EVACTI: evaluating the actionability of cyber threat intelligence


Research field: Safety



Venue: International Journal of Information Security


Abstract

Cyber Threat Intelligence (CTI) plays a vital role in enhancing cybersecurity by enabling organizations to leverage insights from the analysis of past incidents to better manage future threats. Evaluating the actionability of CTI products (CTIPs), namely CTI in a structured format, is essential for prioritizing intelligence and implementing effective security measures. However, existing methodologies often fall short in evaluating the actionability of CTI by focusing on isolated criteria without considering the full context of the CTI sharing lifecycle, which includes production, dissemination, and consumption stages. Additionally, these methodologies suffer from variability issues, referring to the inconsistent selection and application of actionability criteria by different organizations, as well as subjectivity issues, which arise from a lack of standardized assessment approaches. This paper introduces a novel methodology designed to comprehensively evaluate the actionability of CTIPs across all stages of a proposed CTI sharing lifecycle; the proposed methodology is referred to as Evaluating the Actionability of Cyber Threat Intelligence (EVACTI). EVACTI employs the standardized set of actionability criteria of the European Union Agency for Cybersecurity (ENISA) and considers the CTI sharing lifecycle to ensure consistency and mitigate the variability and subjectivity issues prevalent in existing approaches. By considering the operational context of both producers and consumers, EVACTI offers a more accurate and practical evaluation of CTIP actionability. EVACTI also enhances the effectiveness of cybersecurity efforts by impelling producers to refine CTIPs before sharing them and enabling consumers to make decisions about the use and prioritization of CTIPs. Lastly, EVACTI integrates the actionability into the CTI sharing lifecycle through a custom CTI object, further supporting transparent dissemination of actionability values.


Authors
Athanasios Dimitriadis

Information Technologies Institute Centre for Research and Technology Hellas Thessaloniki Greece

Andorra
Angelos Papoutsis

Information Technologies Institute Centre for Research and Technology Hellas Thessaloniki Greece

Andorra
Dimitrios Kavalieros

Information Technologies Institute Centre for Research and Technology Hellas Thessaloniki Greece

Andorra

Paper information

Publication year: 2025
Citations: 0
Country of publication: Andorra
Site: Springer