2022
DOI: 10.48550/arxiv.2204.03676
Preprint

cyberaCTIve: a STIX-based Tool for Cyber Threat Intelligence in Complex Models

Abstract: Cyber threat intelligence (CTI) is practical real-world information that is collected with the purpose of assessing threats in cyber-physical systems (CPS). A practical notation for sharing CTI is STIX. STIX offers facilities to create, visualise and share models; however, even a moderately simple project can be represented in STIX as a quite complex graph, suggesting to spread CTI across multiple simpler sub-projects. Our tool aims to enhance the STIX-based modelling task in contexts when such simplifications …

Citations: cited by 1 publication (4 citation statements)
References: 27 publications
“…We base our contribution over STIX modelling, a popular ad-hoc notation for storing and sharing CTI across trustful counterparts. For this work, we have employed a tool based on STIX called cyberaCTIve [30], that offers two functionalities: a dashboard visualiser that is clear when managing complex models, as active buildings require, and a timed event list of model changes for basic forensic analysis. As active buildings are potential target of cyber-attacks that have serious repercussions to the power grid (a critical infrastructure), security officers would benefit from using IDS.…”
Section: Discussion (mentioning)
confidence: 99%
“…This allows for basic forensic analysis on the model, e.g., in our case the model of an active building. Unfortunately, cyberaCTIve [30] does not implement any automation for feeding the model with real-time incidents. So, we extended the tool to allow an external source of CTI to augment the STIX model (Observation: we shall release this extension as open-source in due course, adjusting it to include a link to it in the final version of this paper.).…”
Section: A Base Stix Model For Active Buildings (mentioning)
confidence: 99%