Professional Documents
Culture Documents
The rest of the paper is organized as follows. Section 2 explains features being lost in the translation. In addition, JASON [18] rec-
the importance of cyber threat intelligence and cyber threat infor- ommended the construction of a common language and a set of
mation sharing in security operations and discusses how a knowl- basic concepts about which the security community can develop a
edge base would enable their combination to build a strong security shared understanding.
posture. Section 3 presents our developed cyber threat intelligence Threat intelligence initiatives include security products by ven-
ontology and explains its applications in incident response and dors that deliver threat intelligence tied tightly with their products
other security operations. Section 4 presents a threat assessment which is not easily accessible outside of their products and pure-
system that utilizes cyber threat intelligence for analyzing Sysmon play threat intelligence vendors that charge a subscription to access
logs. Section 5 discusses some observations regarding the threat their information [19]. The latter can be a viable option but still the
assessment system. Section 6 concludes the paper. information needs to be analyzed. In addition, several open source
approaches exist with variable success.
2 THREAT INTELLIGENCE AND THREAT In a previous work [1] we argued that an ontology representing
INFORMATION SHARING the "full spectrum" of cyber threat intelligence would allow organi-
zations of any size to improve their threat detection, prioritization,
Threat intelligence can be described as the aggregation, transforma-
and response capabilities. Based on that we developed the cyber
tion, analysis, interpretation, and enrichment of threat information
threat intelligence ontology (CTIO).
to provide the necessary context that can aid decision making [14].
Ontology is a form of knowledge representation (knowledge
Threat information is any information that can help an organization
base) based on well-defined semantic concepts and their relation-
to protect itself against a threat or detect the activities of a threat
ship. The agreed vocabulary of an ontology allows information
actor. Ryan Stillions 2 has remarked that security teams of low
coming from different sources to be aggregated in a unique knowl-
detection maturity and low skills would be able to detect attacks
edge base that can leverage reasoning capabilities using formal
in terms of low-level technical observations, without necessarily
logic to infer new information.
understanding the significance of these observations. On the other
hand, security teams of high detection maturity and high skills
are assumed to be able to interpret technical observations in the
sense that the type of attack, the attack methods used, and possi-
3 CYBER THREAT INTELLIGENCE
bly the identity of the attacker can be determined. Absorbing rich ONTOLOGY
threat intelligence shared by teams of high capability would en- Part of our work was the development of a cyber threat intelligence
able improvements in threat detection, prioritization, and response ontology (CTIO) rich enough for consuming and representing infor-
capabilities of teams of lower capability. mation from several different sources, such as taxonomies, sharing
Threat information sharing allows one organization’s detection standards, and domain expertise within cyber threat intelligence
to become another’s prevention by leveraging collective knowledge, with the purpose of supporting decision making. Our ontology
experience, and capabilities to gain a complete understanding of the represents knowledge (information) from low-level technical ob-
threats an organization might face. Benefits of threat information servables to high-level goals and threat actors. Concisely, CTIO
sharing include greater insight into cyber threats and enhanced includes facts about threat actors, their motivation, their goals and
detective and preventive capabilities of an entire community with their strategies, specific attack patterns and procedures (tactics,
security teams of any maturity and skills. An organization can use techniques and procedures-TTPs), malware, general tools and in-
shared information in many different ways such us strategically, frastructures used in adversarial attacks, indicators of compromise,
operationally, tactically, and technically [15]. atomic indicators, targets, software weaknesses and vulnerabilities
(identified weaknesses in specific software), and courses of action.
2.1 Knowledge Base of Threat Intelligence For developing the ontology we used the web ontology language
A knowledge base is a repository of complex structured and un- (OWL) and we followed an agile engineering approach. We created
structured information that represents facts about the world. A and interconnected several modular sub-ontologies based on tax-
knowledge base can evolve over time and can suitably support onomies, such as Common Vulnerabilities and Exposures (CVE),
inference capabilities that can reason about those facts and use National Vulnerability Database (NVD), Common Vulnerability
rules and other forms of logic to deduce new facts or highlight Scoring System (CVSS 2.0), Common Platform Enumeration (CPE),
inconsistencies. Present threat information sharing is facilitated Common Weakness Enumeration (CWE), Common Attack Patterns
by several sharing standards which are based on XML or JSON Enumerations and Characteristics (CAPEC), Threat Agent Library
(machine-readable) formats and can be seen as means of feeding (TAL), Threat Agent Motivation (TAM), Adversarial Tactics, Tech-
threat intelligence platforms. An example is structured threat in- niques and Common Knowledge (ATT&CK); sharing standards,
formation eXpression (STIX) language which based on a study such as STIX 2.1 and OpenIOC; and domain expertise that allowed
of existing threat intelligence sharing initiatives is currently the us to create a malware ontology and an extension of CPE that we
most used standard for sharing structured threat information [16]. named ExtendedCPE. A high-level diagram showing the interre-
Asgarli and Burger [17] remark that semantic exchange formats lationships between the aforementioned concepts is presented in
could be used instead of XML-based sharing formats without any Figure 1. For additional information regarding the purpose of the
aforementioned taxonomies, sharing standards and their relation
2 http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html to the CTI model please refer to [1].
Data-Driven Threat Hunting Using Sysmon ICCSP 2018, March 16–19, 2018, Guiyang, China
The malware and the ExtendedCPE ontologies are the two ma- Sysmon logs, such as hashes and names of dynamic-link libraries
jor ontologies queried in the threat assessment system (described that were dynamically loaded during the execution of malware.
in the next section) and they are intended to represent accurate Because of the modularity of CTIO additional sub-ontologies
knowledge of malicious and non-malicious software respectively. can be introduced and embedded in the main ontology with low en-
All the aforementioned ontologies are interconnected to express gineering complexity. Information and documentation about CTIO,
complete knowledge. In addition, conditions (constraints) were as well as the ontologies themselves, can be found on GitHub3 .
defined and OWL constructs are used to enable automated classifi-
cation, consistency checking, and inference of new information by 4 SOFTWARE THREAT ASSESSMENT SYSTEM
using a reasoner. For example, indexing a software as ExtendedCPE The second contribution of our paper is a threat assessment system
demands all the classification criteria of CPE to be met and addi- (Figure 2) that utilizes CTIO for analyzing Windows Sysmon logs
tionally, a hash to be included followed by a verification confirming and classifying software (in real time) as of high threat, medium
that the software indexed is non-malicious. It is worth mention- threat, low threat, or unknown based on its identified characteristics
ing that ExtendedCPE aims to classify non-malicious software but (Table 1). Thus, an organization can identify malicious activity,
includes software with known or unknown vulnerabilities and le- understand how intruders and malware operate on their network
gitimate software that have been used by threat actors to perform and defend against the threat.
attacks (browsers, vulnerability scanners, network scanners, etc.); The system handles available threat intelligence multi-purposely.
hence ExtendedCPE supports different levels of trust for legitimate Not only can identify malware and adversarial indicators on work-
software. stations but enables advanced cyber defensive capabilities through
The malware ontology was initially developed based on STIX situational awareness, prediction, and descriptive or automated
2.1 as a reference to basic objects needed and later was enriched courses of action.
with several new properties that would allow it to be used multi-
purposely, in our case in an automated threat assessment system. Situational awareness: is achieved through the evidence-based
For example, we included properties that would increase the pos- knowledge accumulated into our ontology. A simple observable
sibilities of detecting malware based on information available in such as an IP, a domain name, a hash, or even a modified registry
3 https://github.com/Vasileios-Mavroeidis/CTIO
ICCSP 2018, March 16–19, 2018, Guiyang, China Vasileios Mavroeidis and Audun Jøsang
(third query). In Figure 6 a high-level graph of the identified Wan- exploration and consequently, the ability to convey key insights
naCry ransomware is presented. In case of complete lack of infor- more effectively.
mation related to a process, the decision making engine will classify The system detects malicious activity based on information avail-
the process as unknown and further analysis can be performed, able in the knowledge base. Even though it is possible to identify
such as automated malware analysis. "new malware", this would require an attribute of the software
under analysis to be already in the knowledge base. In response
5 DISCUSSION to that behavioral rules could be constructed like in the work of
In the previous sections, we presented the cyber threat intelligence [9, 10], but attacks are getting increasingly sophisticated making
ontology (CTIO) and a new system that uses CTIO for analyzing this method ineffective. Future work will focus on mitigating this
Sysmon logs in real time for threat hunting and process classifi- blind spot by using machine learning for Sysmon threat hunting.
cation. In this section, we discuss some limitations, concerns, and
future work regarding our approach. 6 CONCLUSION
Our threat assessment system, the ontology, and a couple Win- The threats associated with cyber security are dynamic. The nature,
dows workstations were deployed in a controlled environment us- the agenda, and the attacks of adversaries are continuously chang-
ing several virtual machines. It is known that reasoners are resource ing and evolving partly in response to defensive actions. This paper
intensive and SPARQL queries can take a considerable amount of presented a new automated system for threat hunting that anal-
time to produce results which could be problematic when hundreds yses Sysmon logs to classify system processes in different threat
or thousands of machines generate Sysmon logs continuously. In levels based on their identified characteristics. The system utilizes
response to that, we included a lookup engine that reduces the load continuously updated threat intelligence through an ontology and
of SPARQL queries. In addition, to reduce the amount of Sysmon performs automated courses of action in response to indicators of
logs generated and consequently the performance impact in the compromise. To the extent of our knowledge, this paper is the first
system it is recommended to use matching rules (filtering) in Sys- one that presents an ontological approach for automated end-point
mon configuration file to exclude or include events. Modifications threat hunting using Sysmon in an automated manner.
of the configuration file would require some domain expertise as
it would be easy to lose indicators of malicious activity because of
the blindness created. ACKNOWLEDGMENTS
Another important consideration is the visualization of RDF This research was supported by the research project Oslo Analytics
graphs. Our system currently outputs only RDF graphs in triples. funded by the Research Council of Norway. IKTPLUSS project
Graph visualization methods would provide better and easier graph number: 247648.
Data-Driven Threat Hunting Using Sysmon ICCSP 2018, March 16–19, 2018, Guiyang, China
REFERENCES
[1] Vasileios Mavroeidis and Siri Bromander. Cyber Threat Intelligence Model: An
Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber
Threat Intelligence. In Proceedings of the European Intelligence and Security
Informatics Conference. IEEE, 2017.
[2] Michael Iannacone, Shawn Bohn, Grant Nakamura, John Gerth, Kelly Huffer,
Robert Bridges, Erik Ferragut, and John Goodall. Developing an Ontology for
Cyber Security Knowledge Graphs. In Proceedings of the 10th Annual Cyber and
Information Security Research Conference, page 12. ACM, 2015.
[3] Zareen Syed, Ankur Padia, M Lisa Mathews, Tim Finin, and Anupam Joshi. UCO:
A Unified Cybersecurity Ontology. In Proceedings of the AAAI Workshop on
Artificial Intelligence for Cyber Security. AAAI Press, 2016.
[4] Sean Barnum. Unified Cyber Ontology (UCO). https://github.com/ucoProject/uco,
2016.
[5] Ju An Wang and Minzhe Guo. OVM: An Ontology for Vulnerability Management.
In Proceedings of the 5th Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information Intelligence Challenges and
Strategies, page 34. ACM, 2009.
[6] Ontology-Based Security Assessment for Software Products, author=Wang, Ju
An and Guo, Minzhe and Wang, Hao and Xia, Min and Zhou, Linfeng, bookti-
tle=Proceedings of the 5th Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information Intelligence Challenges
and Strategies, pages=15, year=2009, organization=ACM.
[7] Leo Obrst, Penny Chase, and Richard Markeloff. Developing an Ontology of the
Cyber Security Domain. In STIDS, pages 49–56, 2012.
[8] Alessandro Oltramari, Lorrie Faith Cranor, Robert J Walls, and Patrick Drew
McDaniel. Building an Ontology of Cyber Security. In STIDS, pages 54–61.
Citeseer, 2014.
[9] André Grégio, Rodrigo Bonacin, Olga Nabuco, Vitor Monte Afonso, Paulo Lício
De Geus, and Mario Jino. Ontology for Malware Behavior: A Core Model Proposal.
In WETICE Conference (WETICE), 2014 IEEE 23rd International, pages 453–458.
IEEE, 2014.
[10] André Grégio, Rodrigo Bonacin, Antonio Carlos de Marchi, Olga Fernanda
Nabuco, and Paulo Lício de Geus. An Ontology of Suspicious Software Behavior.
Applied Ontology, 11(1):29–49, 2016.
[11] Malek Ben Salem and Chris Wacek. Enabling New Technologies for Cyber
Security Defense with the ICAS Cyber Security Ontology. In STIDS, pages 42–49,
2015.
[12] Daniel Popescu and Alexandru Citea. Malware OWL. https://pdan93.github.io/
MalwareOWL/scholarly.html, 2016.
[13] Marcus Pendleton, Richard Garcia-Lebron, Jin-Hee Cho, and Shouhuai Xu. A
Survey on Systems Security Metrics. ACM Computing Surveys (CSUR), 49(4):62,
2016.
[14] Chris Johnson, Lee Badger, David Waltermire, Julie Snyder, and Clem Skorupka.
Guide to Cyber Threat Information Sharing. NIST Special Publication, 800:150,
2016.
[15] David Chismon and Martyn Ruks. Threat Intelligence: Collecting, Analysing,
Evaluating, 2015.
[16] Clemens Sauerwein, Christian Sillaber, Andrea Mussmann, and Ruth Breu. Threat
Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and
Research Perspectives. 2017.
[17] Elchin Asgarli and Eric Burger. Semantic Ontologies for Cyber Threat Sharing
Standards. In Technologies for Homeland Security (HST), 2016 IEEE Symposium on,
pages 1–6. IEEE, 2016.
[18] D McMorrow. Science of Cyber-Security. Technical report, MITRE CORP
MCLEAN VA JASON PROGRAM OFFICE, 2010.
[19] AlienVault. Beginner’s Guide to Threat Intelligence, 2017.
[20] OASIS. Open Command and Control (OpenC2), 2017.