Data-Driven Threat Hunting Using Sysmon
Vasileios Mavroeidis
University of Oslo
Norway
vasileim@ifi.uio.no
ABSTRACT
Threat actors can be persistent, motivated and agile, and they lever-
age a diversified and extensive set of tactics, techniques, and pro-
cedures to attain their goals. In response to that, organizations
establish threat intelligence programs to improve their defense
capabilities and mitigate risk. Actionable threat intelligence is inte-
grated into security information and event management systems
(SIEM) forming a threat intelligence platform. A threat intelligence
platform aggregates log data from multiple disparate sources by
deploying numerous collection agents and provides centralized
analysis and reporting of an organization’s security events for iden-
tifying malicious activity. Sysmon logs is a data source that has
received considerable attention for endpoint visibility. Approaches
for threat detection using Sysmon have been proposed mainly fo-
cusing on search engines (NoSQL database systems). This paper
presents a new automated threat assessment system that relies on
the analysis of continuous incoming feeds of Sysmon logs. The sys-
tem is based on a cyber threat intelligence ontology and analyses
Sysmon logs to classify software in different threat levels and aug-
ment cyber defensive capabilities through situational awareness,
prediction, and automated courses of action.
CCS CONCEPTS
• Security and privacy → Intrusion/anomaly detection and
malware mitigation; • Computing methodologies → Ontol-
ogy engineering;
KEYWORDS
cyber threat intelligence, threat assessment, sysmon, threat hunting
ACM Reference Format:
Vasileios Mavroeidis and Audun Jøsang. 2018. Data-Driven Threat Hunting
Using Sysmon. In ICCSP 2018: 2018 the 2nd International Conference on
Cryptography, Security and Privacy, March 16–19, 2018, Guiyang, China.
ACM, Guiyang, China , 7 pages. https://doi.org/10.1145/3199478.3199490
1 INTRODUCTION
Threat Intelligence has become a priority in the cyber security
operations of every security aware organization as a way of pre-
venting an attack or decreasing the time needed to discover an
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from permissions@acm.org.
ICCSP 2018, March 16–19, 2018, Guiyang, China
© 2018 Copyright held by the owner/author(s). Publication rights licensed to Associa-
tion for Computing Machinery.
ACM ISBN 978-1-4503-6361-7/18/03. . . $15.00
https://doi.org/10.1145/3199478.3199490
Audun Jøsang
University of Oslo
Norway
josang@ifi.uio.no
attack. In addition, cyber attacks are increasingly sophisticated,
posing significant challenges for organizations that must defend
their data and systems from capable threat actors. Threat actors
can be persistent, motivated and agile, and they use a variety of
tactics, techniques, and procedures to disrupt the confidentially,
integrity, and availability of systems and data. Given the risks of the
present cyber threat landscape, it is increasingly important for the
organizations to focus on cyber threat intelligence and participate
in threat information sharing to improve their security posture.
In a previous work [1], we discussed the importance of consum-
ing cyber threat information aggregated from different sources for
threat intelligence, and presented the Cyber Threat Intelligence
(CTI) model which enables cyber defenders to explore their threat
intelligence capabilities and understand their position against the
ever-changing cyber threat landscape. Furthermore, in the same
work, we remarked the importance of developing a multi-layered
cyber threat intelligence ontology based on the CTI model that
could improve the threat detection, prioritization, and response
capabilities of organizations. The results of [1] showed the lack of
a comprehensive ontology readily available for use within cyber
threat intelligence, although some holistic initiatives towards that
goal exist [2–4]. In addition, there is a plethora of ontological ap-
proaches related to cyber security focusing on specific sub-domains,
such as malware detection, vulnerability analysis and more [5–13].
Current threat detection analysis approaches include aggrega-
tion of log files in a centralized system known as security informa-
tion and event management (SIEM) which performs inspections
and flags anomalies. A SIEM system collects logs by deploying
multiple collection agents to gather security-related events from
end-user devices, servers, intrusion detection systems (IDS), intru-
sion prevention systems (IPS) and firewalls, network devices such as
routers and DNS servers and more. In particular, one resource that
has received considerable attention for endpoint visibility has been
Sysmon; a Windows system service and device driver that monitors
and logs system activity of Windows workstations. Approaches for
threat detection using Sysmon have been proposed mainly focusing
on search engines (NoSQL database systems) or graph databases.
Without any relevant academic publication, a comprehensive list
of related works can be found on GitHub 1 .
The contribution of this paper is twofold. First, we present the
Cyber Threat Intelligence Ontology (CTIO) which is based on the
CTI model and second, we introduce an alternative threat assess-
ment system that utilizes CTIO for analyzing Sysmon logs to clas-
sify software in different threat levels (high threat, medium threat,
low threat, or unknown) and augment cyber defensive capabilities
through situational awareness, prediction, and automated courses
of action.
1 https://github.com/MHaggis/sysmon-dfir
ICCSP 2018, March 16–19, 2018, Guiyang, China
The rest of the paper is organized as follows. Section 2 explains
the importance of cyber threat intelligence and cyber threat infor-
mation sharing in security operations and discusses how a knowl-
edge base would enable their combination to build a strong security
posture. Section 3 presents our developed cyber threat intelligence
ontology and explains its applications in incident response and
other security operations. Section 4 presents a threat assessment
system that utilizes cyber threat intelligence for analyzing Sysmon
logs. Section 5 discusses some observations regarding the threat
assessment system. Section 6 concludes the paper.
2 THREAT INTELLIGENCE AND THREAT
INFORMATION SHARING
Threat intelligence can be described as the aggregation, transforma-
tion, analysis, interpretation, and enrichment of threat information
to provide the necessary context that can aid decision making [14].
Threat information is any information that can help an organization
to protect itself against a threat or detect the activities of a threat
actor. Ryan Stillions 2 has remarked that security teams of low
detection maturity and low skills would be able to detect attacks
in terms of low-level technical observations, without necessarily
understanding the significance of these observations. On the other
hand, security teams of high detection maturity and high skills
are assumed to be able to interpret technical observations in the
sense that the type of attack, the attack methods used, and possi-
bly the identity of the attacker can be determined. Absorbing rich
threat intelligence shared by teams of high capability would en-
able improvements in threat detection, prioritization, and response
capabilities of teams of lower capability.
Threat information sharing allows one organization’s detection
to become another’s prevention by leveraging collective knowledge,
experience, and capabilities to gain a complete understanding of the
threats an organization might face. Benefits of threat information
sharing include greater insight into cyber threats and enhanced
detective and preventive capabilities of an entire community with
security teams of any maturity and skills. An organization can use
shared information in many different ways such us strategically,
operationally, tactically, and technically [15].
2.1 Knowledge Base of Threat Intelligence
A knowledge base is a repository of complex structured and un-
structured information that represents facts about the world. A
knowledge base can evolve over time and can suitably support
inference capabilities that can reason about those facts and use
rules and other forms of logic to deduce new facts or highlight
inconsistencies. Present threat information sharing is facilitated
by several sharing standards which are based on XML or JSON
(machine-readable) formats and can be seen as means of feeding
threat intelligence platforms. An example is structured threat in-
formation eXpression (STIX) language which based on a study
of existing threat intelligence sharing initiatives is currently the
most used standard for sharing structured threat information [16].
Asgarli and Burger [17] remark that semantic exchange formats
could be used instead of XML-based sharing formats without any
2 http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html
Vasileios Mavroeidis and Audun Jøsang
features being lost in the translation. In addition, JASON [18] rec-
ommended the construction of a common language and a set of
basic concepts about which the security community can develop a
shared understanding.
Threat intelligence initiatives include security products by ven-
dors that deliver threat intelligence tied tightly with their products
which is not easily accessible outside of their products and pure-
play threat intelligence vendors that charge a subscription to access
their information [19]. The latter can be a viable option but still the
information needs to be analyzed. In addition, several open source
approaches exist with variable success.
In a previous work [1] we argued that an ontology representing
the "full spectrum" of cyber threat intelligence would allow organi-
zations of any size to improve their threat detection, prioritization,
and response capabilities. Based on that we developed the cyber
threat intelligence ontology (CTIO).
Ontology is a form of knowledge representation (knowledge
base) based on well-defined semantic concepts and their relation-
ship. The agreed vocabulary of an ontology allows information
coming from different sources to be aggregated in a unique knowl-
edge base that can leverage reasoning capabilities using formal
logic to infer new information.
3 CYBER THREAT INTELLIGENCE
ONTOLOGY
Part of our work was the development of a cyber threat intelligence
ontology (CTIO) rich enough for consuming and representing infor-
mation from several different sources, such as taxonomies, sharing
standards, and domain expertise within cyber threat intelligence
with the purpose of supporting decision making. Our ontology
represents knowledge (information) from low-level technical ob-
servables to high-level goals and threat actors. Concisely, CTIO
includes facts about threat actors, their motivation, their goals and
their strategies, specific attack patterns and procedures (tactics,
techniques and procedures-TTPs), malware, general tools and in-
frastructures used in adversarial attacks, indicators of compromise,
atomic indicators, targets, software weaknesses and vulnerabilities
(identified weaknesses in specific software), and courses of action.
For developing the ontology we used the web ontology language
(OWL) and we followed an agile engineering approach. We created
and interconnected several modular sub-ontologies based on tax-
onomies, such as Common Vulnerabilities and Exposures (CVE),
National Vulnerability Database (NVD), Common Vulnerability
Scoring System (CVSS 2.0), Common Platform Enumeration (CPE),
Common Weakness Enumeration (CWE), Common Attack Patterns
Enumerations and Characteristics (CAPEC), Threat Agent Library
(TAL), Threat Agent Motivation (TAM), Adversarial Tactics, Tech-
niques and Common Knowledge (ATT&CK); sharing standards,
such as STIX 2.1 and OpenIOC; and domain expertise that allowed
us to create a malware ontology and an extension of CPE that we
named ExtendedCPE. A high-level diagram showing the interre-
lationships between the aforementioned concepts is presented in
Figure 1. For additional information regarding the purpose of the
aforementioned taxonomies, sharing standards and their relation
to the CTI model please refer to [1].
Data-Driven Threat Hunting Using Sysmon
Figure 1: High-Level Relationships of Cyber Threat Intelligence Ontology
The malware and the ExtendedCPE ontologies are the two ma-
jor ontologies queried in the threat assessment system (described
in the next section) and they are intended to represent accurate
knowledge of malicious and non-malicious software respectively.
All the aforementioned ontologies are interconnected to express
complete knowledge. In addition, conditions (constraints) were
defined and OWL constructs are used to enable automated classifi-
cation, consistency checking, and inference of new information by
using a reasoner. For example, indexing a software as ExtendedCPE
demands all the classification criteria of CPE to be met and addi-
tionally, a hash to be included followed by a verification confirming
that the software indexed is non-malicious. It is worth mention-
ing that ExtendedCPE aims to classify non-malicious software but
includes software with known or unknown vulnerabilities and le-
gitimate software that have been used by threat actors to perform
attacks (browsers, vulnerability scanners, network scanners, etc.);
hence ExtendedCPE supports different levels of trust for legitimate
software.
The malware ontology was initially developed based on STIX
2.1 as a reference to basic objects needed and later was enriched
with several new properties that would allow it to be used multi-
purposely, in our case in an automated threat assessment system.
For example, we included properties that would increase the pos-
sibilities of detecting malware based on information available in
ICCSP 2018, March 16–19, 2018, Guiyang, China
Sysmon logs, such as hashes and names of dynamic-link libraries
that were dynamically loaded during the execution of malware.
Because of the modularity of CTIO additional sub-ontologies
can be introduced and embedded in the main ontology with low en-
gineering complexity. Information and documentation about CTIO,
as well as the ontologies themselves, can be found on GitHub3 .
4 SOFTWARE THREAT ASSESSMENT SYSTEM
The second contribution of our paper is a threat assessment system
(Figure 2) that utilizes CTIO for analyzing Windows Sysmon logs
and classifying software (in real time) as of high threat, medium
threat, low threat, or unknown based on its identified characteristics
(Table 1). Thus, an organization can identify malicious activity,
understand how intruders and malware operate on their network
and defend against the threat.
The system handles available threat intelligence multi-purposely.
Not only can identify malware and adversarial indicators on work-
stations but enables advanced cyber defensive capabilities through
situational awareness, prediction, and descriptive or automated
courses of action.
Situational awareness: is achieved through the evidence-based
knowledge accumulated into our ontology. A simple observable
such as an IP, a domain name, a hash, or even a modified registry
3 https://github.com/Vasileios-Mavroeidis/CTIO
ICCSP 2018, March 16–19, 2018, Guiyang, China Vasileios Mavroeidis and Audun Jøsang

• By analyzing Sysmon logs we can detect threats that other-

wise could go undetected by traditional network intrusion
detection systems and firewalls, such as encrypted traffic.
• Ontologies have inference capabilities that are beneficial for
improving the quality of data integration (several different
sources). Rules concentrate on defining a general mechanism
for discovering and generating new relationships based on
existing ones. For example, a set of rules can be created
Table 1: Threat Level Classification to classify new malware instances based on the malicious
infrastructure they use. In addition, consistency checking is
vital to avoid misclassification of data.
key could be an indicator of compromise were when queried would • More sophisticated queries can be introduced to utilize all
allow as to see the bigger picture. For example, an identified mali- the information available in Sysmon logs. The higher the
cious hash could provide related information about command and domain expertise the more sophisticated and precise the
control (C2) servers that this malware instance has been observed queries and rules can become. For example, queries can be
connecting to or trying to connect to, the malware family that be- enriched with regular expressions (like signature detection).
longs to, the campaigns that have used this malware instance or • The system provides considerable advantages to teams of
another instance of the same family, maybe the threat actor behind lesser experience. The threat assessment system is automated
the identified campaign and malware, possibly the motivation and and utilizes a knowledge base of threat intelligence making
goal of the threat actor, as well as the target of the attack, such as threat hunting viable and enables situational awareness that
specific industry sectors the malware and the attacker are targeting. traditionally could only be achieved by teams of high skills
When the scope of an incident can be determined and taken into and high maturity.
account the response speed and effectiveness increases. • The cyber threat intelligence ontology could be deployed
Prediction: Threat intelligence is important for visibility into what on the cloud and could be maintained by an organization
happens inside and outside of an organization that might affect it; or a threat intelligence community. CTIO is accessed with
hence, enables guidance on how an organization should prioritize rest-style SPARQL queries over HTTP (API for Apache Jena
its next actions (security operations and incident response). In terms Fuseki server); thus, the software threat assessment system
of our threat assessment system an identified malware or unknown could be deployed massively in different organizations.
software related to a known malicious attribute such as a blacklisted
domain may reveal who is attacking the organization (attribution
of the attack), the goal of the attack, the attack pattern related to
this malware, and consequently, possibly predict the next steps of
a campaign targeting the organization. Thus, detection of ongoing
advanced persistent threats and anticipation of future events is
possible.
Course of action: is an action taken either to prevent an attack
or to respond to an attack that is in progress. Courses of action
into CTIO can be described in prose or in a standardized manner
that enables real-time automated and active cyber defence. For the
latter, our system utilizes OASIS "Open Command and Control"
(OpenC2) language (expressed in JSON format) that enables the
command and control of cyber defence components in a manner
that is agnostic of the underlying products, technologies, transport
mechanisms or other aspects of the implementation. An OpenC2
command is composed of an action, a target, an optional actuator
(what is executing the command), and command options, which
influence how the command is to be performed. The OpenC2 lan-
guage assumes that the event has been detected, a decision to act
has been made, the act is warranted, and the initiator and recipient
of the commands are authenticated and authorized [20].

Other advantages of this approach are the following:

• Automated consumption of updated taxonomies and threat
information from different sharing standards is viable due to
the open source environment of the system; thus, CTIO can Figure 2: Architecture of Threat Assessment System
be enriched in the light of new information and be up-to-date
to new emerging threats.
Data-Driven Threat Hunting Using Sysmon ICCSP 2018, March 16–19, 2018, Guiyang, China

4.1 Operational Flow of the System

The system (Figure 2) aggregates Sysmon logs from Windows-based
workstations and using a parsing engine automatically extracts
attributes (features) for querying CTIO based on the event id of
each log. For example, a log with "Event ID 1" provides detailed
information about a newly created process. In Figure 3, we can see
a "simplified" Sysmon log related to WannaCry ransomware attack
manifested in May 2017. From this log, the system extracts the
following element and attribute values; event id, computer name,
username, time of the event, calculated hashes of the particular
process, and command lines of both current and parent processes.
Figure 4: Basic queries in the SPARQL Engine
related to WannaCry ransomware that based on the actuator speci-
fied they call the appropriate APIs; a) allow traffic passing through
a firewall for a specific domain that acts as a kill-switch, b) block C2
communications to specific .onion domains c) for externally facing
servers and systems that are not using SMB or Windows Network
File Sharing capabilities, it is best practice to reduce the network
attack surface by configuring prevention policy rules to block SMB
network traffic, d) automatically restore infected systems to a pre-
vious state (point in time). Examples of OpenC2 are presented in
Figure 5.

Figure 3: Sysmon Log with Event ID 1 Related to WannaCry

Ransomware

Next, the system’s lookup engine checks whether the extracted

values have been observed and queried previously in a specific
adjustable time period to reduce the workload of the SPARQL engine.
In the sight of an already classified process the system pushes the
information directly in the decision making process engine and the
appropriate courses of action are applied or recommended. The
values that end up in the SPARQL engine become part of SPARQL
queries that perform a semantic search into CTIO.
For each Sysmon log the knowledge base is queried gradually
with different features (hashes, network connections, command
lines for parent and current processes, registry key modifications,
file creation timestamp changes, etc.) until information that allows
the classification (decision making process engine) of the process is
identified. In addition, the system recommends or applies courses of
action (OpenC2) and presents related threat information to ensure
access to the most up-to-date details and guided response steps to
the detected threat; thus, eliminating the time needed typically to
investigate the threat manually.
If we go back to the Sysmon log in Figure 3, the extracted val-
ues are seen for the first time, thus, they become part of SPARQL
queries. In Figure 4 a sequence of queries is presented. The first
query checks whether an indicator of compromise exists or not in Figure 5: Example OpenC2 Courses of Action for WannaCry
the knowledge base for a particular hash. In our case an IOC exists, Ransomware
thus, the system classifies the process as of high threat and pro-
ceeds by requesting related courses of action (second query). The Additionally, the system returns a single RDF graph (in triples)
knowledge base outputs the following automated courses of action presenting the complete known knowledge of the identified threat
ICCSP 2018, March 16–19, 2018, Guiyang, China
Figure 6: High-Level RDF Graph of WannaCry Ransomware
(third query). In Figure 6 a high-level graph of the identified Wan-
naCry ransomware is presented. In case of complete lack of infor-
mation related to a process, the decision making engine will classify
the process as unknown and further analysis can be performed,
such as automated malware analysis.
5 DISCUSSION
In the previous sections, we presented the cyber threat intelligence
ontology (CTIO) and a new system that uses CTIO for analyzing
Sysmon logs in real time for threat hunting and process classifi-
cation. In this section, we discuss some limitations, concerns, and
future work regarding our approach.
Our threat assessment system, the ontology, and a couple Win-
dows workstations were deployed in a controlled environment us-
ing several virtual machines. It is known that reasoners are resource
intensive and SPARQL queries can take a considerable amount of
time to produce results which could be problematic when hundreds
or thousands of machines generate Sysmon logs continuously. In
response to that, we included a lookup engine that reduces the load
of SPARQL queries. In addition, to reduce the amount of Sysmon
logs generated and consequently the performance impact in the
system it is recommended to use matching rules (filtering) in Sys-
mon configuration file to exclude or include events. Modifications
of the configuration file would require some domain expertise as
it would be easy to lose indicators of malicious activity because of
the blindness created.
Another important consideration is the visualization of RDF
graphs. Our system currently outputs only RDF graphs in triples.
Graph visualization methods would provide better and easier graph
Vasileios Mavroeidis and Audun Jøsang
exploration and consequently, the ability to convey key insights
more effectively.
The system detects malicious activity based on information avail-
able in the knowledge base. Even though it is possible to identify
"new malware", this would require an attribute of the software
under analysis to be already in the knowledge base. In response
to that behavioral rules could be constructed like in the work of
[9, 10], but attacks are getting increasingly sophisticated making
this method ineffective. Future work will focus on mitigating this
blind spot by using machine learning for Sysmon threat hunting.
6 CONCLUSION
The threats associated with cyber security are dynamic. The nature,
the agenda, and the attacks of adversaries are continuously chang-
ing and evolving partly in response to defensive actions. This paper
presented a new automated system for threat hunting that anal-
yses Sysmon logs to classify system processes in different threat
levels based on their identified characteristics. The system utilizes
continuously updated threat intelligence through an ontology and
performs automated courses of action in response to indicators of
compromise. To the extent of our knowledge, this paper is the first
one that presents an ontological approach for automated end-point
threat hunting using Sysmon in an automated manner.
ACKNOWLEDGMENTS
This research was supported by the research project Oslo Analytics
funded by the Research Council of Norway. IKTPLUSS project
number: 247648.
Data-Driven Threat Hunting Using Sysmon ICCSP 2018, March 16–19, 2018, Guiyang, China

REFERENCES
[1] Vasileios Mavroeidis and Siri Bromander. Cyber Threat Intelligence Model: An
Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber
Threat Intelligence. In Proceedings of the European Intelligence and Security
Informatics Conference. IEEE, 2017.
[2] Michael Iannacone, Shawn Bohn, Grant Nakamura, John Gerth, Kelly Huffer,
Robert Bridges, Erik Ferragut, and John Goodall. Developing an Ontology for
Cyber Security Knowledge Graphs. In Proceedings of the 10th Annual Cyber and
Information Security Research Conference, page 12. ACM, 2015.
[3] Zareen Syed, Ankur Padia, M Lisa Mathews, Tim Finin, and Anupam Joshi. UCO:
A Unified Cybersecurity Ontology. In Proceedings of the AAAI Workshop on
Artificial Intelligence for Cyber Security. AAAI Press, 2016.
[4] Sean Barnum. Unified Cyber Ontology (UCO). https://github.com/ucoProject/uco,
2016.
[5] Ju An Wang and Minzhe Guo. OVM: An Ontology for Vulnerability Management.
In Proceedings of the 5th Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information Intelligence Challenges and
Strategies, page 34. ACM, 2009.
[6] Ontology-Based Security Assessment for Software Products, author=Wang, Ju
An and Guo, Minzhe and Wang, Hao and Xia, Min and Zhou, Linfeng, bookti-
tle=Proceedings of the 5th Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information Intelligence Challenges
and Strategies, pages=15, year=2009, organization=ACM.
[7] Leo Obrst, Penny Chase, and Richard Markeloff. Developing an Ontology of the
Cyber Security Domain. In STIDS, pages 49–56, 2012.
[8] Alessandro Oltramari, Lorrie Faith Cranor, Robert J Walls, and Patrick Drew
McDaniel. Building an Ontology of Cyber Security. In STIDS, pages 54–61.
Citeseer, 2014.
[9] André Grégio, Rodrigo Bonacin, Olga Nabuco, Vitor Monte Afonso, Paulo Lício
De Geus, and Mario Jino. Ontology for Malware Behavior: A Core Model Proposal.
In WETICE Conference (WETICE), 2014 IEEE 23rd International, pages 453–458.
IEEE, 2014.
[10] André Grégio, Rodrigo Bonacin, Antonio Carlos de Marchi, Olga Fernanda
Nabuco, and Paulo Lício de Geus. An Ontology of Suspicious Software Behavior.
Applied Ontology, 11(1):29–49, 2016.
[11] Malek Ben Salem and Chris Wacek. Enabling New Technologies for Cyber
Security Defense with the ICAS Cyber Security Ontology. In STIDS, pages 42–49,
2015.
[12] Daniel Popescu and Alexandru Citea. Malware OWL. https://pdan93.github.io/
MalwareOWL/scholarly.html, 2016.
[13] Marcus Pendleton, Richard Garcia-Lebron, Jin-Hee Cho, and Shouhuai Xu. A
Survey on Systems Security Metrics. ACM Computing Surveys (CSUR), 49(4):62,
2016.
[14] Chris Johnson, Lee Badger, David Waltermire, Julie Snyder, and Clem Skorupka.
Guide to Cyber Threat Information Sharing. NIST Special Publication, 800:150,
2016.
[15] David Chismon and Martyn Ruks. Threat Intelligence: Collecting, Analysing,
Evaluating, 2015.
[16] Clemens Sauerwein, Christian Sillaber, Andrea Mussmann, and Ruth Breu. Threat
Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and
Research Perspectives. 2017.
[17] Elchin Asgarli and Eric Burger. Semantic Ontologies for Cyber Threat Sharing
Standards. In Technologies for Homeland Security (HST), 2016 IEEE Symposium on,
pages 1–6. IEEE, 2016.
[18] D McMorrow. Science of Cyber-Security. Technical report, MITRE CORP
MCLEAN VA JASON PROGRAM OFFICE, 2010.
[19] AlienVault. Beginner’s Guide to Threat Intelligence, 2017.
[20] OASIS. Open Command and Control (OpenC2), 2017.