Measuring and visualizing cyber threat intelligence quality

Schlette, Daniel; Böhm, Fabian; Caselli, Marco; Pernul, Günther

doi:10.1007/s10207-020-00490-y

Cited by 48 publications

(23 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…If the information matches with that of the recipient, the CTIP is relevant to the recipient. Another notable effort is [ 21 ], which also suggested the use of specific characteristics, such as the industry sector in the Identity SDO, that are included in STIX objects to achieve filtering (similar to the domain-tagging approach). In case that a CTIP and an organization share the same characteristics, the CTIP is relevant to the organization.…”

Section: Discussionmentioning

confidence: 99%

“…Keyword searching is offered by most CTIP repositories [ 14 ]. Domain tagging concerns the categorization of shared CTIPs into domains, such as finance and education, with the utmost goal of presenting them to the organizations belonging to the same domain [ 21 ]. Keyword searching is labor-intensive, error-prone, and demands expertise in order to define the proper keywords [ 13 , 14 , 15 ], while the use of domain tagging is insufficient since current approaches only classify CTIP into a few arbitrary, high-level domains that are not sufficiently specific.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Contextualized Filtering for Shared Cyber Threat Information

Dimitriadis

Prassas

Flores

et al. 2021

Sensors

View full text Add to dashboard Cite

Cyber threat information sharing is an imperative process towards achieving collaborative security, but it poses several challenges. One crucial challenge is the plethora of shared threat information. Therefore, there is a need to advance filtering of such information. While the state-of-the-art in filtering relies primarily on keyword- and domain-based searching, these approaches require sizable human involvement and rarely available domain expertise. Recent research revealed the need for harvesting of business information to fill the gap in filtering, albeit it resulted in providing coarse-grained filtering based on the utilization of such information. This paper presents a novel contextualized filtering approach that exploits standardized and multi-level contextual information of business processes. The contextual information describes the conditions under which a given threat information is actionable from an organization perspective. Therefore, it can automate filtering by measuring the equivalence between the context of the shared threat information and the context of the consuming organization. The paper directly contributes to filtering challenge and indirectly to automated customized threat information sharing. Moreover, the paper proposes the architecture of a cyber threat information sharing ecosystem that operates according to the proposed filtering approach and defines the characteristics that are advantageous to filtering approaches. Implementation of the proposed approach can support compliance with the Special Publication 800-150 of the National Institute of Standards and Technology.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Contextualized Filtering for Shared Cyber Threat Information

Dimitriadis

Prassas

Flores

et al. 2021

Sensors

View full text Add to dashboard Cite

show abstract

“…To this end, a second future direction is how to assure CTI quality. Whereas first approaches aim to analyze and propose quality metrics for CTI (Schlette et al 2020), the subjective nature and the diversity of threat information demand further research. Based upon data analysis, a stronger data-centric focus must take the entire CTI life cycle and organizational dependencies into account.…”

Section: Open Problems and Future Directionsmentioning

confidence: 99%

Cyber Threat Intelligence

Schlette

2021

Encyclopedia of Cryptography, Security and Privacy

Self Cite

View full text Add to dashboard Cite

“…The verification needs to be as objective and meaningful as possible to provide guidance for buyers, since the actual data are encrypted. The following items serve as verification guidelines: -consistency with metadata of the seller's previous incidents -similarity check for incident metadata and verified incidents -assessment of various threat intelligence quality indicators [24] After receiving the incident data, each verifier independently performs a verification of the contained information. A basic consistency check using metadata of the seller's previous incidents verifies that the incident originates from the same industry.…”

Section: Verificationmentioning

confidence: 99%

“…To achieve this, the implemented questions are based on objective CTI data quality indicators developed for STIX2 [24]. The quality criteria are divided into three major domains.…”

Section: Verificationmentioning

confidence: 99%

DEALER: decentralized incentives for threat intelligence reporting and exchange

Menges

Putz

Pernul

2020

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

The exchange of threat intelligence information can make a significant contribution to improving IT security in companies and has become increasingly important in recent years. However, such an exchange also entails costs and risks, preventing many companies from participating. In addition, since legal reporting requirements were introduced in various countries, certain requirements must be taken into account in the exchange process. However, existing exchange platforms neither offer incentives to participate in the exchange process, nor fulfill requirements resulting from reporting obligations. With this work, we present a decentralized platform for the exchange of threat intelligence information. The platform supports the fulfillment of legal reporting obligations for security incidents and provides additional incentives for information exchange between the parties involved. We evaluate the platform by implementing it based on the EOS blockchain and IPFS distributed hash table. The prototype and cost measurements demonstrate the feasibility and cost-efficiency of our concept.

show abstract

Measuring and visualizing cyber threat intelligence quality

Cited by 48 publications

References 21 publications

Contextualized Filtering for Shared Cyber Threat Information

Contextualized Filtering for Shared Cyber Threat Information

Cyber Threat Intelligence

DEALER: decentralized incentives for threat intelligence reporting and exchange

Contact Info

Product

Resources

About