Threat intelligence is the provision of evidence-based knowledge about existing or potential threats. Benefits of threat intelligence include improved efficiency and effectiveness in security operations in terms of detective and preventive capabilities. Successful threat intelligence within the cyber domain demands a knowledge base of threat information and an expressive way to represent this knowledge. This purpose is served by the use of taxonomies, sharing standards, and ontologies. This paper introduces the Cyber Threat Intelligence (CTI) model, which enables cyber defenders to explore their threat intelligence capabilities and understand their position against the ever-changing cyber threat landscape. In addition, we use our model to analyze and evaluate several existing taxonomies, sharing standards, and ontologies relevant to cyber threat intelligence. Our results show that the cyber security community lacks an ontology covering the complete spectrum of threat intelligence. To conclude, we argue for the importance of developing a multi-layered cyber threat intelligence ontology based on the CTI model, and we outline the steps that should be taken into consideration, which are the foundation of our future work.
The amygdala-prefrontal-cortex circuit has long occupied the center of the threat system,1 but new evidence has rapidly amassed to implicate threat processing outside this canonical circuit.2–4 Through nonhuman research, the sensory cortex has emerged as a critical substrate for long-term threat memory,5–9 underpinned by sensory cortical pattern separation/completion10,11 and tuning shift.12,13 In humans, research has begun to associate the human sensory cortex with long-term threat memory,14,15 but the lack of mechanistic insights obscures a direct linkage. Toward that end, we assessed human olfactory threat conditioning and long-term (9 days) threat memory, combining affective appraisal, olfactory psychophysics, and functional magnetic resonance imaging (fMRI) over a linear odor-morphing continuum (five levels of binary mixtures of the conditioned stimuli/CS+ and CS− odors). Affective ratings and olfactory perceptual discrimination confirmed (explicit) affective and perceptual learning and memory via conditioning. fMRI representational similarity analysis (RSA) and voxel-based tuning analysis further revealed associative plasticity in the human olfactory (piriform) cortex, including immediate and lasting pattern differentiation between CS and neighboring non-CS and a late onset, lasting tuning shift toward the CS. The two plastic processes were especially salient and lasting in anxious individuals, among whom they were further correlated. These findings thus support an evolutionarily conserved sensory cortical system of long-term threat representation, which can underpin threat perception and memory. Importantly, hyperfunctioning of this sensory mnemonic system of threat in anxiety further implicates a hitherto underappreciated sensory mechanism of anxiety.
• Threat conditioning produces long-term affective and perceptual memory
• Associative plasticity emerges in human primary olfactory (piriform) cortex
• The piriform cortex exhibits long-term pattern differentiation and tuning shift
• These sensory cortical underpinnings of threat memory are hyperactive in anxiety
Rapidly accruing evidence questions amygdala’s dominance in (human) threat processing. Favoring a distributed threat circuitry, You et al. identify long-term threat memory in human sensory (olfactory) cortex (but not amygdala or orbitofrontal cortex). Notably, this sensory cortical memory system hyperfunctions in anxiety.
Cyber Threat Intelligence (CTI) sharing has become a novel weapon in the arsenal of cyber defenders to proactively mitigate increasing cyber attacks. Automating the process of CTI sharing, and even the basic consumption, has raised new challenges for researchers and practitioners. This extensive literature survey explores the current state of the art and approaches different problem areas of interest pertaining to the larger field of sharing cyber threat intelligence. The motivation for this research stems from the recent emergence of sharing cyber threat intelligence and the involved challenges of automating its processes. This work comprises a considerable number of articles from academic and gray literature, and focuses on technical and non-technical challenges. Moreover, the findings reveal which topics were widely discussed, and hence considered relevant by the authors and cyber threat intelligence sharing communities.
Cyber Threat Management (CTM) involves prevention, detection, and response to cyber-attacks by identifying and understanding threats, and applying appropriate actions. It is not practical for an organization to perform these activities within the time-frame of an impending attack. Organizations should swiftly accumulate and share Cyber Threat Intelligence (CTI) with peers to make effective use of shared threat information. Efforts are underway for standardizing the expression of threats into a machine-understandable format. Structured Threat Information eXpression (STIX) is a comprehensive effort that structures CTI and enables its sharing, visualization, and analysis. Although a large volume of STIX reports is available publicly, their state remains poor. Reports are not appropriately formatted, use incorrect vocabulary, and mislabel or omit key components, all of which curtail their usefulness for effective cyber threat management. For a meaningful analysis, an analyst needs a curated document list categorized according to cyber threat management phases for the threat under investigation. We believe that methods for valuation of structured threat documents based on cyber threat management phases are limited or non-existent. We present a novel framework named SCERM—Structured threat data Cleansing, Evaluation, and Refinement. SCERM formally models the STIX architecture and valuates reports on the basis of the use case “managing cyber threat response activities”. It uplifts CTI by remapping wrongly placed contents to the STIX data model. SCERM refines incomplete or missing components through a pre-prepared dataset of curated blog reports. This process is repeated until the reports improve to a threshold suitable for cyber threat management. A case study is presented to demonstrate the working of SCERM. The evaluation valuates publicly available STIX reports for cyber threat management.
It is observed that current STIX reports have limited information on prevention and almost none for the response phase of cyber threat management. The results demonstrate that SCERM significantly enriches STIX reports. The improvement in prevention is 73% and in response is 100%.
• SCERM is a novel framework for automated cyber threat management (CTM).
• SCERM boosts, refines, and valuates structured threat data for CTM.
• For the evaluation, publicly available STIX reports are analyzed and valuated for CTM.
• A major observation is that available STIX reports have limited information for CTM.
• The results demonstrate that SCERM significantly enriches threat reports.
• The improvement in prevention is 73% and in response is 100%.
5. Insight Into Insiders and IT. Homoliak, Ivan; Toffalini, Flavio; Guarnizo, Juan ... ACM Computing Surveys, 05/2019, Volume 52, Issue 2. Journal Article, Peer reviewed.
Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose a structural taxonomy and a novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers’ efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, (2) an overview of publicly available datasets that can be used to test new detection solutions against other works, (3) references to existing case studies and frameworks modeling insiders’ behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.
With the rapidly evolving technological landscape, the huge development of the Internet of Things, and the embracing of digital transformation, the world is witnessing an explosion in data generation and a rapid evolution of new applications that lead to new, wider, and more sophisticated threats that are complex and hard to detect. Advanced persistent threats use continuous, clandestine, and sophisticated techniques to gain access to a system and remain hidden for a prolonged period of time, with potentially destructive consequences. Those stealthy attacks are often not detectable by advanced intrusion detection systems (e.g., the LightBasin attack was detected in 2022 and had been active since 2016). Indeed, threat actors are able to quickly and intelligently alter their tactics to avoid being detected by security defense lines (e.g., prevention and detection mechanisms). In response to these evolving threats, organizations need to adopt new proactive defense approaches. Threat hunting is a proactive security line exercised to uncover stealthy attacks, malicious activities, and suspicious entities that could circumvent standard detection mechanisms. Additionally, threat hunting is an iterative approach to generate and revise threat hypotheses, endeavoring to provide early attack detection in a proactive way. The proactiveness consists of testing and validating the initial hypothesis using various manual and automated tools/techniques with the objective of confirming or refuting the existence of an attack. This survey studies the threat hunting concept and provides a comprehensive review of the existing solutions for enterprise networks. In particular, we provide a threat hunting taxonomy based on the technique used and a sub-classification based on the detailed approach. Furthermore, we discuss the existing standardization efforts.
Finally, we provide a qualitative discussion on current advances and identify various research gaps and challenges that may be considered by the research community to design concrete and efficient threat hunting solutions.
With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.
• The first review paper on intelligent threat profiling of Advanced Persistent Threats.
• Summarizes the research findings on three aspects: data, methods and applications.
• Proposes the research framework and technical architecture of intelligent threat profiling.
• Analyzes the challenges and provides insights into future research trends.
Cyber threat attribution identifies the source of a malicious cyber activity, which in turn informs cyber security mitigation responses and strategies. Such responses and strategies are crucial for deterring future attacks, particularly in the financial and critical infrastructure sectors. However, existing approaches generally rely on manual analysis of attack indicators obtained through approaches such as trace-back, firewalls, intrusion detection and honeypot deployments. These attack indicators, also known as low-level Indicators of Compromise (IOCs), are rarely re-used and can be easily modified and disguised, resulting in a deceptive and biased cyber threat attribution. Cyber attackers, particularly financially-motivated actors, can use common high-level attack patterns that evolve less frequently as compared to the low-level IOCs. To attribute cyber threats effectively, it is necessary to identify them based on the adversary’s high-level attack patterns (e.g., tactics, techniques and procedures (TTPs), software tools and malware) employed in different phases of the cyber kill chain. Identification of high-level attack patterns is time-consuming, requiring forensic investigation of the victim network(s) and other resources. In the rare case that attack patterns are reported in cyber threat intelligence (CTI) reports, the format is textual and unstructured, typically taking the form of lengthy incident reports prepared for human consumption (e.g., prepared for C-level and senior management executives), which cannot be directly interpreted by machines. Thus, in this paper we propose a framework to automate cyber threat attribution. Specifically, we profile cyber threat actors (CTAs) based on their attack patterns extracted from CTI reports, using the distributional semantics technique of Natural Language Processing.
Using these profiles, we train and test five machine learning classifiers on 327 CTI reports collected from publicly available incident reports that cover events from May 2012 to February 2018. It is observed that the CTA profiles obtained attribute cyber threats with a high precision (i.e. 83% as compared to other publicly available CTA profiles, where the precision is 33%). The Deep Learning Neural Network (DLNN) based classifier also attributes cyber threats with a higher accuracy (i.e. 94% as compared to other classifiers).
• A machine learning-based FinTech cyber threat attribution framework.
• Cyber threat attribution using high-level indicators of compromise.
• Cyber threat data collection.
• Automated cyber threat attribution framework using high-level compromise indicators.
Research on how immigrants are perceived by locals has flourished extensively within the past decades. Through the lens of integrated threat theory and the threat benefit model, this study examines immigrants’ perceptions of how Finns tend to perceive them based on their lived experiences. In a sample of 103 immigrants from over 40 nationalities living in Finland, results indicate that overall, immigrants believe they are perceived more as a threat than a benefit to Finnish society. Implications and opportunities for further research are discussed as well.
Cyber security is attracting worldwide attention. With attacks becoming more and more common and often successful, no one is spared today. Threat modeling is proposed as a solution for secure application development and system security evaluations. Its aim is to be more proactive and make it more difficult for attackers to accomplish their malicious intents. However, threat modeling is a domain that lacks common ground. What is threat modeling, and what is the state-of-the-art work in this field? To answer these questions, this article presents a review of threat modeling based on systematic queries in four leading scientific databases. To the best of our knowledge, this is the first systematic literature review on threat modeling. 176 articles were assessed, and 54 of them were selected for further analysis. We identified three separate clusters: (1) articles making a contribution to threat modeling, e.g., introducing a new method, (2) articles using an existing threat modeling approach, and (3) introductory articles presenting work related to the threat modeling process. The three clusters were analyzed in terms of a set of criteria, for instance: Is the threat modeling approach graphical or formal? Is it focused on a specific attack type and application? Is the contribution validated empirically or theoretically? We observe from the results that most threat modeling work is still done manually, and there is limited assurance of its validation. The results can be used by researchers and practitioners who want to know the state-of-the-art threat modeling methods, and future research directions are discussed.