Using Social Network Analysis for Cyber Threat Intelligence
Authors: Vasileios Anastopoulos
Abstract:
Cyber threat intelligence assists organisations in understanding the threats they face and helps them make educated decisions on preparing their defences. Organisations and enterprises increasingly share threat intelligence and threat information, and various software solutions already support this, the open-source Malware Information Sharing Platform (MISP) being a popular one. In this work, a methodology for the production of cyber threat intelligence from the threat information stored in MISP is proposed. The methodology leverages the discipline of social network analysis and the diamond model, a model used for intrusion analysis, to produce cyber threat intelligence. The workings of the proposed methodology are demonstrated with a case study on a production MISP instance of a real organisation. The paper concludes with a discussion of the proposed methodology and possible directions for further research.
Keywords: Cyber threat intelligence, diamond model, malware information sharing platform, social network analysis.
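As an added illustration of the approach the abstract describes (this is not the paper's own code or data), the following Python maps MISP-style attributes onto the four diamond-model vertices, builds a two-mode event/attribute network, and uses degree in that network to rank the indicators that tie events together. The MISP attribute types are real; the events, values and the type-to-vertex mapping are constructed assumptions for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not from the paper): three MISP-like events, each a
# list of (attribute type, value). The types are real MISP attribute types;
# the values are invented for illustration.
EVENTS = {
    "event-1": [("threat-actor", "ActorA"), ("ip-dst", "203.0.113.10"),
                ("md5", "aaaa"), ("target-org", "OrgX")],
    "event-2": [("threat-actor", "ActorA"), ("domain", "c2.example"),
                ("md5", "bbbb"), ("target-org", "OrgY")],
    "event-3": [("ip-dst", "203.0.113.10"), ("domain", "c2.example"),
                ("sha256", "cccc"), ("target-org", "OrgX")],
}

# Assumed mapping of MISP attribute types onto the four diamond-model vertices.
DIAMOND = {
    "threat-actor": "adversary",
    "ip-dst": "infrastructure", "domain": "infrastructure",
    "md5": "capability", "sha256": "capability",
    "target-org": "victim",
}

def build_graph(events):
    """Two-mode network: event nodes <-> attribute nodes ('type:value')."""
    adj = defaultdict(set)
    for ev, attrs in events.items():
        for typ, val in attrs:
            node = f"{typ}:{val}"
            adj[ev].add(node)
            adj[node].add(ev)
    return adj

def key_indicators(events, vertex):
    """Attributes of one diamond vertex ranked by degree (events they link)."""
    adj = build_graph(events)
    ranked = [(n, len(nb)) for n, nb in adj.items()
              if n not in events and DIAMOND.get(n.split(":", 1)[0]) == vertex]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))

def event_projection(events):
    """One-mode projection: pairs of events with the attributes they share."""
    adj = build_graph(events)
    links = {}
    for a, b in combinations(sorted(events), 2):
        shared = adj[a] & adj[b]
        if shared:
            links[(a, b)] = shared
    return links

if __name__ == "__main__":
    for vertex in ("adversary", "infrastructure", "capability", "victim"):
        print(vertex, key_indicators(EVENTS, vertex))
    for pair, shared in event_projection(EVENTS).items():
        print(pair, sorted(shared))
```

On a real instance the events would come from the MISP API rather than the inline dictionary, and the same ranking would be computed per diamond vertex over the full event set.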