Abstract

Cyber Threat Management (CTM) involves prevention, detection, and response to cyber-attacks by identifying and understanding threats and applying appropriate actions. It is not practical for an organization to perform all of these activities within the time-frame of an impending attack. Organizations should therefore swiftly accumulate and share Cyber Threat Intelligence (CTI) with peers to make effective use of shared threat information. Efforts are underway to standardize the expression of threats in a machine-understandable format. Structured Threat Information eXpression (STIX) is a comprehensive effort that structures CTI and enables its sharing, visualization, and analysis. Although a large volume of STIX reports is available publicly, their quality remains poor. Reports are not appropriately formatted, use incorrect vocabulary, and mislabel or omit key components, which curtails their usefulness for effective cyber threat management. For a meaningful analysis, an analyst needs a curated document list categorized according to the cyber threat management phases for the threat under investigation. We believe that methods for valuation of structured threat documents based on cyber threat management phases are limited or non-existent. We present a novel framework named SCERM—Structured threat data Cleansing, Evaluation, and Refinement. SCERM formally models the STIX architecture and valuates reports on the basis of the use case “managing cyber threat response activities”. It uplifts CTI by remapping wrongly placed contents to the STIX data model. SCERM refines incomplete or missing components through a pre-prepared dataset of curated blog reports. This process is repeated until the reports improve to a threshold suitable for cyber threat management. A case study is presented to demonstrate the working of SCERM. The evaluation valuates publicly available STIX reports for cyber threat management.
It is observed that current STIX reports have limited information on prevention and almost none for the response phase of cyber threat management. The results demonstrate that SCERM significantly enriches STIX reports. The improvement in prevention is 73% and in response is 100%.
