On the Automated Assessment of Open-Source Cyber Threat Intelligence Sources

Tundis, Andrea; Ruppert, Samuel; Mühlhäuser, Max

doi:10.1007/978-3-030-50417-5_34

Cited by 17 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Within these, they found that the majority of indicators were active for at least 20 days before they are listed, and that some data were biased towards certain countries. Tundis et al [18] also surveyed existing open source threat intelligence sources, and, based on interviews with 30 experts (i.e., cyber security professionals and academic researchers), they proposed an approach for the automated assessment of such sources.…”

Section: Related Workmentioning

confidence: 99%

A Systematic Mapping Study on Cyber Security Indicator Data

et al. 2021

View full text Add to dashboard Cite

A security indicator is a sign that shows us what something is like or how a situation is changing and can aid us in making informed estimations on cyber risks. There are many different breeds of security indicators, but, unfortunately, they are not always easy to apply due to a lack of available or credible sources of data. This paper undertakes a systematic mapping study on the academic literature related to cyber security indicator data. We identified 117 primary studies from the past five years as relevant to answer our research questions. They were classified according to a set of categories related to research type, domain, data openness, usage, source, type and content. Our results show a linear growth of publications per year, where most indicators are based on free or internal technical data that are domain independent. While these indicators can give valuable information about the contemporary cyber risk, the increasing usage of unconventional data sources and threat intelligence feeds of more strategic and tactical nature represent a more forward-looking trend. In addition, there is a need to take methods and techniques developed by the research community from the conceptual plane and make them practical enough for real-world application.

show abstract

Section: Related Workmentioning

confidence: 99%

A Systematic Mapping Study on Cyber Security Indicator Data

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Quality of CTIbased feeds is a topic of wide interest [10], [11] in attempts to determine best data sources with high-quality curated cyber-security withholding crucial elements to make decisions. Tundis et al (2019) [12], for instance, investigated automated assessment of sources and computed a relevance score index to reduce the time needed to verify gathered intelligence.…”

Section: Cyber Threat Intelligencementioning

confidence: 99%

“…We implemented a standard web-based system with so called responsive browser window elements, i.e., flexible hypertext elements that adapts the interface it to fit in different screens (tablets, PC desktops, and even cell phones) and browsers (Opera, IE, Safari, Firefox, or Edge). For this we have used the framework provided by W3-CSS (from the World-Wide Web consortium, using cascading style sheets) 12 . The advantage of using W3-CSS over other similar alternatives is due to its simplicity and lack of jQuery/JavaScript elements that were not required by our application.…”

Section: User Interface and Extended List Of Featuresmentioning

confidence: 99%

cyberaCTIve: a STIX-based Tool for Cyber Threat Intelligence in Complex Models

Czekster¹,

Metere²,

Morisset³

2022

Preprint

View full text Add to dashboard Cite

Cyber threat intelligence (CTI) is practical realworld information that is collected with the purpose of assessing threats in cyber-physical systems (CPS). A practical notation for sharing CTI is STIX. STIX offers facilities to create, visualise and share models; however, even a moderately simple project can be represented in STIX as a quite complex graph, suggesting to spread CTI across multiple simpler sub-projects. Our tool aims to enhance the STIX-based modelling task in contexts when such simplifications are infeasible. Examples can be the microgrid and, more in general, the smart grid.

show abstract

“…Examples of data sources [33] combine technical, human, and internal domains, and the knowledge could be both structured and unstructured [19,34]. This naturally raises concerns about the quality of CTI-based feeds: indeed, it is a topic of wide interest [35,36]; Tundis et al [37], for instance, investigated automated assessment of sources and computed a relevance score index to reduce the time needed to verify gathered intelligence. Another task on the same line is that of assessing and evaluating data made available from various sources: open (publicly available) CTI feeds, data from security vendors, industry reports on vulnerabilities, open-source intelligence (OSINT) reports [38], security data extracted from IDS or firewall, data from the security, information, and event management (SIEM) platform, incident response systems, and network traffic and flow logs, to mention a few.…”

Section: Cyber Threat Intelligence and Active Buildingsmentioning

confidence: 99%

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

2022

View full text Add to dashboard Cite

Active buildings can be briefly described as smart buildings with distributed and renewable energy resources able to energise other premises in their neighbourhood. As their energy capacity is significant, they can provide ancillary services to the traditional power grid. As such, they can be a worthy target of cyber-attacks potentially more devastating than if targeting traditional smart buildings. Furthermore, to handshake energy transfers, they need additional communications that add up to their attack surface. In such a context, security analysis would benefit from collection of cyber threat intelligence (CTI). To facilitate the analysis, we provide a base active building model in STIX in the tool cyberaCTIve that handles complex models. Active buildings are expected to implement standard network security measures, such as intrusion-detection systems. However, to timely respond to incidents, real-time detection should promptly update CTI, as it would significantly speed up the understanding of the nature of incidents and, as such, allow for a more effective response. To fill this gap, we propose an extension to the tool cyberaCTIve with a web service able to accept (incursion) feeds in real-time and apply the necessary modifications to a STIX model of interest.

show abstract

On the Automated Assessment of Open-Source Cyber Threat Intelligence Sources

Cited by 17 publications

References 12 publications

A Systematic Mapping Study on Cyber Security Indicator Data

A Systematic Mapping Study on Cyber Security Indicator Data

cyberaCTIve: a STIX-based Tool for Cyber Threat Intelligence in Complex Models

Incorporating Cyber Threat Intelligence into Complex Cyber-Physical Systems: A STIX Model for Active Buildings

Contact Info

Product

Resources

About