Actionable Cyber Threat Intelligence for Automated Incident Response

Actionable Cyber Threat Intelligence for Automated Incident Response

연구 분야: Safety

학회: Nordic Conference on Secure IT Systems

Applying Cyber Threat Intelligence for active cyber defence, while potentially very beneficial, is currently limited to predominantly manual use. In this paper, we propose an automated approach for using Cyber Threat Intelligence during incident response by gathering Tactics, Techniques and Procedures available on intelligence reports, mapping them to network incidents, and then using this map to create attack patterns for specific threats. We consider our method actionable because it provides the operator with contextualised Cyber Threat Intelligence related to observed network incidents in the form of a ranked list of potential related threats, all based on patterns matched with the incidents. We evaluate our approach with publicly available samples of different malware families. Our analysis of the results shows that our method can reliably match network incidents with intelligence reports and relate them to these threats. The approach allows increasing the automation of its use, thus addressing one of the major limiting factors of effective use of suitable Cyber Threat Intelligence.