Abstract
Cyber-attacks launched by nation-states, organizations, and individuals within and across borders are on the rise. Modern-day adversaries change signatures and use multiple malware to launch attacks. Such attacks are termed Advanced Persistent Threats (APTs). Although a large amount of cyber threat data regarding these APTs is available online, its high veracity and large volume make timely analysis of APTs a challenging task for security analysts. Moreover, it has been witnessed that APTs launched against one organization subsequently succeed with high probability against other similar organizations. Therefore, it has become a need of the time that organizations accumulate and share cyber threat data with peers. Furthermore, this data should incorporate information regarding the various phases of cyber threat management (CTM), namely cyber threat prevention, detection, and response. In this regard, a few efforts have been made towards the structuring and sharing of cyber threat data. Noteworthy among these is the Structured Threat Information Expression (STIX). Unfortunately, the current state of the structured data is poor. Structured reports are not appropriately formatted, use incorrect vocabulary, wrongly label threat data or leave out key components, which curtails their usefulness for CTM. The solution presented in this thesis to address the aforesaid problems can be categorized under three formal sub-frameworks, namely STIXGEN, SCERM, and A2CS. Each of these sub-frameworks is designed to achieve one of three exclusive thesis goals.

The STIX Generation (STIXGEN) framework is proposed and its prototype is developed to automatically generate distinct, threat-relevant, and error-free structured data. A comprehensive STIX dataset of well-known APTs has been generated and shared with the community for the benefit of researchers.

The Structured threat data Cleansing, Evaluation, and Refinement (SCERM) framework has been developed to acquire STIX reports from STIXGEN and other resources and uplift Cyber Threat Intelligence (CTI) data, refining incomplete or missing components and evaluating it for the different phases of CTM. During SCERM's evaluation, it is observed that current STIX reports have limited information on prevention and almost none for the response phase of CTM. The results further demonstrate that SCERM significantly enriches STIX reports: the improvement in prevention is 73% and in response is 100%.

Subsequently, the APTs Analysis and Classification System (A2CS) has been developed for automatic analysis of APTs. It employs ontology modeling and semantic rules for APT analysis, identification of their missing artifacts, and inferencing of the tactics, techniques and procedures (TTPs) being employed. A2CS takes refined structured data as input from SCERM and extracts both high- and low-level artifacts according to the various attacker and defender models. Then, it maps this data onto the ontology, which helps in identification of the missing artifacts of APTs and inferencing of high-level TTPs with the help of low-level artifacts.

Overall, the proposed solution generates refined, distinct, error-free, and properly labeled structured threat data, evaluates it for the different phases of CTM, and employs different attacker and defender models for automated analysis of APTs, identification of missing artifacts, and inferencing of the high-level artifacts.
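As an added illustration of the kind of report checks the SCERM paragraph describes (example code, not the thesis's own implementation), the following Python sketch inspects a constructed STIX 2.1 bundle for off-vocabulary indicator labels, references to objects missing from the bundle, and which CTM phases the bundle covers. The mapping of course-of-action relationship types to the prevention and response phases is this example's own assumption; the abstract does not state the thesis's criteria.

```python
import json

# STIX 2.1 indicator-type-ov open vocabulary (from the STIX 2.1 specification).
INDICATOR_TYPE_OV = {"anomalous-activity", "anonymization", "attribution",
                     "benign", "compromised", "malicious-activity", "unknown"}
# Assumed mapping of course-of-action relationship types to CTM phases; the
# thesis's own phase criteria are not stated in the abstract.
COA_PHASE = {"mitigates": "prevention", "remediates": "response",
             "investigates": "response"}
CTM_PHASES = {"detection", "prevention", "response"}

def sid(obj_type, n):
    """Build a deterministic STIX identifier for the constructed sample."""
    return f"{obj_type}--00000000-0000-4000-8000-{n:012d}"

# Constructed sample bundle: the indicator carries an off-vocabulary label and
# the 'mitigates' relationship points at a course-of-action that is absent.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 1), "objects": [
    {"type": "indicator", "id": sid("indicator", 2), "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "indicator_types": ["malicious"]},
    {"type": "attack-pattern", "id": sid("attack-pattern", 3), "name": "Spearphishing Attachment"},
    {"type": "relationship", "id": sid("relationship", 4), "relationship_type": "indicates",
     "source_ref": sid("indicator", 2), "target_ref": sid("attack-pattern", 3)},
    {"type": "relationship", "id": sid("relationship", 5), "relationship_type": "mitigates",
     "source_ref": sid("course-of-action", 9), "target_ref": sid("attack-pattern", 3)},
]})

def assess_report(bundle_json):
    """Report labelling errors, dangling references and CTM phase coverage."""
    objs = {o["id"]: o for o in json.loads(bundle_json).get("objects", [])}
    bad_labels, dangling, phases = [], [], set()
    for o in objs.values():
        if o["type"] == "indicator":
            phases.add("detection")  # indicators serve the detection phase
            bad_labels += [(o["id"], t) for t in o.get("indicator_types", [])
                           if t not in INDICATOR_TYPE_OV]
        elif o["type"] == "relationship":
            # Endpoints missing from the bundle make the report incomplete.
            dangling += [(o["id"], o[k]) for k in ("source_ref", "target_ref")
                         if o[k] not in objs]
            phase = COA_PHASE.get(o["relationship_type"])
            # Credit a phase only if the course-of-action itself is present.
            if phase and o["source_ref"] in objs:
                phases.add(phase)
    return {"bad_labels": bad_labels, "dangling_refs": dangling,
            "covered": sorted(phases), "missing": sorted(CTM_PHASES - phases)}

if __name__ == "__main__":
    print(json.dumps(assess_report(SAMPLE_BUNDLE), indent=1))
```

On the constructed sample the report covers only detection, mirroring the abstract's observation that prevention and response information is usually the part that is missing.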