Cyber Security Threat Intelligence Platforms

The document discusses Cyber Threat Intelligence (CTI), which is the collection and analysis of information about cyber threats to inform decision-making and improve organizational responses. It outlines the importance of CTI in the face of increasing data breaches and sophisticated cyber threats, detailing various types of threat intelligence (strategic, operational, tactical, and technical) and their respective audiences. Additionally, it highlights the challenges posed by advanced persistent threats, polymorphic threats, and the significance of Indicators of Compromise (IoCs) in identifying and mitigating cyber threats.


Cyber Security

Threat Intelligence Platforms


Giuseppe Manco
• Research Manager at Institute for high performance computing and networking of the
National Research Council of Italy
• Head of the BMSA group
• Behavioral Modeling and Scalable Analytics
• 6 Researchers, 4 fellows, 2 associates
Agenda
• CTI: What and Why
• Threats, Sources, Intelligence
• Standards & Platforms
• Issues and Challenges
• The CS4E experience
What is Cyber Threat Intelligence?
• A concise definition:
evidence-based knowledge, including context, mechanisms, indicators,
implications and actionable advice, about an existing or emerging
menace or hazard to assets that can be used to inform decisions
regarding the subject’s response to that menace or hazard.
What is Cyber Threat Intelligence?
• The collection and analysis of information about threats and adversaries,
and the drawing of patterns from it, that provides the ability to make knowledgeable
decisions about preparedness, prevention and response actions against
various cyber attacks.
• Involves collecting, researching and analyzing trends and technical
developments in the area of cyber threats; it is often presented in the
form of Indicators of Compromise (IoCs) or threat feeds, and provides evidence-
based knowledge regarding an organization's unique threat landscape.
• Analysis is performed based on intent, capability and opportunity.
Experts can then evaluate and make informed, forward-leaning strategic,
operational and tactical decisions on existing or emerging threats to the
organization.
Motivations
• The static approach of traditional security, based on heuristics and
signatures, does not match the dynamic nature of the new generation of
threats, which are known to be evasive, resilient and complex.
Why is it important?
• The number of data breaches is increasing each year
• Reported breaches were up 54% in 2019 w.r.t. 2018
• Average cost of a data breach is expected to surpass $150 million in 2020
• Sustaining cybersecurity is getting more and more difficult
• Cyber threats are getting more sophisticated
• Number of threats and types of threats are increasing
• Organizations face a shortage of sufficiently skilled professionals
• With CTI, organizations gain a deeper understanding of threats and
respond to the concerns of the business more effectively
https://research.aimultiple.com/cti/
Threat Intelligence: How?
• Strategic - provides high-level information regarding cyber security
posture, threats and their impact on the business.
• Operational - provides information about specific threats against the
organization.
• Tactical - provides information related to threat actors' Tactics,
Techniques and Procedures (TTPs) used to perform attacks.
• Technical - actionable defense data that reduces the gap between advanced
attacks and the organization's defensive means.
• Strategic threat intelligence
• High-level information consumed by decision-makers
• Helps strategists understand current risks and identify further risks of which
they are not yet aware
• Generally in the form of reports, briefings or conversations
• Operational threat intelligence
• Information about specific impending attacks against the organization.
Focuses on details of these attacks found in open source intelligence or
obtained from providers with access to closed chat forums.
• Tactical threat intelligence
• Tactics, Techniques, and Procedures and information about how threat actors are
conducting attacks
• Consumed by incident responders to ensure that their defenses and investigations are
prepared for current tactics
• Gained by reading the technical press and white papers, communicating with peers in other
organizations to learn what they are seeing attackers do, or by purchasing from a
provider of such intelligence.
• Technical threat intelligence (TTI)
• Information that is consumed through technical resources
• Feeds the investigative or monitoring functions of an organization
• e.g., firewalls and mail filtering devices.
• Also serves analytic tools, or just visualization and dashboards
The four subtypes compared:
• Strategic: Level: High; Audience: The board; Content: High level information on changing risks; Time frame: Long term
• Operational: Level: High; Audience: Senior security management; Content: Details of specific incoming attacks; Time frame: Short term
• Tactical: Level: Low; Audience: Defenders, architects; Content: Attackers’ tactics, techniques and procedures; Time frame: Long term
• Technical: Level: Low; Audience: Security Operation Center staff; incident response team; Content: Indicators of compromise; Time frame: Immediate

[Tounsi, 2019]
CTI process
• Phase 1: Intel Planning/Strategy
• Description: Identify intelligence needs of the organization, critical assets, and their vulnerabilities
• Approaches: threat trending, vulnerability assessments, asset discovery, diamond modelling
• Phase 2: Data Collection and Aggregation
• Description: Identify and collect relevant data for threat analytics
• Data sources: internal network data, external threat feeds, OSINT, human intelligence
• Phase 3: Threat Analytics
• Description: Analyze collected data to develop relevant, timely, and actionable intelligence
• Approaches: malware analysis, event correlation, visualizations, machine learning
• Phase 4: Intel Usage and Dissemination
• Description: Mitigate threats and disseminate intelligence
• Approaches: manual and automated threat responses, intelligence communication standards
Threats
A (simplified) taxonomy of threats
• multi-vectored
• attacks can use multiple means of propagation (e.g., web, email, applications)
• multi-staged
• attacks can infiltrate networks, spread, and ultimately exfiltrate the valuable
data
Prime threats in 2021
• Ransomware
• A type of malicious attack where attackers encrypt an organisation’s data and demand payment to restore access
• Malware
• Software or firmware intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity, or availability of a
system
• Cryptojacking
• A type of cybercrime where a criminal secretly uses a victim’s computing power to generate cryptocurrency
• E-mail related threats
• A bundle of threats that exploit weaknesses in the human psyche and in everyday habits, rather than technical vulnerabilities in
information systems
• Threats against data
• Data breaches/leaks. A data breach or data leak is the release of sensitive, confidential or protected data to an untrusted environment
• Threats against availability and integrity
• Denial of Service (DoS), Web Attacks. DDoS is one of the most critical threats to IT systems, targeting their availability by exhausting resources, causing
decreases in performance, loss of data, and service outages
• Disinformation – misinformation
• Disinformation and misinformation campaigns are on the rise, spurred by the increased use of social media platforms and online media, as well as a
result of the increase of people’s online presence due to the COVID-19 pandemic
• Non-malicious threats
• Threats where malicious intent is not apparent. Mostly based on human errors and system misconfigurations
Top Trends
• Ransomware has been assessed as the prime threat for 2020-2021.
• Cybercriminals are increasingly motivated by monetisation of their activities, e.g.
ransomware. Cryptocurrency remains the most common pay-out method for threat
actors.
• Malware decline that was observed in 2020 continues during 2021.
• The volume of cryptojacking infections attained a record high in the first quarter of 2021
• COVID-19 is still the dominant lure in campaigns for e-mail attacks
• There was a surge in healthcare sector related data breaches
• Traditional DDoS (Distributed Denial of Service) campaigns in 2021 are more targeted,
more persistent and increasingly multivector.
• The IoT (Internet of Things) in conjunction with mobile networks is resulting in a new wave of
DDoS attacks.
• In 2020 and 2021 there has been a spike in non-malicious incidents, as the COVID-19
pandemic became a multiplier for human errors and system misconfigurations

[ENISA 2021]
Challenges
• Advanced persistent threats (APT)
• Sophisticated network attacks in which an attacker keeps trying until they gain access
to a network
• multi-vectored and multi-staged
• Polymorphic threats
• cyber attacks, such as viruses, worms or Trojans, that constantly change
• filename changes, file compression, …
• Zero-day threats
• cyber threats that exploit a publicly unknown vulnerability
• Composite threats
• exploit technical vulnerabilities in software and/or hardware
• exploit social vulnerabilities to gain personal information
• Phishing
Indicators of Compromise (IoC)
• Fundamental data items associated with cyber attacks
IoC: Network Indicators
• Found in URLs and domain names used for Command & Control (C&C) and link-based
malware delivery
• IP addresses used in detecting attacks from known compromised servers, botnets and
systems conducting DDoS attacks
• Characterized by a short lifetime
• Cloud-based hosting services
• It is no longer just compromised servers that are used, but
also legitimate IP addresses belonging to large corporations.
IoC: Host-based indicators
• Obtained through analysis of an infected device
• Malware names, decoy documents, file hashes of
the malware
• MD5 or SHA-1 hashes of binaries
• Dynamic Link Libraries (DLLs) are also often targeted
• E.g., attackers replace Windows system files to ensure
that their payload executes each time Windows starts.
• Registry keys added by malicious code
• Common technique with Trojans
IoC: email indicators
• Typically created when attackers use free email services
to send socially engineered emails to targeted
organizations and individuals
• Created from addresses that appear to belong to recognizable
individuals
• Containing intriguing email subject lines
• Often with attachments and links
• X-Originating and X-Forwarding IP addresses
• email headers identifying the originating IP address of:
• a client connecting to a mail server
• a client connecting to a web server through an HTTP proxy or load
balancer
• Monitoring these IP addresses, when available, provides
additional insight into attackers
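As an added example (not part of the original slides), the following Python script matches the three indicator families just described, network, host-based and email, against log records from a proxy, an endpoint agent and a mail gateway. Every indicator value and every record is constructed for illustration; network indicators carry a validity window, which reflects their short lifetime, so a stale IP address does not produce a hit.

```python
import hashlib
import ipaddress
import re
from datetime import datetime, timedelta

# Reference time and indicator set. All values are constructed for the example;
# none is a real indicator. Network indicators carry a validity window
# (first_seen + ttl_days) because they are characterized by a short lifetime.
NOW = datetime(2021, 6, 1, 12, 0, 0)
DROPPER_SHA1 = hashlib.sha1(b"constructed dropper sample").hexdigest()
INDICATORS = [
    {"type": "domain", "value": "update-check.example",
     "first_seen": NOW - timedelta(days=2), "ttl_days": 7, "ref": "C&C domain"},
    {"type": "ipv4", "value": "203.0.113.42",
     "first_seen": NOW - timedelta(days=30), "ttl_days": 7, "ref": "botnet node"},
    {"type": "sha1", "value": DROPPER_SHA1, "ref": "backdoor dropper"},
    {"type": "registry",
     "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
     "ref": "Trojan persistence key"},
    {"type": "x-originating-ip", "value": "198.51.100.7", "ref": "phishing sender"},
]

# Constructed records from three internal sources: a web proxy log, endpoint
# (EDR) events and the headers of a received e-mail.
RECORDS = [
    {"source": "proxy", "dst_host": "Update-Check.example", "dst_ip": "192.0.2.10"},
    {"source": "proxy", "dst_host": "cdn.example.org", "dst_ip": "203.0.113.42"},
    {"source": "edr", "event": "file_write", "sha1": DROPPER_SHA1.upper(),
     "path": r"C:\Users\Public\svchost32.exe"},
    {"source": "edr", "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
    {"source": "mail", "headers": {"From": "ceo@example.com",
                                    "X-Originating-IP": "[198.51.100.7]"}},
]

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def indicator_is_active(ind, now):
    """Host and e-mail indicators never expire here; network ones have a window."""
    if "ttl_days" not in ind:
        return True
    return ind["first_seen"] <= now <= ind["first_seen"] + timedelta(days=ind["ttl_days"])


def observables(record):
    """Yield (type, normalized value) pairs from one record, depending on its source."""
    src = record["source"]
    if src == "proxy":
        yield "domain", record["dst_host"].lower()
        yield "ipv4", record["dst_ip"]
    elif src == "edr" and record["event"] == "file_write":
        yield "sha1", record["sha1"].lower()
    elif src == "edr" and record["event"] == "registry_set":
        yield "registry", record["key"].lower()   # registry paths are case-insensitive
    elif src == "mail":
        # X-Originating-IP / X-Forwarded-For carry the client address, often in brackets.
        for header in ("X-Originating-IP", "X-Forwarded-For"):
            for candidate in IP_RE.findall(record["headers"].get(header, "")):
                try:
                    yield "x-originating-ip", str(ipaddress.ip_address(candidate))
                except ValueError:
                    continue  # malformed header value, skip it


def match_iocs(records, indicators, now=NOW):
    """Return one hit per (record observable, active indicator) match, in record order."""
    index = {}
    for ind in indicators:
        if indicator_is_active(ind, now):
            index[(ind["type"], ind["value"].lower())] = ind
    hits = []
    for rec in records:
        for typ, val in observables(rec):
            ind = index.get((typ, val))
            if ind is not None:
                hits.append({"source": rec["source"], "type": typ,
                             "value": val, "ref": ind["ref"]})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(RECORDS, INDICATORS):
        print(f"{hit['source']:5s} {hit['type']:17s} {hit['value']}  <- {hit['ref']}")
```

At the reference time the expired botnet address is ignored even though it appears in the proxy log; re-running with an earlier `now` inside its window makes it match and the newer C&C domain drop out.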
Data Sources
IoC sources
• Commonly internal sources
• crowdsourcing, log and network data, honeynets
• Government-sponsored sources
• law enforcement, national security organizations
• Industry sources
• Open Source INTelligence (OSINT)
• Public threat feeds
• DShield, ZeuS Tracker, in-house intelligence collection (such as attacker forums, social
media)
• Commercial sources
• threat feeds, Software-as-a-Service (SaaS) threat alerting, security intelligence
providers.
Data Sources
• Open source or public CTI feeds (DNS, MalwareDomainList.com, …)
• Community or industry groups
• Security data gathered from IDS, firewall, endpoint and other security systems
• Media reports and news
• Incident response and live forensics
• SIEM platform
• Vulnerability data
• Network traffic analysis (packet and flow data)
• Forensics
• Application logs
• Closed or dark web sources
• Security analytics platforms
• User access and account information
• Honeypot data
• User behavior data
• Shared spreadsheets or email
Internal vs. external sources:
• Internal sources: (mainly) structured; examples: firewall and router logs, honeynets; technologies for collecting and processing: feed/web scraper, feed parser
• External sources, structured: examples: vulnerability databases, IP blacklists and whitelists, threat data feeds; technologies for collecting and processing: feed parser
• External sources, unstructured: examples: forums, news sites, social media, dark web; technologies for collecting and processing: collection by crawlers and feed/web parsers, processing by Natural Language Processing (NLP) and machine learning
Internal sources
• Internal sources provide threat data collected from within the organization,
specifically from the internal network and from the SIEM deployed in the
organization.
• Threat data from the internal network can be in the form of email logs, alerts,
incident response reports, event logs, DNS logs, firewall logs, etc.
CTI sources by system (CTI: Systems; Description)
• System logs and events: All systems; System activity, principally errors and security events
• Network events: Network equipment (switches, routers, firewalls); devices connecting/disconnecting, ACL alert, login/failed login, etc.
• Network utilisation and traffic profiles: Network equipment (switches, routers, probes); SNMP, NetFlow, RMON, etc. to network management platform
• Alerts from boundary devices: IDS/IPS, Firewall, WAF; Alerts/events collected and analysed by SIEM or vendor-specific management portal
• AV, system alerts: Corporate AV software installed on host systems (client and server); Corporate AV system alerts from host AV software
• Human: All systems; Observed anomalies or events
• Forensic: All systems; Artefacts and intelligence gathered after an event

[Ramsdale et al., 2020]


Internal sources
Network Data Sources (Source: Examples)
• Router, firewall, Wi-Fi, remote services (such as remote login or remote command execution), and Dynamic Host Configuration Protocol (DHCP) server logs: Timestamp; Source and destination IP address; Domain name; TCP/UDP port number; Media Access Control (MAC) address; Hostname; Action (deny/allow); Status code; Other protocol information
• Diagnostic and monitoring tools (network intrusion detection and prevention system, packet capture & protocol analysis): Timestamp; IP address, port, and other protocol information; Network flow data; Packet payload; Application-specific information; Type of attack (e.g., SQL injection, buffer overflow); Targeted vulnerability; Attack status (success/fail/blocked)

[NIST 2016]
Internal sources
Host Data Sources (Source: Examples)
• Operating system and application configuration settings, states, and logs: Bound and established network connection and port; Process and thread; Registry setting; Configuration file entry; Software version and patch level information; Hardware information; User and group; File attribute (e.g., name, hash value, permissions, timestamp, size); File access; System event (e.g., startup, shutdown, failures); Command history
• Antivirus products: Hostname; IP address; MAC address; Malware name; Malware type (e.g., virus, hacking tool, spyware, remote access); File name; File location (i.e., path); File hash; Action taken (e.g., quarantine, clean, rename, delete)
• Web browsers: Browser history and cache including: Site visited; Object downloaded; Object uploaded; Browser extension installed or enabled; Cookies

[NIST 2016]
Internal sources
Other Data Sources (Source: Examples)
• Security Information and Event Management (SIEM): Summary reports synthesized from a variety of data sources (e.g., operating system, application, and network logs)
• Email systems: Email messages: Email header content (Sender/recipient email address; Subject line; Routing information); Attachments; URLs; Embedded graphic
• Help desk ticketing systems, incident management/tracking system, and people from within the organization: Analysis reports and observations regarding: TTPs; Campaigns; Affiliations; Motives; Exploit code and tools; Response and mitigation strategies; Recommended courses of action. User screen captures (e.g., error messages or dialog boxes)
• Forensic toolkits and dynamic and/or virtual execution environments: Malware samples; System artifacts (network, file system, memory)

[NIST 2016]
External sources
• External sources have a wide coverage
• “Open source” intelligence
• Security researcher, vendor blogs, publicly available reputation and block lists
• Private or commercial sources
• threat intelligence feeds, structured data reports, and unstructured reports (such as PDF
and Word documents).

External source types (Source: Description)
• News feeds: News articles covering ongoing threats
• Vulnerability: Alerts and advisories
• Search automation: Using search technologies to find vulnerable systems: Google dorks, Shodan, etc.
• Anti-virus vendors: Information, alerts, news feeds on malware activity and threats
• Communications: Monitoring communication channels for intelligence: Slack, IRC, Twitter, etc.
• Dark web: Intelligence available directly from the criminal underworld
[Ramsdale et al., 2020]


Are external sources reliable?

[Sauerwein et al., 2019]


Smart Crawlers: Hacker Community Platforms
• Underlying Mechanism:
• Hackers use forums and/or IRC to freely discuss and share Tools, Techniques, and Processes
• Hackers download tools or navigate to DNMs to purchase exploits
• These tools help hackers conduct cyber-attacks to attain sensitive data such as credit card and SSN
• Finally, hackers load stolen data to DNMs and/or carding shops for financial gain
Platform types (Platform: Data Sources; Description; Example Platforms; CTI Value)
• Hacker Forums
• Leaked forums: forums that have been leaked to the general public; examples: Antichat, Blackhackerz, Blackhat World
• Seized forums: forums that have been shut down and seized by law enforcement; examples: Darkode, shadowcrew, cardersmarket
• Active forums: active, accessible forums that have not been seized or are offline; examples: OpenSC, Ashiyane, reverse4you, exelab
• CTI value: discussions mentioning past and future attacks; advertisements for hacking services (e.g., DDoS for hire); free hacking tutorials and exploits (e.g., SQLi, BlackPOS); identify key threat actors; discover emerging hacking/threats
• Carding/Fullz Shops
• Carding/Fullz shops: shops selling stolen credit/debit cards and sensitive information (e.g., Social Security Numbers, drivers licenses, insurance cards); examples: cardershop, BESTVALID, rescatorccfullz, fullzshop
• CTI value: identify breached individuals and organizations; discover trends of afflicted financial service industries
• Internet-Relay-Chat
• Active IRC Channels: clear-text, instant messaging, communication that is not stored; examples: Anonops, whyweprotest, anonet, opddosisis
• CTI value: preferred method of communication for hacktivist groups (e.g., Anonymous); since chats are not logged, hackers more freely share hacking knowledge and targets
• DarkNet Markets
• Grams: search engine for identifying DNMs; example: the Grams website; CTI value: identify markets to collect from to generate CTI
• Active market: active marketplaces that have not been seized; examples: Minerva, therealdeal, dream market; CTI value: identify new, emerging exploits (0-days, ransomware); discover breached content (e.g., logins); early indicator for breached companies; identify key sellers/buyers

[Samtani et al., 2021]


Hacker Forums
Figure: an example of a hacker forum member sharing ransomware code (annotated: ransomware description, poster information, ransomware code)

[Du et al., 2018]

Data Collection Overview: IRC
Figures: an example of hackers sharing links containing illegal content; an example of an IRC user demanding hacker services

[Du et al., 2018]
Data Collection Overview: DNM
Figure: an example of a product listing page on a DNM

[Du et al., 2018]
Data Collection Overview: Carding Shop
Figure: card type, and the information of one card as shown to carders

[Du et al., 2018]
Collection Challenges
• Anti-crawling measures
• IP address blacklisting
• User-agent check
• User/password authentication & CAPTCHA validation
• Denial of service for too many requests
• Potential risks of retaliation
• Constantly probing underground economy platforms may spook platform
owners.
• These owners can trace the probing back to us from their network traffic logs.

• Need for secure, intelligent automated collection capabilities


Identifying threats, actors and targets
• Artificial intelligence tools based on machine learning
• Supervised learning (classification)
• Unsupervised learning
• NLP techniques (LDA, Named-Entity Recognition, …), Clustering, correlation
analysis
• Wrapping and information extraction
An example: identifying new threats
• An example architecture that
analyzes Twitter data and
Dark Web hacker forums

[Adewopo et al., 2020]


An example: AZSecure Hacker Asset Portal

[Samtani et al., 2021]


An example: Malware spreading in app stores
• The number of frauds perpetrated by means of
mobile apps is continuously growing
• Several popular apps are cloned and modified
with malicious code
• These apps are spread via alternative markets
and app stores
UASD - Unauthorized App Store Discovery
• Goal: discovering alternative app stores on the (dark) web
• UASD is an ML-based framework for the early detection of alternative
markets advertised through social media (e.g., Twitter or Facebook) or
hosted in the Dark Web
• UASD analyzes pages retrieved from the Web and, by exploiting a
classification model, distinguishes real app stores from
similar pages (e.g., blogs, forums, etc.) that can be erroneously returned
by a common search engine

[Guarascio et al., 2017]


UASD - Details
• Three main macro components (Information Retrieval, Knowledge Discovery and Interaction with the
operator)
• Raw data, extracted from the Web and Dark Web, are preprocessed and stored in a Knowledge Base
• An ensemble-based classification model, exploiting a neural network to combine different methods, provides a detection
score
• A set of domain-specific features is used to improve the classification performance
• The detection score is used to rank the web pages and to provide a view for the operator in charge of evaluating the
proposed links

Figure: ensemble-based classification/prediction model
UASD Framework Architecture
UASD – Human in the loop
• UASD learns in a continuous fashion
• The operator is the origin of this loop
• He/she asks for a query to be performed and waits
for the system response
• UASD provides a ranked list on the basis of the
computed probability scores
• The domain expert analyzes the proposed web
pages and chooses to accept/refuse them
• The accepted sources are used to enrich the
knowledge base (KB) with further positive
examples for the learning phase
UASD – Dashboard
Figure: the operator dashboard, showing the link to be verified, the options for the operator, and the queries to be processed
Dark Web CTI platforms
Columns: Sector | Platform | Dark Web Data Source (Forum | DNM | C. Shop | IRC) | Analytics* | Operational Intel*
Industry | Verint | √ | √ | NL | NL | Network/text | Portal, API
Industry | Skybox Security | √ | √ | NL | NL | NL | Portal, Feeds
Industry | LookingGlass | √ | NL | NL | Yes | ML | Portal, API
Industry | Recorded Future | √ | √ | √ | NL | ML, NLP | Portal, Feeds
Industry | Blueliv | NL | √ | NL | NL | NL | Portal
Industry | Digital Shadows | √ | √ | NL | NL | Basic search | Portal, API
Industry | Flashpoint | √ | NL | √ | NL | Search, SME | API
Industry | Surfwatch Labs | √ | √ | No | No | SME, search | Portal
Industry | ZeroFox | NL | √ | No | No | Search | Portal, API
Industry | CYR3CON | √ | √ | NL | NL | Rule-based | Blogs, feeds
Industry | DarkOwl | √ | √ | √ | √ | NL | Portal, feeds
Industry | Experian | NL | √ | √ | NL | Search | Portal
Academic | AZSecure DIBBs | √ | √ | √ | √ | None | Newsletters
Academic | Intl. CyberCrime Research | √ | √ | No | No | NL | Newsletters
Academic | IARPA CAUSE | √ | √ | √ | √ | ML | Newsletters
Academic | Cambridge Cybercrime Centre | √ | No | No | No | None | Newsletters
Academic | IMPACT | No | √ | No | No | NL | Papers/data
Academic | MEMEX | √ | √ | NL | √ | NL | Papers/data
*Note: NL = Not Listed; ML = Machine Learning; API = Application Programming Interface; SME = Subject Matter Expert; NLP = Natural
Language Processing.

[Samtani et al., 2021]


Standards and Platforms
Sharing is the key
Disjoint efforts to understand the complex nature of threats and the
tactics and techniques of threat actors behind them give rise to
insufficient and fragmented analysis
Benefits and barriers
• Operational
• Benefits: Reduces duplicate information handling; Supports breach detection and damage; Supports incident response; Supports deterrence efforts
• Barriers: Lack of standardisation; Capacity limits; Accuracy and quality; Ensuring timeliness; Interoperability and automation; Sensitive information
• Organizational
• Benefits: Expands professional networks; Validates intelligence derived from other sources; Improves security posture and situational awareness; Combats skills gap
• Barriers: Proliferation of redundant efforts; Competition; The risk of reputation damage; Establishing trust among participants; Lack of trained staff
• Economic
• Benefits: Cost savings; Allows subsidies provision by governments; Lowers cyber insurance premiums; Reduces uncertainty in investment decisions
• Barriers: Resource draining; Loss of clients' confidence and satisfaction
• Policy
• Benefits: Reinforces relationship with government agencies; Offers liability protection; Upholding public values
• Barriers: The risk of violating privacy or antitrust laws; Government over-classification; Different legal frameworks across jurisdictions

[Zibak & Simpson, 2019]

Incentives
• High
1. Economic incentives stemming from cost savings;
2. Incentives stemming from the quality, value and use of information shared;
• Medium
3. The presence of trust among IE participants;
4. Incentives from receiving privileged information from the government or security services;
5. Incentives deriving from the processes and structures for sharing;
6. Allowing IE participants' autonomy but ensuring company buy-in;
• Low
7. Economic incentives from the provision of subsidies;
8. Economic incentives stemming from gaining voice and influence;
9. Economic incentives stemming from the use of cyber insurance;
10. Incentives stemming from the reputational benefits of participation;
11. Incentives from receiving the benefits of expert analysis, advice, and knowledge;
12. Incentives stemming from participants' personal preferences, values, and attitudes.

[ENISA. 2010]
Challenges
Reasons for not sharing:
1 Fearing negative publicity
2 Legal rules, privacy issues
3 Quality issues
4 Untrusted participants
5 Believing that the incident is not worth sharing
6 Budgeting issues
7 Natural instinct not to share
8 Changing nature of cyber attacks
9 Unawareness of the victimized organization about a cyber
incident
10 Believing that there is little chance of successful prosecution

[Tounsi, Rais, 2018]


Towards effective sharing
• Legal and regulatory landscape
• Regional and international implementation
• Standardization efforts
• Efficient cooperation and coordination
• Technology integration into organizations
TI sharing initiatives
• Computer Emergency Response Teams (CERTs)
• Regional coverage
• collect information on new threats, issue early warnings, provide help on request
• Forum for Incident Response and Security Teams (FIRST)
• formed in 1990 with the goal of establishing better communication and coordination
between incident response teams
• Task Force on Computer Security Incident Response Teams (TF-CSIRT)
• Sharing statistical data about incidents in order to observe common trends,
developing a European accreditation scheme, establishing education and training
and assisting new teams
• European Government CSIRTs group (EGC)
• informal group of governmental CERTs
TI Sharing initiatives
• Information Sharing and Analysis Centers (ISACs)
• collect, analyze and disseminate private-sector threat information to industry
and government and provide members with tools to mitigate risks and
enhance resiliency
• Financial, Oil&Gas, Aviation, Information Technologies, …
TI Sharing initiatives
• European Network and Information Security Agency (ENISA)
• Convergence of efforts from the different European institutions and Member
States by encouraging the exchange of network and information security
threats, methods and results and avoiding duplication of work
• National Institute of Standards and Technology (NIST)
• supports the coordination of existing CSIRTs
• identifies standards, methodologies, procedures, and processes related to
Computer Security Incident Coordination (CSIC)
• provides guidance and best practices on how to cooperate while handling
computer security incidents
Standards and protocols
• Several attempts
• IODEF/RID
• STIX (Structured Threat Information eXpression), TAXII (Trusted
Automated eXchange of Indicator Information)
• CybOX (Cyber Observable eXpression)
• OpenIOC (Open Indicators of Compromise)
• VERIS (Vocabulary for Event Recording and Incident Sharing)
• CAPEC (Common Attack Pattern Enumeration and
Classification)
• MAEC (Malware Attribute Enumeration and Characterization)
• ATT&CK (Adversarial Tactics, Techniques & Common
Knowledge)
Figure: the landscape of related standards (CybOX, STIX, TAXII, MAEC, IODEF, RID, RID-T, CYBEX, IndEX, OVAL, CEE, CVE, CWE, CVSS, CWSS, CAPEC, CVRF, CPE, SWID, XCCDF, CCE, CCSS, OCIL), grouped under Threat Indicators Definition, Risk/Attack Asset Characterization, Alerts, Vulnerability, Configuration Guidance and Incident Report

[Skopik et al., 2016]

Data Model Architecture
The data models are evaluated on their holistic architecture (Threat, Incident, Threat Actor, Defense) and on how they support the intelligence process (Collection, Processing, Analysis, Deploy, Dissemination).
Criterion | STIXv2 & TAXII | IODEFv2 & RID | OpenIOC
Holistic Architecture
Threat | ++++ | ++++ | ++++
Incident | ++++ | ++++ | +++
Threat Actor | ++++ | ++++ | ++
Defense | ++++ | ++ | +
Intelligence Process
Common formatting | ++++ | ++++ | ++++
Structured format | ++++ | ++++ | ++++
Low overhead | +++ | +++ | +++
Machine readability | ++++ | +++ | ++++
Unambiguous data model | ++++ | +++ | ++++
Relationship mechanisms | ++++ | ++ | +++
Interoperability | ++++ | +++ | +++
Transport mechanism | ++++ | ++++ | +
Practical application | ++++ | ++ | +++
Legend: very high (++++) high (+++) medium (++) low (+).

[de Melo et al, 2020]

STIX
• A language and serialization format used to exchange cyber threat
intelligence (CTI).
• Modular architecture
• Can incorporate other standards efficiently
• Composed of a set of core cyber threat concepts
• Campaigns
• Indicators
• ThreatActors
• Vulnerabilities
• …
• Can embed CybOX, IODEF and some OpenIOC extensions
• XML namespaces, extensions for YARA rules, Snort rules and non-XML
bindings
https://oasis-open.github.io/cti-documentation/stix/intro
https://oasis-open.github.io/cti-documentation/examples/visualized-sdo-relationships
A scenario consisting of an indicator for a
URL and a backdoor piece of malware
associated with it.
• The site has been shown to host this
backdoor malware
• the malware has been known to
download remote files.

https://oasis-open.github.io/cti-documentation/stix/intro
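To make that scenario concrete, here is an added Python example (not taken from the OASIS documentation or from the slides) that builds the URL indicator, the backdoor malware object and the "indicates" relationship between them as STIX 2.1 JSON using only the standard library, and then reads the bundle back the way a consuming TIP or sensor integration would. The URL, the malware name and the timestamp are constructed placeholders.

```python
import json
import re
import uuid

SPEC_VERSION = "2.1"
TS = "2021-06-01T12:00:00.000Z"   # constructed timestamp for created/modified/valid_from


def new_id(obj_type):
    """STIX 2.1 identifiers have the form '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_object(obj_type, **props):
    """Common properties that every STIX domain and relationship object carries."""
    obj = {"type": obj_type, "spec_version": SPEC_VERSION, "id": new_id(obj_type),
           "created": TS, "modified": TS}
    obj.update(props)
    return obj


def escape_pattern_literal(value):
    """String literals in STIX patterns escape backslash and single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_url_backdoor_bundle(url, malware_name):
    """Indicator (URL pattern) --indicates--> Malware (backdoor), wrapped in a bundle."""
    indicator = make_object(
        "indicator",
        name=f"Malicious site hosting downloader: {url}",
        indicator_types=["malicious-activity"],
        pattern=f"[url:value = '{escape_pattern_literal(url)}']",
        pattern_type="stix",
        valid_from=TS,
    )
    malware = make_object(
        "malware",
        name=malware_name,
        is_family=False,                     # a single sample, not a family
        malware_types=["backdoor", "remote-access-trojan"],
        description="Backdoor known to download remote files once installed.",
    )
    relationship = make_object(
        "relationship", relationship_type="indicates",
        source_ref=indicator["id"], target_ref=malware["id"],
    )
    return {"type": "bundle", "id": new_id("bundle"),
            "objects": [indicator, malware, relationship]}


# --- consumer side: what a TIP or a sensor integration does with the JSON ---
URL_LITERAL = re.compile(r"\[url:value\s*=\s*'((?:[^'\\]|\\.)*)'\]")
ID_FORMAT = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def is_well_formed(obj):
    """Check the common properties, the id shape and the type-specific required ones."""
    needed = ("type", "spec_version", "id", "created", "modified") + REQUIRED.get(obj.get("type"), ())
    return (all(p in obj for p in needed)
            and ID_FORMAT.match(obj["id"]) is not None
            and obj["id"].startswith(obj["type"] + "--"))


def extract_url_observables(bundle):
    """Pull URL literals out of 'stix' patterns so they can feed a proxy or mail filter."""
    urls = []
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
            for literal in URL_LITERAL.findall(obj["pattern"]):
                urls.append(re.sub(r"\\(.)", r"\1", literal))   # undo pattern escaping
    return urls


def resolve_indicates(bundle):
    """Map each indicator name to the (type, name) of the object it indicates."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    found = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            src, dst = by_id[o["source_ref"]], by_id[o["target_ref"]]
            found[src["name"]] = (dst["type"], dst["name"])
    return found


def roundtrip(bundle):
    """Serialize to JSON and parse it back, as it would travel over TAXII."""
    return json.loads(json.dumps(bundle, indent=2))


if __name__ == "__main__":
    b = roundtrip(build_url_backdoor_bundle("http://dl.malicious.example/4712/", "example backdoor"))
    print(json.dumps(b, indent=2))
    print(extract_url_observables(b), resolve_indicates(b))
```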
A scenario representing an advanced
persistent threat (APT) intrusion set
• Suspected to be funded by the
country “Franistan”.
• Target is the Branistan People’s Party
(BPP),
• Two sophisticated campaigns and
attack patterns
• Insert false information into the BPP’s
web pages,
• DDoS effort against the BPP web
servers.

https://oasis-open.github.io/cti-documentation/stix/intro
Threat Intelligence Platforms
• Designed to solve the collection and storing problems of TTI and to facilitate sharing
threat information with other organizations in the threat intelligence space
• An emerging technology discipline that supports organizations’ threat intelligence
programs and helps them to improve their cyber threat intelligence capabilities
• TIPs enable organizations to easily bootstrap the core processes of collecting, normalizing,
enriching, correlating, analyzing, disseminating and sharing of threat related information
• Generally organized as large repositories that often use big data technologies (e.g. graph analysis
and data warehousing) to draw links between types of TTI, allowing quicker response to detected
threats, as well as a historical record of an IOC
TIP: Threat Intelligence Platforms
Who can use TIPs?

Role: SOC analysts
• Contributions: provide feedback on indicators; annotate indicators based on observations, alerts and actions taken
• Needs and challenges: enhanced context and low false positive rate; automated data enrichment to reduce repetitive work; good integration with SIEM tools

Role: Incident responders, cyber fraud analysts
• Contributions: new indicators and malware samples coming from investigations
• Needs and challenges: need tailored and ad-hoc intelligence; need detailed context and enrichment over the indicators provided; lack of visibility into events across different systems or domains

Role: CTI analysts
• Contributions: responsible for anything that goes in and out of the TIP; enrich and analyse the data within the TIP as well as linking intelligence; share intelligence with stakeholders
• Needs and challenges: centralised platform for managing TI; too much threat intelligence information; lack of threat intelligence best practices

Role: Threat researchers
• Contributions: high quality original research
• Needs and challenges: API support; customization capabilities

Role: Vulnerability analysis
• Contributions: provide insight on the vulnerability exposures
• Needs and challenges: intelligence on high impact vulnerabilities

Role: Decision makers
• Contributions: sharing policy; security investment
• Needs and challenges: need high level reports on exposures; need evidence of the ROI; assurance that intelligence sharing does not expose the organisation

[ENISA, 2017]
Commercial Threat Intelligence Information
Systems
• TruSTAR: https://www.trustar.co/
• EclecticIQ: https://www.eclecticiq.com/platform
• LookingGlass Cyber: https://www.lookingglasscyber.com
• ThreatQ: https://www.threatq.com/
• IBM: https://www.ibm.com/security/solutions/stop-threats
• Kaspersky: https://www.kaspersky.com/enterprise-security/threat-
intelligence
• FireEye: https://www.fireeye.com/solutions/cyber-threat-intelligence.html
• Cisco: https://www.cisco.com/c/en/us/products/security/threat-
response.html
•…
Open Threat Intelligence Solutions
• MISP: https://www.misp-project.org/
• Open source software solution for collecting technical and non-technical information about malware and attacks, storing data in a
standardized format, and distributing and sharing cyber security indicators and malware analysis with trusted parties
• OpenCTI: https://www.opencti.io/
• An open source framework with the main objective of aggregating, in a comprehensive way, general and technical information from
the CTI context
• CRITs: https://crits.github.io/
• Provides analysts with the means to conduct collaborative research into malware and threats. Employs a simple but very useful
hierarchy to structure cyber threat information
• CIF: https://csirtgadgets.com/collective-intelligence-framework
• Assists users in formatting, normalizing, processing, storing, sharing and building threat data sets
• OTX: https://www.alienvault.com/open-threat-exchange
• Supports collection (via pulse), analysis and distribution of TI. Enables trust and privacy mechanisms
• Yeti: https://yeti-platform.github.io/
• A platform meant to organize observables, indicators of compromise, TTPs and knowledge on threats in a single, unified repository.
Capable of automatically enriching observables.
• …
Desiderata
• Which software functions are required by cyber threat intelligence
sharing platforms to support the processes of the intelligence cycle

Intelligence process: functions
• Planning & Direction: -
• Collection: Manual Data Creation, Manual File Upload, Feed Import, Import Connector, Import Agent, Web Collector
• Pre-Processing: Data Cleaning, Data Normalization, Data Classification, Data Editing
• Analysis: Expert Analysis, Collaborative Analysis, Data Investigation & Sandboxing, Search, Statistical Analysis, Correlation, Pattern Recognition, Rating & Prioritization, White- & Blacklisting, Monitoring, Prediction
• Dissemination: Feed Export, Alerting & Notifications, Synchronization & Export Connector, Manual Download
• Evaluation & Feedback: Dashboard, Standardized Reporting, Individual Reporting, Feedback
• Cross-Process Support: Data Security, Communication Security, Platform Security, Access Control, Data Privacy, Group and Community Management, Communication & Messaging, Teamworking, Data Verification, Data Validation, Rating, Reputation, Traceability

[Sauerwein et al., 2021]


The maturity level
Criteria: import format; integration with/export to security tools; support of collaboration; data exchange standards; analysis; graph generation; license

MISP
• Import format: bulk-import, batch-import, OpenIOC import, GFI sandbox, ThreatConnect CSV, JSON, OCR, VMRAY
• Integration with/export to security tools: (1) generating OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with network IDS and host IDS (many options); (2) generating network IDS data to export to Suricata, Snort and Bro, or an RPZ zone; (3) integration with other SIEMs using a RESTful API
• Support of collaboration: private instance, or multiple instances interconnected with a selected community sharing
• Data exchange standards: STIX, CybOX, TAXII
• Analysis: (1) analysis of the history records and displaying a trend; (2) correlation of analysis, finding relationships between attributes and indicators; (3) may include any result from additional analysis of malware-like tool output
• Graph generation: misp-graph to analyze a MISP XML export and generate graphs from the correlation between events and IOCs; export formats: Graphviz and gexf files
• License: open source (GNU General Public License)

CRITs
• Import format: bulk-import via CSV file, blob and spreadsheet, STIX
• Integration with/export to security tools: (1) STIX, CybOX, TAXII, CSV to export to network IDS and host IDS; (2) a RESTful API for import/export/updates; (3) other readily available services that integrate with external sources and services
• Support of collaboration: private instance or shared with a trusted community
• Data exchange standards: STIX, TAXII, OpenIOC; send/receive information through Facebook's ThreatExchange
• Analysis: (1) analysis of uploaded files with the possibility to link a Cuckoo sandbox; (2) upload threat data and automatically uncover critical information; (3) analysis of samples, PCAPs, etc.
• Graph generation: mcrits to visualize the CRITs DB via local Maltego transforms
• License: open source (GNU General Public License)

CIF v3
• Import format: XML, JSON, Zip archives
• Integration with/export to security tools: output into multiple formats (CSV, JSON, html, table) to integrate with various tools including Snort, Bro, Bind, TippingPoint, Elsa, PassiveDNS, FireEye
• Support of collaboration: private instance, or shared with a trusted community among different CIF instances via a centralized service
• Data exchange standards: STIX, CybOX; feeds from a CIF instance can be added as a data source to another CIF instance
• Analysis: (1) finding related threats, e.g. different domains/URLs that point to IP addresses in the same autonomous system; (2) whitelisting observations from entering a feed during the feed generation process; (3) setting up filters for what kind of data to pull from the instance
• Graph generation: Kibana to generate statistics, trends and maps
• License: open source (GNU General Public License)

[Tounsi, Rais, 2018]


The maturity level
Platforms compared: MISP [59], OpenCTI [62], CIF [63,64], CRITs [60,61]

Holistic Architecture
• Use case applicability: MISP ++++ | OpenCTI ++++ | CIF +++ | CRITs +++
• Adherence to the 5W3H method: MISP ++++ | OpenCTI ++++ | CIF + | CRITs ++
Intelligence Process
• Import formats: MISP OpenIOC, STIX, CybOX, JSON, CSV, XML | OpenCTI STIX, CybOX, JSON, CSV, XML | CIF XML, JSON, Zip | CRITs CSV, STIX, CybOX
• Automatic gathering: MISP using MISP feeds | OpenCTI using connectors with sources or other platforms | CIF automatic synchronization with different sources | CRITs possible integration with gathering tools
• Export format: MISP MISP, OpenIOC, CSV, XML, JSON | OpenCTI CSV, STIX | CIF CSV, JSON, HTML, XLS | CRITs CSV, STIX, CybOX
• Graphic visualization: MISP diverse dashboards and relationship graphics | OpenCTI general and intuitive dashboard and STIXv2 based graphics | CIF command line interface with possible integration with a visualization tool | CRITs simple dashboard and an extension service for generating relationship graphics
• Correlation: MISP automatic for every data in platform | OpenCTI automatic for every data in platform | CIF not addressed | CRITs requires an extension service
• Classification: MISP based on the type of the indicator | OpenCTI based on STIXv2 objects | CIF based on the type of the indicator | CRITs based on a proposed data model
• Integration: MISP IDS, SIEMs and other TI platforms | OpenCTI other TI platforms | CIF IDSs (Snort, Splunk, Bro, Bind) | CRITs not addressed
• Sharing method: MISP reliable group of instances using different models | OpenCTI particular instance to share between users | CIF reliable group of instances using a centralized service | CRITs reliable group of instances
Additional
• Documentation: MISP extensive and well elaborated | OpenCTI extensive and well elaborated | CIF limited detail with succinct descriptions | CRITs satisfactory quantity and detailing
• License model: MISP open source (GNU General Public License) | OpenCTI open source (Apache License) | CIF open source (GNU General Public License) | CRITs open source (GNU General Public License)
Legend: very high (++++) high (+++) medium (++) low (+).

[de Melo et al., 2020]


Some observations
• No common definition of threat intelligence sharing platforms
• Sharing and aggregating data vs. intelligence
• STIX is the de facto standard
• Focus primarily on sharing IoC
• Data collection instead of analysis
• Limited analysis and visualization capabilities
• browsing, attribute based filtering and searching of information
• Trust issues are mostly neglected
• Too many manual tasks, lack of automation
An Example: MISP
• Developed by a group of developers from CIRCL, the Belgian Defense and
NATO / NCIRC (Computer Incident Response Capability)
• https://www.misp-project.org
• https://github.com/misp/
• https://www.circl.lu
MISP: Open Source Threat Intelligence
Platform
• MISP (Malware Information Sharing Platform) is an IoC and threat
indicators sharing free software
• MISP has many functionalities e.g. flexible sharing groups, automatic
correlation, free-text import helper, event distribution and
collaboration
• Many export formats which support IDSes / IPSes, SIEMs, Host
scanners, analysis tools, DNS policies
MISP: Main features
• MISP sharing is a distributed model where technical and non-technical
information can be shared within closed, semi-private or open communities
• With the focus on automation and standards, MISP provides:
• A powerful ReST API
• Extensibility (via misp-modules)
• Additional libraries such as PyMISP
MISP: Interfaces
• Web interface
• Multiple users and groups
• Role based access
• API access for automation
• Integration with other tools
• Synchronization with security controls
• Python library
• PyMISP
MISP: Basic Concepts
• All the malware data entered into MISP are made up of event objects
• Events are containers of contextually linked information
• From an incident, a security report or a threat actor analysis
• Contains attributes with indicators
• Indicators contain a pattern that can be used to detect suspicious or
malicious cyber activity
• IoCs are a subset of indicators
MISP: Basic Concepts: Proposals
• Each event can only be directly edited by users of the original creator
organization
• However, if another organization would like to amend an event with
extra information, or if they'd like to correct a mistake in
an attribute, they can create a Proposal
• Proposals can be accepted by the original creator
• Proposals can be pulled to another server, allowing users on
connected instances to propose changes that, if accepted, can be
subsequently pushed back
MISP: Basic Concepts: Delegation
• The privacy of the reporting organization can be protected
• to avoid linking an organization with the information it shares
• MISP has a functionality to delegate the publication and completely
remove the binding between the information shared and its
organization
• If you want to publish an event without you or your organization being tied to
it, you can delegate the publication to another organization
• The other organization can take over the ownership of the event and provide
pseudo-anonymity for the initial organization
MISP DB Format (complete)

Event (1) ---- (*) Attribute (Indicator)
Event (*) ---- (*) Tag
Attribute (1) ---- Attach ---- File (is a malware sample)

Event fields: UUID, Date, Info, Distribution, Threat Level, Analysis
Attribute fields: Category, Type, Value, Distribution, Contextual Comment,
  For Intrusion Detection System (IDS flag)
Tag fields: Name, Color

Distribution levels: Your Organization Only, This Community Only,
  Connected Communities, All Communities
Attribute categories (examples): Antivirus Detection, Payload Delivery,
  Payload Installation, Network Activity, ...
Attribute types (examples): md5, hostname, domain, mac-address, regkey|value, ...
MISP: Event Example
(screenshot: list of events and filters)
MISP: Event Browsing and Export
(screenshot)
• Export functionality is designed to automatically generate signatures for intrusion detection systems
MISP: Remote Sync
• Two ways to get events from remote sources:
• From another MISP server (also called MISP instance), by synchronizing two
MISP servers
• From a link, by using Feeds
MISP Attributes
• For Intrusion Detection System: this option allows the attribute to be
used as an IDS signature when exporting the NIDS data, unless it is
being overruled by the white-list
• If the IDS flag is not set, the attribute is considered as contextual
information and not to be used for automatic detection
MISP: Event Indicator Examples
• Recommended IoCs for each Event (when possible)
• ip-src: source IP of attacker
• email-src: email used to send malware
• md5/sha1/sha256: checksum
• hostname: full host/dnsname of attacker
• domain: domain name used in malware
Correlating data
• Correlate on indicators and context
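The IDS-flag rule from the MISP Attributes slide and the correlation on attribute values, worked through on constructed data. This is an added example and not MISP's own NIDS exporter or correlation engine: the events are a hand-made sample shaped like MISP's event JSON, the warninglist is hand-written, and the Suricata rule text only approximates what MISP emits.

```python
"""Export MISP attributes to Suricata rules and correlate values across events.

Added example, not MISP's own NIDS exporter: the events below are a
constructed sample shaped like MISP's event JSON, the warninglist is
hand-written, and the rule text only approximates what MISP emits. It shows
the behaviour described above: only attributes whose IDS flag (to_ids) is set
become signatures, a warninglist hit overrules the flag, attributes without
the flag stay contextual, and correlation links events that share a value.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events (MISP REST shape, trimmed to the fields used here).
EVENTS = [
    {"Event": {"uuid": "e1", "info": "Phishing wave", "Attribute": [
        {"type": "ip-dst", "category": "Network activity", "value": "198.51.100.23", "to_ids": True},
        {"type": "domain", "category": "Network activity", "value": "update-check.example", "to_ids": True},
        {"type": "url", "category": "Payload delivery", "value": "http://update-check.example/dl/a.exe", "to_ids": True},
        {"type": "ip-dst", "category": "Network activity", "value": "8.8.8.8", "to_ids": True},
        {"type": "md5", "category": "Payload delivery", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": False},
    ]}},
    {"Event": {"uuid": "e2", "info": "Backdoor C2", "Attribute": [
        {"type": "ip-dst", "category": "Network activity", "value": "198.51.100.23", "to_ids": True},
        {"type": "ip-src", "category": "Network activity", "value": "203.0.113.5", "to_ids": False},
    ]}},
]

# Hand-written warninglist: values that must never turn into blocking rules.
WARNINGLIST = {"cidr": ["8.8.8.0/24", "10.0.0.0/8"], "domain": ["example.com"]}


def warninglisted(attr_type, value):
    """True when a warninglist entry overrules the IDS flag for this value."""
    if attr_type in ("ip-src", "ip-dst"):
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(c) for c in WARNINGLIST["cidr"])
    host = urlsplit(value).hostname if attr_type == "url" else value
    return any(host == d or host.endswith("." + d) for d in WARNINGLIST["domain"])


def to_rule(event_uuid, attr, sid):
    """Suricata rule for one attribute, or None for types kept contextual here."""
    t, v = attr["type"], attr["value"]
    msg = f'msg:"MISP {event_uuid} {attr["category"]}: {v}";'
    end = f"classtype:trojan-activity; sid:{sid}; rev:1;"
    if t == "ip-dst":
        return f"alert ip $HOME_NET any -> {v} any ({msg} {end})"
    if t == "ip-src":
        return f"alert ip {v} any -> $HOME_NET any ({msg} {end})"
    if t in ("domain", "hostname"):
        return f'alert dns $HOME_NET any -> any any ({msg} dns.query; content:"{v}"; nocase; {end})'
    if t == "url":
        u = urlsplit(v)
        return (f"alert http $HOME_NET any -> $EXTERNAL_NET any ({msg} flow:to_server,established; "
                f'http.host; content:"{u.hostname}"; http.uri; content:"{u.path}"; {end})')
    return None  # hashes and other types are not turned into network rules here


def export_nids(events, sid_start=4000000):
    """Rules for every to_ids attribute not overruled by the warninglist, plus the skipped values."""
    rules, skipped, sid = [], [], sid_start
    for e in events:
        for a in e["Event"]["Attribute"]:
            if not a.get("to_ids"):
                continue  # contextual information only
            if warninglisted(a["type"], a["value"]):
                skipped.append(a["value"])
                continue
            rule = to_rule(e["Event"]["uuid"], a, sid)
            if rule:
                rules.append(rule)
                sid += 1
    return rules, skipped


def correlate(events):
    """(type, value) pairs seen in more than one event, with the event uuids."""
    seen = defaultdict(set)
    for e in events:
        for a in e["Event"]["Attribute"]:
            seen[(a["type"], a["value"])].add(e["Event"]["uuid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    rules, skipped = export_nids(EVENTS)
    print("\n".join(rules))
    print("overruled by warninglist:", skipped)
    print("correlations:", correlate(EVENTS))
```

The warninglist step is the one practitioners most often skip: a public resolver or a CDN range flagged `to_ids` in a shared event would otherwise become a blocking rule on every instance that pulls the export.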
The CS4E Experience
Context: CyberSec4Europe
• A research-based consortium with 43 participants from 22 EU
Member States
• The project addresses key EU Directives and Regulations, such as the
GDPR, PSD2, eIDAS, and ePrivacy, and tries to implement the EU
Cybersecurity Act including the development of the European skills
base, the certification framework and ENISA role
• EU H2020-SU-ICT-03-2018
WP3
Global Architecture and Tasks Block
(figure; components recovered from the diagram)

Administration Plane (User Domain, user-side tools): Risk & Incident Management,
  Policy-Based Security Management, Security Modelling, Regulatory Management,
  User-friendly Dashboards UI, Security/privacy tools
Intelligence Plane: Risk Analysis/Assessment, Threat/Incident Detection, Security
  Analytics, Threat Intelligence Sharing, Incident/Impact Assessment,
  Legal-privacy compliance assessment, Usable consent, User-friendly tools,
  Blockchain, Privacy-Preserving SSI Layer
Adaptive Security Control and Management Plane: MAPE Loop (Continuous Monitoring,
  Analysis, Enforcement, Reaction), AAA, TTE/TPM, PET clients, IdPs, Verifiers,
  SIEMs, Identity-Trust Management Services, Self-Sovereign User-Centric Security,
  CyberSecurity Awareness, Blockchain, System Certification, Supply Chain Security
Managed Domain: Security/Privacy-preservation tools, Products

Task 3.2 - Privacy-preservation
Task 3.3 - Software Development Lifecycle (SDL)
Task 3.4 - Security Intelligence
Task 3.5 - Adaptive Security
Task 3.6 - Usable Security
Task 3.7 - Regulatory Management

Task 3.4 Security Intelligence

“We will enhance the state of the art for reliability, safety and
privacy guarantees of security intelligence techniques based
on artificial intelligence, machine learning and data analytics.”
Objectives and scope
• Define requirements and mechanisms to share digital evidence between expert
systems
• Interoperability through unification of language, format, interface, or trusted
intermediaries with respect for privacy, business requirements and national
regulations
• Interact with Threat Intelligence Information Services for early malware activity
detection
• Log/event management, threat detection and security analytics with
privacy-respecting big data analytics
• Fortify underpinning security intelligence in defensive systems

Starting observations
• Fast sharing of TI is not sufficient to avoid targeted attacks
• Choosing the best threat intelligence tool depends on the
organization objectives
• standardization and automatic analytics needs versus high speed
requirements
A high level overview
• A collaborative security intelligence platform that aims to manage digital evidence
• The platform covers the whole life cycle of security related information
1. Raw data ingestion
2. Sharing data among trusted stakeholders
3. Covering all the levels of collaboration (technical and regulation)
4. Robustness with respect to the introduction of new components
Mechanisms to share digital evidence
• Goal: enabling the collaboration among organizations for defining
defensive actions against complex attack vectors
• How: sharing information and knowledge about threats, sightings, indicators of
compromise (IoC) and mitigation strategies
• Challenges:
• Issues with IoCs
• Network indicators: "the faster you share, the more you theoretically will stop"
• cumulative uniqueness, time of spread, time of validity
• Malware indicators
• Obfuscation techniques
• Indicators such as created registry keys or file artifacts are less commonly changed by attackers, but
they can be given a random or pseudorandom component in their names
• The sharing of IoCs (typically event-based) is incompatible with the data-driven machine
learning approaches incorporated in advanced monitoring and detection products
Threat intelligence information systems and
services
• Goal: preventing the same incident from happening elsewhere
• How: the usage of enabling technologies for managing digital evidence, i.e. tools to
collect, examine, analyze and share digital evidence from heterogeneous data sources
• Challenges:
• Traditional solutions (e.g., SIEM and SOAR solutions) may lack the necessary
capabilities to quickly adapt to new and/or evolving threats. They should integrate
intelligent components to automate the process.
• Quality over quantity
• The daily dump of indicators seen as suspicious on the Internet ranges from
roughly 250 to millions of indicators per day
• A common standardized format for sharing TI minimizes the risk of losing the quality of threat
data
• Provides better automated analytics solutions on large volumes of TTI
• customization, filtering, aggregation, search
Reducing the quantity of threat feeds
• Identifying the mutations of malware variants is essential in order to
recognize those belonging to the same family
• Data science and machine-learning models promise entirely new ways of
searching for malware
• Analyzing a huge number of threats to learn shared patterns
• Malware analysis, detection, classification and clustering can support this
automation
Examples: Malheur
• Collects behavioral analysis data from a sandbox
• malware binaries are collected in the wild and executed
• the execution of each malware binary results in a report of recorded behavior
• Extraction of prototypes from reports
• Automatic identification of groups (clusters) of reports containing similar behavior
• Classification of behavior based on a set of previously clustered reports
• Incremental analysis, by processing reports in chunks
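The Malheur pipeline above (embed reports, extract prototypes, cluster, classify new reports against the prototypes) reduced to a few dozen lines of pure Python. This is an added example, not Malheur's own code: Malheur embeds MIST instruction q-grams into normalized vectors and uses a linear-time approximation of farthest-first prototype extraction; here reports are sets of q-grams over API call names, distances are Jaccard, and the sandbox traces, names and radius are constructed.

```python
"""Malheur-style behaviour clustering of sandbox reports, in pure Python.

Added example (not Malheur's own code): each constructed report is the
sequence of API calls a sandbox recorded for one sample. Reports are embedded
as sets of q-grams of consecutive calls, compared with the Jaccard distance,
reduced to prototypes with the farthest-first (Gonzalez) heuristic that
Malheur's prototype extraction builds on, grouped by nearest prototype, and
new reports are either classified to a prototype or rejected as unknown.
Report contents, names and the radius are constructed values.
"""


def embed(calls, q=2):
    """Set of q-grams over consecutive API calls (the behaviour 'words')."""
    return {tuple(calls[i:i + q]) for i in range(len(calls) - q + 1)}


def jaccard_distance(a, b):
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0


def extract_prototypes(reports, radius):
    """Farthest-first traversal: keep adding the report farthest from every
    prototype until all reports lie within `radius` of some prototype."""
    names = list(reports)
    if not names:
        return []
    protos = [names[0]]
    while True:
        farthest, dist = max(
            ((n, min(jaccard_distance(reports[n], reports[p]) for p in protos)) for n in names),
            key=lambda t: t[1])
        if dist <= radius:
            return protos
        protos.append(farthest)


def assign(reports, protos):
    """Cluster label of each report = its nearest prototype."""
    return {n: min(protos, key=lambda p: jaccard_distance(reports[n], reports[p])) for n in reports}


def classify(calls, reports, protos, radius, q=2):
    """Nearest prototype for a new trace, or None when it is farther than
    `radius` from every prototype (unknown behaviour, to be queued for analysis)."""
    emb = embed(calls, q)
    best = min(protos, key=lambda p: jaccard_distance(emb, reports[p]))
    return best if jaccard_distance(emb, reports[best]) <= radius else None


# Constructed sandbox traces: a dropper family, a downloader family, one odd sample.
TRACES = {
    "a1": ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue"],
    "a2": ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "CloseHandle"],
    "a3": ["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "CloseHandle", "ExitProcess"],
    "b1": ["InternetOpen", "InternetConnect", "HttpSendRequest", "InternetReadFile", "WriteFile"],
    "b2": ["InternetOpen", "InternetConnect", "HttpSendRequest", "InternetReadFile", "WriteFile", "CreateProcess"],
    "c1": ["OpenSCManager", "CreateService", "StartService"],
}
RADIUS = 0.5  # constructed; Malheur tunes this on held-out labelled reports


def cluster(traces=TRACES, radius=RADIUS):
    reports = {n: embed(t) for n, t in traces.items()}
    protos = extract_prototypes(reports, radius)
    return reports, protos, assign(reports, protos)


if __name__ == "__main__":
    reports, protos, labels = cluster()
    print("prototypes:", protos)
    print("clusters:", labels)
    print(classify(["CreateFile", "WriteFile", "CreateProcess", "RegSetValue", "CloseHandle"],
                   reports, protos, RADIUS))
    print(classify(["NtQuerySystemInformation", "NtOpenProcess"], reports, protos, RADIUS))
```

Incremental analysis is the same loop run on each new chunk: embed the chunk, classify against the existing prototypes, and feed only the rejected reports to `extract_prototypes` so the prototype set grows by new behaviour rather than by volume.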
Interoperability in privacy, requirements and
regulation
• Goal: sharing trusted, reliable and privacy-preserving information
• How: applying appropriate security and privacy policies to enforce the sharing requirements of
threat intelligence and alerts
• Challenges:
• ensuring that information collected within TIPs is reliable and accurate
• Example: TIPs allow to export a subset of the data into Intrusion Detection System (IDS) rules that can be
inserted in solutions like Snort or Suricata. Malicious or unreliable input may compromise such HIDS and
NIDS
• Enhance the privacy and trust capabilities to overcome concerns
• Further requirements: the procedures for handling sensitive data should be
compliant with relevant regulations and directives, e.g. the EU General Data
Protection Regulation (GDPR) or the Payment Service Directive 2 (PSD2)
Security intelligence in defensive systems
• Goal: preventing data exfiltration from the TIP
• Gathered threat data can be exploited both for preventing and for performing
effective attacks
• Requirement 1: the security intelligence platform must implement
appropriate measures to ensure that the platform itself does not
increase the overall attack surface of the cybersecurity infrastructure
• Requirement 2: the security intelligence platform must be robust
against adversarial attacks aiming at feeding the system with false
information
Challenges – A summary
• Reducing the amount of false positive threat or attack alerts
• Lowering the time to threat detection amidst the growing amounts of data to
analyze
• Contextualizing threat data to support analysis of disparate information sources
• Boosting trust among the organizations belonging to the sharing networks
• Defining flexible strategies, methodologies and data formats for collaborative TI
• Enhancing cyberthreat analysis and digital investigation techniques when privacy
techniques are used
• Improving the notification mechanisms and automation by introducing
intelligent components
• Minimizing the attack surface by strengthening the robustness of ML and DL models
adopted by security applications
Assets and contributions
• CS4E has integrated several
assets and mapped them
within the overall scheme
A Demonstration Platform
• Integrates different type of security services
• E.g., risk indicators, enriched IoC, privacy-preserving utilities, etc.
• Aims at enriching TIP (MISP) events
• Three main scenarios
• Sharing cyberthreat intelligence in a confidential and privacy-preserving manner
• Enriching the information on detected threats via TDS cooperation and gathered by means of honeypot instances
• Adaptive deployment
• https://github.com/cs4ewp3t4
Demonstration platform (figure; components recovered from the diagram)

Computer Network -> Threat Detection System (TDS) Layer: EBIDS, NetGen, other IDS
  (IDS input: network traffic; IDS output: alarms)
Honeynet: honeypot instances; IDS and TIP information are used by the operator to
  deploy new honeypots
Threat Intelligence Platform (TIP): MISP Instance 1 ... Instance k, receiving
  alarms, security events, pcap, TCP flows and other exchange formats, and
  sharing data concerning new attack types as MISP Events
Services cooperating with the TIP through MISP Events:
  TATIS: Reliable CTI Sharing (Trust DB)
  Privacy-Preserving CTI Sharing: enriched MISP indicators
  RoCe: trust-based risk assessment (APT DB)
  TIE: Inventory DB
  Briareos: Enriched Threat Score

Cooperation with Threat
Intelligence Services
A case study
Focus
• Scenario: timely sharing of threat events and indicators of compromise (IoCs) among
organizations is crucial in order to make quick decisions and set up effective countermeasures
• Goal: designing a solution meant for gathering and managing threat information from
different data sources
• Main objectives:
• Improving the accuracy of Threat Detection Systems in detecting incoming attacks
• Enabling the sharing of trusted, reliable and relevant threat information among
organizations
Our proposal
• Defining a distributed platform enabling the sharing of reliable and privatized data

• Main capabilities
• Threat Detection Systems cooperation
• Human in the loop (Active Learning)
• Data enrichment from different sources
• E.g., TDS, honeypots, etc
Active Learning
• Active Learning (AL) refers to a family of approaches and algorithms wherein the new instances to be labelled are
interactively chosen by means of a query
• Idea: providing unknown examples (extracted with different strategies) to an oracle that will correctly label them
• Usage scenario: AL is used when data are hard to label or highly skewed, and allows for making sense of data
faster and more efficiently
• E.g., intrusion detection, fraud detection, fault detection, etc.
• Strategies:
• Uncertainty Sampling, Query-by-Committee, Expected Model Change, etc.
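Uncertainty sampling, the first strategy listed above, worked through on constructed flow features. This is an added example and not the CS4E platform's code: a nearest-centroid classifier stands in for the TDS model, a dictionary stands in for the human analyst (the oracle), and each round asks about the unlabelled flow the model is least sure about rather than the next one in the queue. Feature values, labels and the seed set are constructed.

```python
"""Uncertainty sampling for intrusion labelling, in pure Python.

Added example (not the CS4E platform's code): a nearest-centroid classifier
stands in for the TDS model, a dictionary stands in for the human analyst
(the oracle), and each round queries the unlabelled flow whose two
centroid distances are closest, i.e. the one the model is least sure about.
Feature vectors, labels and the seed set are constructed; the two features
can be read as, say, connection rate and payload entropy.
"""
import math

BENIGN, ATTACK = 0, 1

# Constructed seed set: one confidently labelled flow per class.
SEED = [((1.0, 1.0), BENIGN), ((9.0, 9.0), ATTACK)]
# Constructed unlabelled pool the analyst has not looked at yet.
POOL = {"p1": (2.0, 1.5), "p2": (8.0, 8.5), "p3": (5.0, 5.2), "p4": (4.0, 6.0), "p5": (1.5, 2.0)}
# What the analyst would answer if asked (the oracle).
ORACLE = {"p1": BENIGN, "p2": ATTACK, "p3": ATTACK, "p4": ATTACK, "p5": BENIGN}


def centroids(labeled):
    """Per-class mean feature vector."""
    sums, counts = {}, {}
    for x, y in labeled:
        s = sums.setdefault(y, [0.0] * len(x))
        counts[y] = counts.get(y, 0) + 1
        for i, v in enumerate(x):
            s[i] += v
    return {y: tuple(v / counts[y] for v in s) for y, s in sums.items()}


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def predict(cents, x):
    return min(cents, key=lambda y: dist(x, cents[y]))


def uncertainty(cents, x):
    """0 = far closer to one centroid than the other, 1 = equidistant."""
    d = sorted(dist(x, c) for c in cents.values())
    if len(d) < 2 or d[0] + d[1] == 0:
        return 1.0
    return 1.0 - (d[1] - d[0]) / (d[0] + d[1])


def uncertainty_sampling(seed, pool, oracle, budget):
    """Query the most uncertain point, label it, retrain; return the query
    order and the model's predictions for whatever remains unlabelled."""
    labeled, pool, queried = list(seed), dict(pool), []
    for _ in range(budget):
        if not pool:
            break
        cents = centroids(labeled)
        qid = max(pool, key=lambda k: uncertainty(cents, pool[k]))
        x = pool.pop(qid)
        labeled.append((x, oracle[qid]))  # the analyst's answer
        queried.append(qid)
    cents = centroids(labeled)
    return queried, {k: predict(cents, x) for k, x in pool.items()}


if __name__ == "__main__":
    order, remaining = uncertainty_sampling(SEED, POOL, ORACLE, budget=3)
    print("queried in order:", order)
    print("predicted without asking:", remaining)
```

With a budget of three questions the analyst is asked about the three points that sit between the classes (p4, p3, p2) and never about the two obviously benign ones, which the retrained model labels on its own.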
Platform overview
• There are essentially three actors
• Distributed TIP (Threat Intelligence Platform)
• Core component
• Two-fold role
• Storing data coming from heterogeneous sources in an encrypted and distributed way
• Delivering the gathered information to the other components
• TDS Layer
• Different types of Threat Detection Systems (e.g., IDS, IPS, etc.) can interface with the TIP
• TDSs provide information concerning incoming attacks
• TDSs feed the TIP with new intrusion events/statistics
• Honeynet
• Honeypots are deployed with the aim to collect additional information concerning new attacks
Platform: main actors (figure; components recovered from the diagram)

Honeynet: honeypot instances; TIP information is used to deploy new honeypots
Threat Detection System (TDS) Layer: EBIDS, Method 1 ... Method N over the
  Computer Network (TDS input: network traffic; TDS output: alarms)
Distributed TIP: MISP Instance 1 ... Instance k, fed with alarms, pcap, TCP flows,
  security events and other exchange formats, sharing data concerning new attacks
  as MISP Events
Security Service Providers/Consumers: receive enriched IoCs, privatized data,
  risk indicators, etc.
TIP Details
• A network of MISP instances
• Motivation
• Open source
• Strong underlying community
• Extensible (MISP Objects)
• Good documentation
• Support to different standards
Data exchange format
• The assets interface among them by using a custom MISP Object in JSON format
• The MISP object represents the data structure adopted by MISP to store
shared threat events
• The general template can be extended so as to include further relevant
information on specific threat events
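What "a custom MISP Object in JSON format" looks like in practice, as an added example rather than the project's actual object definition: MISP object templates are JSON documents that list the permitted object relations, the MISP attribute type behind each relation, and which relations are required, and an object instance inside an event carries a `template_uuid` plus an `Attribute` list keyed by `object_relation`. The template name, its attributes and the value checks below are this example's own assumptions.

```python
"""Define a custom MISP object template and validate instances against it.

Added example (the template, its name and attributes are hypothetical, not
the CS4E project's actual security event object): MISP object templates are
JSON documents listing the permitted object relations, the MISP attribute
type behind each relation, and which relations are required. `encode`
produces the object instance shape MISP accepts inside an event, and
`validate` rejects instances that violate the template before they are
pushed to an instance. Value checks for ip/port/float/boolean are this
example's own assumptions.
"""
import ipaddress
import uuid

SECURITY_EVENT_TEMPLATE = {
    "name": "security-event-object",                  # hypothetical name
    "uuid": "7f6b3c1e-2c4d-4a1e-9b0f-0123456789ab",   # made-up template uuid
    "meta-category": "network",
    "description": "Alarm raised by a threat detection system (hypothetical)",
    "version": 1,
    "attributes": {
        "detector": {"misp-attribute": "text", "ui-priority": 1},
        "src-ip": {"misp-attribute": "ip-src", "ui-priority": 1},
        "dst-ip": {"misp-attribute": "ip-dst", "ui-priority": 1},
        "dst-port": {"misp-attribute": "port", "ui-priority": 0},
        "attack-class": {"misp-attribute": "text", "ui-priority": 1},
        "confidence": {"misp-attribute": "float", "ui-priority": 0},
        "validated": {"misp-attribute": "boolean", "ui-priority": 0},
    },
    "required": ["detector", "attack-class"],
    "requiredOneOf": ["src-ip", "dst-ip"],
}


def _value_ok(misp_type, value):
    """Type-specific sanity checks (assumed rules, not MISP's validators)."""
    try:
        if misp_type in ("ip-src", "ip-dst"):
            ipaddress.ip_address(value)
        elif misp_type == "port":
            return 0 < int(value) < 65536
        elif misp_type == "float":
            float(value)
        elif misp_type == "boolean":
            return value in ("0", "1", "true", "false")
    except ValueError:
        return False
    return True


def validate(obj, template):
    """List of violations; empty when the object instance matches the template."""
    problems = []
    if obj.get("template_uuid") != template["uuid"]:
        problems.append("template_uuid mismatch")
    present = {}
    for a in obj.get("Attribute", []):
        rel = a.get("object_relation")
        spec = template["attributes"].get(rel)
        if spec is None:
            problems.append(f"unknown relation {rel!r}")
            continue
        if a.get("type") != spec["misp-attribute"]:
            problems.append(f"{rel}: type {a.get('type')!r} != {spec['misp-attribute']!r}")
        if not _value_ok(spec["misp-attribute"], str(a.get("value", ""))):
            problems.append(f"{rel}: bad value {a.get('value')!r}")
        present[rel] = a
    for rel in template["required"]:
        if rel not in present:
            problems.append(f"missing required relation {rel}")
    if template.get("requiredOneOf") and not any(r in present for r in template["requiredOneOf"]):
        problems.append(f"need at least one of {template['requiredOneOf']}")
    return problems


def encode(template, relations):
    """MISP object instance (as nested under Event['Object']) from relation -> value."""
    attrs = []
    for rel, value in relations.items():
        misp_type = template["attributes"][rel]["misp-attribute"]  # KeyError for unknown relations
        attrs.append({"object_relation": rel, "type": misp_type, "value": str(value)})
    return {"name": template["name"], "meta-category": template["meta-category"],
            "template_uuid": template["uuid"], "template_version": template["version"],
            "uuid": str(uuid.uuid4()), "Attribute": attrs}


if __name__ == "__main__":
    seo = encode(SECURITY_EVENT_TEMPLATE, {"detector": "EBIDS", "src-ip": "203.0.113.5",
                                           "dst-port": 445, "attack-class": "lateral-movement",
                                           "confidence": 0.87, "validated": "0"})
    print(validate(seo, SECURITY_EVENT_TEMPLATE))
```

Validating against the template on the receiving side is what keeps a second TDS from updating an object with a relation the first one never defined, which is the failure mode the TDS cooperation flow below depends on avoiding.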
Platform in action: TDS Cooperation
(figure: a Distributed TIP of MISP Instances 1..k with a MISP web interface, and a
Threat Detection System (TDS) Layer of Methods 1..N over the Computer Network)

1. Network flow (pcap) is sent to TDS 1
2. TDS 1 detects an anomaly and shares it with a MISP instance by sending a
security event object (SEO)
3. TDS 2 gathers information from MISP to update its classifier
4. TDS 2 classifies the new threat and updates the SEO on MISP
5. An expert (either user or automated) checks the new threat via the MISP web
interface
6. The expert validates the threat event
Benefits
• The number of false positives is reduced
• The sharing protocol allows different actors (either AI or humans) to validate
threat evidence and mutually benefit from the feedback provided by other peers
• Time to threat detection is lowered
• Collaboration among automated predictive models allows for reducing the
average time to detect an intrusion
• Threat information is better contextualized with additional IoCs coming
from other assets
• Privacy enhancement via cooperation with other assets in a seamless
integration
Concluding remarks
• Security intelligence platforms and sharing mechanisms can
substantially improve the security capabilities of cybersecurity
applications in various vertical domains and use cases
• Current Threat Intelligence Platforms can take advantage of the
adoption of AI/ML tools
• Knowledge extraction from different sources
• Improving the quality of data via AI powered tools
• The need for strengthening the collaborative mechanisms to include
• data-driven and AI powered threat detection systems
• Sophisticated refinements of IoCs
• privacy enabling techniques and methods to guarantee trust and confidence
Concluding remarks
• The CS4E contribution
• A research roadmap
• Vertical demonstrations with measurable benefits
• false positive alerts reduction
• contextualizing threat data
• boosting trust among producers and consumers of threat data
• strengthening the robustness of ML models
References
• V. Adewopo, B. Gonen and F. Adewopo, "Exploring Open Source Information for Cyber Threat Intelligence," 2020 IEEE International Conference on Big Data (Big Data), 2020, pp. 2232-2241.
• S. Barnum. Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). Mitre Corporation 11 (2012), 1–22.
• E.W. Burger, M.D. Goodman, P. Kampanakis, K.A. Zhu. Taxonomy model for cyber threat intelligence information exchange technologies, in: Proceedings of the 2014 ACM Workshop on Information Sharing & Collaborative Security, ACM, pp. 51–60; 2014.
• D. Chismon, M. Ruks. Threat intelligence: Collecting, analysing, evaluating, MWR InfoSecurity, UK Cert, United Kingdom; 2015.
• A. de Melo e Silva, J. Costa Gondim, R. de Oliveira Albuquerque, and L.J. García Villalba. 2020. A methodology to evaluate standards and platforms within cyber threat intelligence. Future Internet 12, 6 (2020), 1–23.
• P.-Y. Du et al., "Identifying, Collecting, and Presenting Hacker Community Data: Forums, IRC, Carding Shops, and DNMs," 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), 2018, pp. 70-75.
• ENISA. 2010. Incentives and Challenges for Information Sharing in the Context of Network and Information Security. https://www.enisa.europa.eu/publications/incentives-and-barriers-to-information-sharing
• ENISA. 2018. Exploring the opportunities and limitations of current Threat Intelligence Platforms. https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms
• ENISA. 2021. Threat Landscape. https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends
• V. Ghanaei, C.S. Iliopoulos, R.E. Overill. Statistical approach towards malware classification and detection, in: SAI Computing Conference (SAI), 2016, IEEE, pp. 1093–1099; 2016.
• M. Guarascio, E. Ritacco, D. Biondo, R. Mammoliti, A. Toma. Integrating a Framework for Discovering Alternative App Stores in a Mobile App Monitoring Platform. In: NFMCP 2017. LNCS, vol 10785.
• R. Holland, S. Balaouras, K. Mak. Five Steps To Build An Effective Threat Intelligence Capability, Forrester Research, Inc.; 2013.
• NIST 2016. Guide to Cyber Threat Information Sharing. NIST Special Publication 800-150. http://dx.doi.org/10.6028/NIST.SP.800-150
• O. Or-Meir, N. Nissim, Y. Elovici, and L. Rokach. 2019. Dynamic Malware Analysis in the Modern Era—A State of the Art Survey. ACM Comput. Surv. 52.
• S. Piper. Definitive guide to next generation threat protection, CyberEdge Group, LLC, 2013.
• A. Ramsdale, S. Shiaeles, N. Kolokotronis. A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages. Electronics. 2020; 9(5):824.
• S. Samtani, W. Li, V. Benjamin, and H. Chen. 2021. Informing Cyber Threat Intelligence through Dark Web Situational Awareness: The AZSecure Hacker Assets Portal. Digit. Threat.: Res. Pract. 2, 4, 2021.
• S. Samtani, K. Chinn, C. Larson and H. Chen, "AZSecure Hacker Assets Portal: Cyber threat intelligence and malware analysis," 2016 IEEE Conference on Intelligence and Security Informatics (ISI), 2016, pp. 19-24.
• W. Tounsi, H. Rais. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 2018, Elsevier.
• W. Tounsi. What is Cyber Threat Intelligence and How is it Evolving? In: Cyber-Vigilance and Digital Trust: Cyber Security in the Era of Cloud Computing and IoT, Wiley, 2019.
• C. Sauerwein, I. Pekaric, M. Felderer, R. Breu. An analysis and classification of public information security data sources used in research and practice. Computers & Security, 82, 2019, pp. 140-155.
• C. Sauerwein, C. Sillaber, A. Mussmann, R. Breu. 2017. Threat intelligence sharing platforms: An exploratory study of software vendors and research perspectives. Wirtschaftsinformatik und Angewandte Informatik.
• C. Sauerwein, D. Fischer, M. Rubsamen, G. Rosenberger, D. Stelzer, and R. Breu. 2021. From Threat Data to Actionable Intelligence: An Exploratory Analysis of the Intelligence Cycle Implementation
in Cyber Threat Intelligence Sharing Platforms. In The 16th International Conference on Availability, Reliability and Security (ARES 2021).
• M. Sahin and S. Bahtiyar. A Survey on Malware Detection with Deep Learning. In 13th International Conference on Security of Information and Networks (SIN 2020).
• F . Skopik, G . Settanni, R. Fiedler. A problem shared is a problem halved: a survey on the dimensions of collective cyber defense through security information sharing. Comput Secur 2016;60:154–
76.
• B. Stojkovski, G. Lenzini, V. Koenig, and S. Rivas. What’s in a Cyber Threat Intelligence sharing platform? A mixed-methods user experience investigation of MISP. In Annual Computer Security
Applications Conference (ACSAC 2021).

• Wagner et al. 2016. MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and
Collaborative Security (WISCS ‘16).
• A. Zibak and A. Simpson. 2019. Cyber Threat Information Sharing: Perceived Benefits and Barriers. In Proceedingsof the 14th International Conference on Availability, Reliability and Security (ARES
'19).
References
• A curated list of pointers on threat intelligence: https://github.com/hslatman/awesome-threat-intelligence
• Collection of Cyber Threat Intelligence sources from the Deep and Dark Web: https://github.com/fastfire/deepdarkCTI
• GitHub topic: threat intelligence: https://github.com/topics/threat-intelligence
• CS4E deliverables:
  • Deliverable D3.3: Research Challenges and Requirements to Manage Digital Evidence: https://cybersec4europe.eu/wp-content/uploads/2020/02/D3.3-Research-challenges-and-requirements-to-manage-digital-evidence-Submitted.pdf
  • Deliverable D3.14: Cooperation With Threat Intelligence Services For Deploying Adaptive Honeypots: https://cybersec4europe.eu/wp-content/uploads/2021/10/D3.14-Cooperation-with-Threat-Intelligence-Services-for-deploying-adaptive-honeypots_2.05_submitted.pdf