A Reference Model for Cyber Threat Intelligence (CTI) Systems
Abstract
1. Introduction
- The aggregation and classification of the complexity factors that affect CTI and the design of CTI systems.
- A set of definitions for CTI key concepts.
- The development of an eight-layer CTI reference model.
- A systematic requirements analysis method for the design of CTI reference architectures.
2. Definitions of Key Concepts
- A threat intelligence process is any process consisting of those actions taken by the security analyst to transform raw data into usable information.
- A CTI source is any data source that can contribute to the situational awareness of defense capabilities against cyber threats.
- A CTI product is the outcome of any threat intelligence process meeting a set of predefined quality characteristics.
- A CTI producer is any entity that applies a threat intelligence process to produce CTI products.
- A CTI consumer is any entity able to use CTI products to increase its defense capabilities or take decisions about issues relevant to cybersecurity.
- A CTI system is any cybersecurity system or tool capable of performing or supporting some or all of the actions of a threat intelligence process.
3. Methodology
3.1. CTI Problem Identification
3.2. CTI Frame of Reference Construction
3.3. CTI Reference Model Construction
3.4. Validation
4. CTI Problem Identification
4.1. CTI Problem Identification
- CTI intelligence views
- CTI intelligence cycle
- CTI complexity factors
4.1.1. CTI Intelligence Views
4.1.2. CTI Intelligence Cycle
4.1.3. Complexity Classes
- CTI Information Sharing
- CTI Security Operations
- CTI Big Data
- CTI Representation
- CTI Quality of Intelligence
CTI Information Sharing
- Information Sharing community factors. This group includes the factors: regional and international implementations of information sharing [41], maturity level [32], trustworthiness [29], stakeholders’ reputation [44], efficient cooperation and coordination [41], and collaboration [44] of information sharing community members.
- Information sharing quality factors. This group includes factors related to the CTI quality of intelligence class, but specialized in information sharing. These factors are: consumer-based evaluation of intelligence [32], quality of shared information [29], traceability and provenance of threat intelligence [43], and uncertainty of sharing [46].
- Technical implementation factors. This group includes factors that, in some cases, are also related to other classes such as CTI big data; these factors are: on-time distribution of relevant threat intelligence products [43], noise data sharing [43], and massive exchange of data [9]. Note that the factors of sharing architectures also belong to this group [47].
CTI Security Operations
- Quality factors of security operations. This group contains: performance, interoperability, adaptability, modifiability, and stealthiness [51].
CTI Big Data
- Data operations factors. This group contains the factors: data collection [9,52,53], data analysis [8], data visualization [8], reasoning [46], knowledge discovery [46,52], attribution [46], data enrichment [54], feature extraction [52,54], data correlation [55], and application of machine learning (e.g., model construction and validation) [52].
CTI Representation
CTI Quality of Intelligence
- Quality metrics factors. According to [31], quality metrics are considered essential in CTI. This group includes factors related to the measurement of intelligence quality. These factors are objectivity, subjectivity, performance, behavior, accuracy of metrics [60], and organization’s relevance [40] of produced intelligence.
- Quality factors of collected data. This group’s factors are related to the quality of the data collected to be processed for intelligence purposes. These factors are: collected data accuracy (e.g., dates, incident type, contact details) [61], timeliness [61], completeness [61], consistency [61], relevance [27], actionability [27], and value [27].
- Quality factors of produced intelligence. The group includes factors related to the quality characteristics of the CTI products. These factors are: the accuracy [32,33,44,62,63], clarity [62], utility of the products [62], relevance [32,43,44,63], timeliness [32,33,43,44,63], actionability [32,33,44], completeness [33,44,63], ingestibility [44], and trustworthiness [44] of threat intelligence.
4.1.4. CTI Related Standards
4.1.5. CTI Problem Definition
4.2. CTI Frame of Reference Construction
4.2.1. Model Elements Identification
4.2.2. CTI Frame Reference Construction
- Criterion 1: Separation of model elements from the CTI intelligence cycle into managerial and practical. We consider as practical the model elements that play a part in data processing, and as managerial the model elements related to the governance of the CTI intelligence cycle. Criterion 1 allows us to distinguish between those model elements that a CTI system can implement and those that it cannot (since they constitute the management framework of CTI).
- Criterion 2: Time-based division of model elements from CTI intelligence views into long- and short-term. According to the bibliography [28,29,31,32], CTI intelligence views affect both the kind and the lifetime of CTI products. Therefore, criterion 2 allows us to distinguish model elements of the CTI intelligence views class according to their effect on CTI products’ ephemerality.
- Criterion 3: Origin-based division of model elements from CTI complexity factors into internal and external. We consider such model elements as either internal (emanating from CTI itself), or external (imposed externally on CTI), because a CTI reference model (at a minimum) should be able to deal with internal complexity factors.
- Criterion 4: Identification of unique processes. Specifically, we identify model elements corresponding to unique processes, typically undertaken by a security analyst.
- Criterion 5: Identification of relation paths between model elements representing a unique process. This criterion identifies the relation paths connecting unique processes in a logical sequence, which, when implemented by a CTI system, can produce CTI Products.
- The model elements comprising the relation path can be identified in it (e.g., a collection module exists in a CTI system).
- The CTI system can produce CTI products by combining their functionality following this relation path.
4.3. CTI Reference Model Construction
4.3.1. Complexity Factors concerning CTI Frame of Reference Layers
4.3.2. CTI Scenarios
- Collect raw data and produce CTI products.
- Use of CTI products to create new or enrich existing CTI products.
- Use of CTI products as feed-in defense mechanisms.
- Use of CTI products to produce no CTI products.
4.3.3. CTI Reference Model
5. Validation
- (1) the REvil gang attack on Quanta (Revil gang attack on Quanta);
- (2) the social engineering attack on Boshoku (Social engineering attack on Boshoku);
- (3) the DDoS attack launched against the Boston Children’s Hospital (DDoS Case Study: DDoS Attack Mitigation Boston Children’s Hospital).
5.1. Description of Case Studies
5.1.1. Case Study 1
5.1.2. Case Study 2
5.1.3. Case Study 3
5.2. Applying the CTI Reference Model to Case Studies
5.2.1. Application on Case Study 1
5.2.2. Application on Case Study 2
5.2.3. Application on Case Study 3
5.3. Comparison of the Resulting CTI Architectures with Existing CTI Systems
6. Conclusions and Future Work
- it introduces a systematic requirements analysis for the design of CTI systems’ reference architectures;
- it integrates the CTI complexity factors in the CTI systems requirements analysis following a holistic approach to the design of CTI systems;
- it simplifies the way a CTI system’s designer selects the components of the reference architecture by posing a set of closed-ended questions.
Supplementary Materials
Author Contributions
Funding
Conflicts of Interest
References
- Bissell, K.; Fox, J.; LaSalle, R.M.; Cin, P.D. State of Cybersecurity Report 2021. Technical Report. Accenture Security. 2021. Available online: https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf (accessed on 5 April 2022).
- Ardagna, C.; Corbiaux, S.; Sfakianakis, A.; Douligeris, C. ENISA Threat Landscape 2021; Technical Report; European Union Agency for Cybersecurity (ENISA): Athens, Greece, 2021.
- X Force. IBM X-Force Threat Intelligence Index|IBM. Technical Report. IBM Security. 2020. Available online: https://www.ibm.com/downloads/cas/DEDOLR3W (accessed on 5 April 2022).
- Accenture. Third Annual State of Cyber Resilience Innovate for Cyber Resilience Lessons from Leaders to Master Cybersecurity Execution; Technical Report; Accenture Security; Accenture: Dublin, Ireland, 2020.
- Directorate-General for Communication; Leyen, U.v.d. A Union That Strives for More–Publications Office of the EU. 2019. Available online: https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1 (accessed on 5 April 2022).
- CheckPoint. Security Report 2020|Check Point Software. 2020. Available online: https://resources.checkpoint.com/cyber-security-resources/cyber-security-report-2020 (accessed on 5 April 2022).
- Ramsdale, A.; Shiaeles, S.; Kolokotronis, N. A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages. Electronics 2020, 9, 824.
- Dauda, A.; Mclean, S.; Almehmadi, A.; El-Khatib, K. Big Data Analytics Architecture for Security Intelligence. In Proceedings of the 11th International Conference on Security of Information and Networks–SIN ’18, Cardiff, UK, 10–12 September 2018; ACM Press: New York, NY, USA, 2018; pp. 1–4.
- Beard, C.; Brown, S.; Dulaunou, A.; Ginn, J.; Stipraro, P. Exploring the Opportunities and Limitations of Current Threat Intelligence Platforms; Technical Report; ENISA: Athens, Greece, 2017.
- Tolstykh, T.; Gamidullaeva, L.; Shmeleva, N.; Lapygin, Y. Blockchain-Based Cyber Threat Intelligence System Architecture for Sustainable Computing. Sustainability 2020, 12, 6401.
- DTIC. JP 2-0 Joint Intelligence; US Department of Defense: Fort Lee, VA, USA, 2007; pp. 1–144.
- de Melo e Silva, A.; Gondim, J.J.C.; de Oliveira Albuquerque, R.; Villalba, L.J.G. A Methodology to Evaluate Standards and Platforms within Cyber Threat Intelligence. Future Internet 2020, 12, 108.
- Bauer, S.; Fischer, D.; Sauerwein, C.; Latzel, S.; Stelzer, D.; Breu, R. Towards an evaluation framework for threat intelligence sharing platforms. In Proceedings of the Annual Hawaii International Conference on System Sciences, Maui, HI, USA, 7–10 January 2020; pp. 1947–1956.
- Camarinha-Matos, L.M.; Afsarmanesh, H. Reference modeling: Needs and basic terminology. In Collaborative Networks: Reference Modeling; Springer: Boston, MA, USA, 2008; Chapter 2; pp. 33–50.
- Thomas, O. Version management for reference models: Design and implementation. In Reference Modeling: Efficient Information Systems Design Through Reuse of Information Models; Physica-Verlag HD: Heidelberg, Germany, 2007; pp. 1–26.
- Schmid, B.; Lindemann, M. Elements of a Reference Model for Electronic Markets. In Thirty-First Annual Hawaii International Conference on System Sciences-Volume 4; IEEE Computer Society: St. Gallen, Switzerland, 1998; pp. 193–201.
- Helm, J. RUP Artifact: Reference Architecture. 2001. Available online: https://sceweb.uhcl.edu/helm/RationalUnifiedProcess/process/artifact/ar_refarch.htm (accessed on 5 April 2022).
- Rosemann, M.; van der Aalst, W.M.P. A configurable reference modelling language. Infor. Syst. 2007, 32, 1–23.
- Shackleford, D. CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey; SANS Institute: Bethesda, MD, USA, 2018.
- EC-Council. Certified Threat Intelligence Analyst; EC-Council: Albuquerque, NM, USA, 2018.
- Ahlemann, F.; Gastl, H. Process Model for an Empirically Grounded Reference Model Construction. In Reference Modeling for Business Systems Analysis; Fettke, P., Loos, P., Eds.; IGI Global: Hershey, PA, USA, 2006; pp. 77–97.
- Pajk, D.; Indihar-Stemberger, M.; Kovacic, A. Reference model design: An approach and its application. In Proceedings of the ITI 2012 34th International Conference on Information Technology Interfaces, Cavtat, Croatia, 25–28 June 2012; IEEE: New York, NY, USA, 2012; pp. 455–460.
- IBM. UML Model Elements. Available online: https://www.ibm.com/docs/en/rational-soft-arch/9.7.0?topic=models-uml-model-elements (accessed on 1 April 2022).
- Schuette, R.; Rotthowe, T. The guidelines of modeling—An approach to enhance the quality in information models. In Conceptual Modeling—ER’98; Springer: Berlin/Heidelberg, Germany, 1998; Volume 1507, pp. 240–254.
- Merriam-Webster. Frame of Reference. Available online: https://www.merriam-webster.com/dictionary/frame%20of%20reference (accessed on 1 April 2022).
- Fettke, P.; Loos, P. Multiperspective evaluation of reference models—Towards a framework. In International Conference on Conceptual Modeling; Springer: Berlin/Heidelberg, Germany, 2003.
- Dalziel, H. How to Define and Build an Effective Cyber Threat Intelligence Capability; Syngress, an Imprint of Elsevier: London, UK, 2015.
- Chismon, D.; Ruks, M. Threat Intelligence: Collecting, Analysing, Evaluating; Technical Report; MWR InfoSecurity: London, UK, 2015.
- Tounsi, W.; Rais, H. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput. Secur. 2018, 72, 212–233.
- Ahrend, J.M.; Jirotka, M.; Jones, K. On the collaborative practices of cyber threat intelligence analysts to develop and utilize tacit Threat and Defence Knowledge. In Proceedings of the 2016 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), London, UK, 13–14 June 2016; IEEE: New York, NY, USA, 2016; pp. 1–10.
- Gundert, L. Producing a World-Class Threat Intelligence Capability; Technical Report; Recorded Future: Somerville, MA, USA, 2016.
- Ernst & Young Global Limited. Cyber Threat Intelligence—How To Get Ahead Of Cybercrime. In Insights on Governance, Risk and Compliance; Ernst and Young: London, UK, 2014; Volume 1, pp. 1–16.
- Jasper, S.E. Cyber Threat Intelligence Sharing Frameworks. Int. J. Intell. Count. 2017, 30, 53–65.
- Caltagirone, S.; Pendergast, A.; Betz, C. The Diamond Model of Intrusion Analysis; Technical Report; Defense Technical Information Center: Fort Belvoir, VA, USA, 2013.
- Lockheed Martin. Cyber Kill Chain®|Lockheed Martin. Available online: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyberkill-chain.html (accessed on 24 March 2022).
- Can, M. Joint Intelligence Doctrine; Canadian Forces: Ottawa, ON, Canada, 2003; p. 100.
- Mod, U.K. Understanding and Intelligence Support to Joint Operations (JDP 2-00); Joint Doctrine Publication: Bicester, UK, 2011; Volume 3, p. 155.
- Davies, P.; Gustafson, K.; Ridgen, I. The Intelligence Cycle is dead, long live the Intelligence Cycle: Rethinking intelligence fundamentals for a new intelligence doctrine. In Understanding the Intelligence Cycle; Phythian, M., Ed.; Routledge: Leicester, UK, 2013; pp. 67–105.
- Gill, P.; Phythian, M. From Intelligence Cycle to web of intelligence. In Understanding the Intelligence Cycle; Phythian, M., Ed.; Routledge: Leicester, UK, 2015; pp. 35–54.
- Aviad, A.; Wȩcel, K. Cyber Treat Intelligence Modeling. In Business Information Systems; Abramowicz, W., Corchuelo, R., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 361–370.
- Skopik, F.; Settanni, G.; Fiedler, R. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Comput. Secur. 2016, 60, 154–176.
- Sullivan, C.; Burger, E. In the public interest: The privacy implications of international business-to-business sharing of cyber-threat intelligence. Comput. Law Secur. Rev. 2017, 33, 14–29.
- Sillaber, C.; Sauerwein, C.; Mussmann, A.; Breu, R. Data Quality Challenges and Future Research Directions in Threat Intelligence Sharing Practice. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security–WISCS’16, Vienna, Austria, 24 October 2016; ACM Press: New York, NY, USA, 2016; pp. 65–70.
- Wagner, T.D.; Mahbub, K.; Palomar, E.; Abdallah, A.E. Cyber threat intelligence sharing: Survey and research directions. Comput. Secur. 2019, 87, 101589.
- Menges, F.; Sperl, C.; Pernul, G. Unifying Cyber Threat Intelligence. In Trust, Privacy and Security in Digital Business; Gritzalis, S., Weippl, E., Katsikas, S., Anderst-Kotsis, G., Tjoa, M., Khalil, I., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 161–175.
- Mavroeidis, V.; Bromander, S. Cyber threat intelligence model: An evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence. In Proceedings of the 2017 European Intelligence and Security Informatics Conference (EISIC), Athens, Greece, 11–13 September 2017; IEEE: Athens, Greece, 2017; pp. 91–98.
- Skopik, F.; Qin, L. Trustworthy incident information sharing in social cyber defense alliances. In Proceedings of the 2013 IEEE Symposium on Computers and Communications (ISCC), Split, Croatia, 7–10 July 2013; IEEE: Split, Croatia, 2013; pp. 233–239.
- Peterson, J.J. Appropriate Factors to Consider When Assessing Analytics Confidence in Intelligence Analysis; Technical Report; Mercyhurst College Institute for Intelligence Studies (MCIIS): Erie, PA, USA, 2008.
- Obitade, P.O. Big data analytics: A link between knowledge management capabilities and superior cyber protection. J. Big Data 2019, 6, 71.
- Al-Mohannadi, H.; Mirza, Q.; Namanya, A.; Awan, I.; Cullen, A.; Disso, J. Cyber-Attack Modeling Analysis Techniques: An Overview. In Proceedings of the 2016 IEEE 4th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW), Vienna, Austria, 22–24 August 2016; IEEE: Vienna, Austria, 2016; pp. 69–76.
- Ullah, F.; Babar, M.A. Architectural Tactics for Big Data Cybersecurity Analytics Systems: A Review. J. Syst. Softw. 2019, 151, 81–118.
- Pacheco, F.; Exposito, E.; Gineste, M.; Baudoin, C.; Aguilar, J. Towards the deployment of Machine Learning solutions in network traffic classification: A systematic survey. IEEE Commun. Surv. Tutor. 2018, 21, 1988–2014.
- Zuech, R.; Khoshgoftaar, T.M.; Wald, R. Intrusion detection and Big Heterogeneous Data: A Survey. J. Big Data 2015, 2, 41.
- Lankau, J.; Smith, K.; Deason, L.; Geide, M.; Baxter, J. Lessons Learned From Data Science Application to Cyber Security Network Logs; Technical Report; Punch Cyber Analytics Group: Reston, VA, USA, 2018.
- Settanni, G.; Shovgenya, Y.; Skopik, F.; Graf, R.; Wurzenberger, M.; Fiedler, R. Acquiring cyber threat intelligence through security information correlation. In Proceedings of the 2017 3rd IEEE International Conference on Cybernetics (CYBCONF), Exeter, UK, 21–23 June 2017; Institute of Electrical and Electronics Engineers Inc.: Vienna, Austria, 2017; pp. 1–7.
- Iqbal, Z.; Anwar, Z.; Mumtaz, R. STIXGEN—A Novel Framework for Automatic Generation of Structured Cyber Threat Information. In Proceedings of the 2018 International Conference on Frontiers of Information Technology (FIT), Islamabad, Pakistan, 17–19 December 2018; IEEE: Islamabad, Pakistan, 2018; pp. 241–246.
- Zhang, H.; Yi, Y.; Wang, J.; Cao, N.; Duan, Q. Network security situation awareness framework based on threat intelligence. Comput. Mater. Contin. 2018, 56, 381–399.
- Menges, F.; Pernul, G. A comparative analysis of incident reporting formats. Comput. Secur. 2018, 73, 87–101.
- Casey, E.; Barnum, S.; Griffith, R.; Snyder, J.; van Beek, H.; Nelson, A. The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form. In Handling and Exchanging Electronic Evidence Across Europe; Springer: Cham, Switzerland, 2018; pp. 43–58.
- Cheng, Y.; Deng, J.; Li, J.; DeLoach, S.A.; Singhal, A.; Ou, X. Metrics of Security. In Cyber Defense and Situational Awareness; Kott, A., Wang, C., Erbacher, R., Eds.; Springer International Publishing: Cham, Switzerland, 2014; pp. 263–295.
- Grispos, G.; Glisson, W.B.; Storer, T. How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations. In Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, HI, USA, 4–7 January 2012; Scholar Space Hawaii International: Honolulu, HI, USA, 2019; p. 10.
- Friedman, J.A.; Zeckhauser, R. Assessing uncertainty in intelligence. Int. J. Inf. Secur. 2012, 27, 824–847.
- Schlette, D.; Böhm, F.; Caselli, M.; Pernul, G. Measuring and visualizing cyber threat intelligence quality. Int. J. Inf. Secur. 2020, 20, 1–18.
- Virustotal. YARA—The Pattern Matching Swiss Knife for Malware Researchers. Available online: https://virustotal.github.io/yara/ (accessed on 20 February 2022).
- MITRE. CWE–Common Weakness Enumeration. Available online: https://cwe.mitre.org/ (accessed on 2 February 2022).
- MITRE. CVE–CVE. Available online: https://cwe.mitre.org/ (accessed on 20 February 2022).
- NIST. NVD–CCE. Available online: https://nvd.nist.gov/config/cce (accessed on 20 February 2022).
- NIST. NVD–CPE. Available online: https://nvd.nist.gov/products/cpe (accessed on 20 February 2022).
- MITRE. About MAEC|MAEC Project Documentation. Available online: https://maecproject.github.io/about-maec/ (accessed on 20 February 2022).
- MITRE. CAPEC–Common Attack Pattern Enumeration and Classification (CAPEC™). Available online: https://capec.mitre.org/ (accessed on 20 February 2022).
- MITRE. MITRE ATT&CK®. Available online: https://attack.mitre.org/ (accessed on 20 February 2022).
- MITRE. CybOX–Cyber Observable Expression|CybOX Project Documentation. Available online: https://cyboxproject.github.io/ (accessed on 20 February 2022).
- OASIS. Introduction to STIX. Available online: https://oasis-open.github.io/cti-documentation/stix/intro (accessed on 20 February 2022).
- Gibb, W.; Kerr, D. OpenIOC: Back to the Basics|FireEye Inc. Available online: https://www.fireeye.com/blog/threat-research/2013/10/openiocbasics.html (accessed on 20 February 2022).
- FIRST. Traffic Light Protocol (TLP). Available online: https://www.first.org/tlp/ (accessed on 20 February 2022).
- OASIS. Introduction to TAXII. Available online: https://oasis-open.github.io/cti-documentation/taxii/intro (accessed on 20 February 2022).
- IETF. RFC 7970—The Incident Object Description Exchange Format Version 2. Available online: https://datatracker.ietf.org/doc/rfc7970/ (accessed on 20 February 2022).
- VerisCommunity. The VERIS Framework. Available online: http://veriscommunity.net/ (accessed on 20 February 2022).
- Bass, L.; Clements, P.; Kazman, R. Software Architecture in Practice, 3rd ed.; Addison-Wesley Professional: London, UK, 2013.
- The Open Group. The Open Group Architecture Framework (TOGAF) Version 9; The Open Group: San Francisco, CA, USA, 2009.
- YETI. Available online: https://yeti-platform.github.io/ (accessed on 20 February 2022).
- MISP. MISP Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing. Available online: https://www.mispproject.org/ (accessed on 20 February 2022).
- CRITS. CRITs: Collaborative Research Into Threats. Available online: https://crits.github.io/ (accessed on 20 February 2022).
CTI Related Standards | Description |
---|---|
YARA [64] | It provides the means of malware description, identification and classification. |
CWE [65] | A language and a list of software and hardware weaknesses. |
CVE [66] | A language (catalog) for identified and defined cybersecurity vulnerabilities. |
CCE [67] | It provides identifiers for common configuration issues. |
CPE [68] | A language and dictionary for information systems, software, and packages naming. |
MAEC [69] | Malware Attribute Enumeration and Characterization provides a structured way to describe malware. |
CAPEC [70] | A dictionary and a hierarchy of common attack patterns. |
ATT&CK [71] | A knowledge base and a common language for attack tactics and techniques. |
Cyber Kill Chain [35] | A framework that models the activities an adversary carries out to achieve its objectives. |
CybOX [72] | A common language for the description of cyber observables. |
STIX [73] | A CTI information exchange language and serialization format. |
Diamond Model [34] | It provides an intrusion analysis approach and methodology. |
OpenIOC [74] | It provides a standard for the description of artifacts during an investigation. |
TLP [75] | A protocol ensuring the information sharing of sensitive data. |
TAXII [76] | A CTI information exchange protocol and standard. |
IODEF [77] | A framework for data representation of cyber security incidents. |
VERIS [78] | A common language for describing security incidents. |
Table: mapping of the CTI complexity classes (rows: CTI Information Sharing, CTI Security Operations, CTI Big Data, CTI Representation, CTI Quality of Intelligence) to the CTI intelligence cycle phases (columns: Collection, Processing, Exploitation, Analysis, Production, Dissemination, Integration, Evaluation, Feedback). The cell markings of this table did not survive extraction.
CTI Scenarios (numbered as in Section 4.3.2) per case study:

Case Study # | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4
---|---|---|---|---
1 | X | X | |
2 | X | | |
3 | X | X | X | X
Open-Source CTI Systems: requirement coverage per layer and function. The original table also marked which case studies (1, 2, 3) require each function and which open-source systems (YETI, MISP, CRITS) implement it; those per-column X marks did not survive extraction, so only the coverage percentage is kept here.

Layer | Function | Requirement Coverage (%) by Open-Source CTI Systems
---|---|---
Selection | CTI Products Selection | 100%
Selection | Traceability | 100%
Selection | Trustworthiness | 100%
Selection | Raw Data Selection | 0%
Selection | Stealthiness | 0%
Surveillance | Automatic Data Collection | 33%
Surveillance | Manual Data Collection | 66%
Surveillance | Large Volume of Data Collection | 0%
Processing | Data Aggregation | 100%
Processing | Data Enrichment | 66%
Analytics | Manual Analysis | 100%
Analytics | Attack Modeling | 0%
Analytics | Knowledge Discovery | 100%
Presentation | Visualization | 66%
Presentation | Anonymization | 0%
Communication | CTI Products Exchange | 100%
Communication | Privacy Protection | 0%
Quality Control | Feedback Collection | 33%
Quality Control | Quality Metrics Calculation | 0%
Quality Control | CTI Products Evaluation | 33%
Collaboration | CTI Operations Planning | 0%
Collaboration | Analysts Collaboration | 0%
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Sakellariou, G.; Fouliras, P.; Mavridis, I.; Sarigiannidis, P. A Reference Model for Cyber Threat Intelligence (CTI) Systems. Electronics 2022, 11, 1401. https://doi.org/10.3390/electronics11091401