Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents

Cristoffer Leite; Jerry Den Hartog; Daniel R. Dos Santos; Elisa Costante

doi:10.1109/BigData59044.2023.10386324

Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents

Cristoffer Leite, Jerry Den Hartog, Daniel R. Dos Santos, Elisa Costante

Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

13 Downloads (Pure)

Abstract

The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRT). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats. It provides relevant information about alerts to the analysts. This information could generate CTI reports to help others better protect themselves from similar attacks. Due to the demanding work involved in manually creating high-level CTI reports for multi-host incidents, automating this process has become increasingly important.In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, but also manual analysis and validation of the reports created. The proposed approach is evaluated by comparing generating reports with existing CTI, validating any additional TTPs found. The evaluation shows that, not only it was able to match existing reports, but it was also able to improve the knowledge about these threats.

Original language	English
Title of host publication	2023 IEEE International Conference on Big Data, BigData 2023
Editors	Jingrui He, Themis Palpanas, Xiaohua Hu, Alfredo Cuzzocrea, Dejing Dou, Dominik Slezak, Wei Wang, Aleksandra Gruca, Jerry Chun-Wei Lin, Rakesh Agrawal
Publisher	Institute of Electrical and Electronics Engineers
Pages	2999-3008
Number of pages	10
ISBN (Electronic)	979-8-3503-2445-7
DOIs	https://doi.org/10.1109/BigData59044.2023.10386324
Publication status	Published - 22 Jan 2024
Event	2023 IEEE International Conference on Big Data, BigData 2023 - Sorrento, Italy Duration: 15 Dec 2023 → 18 Dec 2023

Conference

Conference	2023 IEEE International Conference on Big Data, BigData 2023
Country/Territory	Italy
City	Sorrento
Period	15/12/23 → 18/12/23

Keywords

Automation
Cyber Threat Intelligence (CTI)
Tactics
Techniques and Procedures

Access to Document

10.1109/BigData59044.2023.10386324

pdfFinal published version, 2.3 MBLicence: TAVERNE

Cite this

Leite, C., Den Hartog, J., Dos Santos, D. R., & Costante, E. (2024). Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents. In J. He, T. Palpanas, X. Hu, A. Cuzzocrea, D. Dou, D. Slezak, W. Wang, A. Gruca, J. C.-W. Lin, & R. Agrawal (Eds.), 2023 IEEE International Conference on Big Data, BigData 2023 (pp. 2999-3008). Article 10386324 Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/BigData59044.2023.10386324

Leite, Cristoffer ; Den Hartog, Jerry ; Dos Santos, Daniel R. et al. / Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents. 2023 IEEE International Conference on Big Data, BigData 2023. editor / Jingrui He ; Themis Palpanas ; Xiaohua Hu ; Alfredo Cuzzocrea ; Dejing Dou ; Dominik Slezak ; Wei Wang ; Aleksandra Gruca ; Jerry Chun-Wei Lin ; Rakesh Agrawal. Institute of Electrical and Electronics Engineers, 2024. pp. 2999-3008

@inproceedings{3f009078526a4577b0904fd602f48b5a,

title = "Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents",

abstract = "The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRT). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats. It provides relevant information about alerts to the analysts. This information could generate CTI reports to help others better protect themselves from similar attacks. Due to the demanding work involved in manually creating high-level CTI reports for multi-host incidents, automating this process has become increasingly important.In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, but also manual analysis and validation of the reports created. The proposed approach is evaluated by comparing generating reports with existing CTI, validating any additional TTPs found. The evaluation shows that, not only it was able to match existing reports, but it was also able to improve the knowledge about these threats.",

keywords = "Automation, Cyber Threat Intelligence (CTI), Tactics, Techniques and Procedures",

author = "Cristoffer Leite and {Den Hartog}, Jerry and {Dos Santos}, {Daniel R.} and Elisa Costante",

year = "2024",

month = jan,

day = "22",

doi = "10.1109/BigData59044.2023.10386324",

language = "English",

pages = "2999--3008",

editor = "Jingrui He and Themis Palpanas and Xiaohua Hu and Alfredo Cuzzocrea and Dejing Dou and Dominik Slezak and Wei Wang and Aleksandra Gruca and Lin, {Jerry Chun-Wei} and Rakesh Agrawal",

booktitle = "2023 IEEE International Conference on Big Data, BigData 2023",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

note = "2023 IEEE International Conference on Big Data, BigData 2023 ; Conference date: 15-12-2023 Through 18-12-2023",

}

Leite, C , Den Hartog, J, Dos Santos, DR & Costante, E 2024, Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents. in J He, T Palpanas, X Hu, A Cuzzocrea, D Dou, D Slezak, W Wang, A Gruca, JC-W Lin & R Agrawal (eds), 2023 IEEE International Conference on Big Data, BigData 2023., 10386324, Institute of Electrical and Electronics Engineers, pp. 2999-3008, 2023 IEEE International Conference on Big Data, BigData 2023, Sorrento, Italy, 15/12/23. https://doi.org/10.1109/BigData59044.2023.10386324

Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents. / Leite, Cristoffer ; Den Hartog, Jerry; Dos Santos, Daniel R. et al.
2023 IEEE International Conference on Big Data, BigData 2023. ed. / Jingrui He; Themis Palpanas; Xiaohua Hu; Alfredo Cuzzocrea; Dejing Dou; Dominik Slezak; Wei Wang; Aleksandra Gruca; Jerry Chun-Wei Lin; Rakesh Agrawal. Institute of Electrical and Electronics Engineers, 2024. p. 2999-3008 10386324.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents

AU - Leite, Cristoffer

AU - Den Hartog, Jerry

AU - Dos Santos, Daniel R.

AU - Costante, Elisa

PY - 2024/1/22

Y1 - 2024/1/22

N2 - The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRT). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats. It provides relevant information about alerts to the analysts. This information could generate CTI reports to help others better protect themselves from similar attacks. Due to the demanding work involved in manually creating high-level CTI reports for multi-host incidents, automating this process has become increasingly important.In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, but also manual analysis and validation of the reports created. The proposed approach is evaluated by comparing generating reports with existing CTI, validating any additional TTPs found. The evaluation shows that, not only it was able to match existing reports, but it was also able to improve the knowledge about these threats.

AB - The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRT). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats. It provides relevant information about alerts to the analysts. This information could generate CTI reports to help others better protect themselves from similar attacks. Due to the demanding work involved in manually creating high-level CTI reports for multi-host incidents, automating this process has become increasingly important.In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, but also manual analysis and validation of the reports created. The proposed approach is evaluated by comparing generating reports with existing CTI, validating any additional TTPs found. The evaluation shows that, not only it was able to match existing reports, but it was also able to improve the knowledge about these threats.

KW - Automation

KW - Cyber Threat Intelligence (CTI)

KW - Tactics

KW - Techniques and Procedures

UR - http://www.scopus.com/inward/record.url?scp=85184988644&partnerID=8YFLogxK

U2 - 10.1109/BigData59044.2023.10386324

DO - 10.1109/BigData59044.2023.10386324

M3 - Conference contribution

AN - SCOPUS:85184988644

SP - 2999

EP - 3008

BT - 2023 IEEE International Conference on Big Data, BigData 2023

A2 - He, Jingrui

A2 - Palpanas, Themis

A2 - Hu, Xiaohua

A2 - Cuzzocrea, Alfredo

A2 - Dou, Dejing

A2 - Slezak, Dominik

A2 - Wang, Wei

A2 - Gruca, Aleksandra

A2 - Lin, Jerry Chun-Wei

A2 - Agrawal, Rakesh

PB - Institute of Electrical and Electronics Engineers

T2 - 2023 IEEE International Conference on Big Data, BigData 2023

Y2 - 15 December 2023 through 18 December 2023

ER -

Leite C , Den Hartog J, Dos Santos DR, Costante E. Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents. In He J, Palpanas T, Hu X, Cuzzocrea A, Dou D, Slezak D, Wang W, Gruca A, Lin JCW, Agrawal R, editors, 2023 IEEE International Conference on Big Data, BigData 2023. Institute of Electrical and Electronics Engineers. 2024. p. 2999-3008. 10386324 doi: 10.1109/BigData59044.2023.10386324

Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this