Conception and Implementation of a Framework for Prioritizing CTI
| Thesis type | Master Thesis |
| --- | --- |
| Supervisor | Thomas Geras |
| Starting date | As soon as possible |
| Skills | LaTeX, Git, any programming language |
| Language | German, English (preferred) |
| Industry cooperation | Not possible |
| Publish date | 2024-02-26 |
Problem and context
The term intelligence has its origin in military jargon. Intelligence is actionable, context-related information created by gathering, processing, and analyzing data [1]. Cyber Threat Intelligence (CTI) in this context is understood as evidence-based knowledge about existing and emerging threats [2]. CTI can analyze how threat actors behave in the digital world to achieve their malicious goals [1]. Examples of CTI are the so-called Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs). IOCs are simple pieces of information such as IP addresses, hash values, or web domains. More complex information about the behavior of threat actors, such as the techniques and tactics they use, is called TTPs [1]. There are several standards for representing CTI, among which STIX has established itself as the de facto standard. There are various ways to procure CTI, such as Open Source Intelligence (OSINT). Likewise, CTI can be procured through exchange between two or more parties within a sharing community; in this case, sharing platforms like MISP are used for procurement and exchange.
CTI can help to mitigate cyber attacks or even prevent potential attacks. However, research agrees that CTI has specific weaknesses: for example, inaccurate, incomplete, or outdated CTI poses a significant challenge [3, 4]. The quality of CTI is therefore a crucial factor in the success of the exchange and of the actions taken on its basis [5, 6, 7].
Goals
In the evolving landscape of cybersecurity, organizations across various sectors face an array of sophisticated adversaries employing a multitude of attack vectors. The proactive use of Cyber Threat Intelligence is paramount in preempting and mitigating potential breaches. However, the sheer volume of threat data presents a significant challenge: intelligence must be filtered and prioritized effectively so that resource allocation is both efficient and impactful. This thesis aims to address this critical need by developing a comprehensive framework that guides the prioritization of CTI, tailored to an organization’s specific context, such as its industry sector and technological infrastructure.
The primary goal of this thesis is to design and implement a robust framework that systematically prioritizes CTI for organizational security teams. This framework should consider various influencing factors, such as the organization’s sector, prevalent technologies, known vulnerabilities, adversaries’ focus areas, and the potential impact of specific threats. By integrating these aspects, the framework will enable security professionals to discern and address the most pertinent threats, thereby optimizing their defensive strategies and resource utilization.
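As an added illustration of how the influencing factors above (sector, technologies, known vulnerabilities, impact) and the freshness concern from the problem statement could be combined into a ranking, the following is example code written for this page; it is not the thesis's framework, and the weights, the 30-day half-life, the organizational context and the sample CTI items are all assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical organizational context (constructed for this example).
@dataclass
class OrgContext:
    sector: str
    technologies: set[str]
    known_cves: set[str]

# One CTI item; `kind` mirrors STIX object types (indicator = IOC, attack-pattern = TTP).
@dataclass
class CtiItem:
    id: str
    kind: str
    targeted_sectors: set[str]
    technologies: set[str]
    cves: set[str]
    severity: float          # analyst-assigned potential impact, 0.0..1.0
    last_seen: datetime

# Assumed weights for the influencing factors named in the thesis goals.
WEIGHTS = {"sector": 0.25, "tech": 0.25, "cve": 0.20, "impact": 0.30}

def freshness(item: CtiItem, now: datetime, half_life_days: int = 30) -> float:
    """Exponential decay so that outdated CTI sinks in the ranking (half weight every 30 days)."""
    return 0.5 ** ((now - item.last_seen).days / half_life_days)

def score(item: CtiItem, org: OrgContext, now: datetime) -> float:
    """Weighted relevance of one CTI item to the organization, scaled by its freshness."""
    sector = 1.0 if org.sector in item.targeted_sectors else 0.0
    tech = 1.0 if item.technologies & org.technologies else 0.0
    cve = 1.0 if item.cves & org.known_cves else 0.0
    base = (WEIGHTS["sector"] * sector + WEIGHTS["tech"] * tech
            + WEIGHTS["cve"] * cve + WEIGHTS["impact"] * item.severity)
    return round(base * freshness(item, now), 3)

def prioritize(items: list[CtiItem], org: OrgContext, now: datetime) -> list[CtiItem]:
    """Return the items ordered from most to least relevant for this organization."""
    return sorted(items, key=lambda i: score(i, org, now), reverse=True)

# Constructed sample data; CVE-0000-0001 is a placeholder, not a real identifier.
NOW = datetime(2024, 2, 26, tzinfo=timezone.utc)
ORG = OrgContext("finance", {"exchange-server", "ubuntu"}, {"CVE-0000-0001"})
ITEMS = [
    CtiItem("a", "indicator", {"finance"}, {"exchange-server"}, {"CVE-0000-0001"}, 0.8, NOW),
    CtiItem("b", "attack-pattern", {"finance", "energy"}, {"windows"}, set(), 0.9, NOW - timedelta(days=90)),
    CtiItem("c", "indicator", {"healthcare"}, {"ubuntu"}, set(), 0.5, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    print([(i.id, score(i, ORG, NOW)) for i in prioritize(ITEMS, ORG, NOW)])
```

Note that item "b" has the highest raw severity and matches the sector, yet ranks last because it is 90 days old; the decay is what keeps outdated CTI from crowding out current, directly applicable items.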
Literature
- [1] Roberts, S. J., Brown, R.: Intelligence-Driven Incident Response: Outwitting the Adversary (1st ed.). O’Reilly Media, Inc. (2017)
- [2] Gartner: Definition: Threat Intelligence. https://www.gartner.com/en/documents/2487216/definition-threat-intelligence
- [3] Ponemon Institute LLC: Live Threat Intelligence Impact Report 2013 (2013). https://www.ponemon.org/blog/live-threatintelligence-impact-report-2013-1
- [4] Ring, T.: Threat intelligence: why people don’t share. Comput. Fraud Secur. (2014)
- [5] Sillaber, C., Sauerwein, C., Mussmann, A., Breu, R.: Data quality challenges and future research directions in threat intelligence sharing practice. In: Proceedings of the 2016 ACM Workshop on Information Sharing and Collaborative Security (WISCS ’16), pp. 65–70. ACM, New York (2016)
- [6] Sillaber, C., Sauerwein, C., Mussmann, A., Breu, R.: Towards a maturity model for inter-organizational cyber threat intelligence sharing: a case study of stakeholders’ expectations and willingness to share. In: Proceedings of Multikonferenz Wirtschaftsinformatik (MKWI 2018), pp. 6–9. Springer, Heidelberg (2018)
- [7] Tounsi, W., Rais, H.: A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput. Secur. 72, 212–233 (2018)