Intelligence

Papers and essays I consider particularly insightful or useful in the work of cyber threat intelligence.

Sharing of cyber threat intelligence

Taxonomy Model for Cyber Threat Intelligence Information Exchange Technologies

Abstract: The cyber threat intelligence information exchange ecosystem is a holistic approach to the automated sharing of threat intelligence. For automation to succeed, it must handle tomorrow’s attacks, not just yesterday’s. There are numerous ontologies that attempt to enable the sharing of cyber threats, such as OpenIOC, STIX, and IODEF. To date, most ontologies are based on various use cases. Ontology developers collect threat indicators that through experience seem to be useful for exchange. This approach is pragmatic and offers a collection of useful threat indicators in real-world scenarios. However, such a selection method is episodic. What is useful today may not be useful tomorrow. What we consider to be chaff or too hard to share today might become a critically important piece of information. Therefore, in addition to use case-based ontology, ontologies need to be based on first principles. In this document we propose a taxonomy for classifying threat-sharing technologies. The purpose of this taxonomy is to classify existing technologies using an agnostic framework, identify gaps in existing technologies, and explain their differences from a scientific perspective. We are currently working on a thesaurus that will describe, compare, and classify detailed cyber security terms. This paper focuses on the classification of the ontologies themselves.

From Cyber Security Information Sharing to Threat Management

Abstract: There is a need for effective intelligence management platforms to facilitate the generation, refinement, and vetting of data, post sharing. In designing such a system, some of the key challenges that exist include: working with multiple intelligence sources, combining and enriching data for greater intelligence, determining intelligence relevance based on technical constructs, and organisational input, delivery into organisational workflows and into technological products. This paper discusses these challenges encountered and summarises the community requirements and expectations for an all-encompassing Threat Intelligence Management Platform. The requirements expressed in this paper, when implemented, will serve as building blocks to create systems that can maximise value out of a set of collected intelligence and translate those findings into action for a broad range of stakeholders.