The CTI Landscape: Limitations and Opportunities

Romy General News

02 November 2021


Sharing threat events and indicators of compromise (IoCs), such as the source IP address of an attack, the hash of a malicious executable file or the URL of a phishing website, enables quick and crucial decisions to be made in relation to effective countermeasures against cyber attacks.


Cyber threat intelligence (CTI) platforms are widely considered to be valuable tools for easing the management of threat information: these solutions allow organisations to easily handle the whole process of gathering, pre-processing, enriching, correlating, analysing and sharing threat events and associated data.

However, the current platforms do not allow easy communication and knowledge sharing among threat detection systems (TDS) which exploit machine learning capabilities. Privacy and trust in the shared information are further examples of the open challenges in defining a fully operational platform. Moreover, the lack of standards and solid approaches has resulted in different combinations of products and methodologies being (sometimes erroneously) labelled as threat intelligence.

Finally, the situation is further exacerbated by some specific challenges when artificial intelligence (AI) technologies have to be integrated:

  • The quality of threat feeds and events is not guaranteed, and there is a need for reliable and automated threat analysis and mitigation; this is particularly problematic for AI-based IDS, which are typically affected by high false alarm rates (FAR);
  • The event-based sharing philosophy of threat intelligence platforms does not match well with data-driven and AI-powered threat intelligence.

Designing and developing a versatile and comprehensive framework

CyberSec4Europe’s research activities have sought to address these challenges by defining a comprehensive platform for information sharing and awareness capable of providing privacy-preserving key information about the threats suffered by a monitored system (such as a computer network).

The developed prototype has the twofold objective of

  • improving the accuracy of TDS in detecting incoming attacks by exploiting threat information gathered from different sources (for example, honeypots); and
  • enabling the sharing of reliable and relevant threat information and threat detection algorithms among organisations in a confidential and privacy-preserving manner.

Platform components

The devised solution integrates and enables the communication of several tools developed by the project partners focused on addressing the above-mentioned challenges. IDS based on machine learning and deep learning, privacy-preserving and encryption technologies as well as methods for estimating the risk of compromise are just some examples of the components cooperating to improve the degree of security of the organisations belonging to the network.

Application scenarios

To demonstrate the potential of the developed prototype, three relevant use cases concerning the cooperation of TDSs and other cybersecurity tools have been set up. The main idea involves highlighting how the cooperation can:

  • improve the performance of threat prevention and detection systems and minimise the attack surface by strengthening machine learning and deep learning models, making them more robust to new threats and false positives and lowering the time to threat detection; and
  • enable more robust threat intelligence by allowing a better contextualisation of threat data and the devising of flexible strategies, methodologies and data formats for collaborative threat intelligence.

Sharing CTI in a confidential and privacy-preserving manner

The focus of the first scenario is on the sharing of CTI within and across communities, as this is a key enabler for cooperation between threat intelligence services and for triggering the deployment of adaptive honeypots. By sharing cyber threat information, other stakeholders or systems can leverage the shared information and collaborate to further analyse the data, increase confidence in the shared intelligence or augment it with additional information such as the reputation and trustworthiness of the reporting entities.

Enriching the information on detected threats via TDS cooperation gathered by means of honeypot instances

The main idea consists in enriching the information on detected threats with further details provided by different TDSs, several of which belong to the cooperation network sharing data on detected cyberattacks. Moreover, a honeynet allows for gathering further attack instances which will be used in the learning phase of the AI-based TDSs to improve their effectiveness.

Adaptive deployment

Gathering relevant information on attack strategies and sharing precious IoCs to improve the degree of security of the entities belonging to a cooperation network is the main objective of this use case. The scenario aims at demonstrating how internal information gathered by means of a pool of honeypots can be used in the context of the security of an infrastructure.

You can read more about Cooperation with Threat Intelligence Services for deploying adaptive honeypots here.


Massimo Guarascio, Giuseppe Manco, CNR Italy