistent threats. A promising response to this challenging situation is building up enhanced threat intelligence (TI) that interlinks information sharing and fine-grained situation awareness. In this paper, a framework that integrates all levels of TI, ie, strategic, tactical, operational, and technical, is presented. The platform implements the centralized model of information exchange with peer-to-peer interactions between partners as an option. Several supportive solutions were introduced, including anonymity mechanisms or data processing and correlation algorithms. A data model that enables communication of cyberincident information, both in natural language and machine-readable formats, was defined. Similarly, security requirements for critical components were devised. A pilot implementation of the platform was developed and deployed in the operational environment, which enabled practical evaluation of the design. Also, the security of the anonymity architecture was analyzed.

show abstract

“…Although TI is being increasingly adopted, there is little consensus on what it actually is or how to use it. Without any real understanding of this need, organizations risk investing large amounts of time and money without solving existing security problems [16][17][18].…”

Section: Related Workmentioning

confidence: 99%

Presenting a method to perform cyber maneuvers

Shakibazad¹,

Rashidi²

2018

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

Performing cyber maneuvers in an operational environment is not easy. We need a cyber-situational awareness framework to perform its maneuvers to protect the cyberspace and to cope with its attacks. The battlefield provided has essential information for detecting cybercrime events. The present study resolved the challenges of implementing these maneuvers through dynamic simulation of the cyber battlefield. The cyber battlefield contains detailed information on cyberspace elements, including the vulnerability knowledge repository, the tangible and intangible components of the cyberspace allowing maneuvering, penetration testing, injection attacks, tracking attacks, visualization, evaluation of the impact of cyberattacks, and risk evaluation. By injecting attacks and using the proposed algorithms, an impact assessment of each attack step on each of the elements of the environment has been done to identify potential threats.Using the proposed algorithms, an impact assessment has been performed on each of the environmental elements in order to identify potential threats. A dynamic updating simulator engine has been designed to update the vulnerability knowledge base automatically and change the topology and features of elements, accesses, services, hosts, and users.Modeling and simulation were evaluated using a qualitative research method and creating a focus group.

show abstract

A survey on technical threat intelligence in the age of sophisticated cyber attacks

Cited by 311 publications

References 14 publications

How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations

How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations

Threat intelligence platform for the energy sector

Presenting a method to perform cyber maneuvers

Contact Info

Product

Resources

About