ABSTRACT
Threat actors can be persistent, motivated and agile, and they leverage a diversified and extensive set of tactics, techniques, and procedures to attain their goals. In response, organizations establish threat intelligence programs to improve their defense capabilities and mitigate risk. Actionable threat intelligence is integrated into security information and event management (SIEM) systems, forming a threat intelligence platform. A threat intelligence platform aggregates log data from multiple disparate sources by deploying numerous collection agents, and provides centralized analysis and reporting of an organization's security events for identifying malicious activity. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed, mainly focusing on search engines (NoSQL database systems). This paper presents a new automated threat assessment system that relies on the analysis of continuous incoming feeds of Sysmon logs. The system is based on a cyber threat intelligence ontology and analyses Sysmon logs to classify software into different threat levels and augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.
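As an added illustration of the kind of input the abstract describes (not code from the paper or its system), the following Python parses Sysmon ProcessCreate events (Event ID 1) in the Windows Event XML format and assigns each one a coarse threat level. The sample events, the SHA256 allowlist, and the three-level rule set (trusted / unknown / suspicious) are constructed assumptions made here for demonstration; the paper's ontology-driven classification is not reproduced.

```python
"""Toy triage of Sysmon ProcessCreate (Event ID 1) records.

Added example, not the paper's system. Field names (Image, Hashes,
ParentImage, ...) are the real Sysmon EventData names; the rule set and
sample data are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PureWindowsPath

# Windows Event XML namespace used by exported Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed allowlist: SHA256 values of binaries the organization trusts.
# (Placeholder hashes, not real file digests.)
KNOWN_GOOD_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Constructed rule: document editors launching script hosts is a common
# detection heuristic on the defensive side, so flag it as "suspicious".
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(hashes_field):
    """Sysmon encodes hashes as 'SHA256=...,MD5=...'; split into a dict."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def basename(win_path):
    return PureWindowsPath(win_path).name.lower()


def triage(xml_text):
    """Assign a threat level to a ProcessCreate event; None for other IDs."""
    event_id, data = parse_event(xml_text)
    if event_id != 1:
        return None
    image = basename(data.get("Image", ""))
    parent = basename(data.get("ParentImage", ""))
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256", "")

    if sha256 in KNOWN_GOOD_SHA256:
        level, reason = "trusted", "image hash on allowlist"
    elif parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        level, reason = "suspicious", f"{parent} spawned {image}"
    else:
        level, reason = "unknown", "no rule matched"
    return {"image": image, "parent": parent, "level": level, "reason": reason}


def summarize(events):
    """Count threat levels over a batch of events (skipping non-ProcessCreate)."""
    return Counter(r["level"] for r in map(triage, events) if r is not None)


# Constructed sample feed: two ProcessCreate events and one NetworkConnect.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe notes.txt</Data>
    <Data Name="Hashes">SHA256=1111111111111111111111111111111111111111111111111111111111111111,MD5=0</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -File invoice.ps1</Data>
    <Data Name="Hashes">SHA256=2222222222222222222222222222222222222222222222222222222222222222,MD5=0</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
    print(dict(summarize(SAMPLE_EVENTS)))
```

In a real platform the allowlist would come from the organization's software inventory and the rules from its threat intelligence feed; the point of the example is only the pipeline shape: parse the event, normalize the fields, apply knowledge, emit a level that downstream reporting can act on.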
Index Terms
- Data-Driven Threat Hunting Using Sysmon