Abstract
Cyber threat information sharing is an imperative process towards achieving collaborative security, but it poses several challenges. One crucial challenge is the plethora of shared threat information. Therefore, there is a need to advance filtering of such information. While the state-of-the-art in filtering relies primarily on keyword- and domain-based searching, these approaches require sizable human involvement and rarely available domain expertise. Recent research revealed the need for harvesting of business information to fill the gap in filtering, albeit it resulted in providing coarse-grained filtering based on the utilization of such information. This paper presents a novel contextualized filtering approach that exploits standardized and multi-level contextual information of business processes. The contextual information describes the conditions under which a given threat information is actionable from an organization perspective. Therefore, it can automate filtering by measuring the equivalence between the context of the shared threat information and the context of the consuming organization. The paper directly contributes to filtering challenge and indirectly to automated customized threat information sharing. Moreover, the paper proposes the architecture of a cyber threat information sharing ecosystem that operates according to the proposed filtering approach and defines the characteristics that are advantageous to filtering approaches. Implementation of the proposed approach can support compliance with the Special Publication 800-150 of the National Institute of Standards and Technology.
Highlights
Accurate and timely analysis of cyber-attacks is crucial for effective prevention, detection, and response [1]
This paper proposed an automated, contextualized cyber threat information filtering approach utilizing the Business Process Context
The Business Process Context was incorporated into the cyber threat information domain as a new user-defined object of the Structured Threat Information eXpression (STIX) expression language, which is a standard in the cyber threat information domain
Summary
Accurate and timely analysis of cyber-attacks is crucial for effective prevention, detection, and response [1]. A CTIP is relevant to an organization when its contained threat-related information relates to the organization’s context (e.g., location, domain, business process). We propose a novel, automated, contextualized filtering approach for shared cyber threat information. To this end, the contextual information of business. The proposed approach should be implemented at the server-side (i.e., within the CTIP repository) to foster trustworthiness, privacy, and ease organizations from the filtering process, allowing them to focus their efforts on the consumption of the received CTIPs only. The proposed approach deals with the challenge on CTI sharing identified in [11], in that organizations should find an effective way to identify the CTIPs that are applicable (i.e., actionable) to their environments.
Sign-in/Register to view highlights & summary 
Published Version (
Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call