CTI View: APT Threat Intelligence Analysis System

With the development of advanced persistent threat (APT) and the increasingly severe situation of network security, the strategic defense idea with the concept of “active defense, traceability, and countermeasures” arises at the historic moment, thus cyberspace threat intelligence (CTI) has become increasingly valuable in enhancing the ability to resist cyber threats. Based on the actual demand of defending against the APT threat, we apply natural language processing to process the cyberspace threat intelligence (CTI) and design a new automation system CTI View, which is oriented to text extraction and analysis for the massive unstructured cyberspace threat intelligence (CTI) released by various security vendors. The main work of CTI View is as follows: (1) to deal with heterogeneous CTI, a text extraction framework for threat intelligence is designed based on automated test framework, text recognition technology, and text denoising technology. It effectively solves the problem of poor adaptability when crawlers are used to crawl heterogeneous CTI; (2) using regular expressions combined with blacklist and whitelist mechanism to extract the IOC and TTP information described in CTI effectively; (3) according to the actual requirements, a model based on bidirectional encoder representations from transformers (BERT) is designed to complete the entity extraction algorithm for heterogeneous threat intelligence. In this paper, the GRU layer is added to the existing BERT-BiLSTM-CRF model, and we evaluate the proposed model on the marked dataset and get better performance than the current mainstream entity extraction mode.

Knowing the unknown: The hunting loop

There are several ways to improve an organization’s cybersecurity protection against intruders. One of the ways is to proactively hunt for threats, i.e., threat hunting. Threat Hunting empowers organizations to detect the presence of intruders in their environment. It identifies and searches the tactics, techniques, and procedures (TTP) of the attackers to find them in the environment. To know what to look for in the collected data and environment, it is required to know and understand the attacker's TTPs. An attacker's TTPs information usually comes from signatures, indicators, and behavior observed in threat intelligence sources. Traditionally, threat hunting involves the analysis of collected logs for Indicator of Compromise (IOCs) through different tools. However, network and security infrastructure devices generate large volumes of logs and can be challenging to analyze thus leaving gaps in the detection process. Similarly, it is very difficult to identify the required IOCs and thus sometimes makes it difficult to hunt the threat which is one of the major drawbacks of the traditional threat hunting processes and frameworks. To address this issue, intelligent automated processes using machine learning can improve the threat hunting process, that will plug those gaps before an attacker can exploit them. This paper aims to propose a machine learning-based threat-hunting model that will be able to fill the gaps in the threat detection process and effectively detect the unknown adversaries by training the machine learning algorithms via extensive datasets of TTPs and normal behavior of the system and target environment. The model is comprised of five main stages. These are Hypotheses Development, Equip, Hunt, Respond and Feedback stages. This threat hunting model is a bit ahead of the traditional models and frameworks by employing machine learning algorithms.

Informing Cyber Threat Intelligence through Dark Web Situational Awareness: The AZSecure Hacker Assets Portal

To increase situational awareness, major cybersecurity platforms offer Cyber Threat Intelligence (CTI) about emerging cyber threats, key threat actors, and their modus operandi. However, this intelligence is often reactive, as it analyzes event log files after attacks have already occurred, lacking more active scrutiny of potential threats brewing in cyberspace before an attack has occurred. One intelligence source receiving significant attention is the Dark Web, where significant quantities of malicious hacking tools and other cyber assets are hosted. We present the AZSecure Hacker Assets Portal (HAP). The Dark Web-based HAP collects, analyzes, and reports on the major Dark Web data sources to offer unique perspective of hackers, their cybercriminal assets, and their intentions and motivations, ultimately contributing CTI insights to improve situational awareness. HAP currently supports 200+ users internationally from academic institutions such as UT San Antonio and National Taiwan University, law enforcement entities such as Calgary and Ontario Provincial Police, and industry organizations including General Electric and PayPal.

APPLICATION OF THE THREAT INTELLIGENCE PLATFORM TO INCREASE THE SECURITY OF GOVERNMENT INFORMATION RESOURCES

With the development of information technology, the need to solve the problem of information security has increased, as it has become the most important strategic resource. At the same time, the vulnerability of the modern information society to unreliable information, untimely receipt of information, industrial espionage, computer crime, etc. is increasing. In this case, the speed of threat detection, in the context of obtaining systemic information about attackers and possible techniques and tools for cyberattacks in order to describe them and respond to them quickly is one of the urgent tasks. In particular, there is a challenge in the application of new systems for collecting information about cyberevents, responding to them, storing and exchanging this information, as well as on its basis methods and means of finding attackers using integrated systems or platforms. To solve this type of problem, the promising direction of Threat Intelligence as a new mechanism for acquiring knowledge about cyberattacks is studied. Threat Intelligence in cybersecurity tasks is defined. The analysis of cyberattack indicators and tools for obtaining them is carried out. The standards of description of compromise indicators and platforms of their processing are compared. The technique of Threat Intelligence in tasks of operative detection and blocking of cyberthreats to the state information resources is developed. This technique makes it possible to improve the productivity of cybersecurity analysts and increase the security of resources and information systems.

Threats from the Dark: A Review over Dark Web Investigation Research for Cyber Threat Intelligence

From proactive detection of cyberattacks to the identification of key actors, analyzing contents of the Dark Web plays a significant role in deterring cybercrimes and understanding criminal minds. Researching in the Dark Web proved to be an essential step in fighting cybercrime, whether with a standalone investigation of the Dark Web solely or an integrated one that includes contents from the Surface Web and the Deep Web. In this review, we probe recent studies in the field of analyzing Dark Web content for Cyber Threat Intelligence (CTI), introducing a comprehensive analysis of their techniques, methods, tools, approaches, and results, and discussing their possible limitations. In this review, we demonstrate the significance of studying the contents of different platforms on the Dark Web, leading new researchers through state-of-the-art methodologies. Furthermore, we discuss the technical challenges, ethical considerations, and future directions in the domain.