The Quest for the Appropriate Cyber-threat Intelligence Sharing Platform

Chantzios, Thanasis; Koloveas, Paris; Skiadopoulos, Spiros; Kolokotronis, Nicholas; Tryfonopoulos, Christos; Bilali, Vasiliki-Georgia; Kavallieros, Dimitris

doi:10.5220/0007978103690376

Cited by 6 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[5]). Modern studies which evaluate tools either do so via a literature based evaluation [7], or by surveying organisations [10], rather than direct empiric testing.…”

Section: Evaluation Of Sharing Methods and Platformsmentioning

confidence: 99%

“…The reputation of stakeholders is gained over time, but is damaged easily [42] and is even harder to re-accumulate. Some form of anonymisation and unattributed information could help solve this worry [17], however there is currently no complete solution to the problem [10,20,32,34].An additional concern is that the sharing of raw data could expose details of the victim's infrastructure and encourage other threat actors to attack based on the information presented [41].…”

Section: Barriers To Cti Sharingmentioning

confidence: 99%

See 1 more Smart Citation

Practical Cyber Threat Intelligence in the UK Energy Sector

Paice

McKeown

2023

Springer Proceedings in Complexity

View full text Add to dashboard Cite

The UK energy sector is a prime target for cyber-attacks by foreign states, criminals, 'hacktivist' groups and terrorists. As Critical National Infrastructure (CNI), the industry needs to understand the threats it faces to mitigate risks and make efficient use of limited resources. Cyber Threat Intelligence (CTI) sharing is one means of achieving this, by leveraging sector wide knowledge to combat ongoing mutual threats. However, being unable to segregate intelligence or to control what is disseminated to which parties, and by which means, has impeded industry cooperation thus far. The purpose of this study is to investigate the barriers to sharing and to add to the body of knowledge of CTI in the UK energy sector, while providing some level of assurance that existing tooling is fit for purpose. We achieve these aims by conducting a multivocal literature review and by experimentation using a simulated Malware Information Sharing Platform (MISP) community in a virtual environment. This work demonstrates that trust can be placed in the open-source MISP platform, with the caveat that the sharing models and tooling limitations are understood, while also taking care to create appropriate deployment taxonomies and sharing rules. It is hoped that some of the identified barriers are partially alleviated, helping to lay the foundations for a UK Energy sector CTI sharing community.

show abstract

“…[5]). Modern studies which evaluate tools either do so via a literature based evaluation [7], or by surveying organisations [10], rather than direct empiric testing.…”

Section: Evaluation Of Sharing Methods and Platformsmentioning

confidence: 99%

Section: Barriers To Cti Sharingmentioning

confidence: 99%

Practical Cyber Threat Intelligence in the UK Energy Sector

Paice

McKeown

2023

Springer Proceedings in Complexity

View full text Add to dashboard Cite

show abstract

“…The Data Management and Sharing module of INTIME extends MISP [5,6] that takes the lead in the CTI life-cycle support platforms' race [102,103]. MISP models CTI using security events that contain objects and attributes.…”

mentioning

confidence: 99%

inTIME: A Machine Learning-Based Framework for Gathering and Leveraging Web Data to Cyber-Threat Intelligence

et al. 2021

Self Cite

View full text Add to dashboard Cite

In today’s world, technology has become deep-rooted and more accessible than ever over a plethora of different devices and platforms, ranging from company servers and commodity PCs to mobile phones and wearables, interconnecting a wide range of stakeholders such as households, organizations and critical infrastructures. The sheer volume and variety of the different operating systems, the device particularities, the various usage domains and the accessibility-ready nature of the platforms creates a vast and complex threat landscape that is difficult to contain. Staying on top of these evolving cyber-threats has become an increasingly difficult task that presently relies heavily on collecting and utilising cyber-threat intelligence before an attack (or at least shortly after, to minimize the damage) and entails the collection, analysis, leveraging and sharing of huge volumes of data. In this work, we put forward inTIME, a machine learning-based integrated framework that provides an holistic view in the cyber-threat intelligence process and allows security analysts to easily identify, collect, analyse, extract, integrate, and share cyber-threat intelligence from a wide variety of online sources including clear/deep/dark web sites, forums and marketplaces, popular social networks, trusted structured sources (e.g., known security databases), or other datastore types (e.g., pastebins). inTIME is a zero-administration, open-source, integrated framework that enables security analysts and security stakeholders to (i) easily deploy a wide variety of data acquisition services (such as focused web crawlers, site scrapers, domain downloaders, social media monitors), (ii) automatically rank the collected content according to its potential to contain useful intelligence, (iii) identify and extract cyber-threat intelligence and security artifacts via automated natural language understanding processes, (iv) leverage the identified intelligence to actionable items by semi-automatic entity disambiguation, linkage and correlation, and (v) manage, share or collaborate on the stored intelligence via open standards and intuitive tools. To the best of our knowledge, this is the first solution in the literature to provide an end-to-end cyber-threat intelligence management platform that is able to support the complete threat lifecycle via an integrated, simple-to-use, yet extensible framework.

show abstract