1. The Challenges in Leveraging Cyber Threat Intelligence / Utmaningarna med att bemöta cyberhot mot underrättelseinformation

Gupta, Shikha; Joseph, Shijo; Sasidharan, Deepu. January 2021
Today cyber attacks, incidents, threats, and breaches continue to rise in scale and numbers, as sophisticated attackers continuously break through conventional safeguards each day. Whether strategic, operational, or tactical, threat intelligence can be defined as aggregated information and analytics that feed the different pillars of any given company’s cybersecurity infrastructure. It provides numerous benefits, enabling improved prediction and detection of threats, empowering and informing organizations to make better decisions during as well as following any cyber attack and aiding them to develop a proactive cyber security posture. It helps provide actionable intelligence, which equips senior management to make timely actions and decisions that might otherwise have an impact on the company’s ability to keep ahead and defend against this growing sea of threats. Driving momentum in this area also helps reduce their reaction times, enabling a shift for organizations to become more proactive than reactive. Perimeter defenses seem to no longer suffice as threats are becoming more complex and escalating with no best practices and guidelines available for companies to follow after, during, or before the time of the threat and risk due to the multiple components involved, including the various standards and platforms. Sharing and analyzing threat data effectively requires standard formats, protocols, shared understanding of the relevant terminology, purpose, and representation. Threat intelligence and its analysis are seen as a vital component of cyber security and a tool that many companies cannot leverage and utilize fully. Securing today's organizations and businesses, therefore, will require a new approach. 
In our study with security executives working across multiple industries, we have identified the various challenges that prevent the successful adoption of threat intelligence even with the rising adoption of multiple platforms, including issues related to data quality, the absence of a universal standard format and protocol, the challenge of enforcing data sharing based on CTI data attributes, a lack of authentication and confidentiality that prevents data sharing, missing API integration capability in conjunction with multi-vendor tools, a lack of identification of tactical IOCs, failure to define TTL value(s), and a lack of deep automation, analytical and visualization capabilities. Ensuring the right expertise and capabilities in these identified areas will help leverage threat intelligence effectively, help to sharpen the focus, and provide the needed competitive edge.
2. A Framework to Establish a Threat Intelligence Program

Miranda Lopez, Erik. January 2021
Threat Intelligence (TI) is a field that has been gaining momentum as an answer to the exponential growth in cyber-attacks and crimes experienced in recent years. The aim of TI is to increase defenders' understanding of the threat landscape by collecting intelligence on how attackers operate. Simply explained, defenders use TI to identify their adversaries and comprehend their attacking methods and techniques. With this knowledge, defenders can anticipate attackers' moves and be one step ahead by reinforcing their infrastructure. Although research papers and surveys have explored the applications of TI and its benefits, there is still a lack of literature addressing how to establish a Threat Intelligence Program (TIP). This lack of guidance means that organisations wishing to start a TIP are on their own in this challenging task. Thus, their TIP ends up generating too much or irrelevant data, and in many cases this has led security professionals to ignore the intelligence provided by their TIP. This research aims to address this gap by developing an artefact that can guide organisations in their quest to start their own TIP. This research followed the Design Science Research (DSR) methodology to design and develop a framework which can help organisations define their TI requirements and appropriately operationalise intelligence work to support different Information Security processes. Additionally, this thesis also contributes to the research field of Information Security by presenting a list of evaluation parameters that can be used to measure the success of the establishment of a TIP. Three main parameters were identified: Quality of Intelligence, which measures the value of the output produced by the TIP; Intelligence Usage, which evaluates how the intelligence is consumed and applied; and Legal, aspects concerned with legal requirements.
3. Threat Intelligence in Support of Cyber Situation Awareness

Gilliam, Billy Paul. 01 January 2017
Despite technological advances in the information security field, attacks by unauthorized individuals and groups continue to penetrate defenses. Due to the rapidly changing environment of the Internet, the appearance of newly developed malicious software or attack techniques accelerates while security professionals continue in a reactive posture with limited time for identifying new threats. The problem addressed in this study was the perceived value of threat intelligence as a proactive process for information security. The purpose of this study was to explore how situation awareness is enhanced by receiving advanced intelligence reports, resulting in better decision-making for a proper response to security threats. Using a qualitative case study methodology, a purposeful sample of 13 information security professionals was individually interviewed and the data analyzed with NVivo 11 analytical software. The research questions addressed threat intelligence and its impact on the security analyst's cognitive situation awareness. Analysis of the data collected indicated that threat intelligence may enhance the security analyst's situation awareness, as supported in the general literature. In addition, this study showed that differences in sources or the lack of an intelligence program may have a negative impact on determining the proper security response in a timely manner. The implications for positive social change include providing leaders with greater awareness, through threat intelligence, of ways to minimize the effects of cyber attacks, which may result in increasing business and consumer confidence in the protection of personal and confidential information.
4. Towards Secure and Trustworthy Cyberspace: Social Media Analytics on Hacker Communities

Li, Weifeng. January 2017
Social media analytics is a critical research area spawned by the increasing availability of rich and abundant online user-generated content. So far, social media analytics has had a profound impact on organizational decision making in many aspects, including product and service design, market segmentation, customer relationship management, and more. However, the cybersecurity sector is behind other sectors in benefiting from the business intelligence offered by social media analytics. Given the role of hacker communities in cybercrimes and the prevalence of hacker communities, there is an urgent need for developing hacker social media analytics capable of gathering cyber threat intelligence from hacker communities for exchanging hacking knowledge and tools. My dissertation addressed two broad research questions: (1) How do we help organizations gain cyber threat intelligence through social media analytics on hacker communities? And (2) how do we advance social media analytics research by developing innovative algorithms and models for hacker communities? Using cyber threat intelligence as a guiding principle, emphasis is placed on the two major components in hacker communities: threat actors and their cybercriminal assets. To these ends, the dissertation is arranged in two parts. The first part of the dissertation focuses on gathering cyber threat intelligence on threat actors. In the first essay, I identify and profile two types of key sellers in hacker communities: malware sellers and stolen data sellers, both of which are responsible for data breach incidents. In the second essay, I develop a method for recovering social interaction networks, which can be further used for detecting major hacker groups, and identifying their specialties and key members. The second part of the dissertation seeks to develop cyber threat intelligence on cybercriminal assets. 
In the third essay, a novel supervised topic model is proposed to further address the language complexities in hacker communities. In the fourth essay, I propose the development of an innovative emerging topic detection model. Models, frameworks, and design principles developed in this dissertation not only advance social media analytics research, but also broadly contribute to IS security application and design science research.
5. CSM Automated Confidence Score Measurement of Threat Indicators

January 2017
The volume and frequency of cyber attacks have exploded in recent years. Organizations subscribe to multiple threat intelligence feeds to increase their knowledge base and better equip their security teams with the latest information in the threat intelligence domain. Though such subscriptions add intelligence and can help in taking more informed decisions, organizations have to put considerable effort into facilitating and analyzing a large number of threat indicators. This problem worsens further due to the large number of false positives and irrelevant events detected as threat indicators by existing threat feed sources. It is often neither practical nor cost-effective to analyze every single alert considering the staggering volume of indicators. This very reason motivates solving the overcrowded threat indicator problem by prioritizing and filtering them. To overcome the above issue, I explain the necessity of determining how likely a reported indicator is to be malicious given the evidence, and of prioritizing it based on such a determination. The Confidence Score Measurement system (CSM) introduces the concept of a confidence score, where it assigns a score of being malicious to a threat indicator based on the evaluation of different threat intelligence systems. An indicator propagates maliciousness to adjacent indicators based on relationships determined from the behavior of an indicator. The propagation algorithm derives a final confidence to determine the overall maliciousness of the threat indicator. CSM can prioritize the indicators based on confidence score; however, an analyst may not be interested in the entire result set, so CSM narrows down the results based on analyst-driven input. To this end, CSM introduces the concept of a relevance score, where it combines the confidence score with analyst-driven search by applying full-text search techniques. It prioritizes the results based on relevance score to provide meaningful results to the analyst.
The analysis shows that the propagation algorithm of CSM scales linearly with larger datasets and achieves 92% accuracy in determining threat indicators. The evaluation of the results demonstrates the effectiveness and practicality of the approach.
Dissertation/Thesis: Master's Thesis, Computer Science, 2017
6. Cybersäkerhet: Från reaktiv till proaktiv (Cybersecurity: From Reactive to Proactive)

Waregård, Ellen; Wilke, Frida. January 2022
The number of reported cybercrimes in Sweden is increasing every year. Cybercrimes are becoming more sophisticated and the attackers are more skilled than before. Attackers use different tactics, techniques and procedures, TTP, to establish their goals. These TTP can be identified and later used to combat future cyberattacks. This process is known as Tactical Threat Intelligence, TTI, and is characterized by the use of open source intelligence, OSINT, to gather information about previous attacks and TTP. This paper is a literature review to provide a background of the topic. To further investigate the topic, this paper also presents the analysis of three different threat intelligence sharing platforms to deepen the understanding of how TTI is used today. A statistical analysis is also presented in order to predict the future of cyber threats. The results of the analysis of the threat intelligence sharing platforms clearly display the need to search for information in more than one source. This information will become the foundation of intelligence, which makes information gathering one of the most important steps when working with TTI. The results of the statistical analysis show that cybercrime in Sweden will continue to rise. One of the biggest challenges was to identify the current state of the global cyberthreat landscape, since global statistics for cybercrime could not be found. However, the Covid-19 pandemic has forced more people to work from home, which has increased the number of potential cybercrime victims since home security tends to be lower than at a physical office. Despite this, the number of reported cybercrimes has not increased remarkably.
7. Evaluation of Open-source Threat Intelligence Platforms Considering Developments in Cyber Security

Andrén, Love. January 2024
Background. With the increase in cyberattacks and cyber-related threats, it is of great concern that the area still lacks the needed number of practitioners. Open-source threat intelligence platforms are free platforms hosting information related to cyber threats. These platforms can act as a gateway for new practitioners and be of use during research at all levels. For this to be the case, they need to be up-to-date, have an active user base and show a correlation to commercial companies and platforms. Objectives. In the research, data will be gathered from a multitude of open-source threat intelligence platforms to determine if they have increased usage and correlation to other sources. Furthermore, the research will look at whether there are overrepresentations for certain countries and whether the platforms are affected by real-world events. Methods. Platforms were gathered using articles and user-curated lists; they were filtered based on whether the data could be used and whether they were free or partially free. The data was then processed to only include information from after 2017 and only unique entries. It was then filtered through a tool to remove potential false positives. For IP addresses and domains, a WHOIS query was done for each entry to get additional information. Results. There was a noticeable increase in the number of unique submissions for the categories CVE and IP addresses; the other categories showed no clear increase or decrease. The United States was the most represented country when analyzing domains and IP addresses. The WannaCry ransomware had a notable effect on the platforms, with an increase in submissions during the month of the attack and after, and samples of the malware making up 7.03% of the yearly submissions. The Russian invasion of Ukraine did not show any effect on the platforms. Comparing the results to the annual Microsoft security reports, there was a clear correlation for some years and sources, while others showed none at all.
This was the case for all the statistics they could be applied to: reported countries, noticeable trend increases and most prominent malware. Conclusions. While some results showed that there was an increase in cyberattacks and a correlation to real-world events, others did not. Open-source threat intelligence platforms often provide the necessary data, but problems start showing up when analyzing it. The data itself is extremely sensitive to what processing methods are used, which in turn can lead to varying results.
Swedish abstract (translated): Background. With the large increase in cyberattacks and threats, it has been noted that the cybersecurity field still lacks enough trained individuals. Open-source threat intelligence platforms are free services that contain information about cyber threats. These platforms can serve as a gateway into the cybersecurity field and a support for all levels of research and education. For this to work, they must be up to date, have an active user base, and their data must show results similar to paid services and major corporate reports. Objectives. In this work, data will be collected from several open-source threat intelligence platforms in order to determine whether their usage and contributions have increased, and furthermore whether the information resembles what is reported by companies. In addition, it will be examined whether any countries are overrepresented in the data and whether real-world events affected the platforms. Methods. Candidate platforms were collected through articles and user-created lists. They were then filtered based on whether the data could be used in the work and whether they were free or partially free. The data was retrieved from the platforms and filtered so that only entries reported after 2017 and unique contributions remained. All data was processed through a tool to remove potential false-positive contributions. Finally, WHOIS lookups were performed for IP addresses and domains. Results. CVEs and IP addresses showed a noticeable increase in the number of unique contributions.
The remaining categories showed no clear increase or decrease. The most overrepresented country was the USA for both domains and IP addresses. The WannaCry virus had a noticeable effect on the platforms, with increases in contributions during the month of the attack and the month after. The virus made up 7.03% of the total yearly contributions. The Russian invasion of Ukraine showed no direct effect on the platforms. When the results were compared with Microsoft's annual security reports, there was a clear similarity in results for some years and sources. Other sources and years had no similar statistics. The information from the reports that could be applied was countries, noticeable increases in specific categories, and the most prevalent viruses. Conclusions. Some results showed that there was an increase in cyberattacks and that the platforms had a clear connection to real-world events; for other results this did not hold. Open-source threat intelligence platforms contain important and relevant data. Problems begin to arise, however, when the data is to be analyzed. This is because the data is extremely sensitive to how it is processed, which in turn can lead to varying results.
8. Cyber Threat Intelligence from Honeypot Data using Elasticsearch

Al-Mohannadi, Hamad; Awan, Irfan U.; Al Hamar, J.; Cullen, Andrea J.; Disso, Jules P.; Armitage, Lorna. 18 May 2018
Cyber attacks are increasing in every aspect of daily life. There are a number of different technologies around to tackle cyber-attacks, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, switches, routers etc., which are active round the clock. These systems generate alerts and prevent cyber attacks. This is not a straightforward solution however, as IDSs generate a huge volume of alerts that may or may not be accurate, potentially resulting in a large number of false positives. In most cases therefore, these alerts are too many in number to handle. In addition, it is impossible to prevent cyber-attacks simply by using tools. Instead, it requires greater intelligence in order to fully understand an adversary's motive by analysing various types of Indicator of Compromise (IoC). Also, it is important for IT employees to have enough knowledge to identify true positive attacks and act according to the incident response process. In this paper, we have proposed a new threat intelligence technique which is evaluated by analysing honeypot log data to identify the behaviour of attackers and find attack patterns. To achieve this goal, we have deployed a honeypot on the AWS cloud to collect cyber incident log data. The log data is analysed using Elasticsearch technology, namely an ELK (Elasticsearch, Logstash and Kibana) stack.
9. Integration of CTI into security management

Takacs, Gergely. January 2019
The current thesis is a documentative approach to sum up the experiences of a practical project of implementing Cyber Threat Intelligence into an existing information security management system and delivering best practices using the action design research methodology. The project itself was delivered to a multinational energy provider in 2017. The aim of the CTI implementation was to improve the information security posture of the customer. The author, as a participant of the delivery team, presents an extensive review of the current literature on CTI and puts the need for threat intelligence into context. The author claims that traditional security management is not able to keep up with current cybersecurity threats, which makes a new approach required. The thesis gives an insight into a working and continuously developed CTI service and offers possible best practices for InfoSec professionals, adds theoretical knowledge to the body of knowledge and opens up new research areas for researchers.
10. Architecture and design requirements for Enterprise Security Monitoring Platform: Addressing security monitoring challenges in the financial services industry

Wierzbieniec, Gabriel. January 2018
A Security Monitoring Platform (SMP) represents multiple detective controls applied in the enterprise to protect against cyberattacks. Building an SMP is a challenging task, as it consists of multiple systems that require integration. This paper introduces a framework that compiles various aspects of Security Monitoring and presents respective requirement sets. The SMP framework provides guidance for establishing a risk-based detection platform, augmented with automation, threat intelligence and analytics capabilities. It provides a broader view on the problem of Security Monitoring in the enterprise context and can assist in the platform creation. The proposed solution has been built using the Design Science Research Methodology and consists of twenty requirements for building an SMP. Expert evaluation and comparison with similar frameworks show potential value in a holistic approach to the problem, as well as indicate the need for further research.