

CYBER THREAT INTELLIGENCE: A SURVEY ON PROGRESSIVE TECHNIQUES AND CHALLENGES

NIMISHA GOEL (1), MANSI (2), NANDINI SETHI (3)
(1,2,3) Dept. of Information Technology, Indira Gandhi Delhi Technical University for Women (IGDTUW), Delhi, India
E-mail: (1) goelnimisha1@gmail.com, (2) mansiaggarwal987@gmail.com, (3) nandini053phd20@igdtuw.ac.in

Abstract - In today's digital era, organizations and even individuals face enormous cyber-based attacks by persistent threat actors who try to bypass the security of networks and devices and manipulate sensitive information. Cyber Threat Intelligence (CTI) enables cyber firms to gather knowledge about a cyber attack, its evidence, the threat actors and their Tactics, Techniques and Procedures (TTP), and Indicators of Compromise (IOC), in order to mitigate and further reduce the impact of those attacks. In the modern landscape of cyber threats, bridging the security gap is more than just securing data. Moreover, accessing cyber content safely is a fundamental human right. This paper briefs about the state of the art of CTI and the various challenges that must be addressed to maintain sufficient early warning and threat detection systems.

Keywords - Cyber attacks, Cyber Threat Intelligence (CTI), Indicators of Compromise (IOC), Tactics, Techniques and Procedures (TTP), Threat actors

I. INTRODUCTION

Cyber Threat Intelligence is information that an organization uses in order to understand all the threats it faces and minimize their impact. The CTI information is used to identify and prevent cyber threats from taking advantage of sensitive data. It can be understood as the skill/experience-based knowledge and information about physical and cyber threats, threat assessments and actors that helps in mitigating malicious incidents and potential attacks in cyberspace. The implementation of intelligence is commercially a very well-known discipline. There are many definitions of intelligence. Regardless of the exact role of an organization and how often it forms its opinions, it is very clear that these definitions identify the product of intelligence as an understanding that helps in the decision-making process. It provides analyzed and organized information about present, past and future potential attacks that may be a security threat to the enterprise and delivers in-depth information such as files, IP addresses, domain names and URLs that are often used in executing attacks. CTI enables us to make more informed and faster data-backed security decisions and changes an organization's behavior from reactive to proactive in the fight against threat actors.

Figure 1: Characteristics of actionable CTI

The important characteristics of actionable CTI are complete, accurate, prioritized, just in time, effective response and relevant, as shown in Figure 1.

CTI has mainly three levels: Strategic, Tactical and Operational Intelligence [17].

Figure 2: Levels of CTI

• Strategic Cyber Threat Intelligence
It emphasizes the "who" and "why", i.e., the motivations of the threat actors that affect the modern threat landscape. It is non-technical and reveals the intentions and reasons behind the attacks; specifically, it seeks to identify the person behind cyber operations/threats and their targets. Strategic CTI is usually produced as reports, white papers and briefings.

• Tactical Cyber Threat Intelligence
It helps in identifying the "how" of the attacks, which indicates the threat actor TTPs and helps in understanding the details of the attacks. This further helps to identify the severity of incidents and the measures to prepare for and prevent them. It uses machine-readable data, called IOCs, like URLs, domain names, file names, IP addresses, hashes etc. IOCs generally get outdated in just a few hours. But it is also important to keep observing the waning indicators, because ignoring them is not good practice: some of them remain active for months or even years and pose danger to an enterprise.
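The tactical-CTI discussion above makes two points that pull in opposite directions: most IOCs go stale within hours, yet some stay in use for months. The Python below is an added illustration, not code from the paper or from any of the tools it surveys, of an indicator store that records first and last sightings, expires indicators whose last sighting is older than a TTL, and still matches expired indicators against log lines while labelling each hit "active" or "stale" so that a waning indicator is surfaced for prioritisation rather than silently dropped. The feed entries, the log lines, the 12-hour TTL and the fixed clock are all constructed sample values.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the ageing arithmetic below is reproducible (constructed value).
NOW = datetime(2022, 6, 6, 12, 0, tzinfo=timezone.utc)


@dataclass
class Indicator:
    ioc_type: str        # "ipv4" or "domain" in this illustration
    value: str
    first_seen: datetime
    last_seen: datetime
    sightings: int = 1

    def is_active(self, now: datetime, ttl: timedelta) -> bool:
        """Active while the most recent sighting lies within the TTL window."""
        return now - self.last_seen <= ttl


class IocStore:
    """One record per (type, value); repeated sightings are merged, not duplicated."""

    def __init__(self, ttl: timedelta = timedelta(hours=12)):
        self.ttl = ttl
        self.records = {}

    def ingest(self, ioc_type: str, value: str, seen_at: datetime) -> Indicator:
        key = (ioc_type, value.lower())
        rec = self.records.get(key)
        if rec is None:
            rec = self.records[key] = Indicator(ioc_type, key[1], seen_at, seen_at)
        else:
            rec.first_seen = min(rec.first_seen, seen_at)
            rec.last_seen = max(rec.last_seen, seen_at)
            rec.sightings += 1
        return rec

    def partition(self, now: datetime):
        """Split records into (active, stale) relative to `now` and the TTL."""
        active = [r for r in self.records.values() if r.is_active(now, self.ttl)]
        stale = [r for r in self.records.values() if not r.is_active(now, self.ttl)]
        return active, stale


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The final label must be alphabetic, so dotted IPv4 addresses never match as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_logs(lines, store: IocStore, now: datetime):
    """Match every stored indicator, active or stale, against the log lines.

    Each hit is labelled "active" or "stale": a waning indicator that is still
    in use should reach an analyst rather than vanish because its TTL lapsed.
    Returns (line_no, status, value, age_in_days, sightings) tuples.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        found = [("ipv4", v) for v in IPV4_RE.findall(line)]
        found += [("domain", v.lower()) for v in DOMAIN_RE.findall(line)]
        for key in found:
            rec = store.records.get(key)
            if rec is None:
                continue
            status = "active" if rec.is_active(now, store.ttl) else "stale"
            hits.append((lineno, status, rec.value, (now - rec.first_seen).days, rec.sightings))
    return hits


def build_store() -> IocStore:
    """Load a constructed feed: (type, value, time the feed reported it)."""
    store = IocStore(ttl=timedelta(hours=12))
    feed = [
        ("ipv4", "203.0.113.7", NOW - timedelta(hours=2)),      # fresh
        ("ipv4", "198.51.100.23", NOW - timedelta(days=30)),    # long-lived, re-sighted repeatedly
        ("ipv4", "198.51.100.23", NOW - timedelta(days=10)),
        ("ipv4", "198.51.100.23", NOW - timedelta(hours=1)),
        ("domain", "evil.example", NOW - timedelta(days=3)),    # past the TTL but still in use below
        ("domain", "old-c2.example", NOW - timedelta(days=200)),
    ]
    for ioc_type, value, seen_at in feed:
        store.ingest(ioc_type, value, seen_at)
    return store


# Constructed log lines (RFC 5737 documentation addresses and .example names).
SAMPLE_LOG = [
    "2022-06-06T11:40:00Z proxy allow src=10.0.0.5 dst=203.0.113.7 host=cdn.example",
    "2022-06-06T11:42:10Z dns query src=10.0.0.9 qname=evil.example type=A",
    "2022-06-06T11:45:03Z fw deny src=198.51.100.23 dst=10.0.0.5 dport=445",
    "2022-06-06T11:50:00Z proxy allow src=10.0.0.5 dst=192.0.2.44 host=news.example",
]


def run_demo():
    store = build_store()
    active, stale = store.partition(NOW)
    hits = match_logs(SAMPLE_LOG, store, NOW)
    return active, stale, hits


if __name__ == "__main__":
    active, stale, hits = run_demo()
    print("active:", [r.value for r in active])
    print("stale :", [r.value for r in stale])
    for hit in hits:
        print("hit   :", hit)
```

With the constructed data, the 30-day-old address is still active because it keeps being re-sighted, while the 3-day-old domain has expired under the TTL yet still produces a (stale-labelled) hit on line 2 of the sample log; that labelled hit is the case the paragraph above warns about.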
Proceedings of IRAJ International Conference, Pune, India, 06th June, 2022

• Operational Cyber Threat Intelligence
It deals with the timing and nature of an attack. It uses private and public sources like social media, dark web sites, chats etc. to investigate the communication channels of cyber threat actors and anticipate incoming attacks.

II. PROGRESSIVE TECHNIQUES OF CYBER THREAT INTELLIGENCE

Today, there exist many CTI tools and platforms to combat various cyber threats like data breaches, DDoS attacks, malware attacks, phishing etc. Some of these tools are open-source whereas others are licensed to protect sensitive information against cyber attacks. According to the SANS CTI Survey 2021 [8], some of the major CTI tools are Cisco Umbrella, DeCYFIR, Echosec, Grey Noise etc. The CTI platforms can be software-as-a-service (SaaS) or on-premises solutions which help to analyze and investigate potential cyber crimes. While these are common CTI tools/platforms used worldwide, it is important to mention some of the considerable and worthy contributions of researchers in threat intelligence over the past few years, as summarized in Table 1.

Table 1 columns: Authors; Proposed model/framework for CTI; Explanation; Challenges/Future work.

Authors: F. Böhm, F. Menges, and G. Pernul [9]
Proposed model/framework for CTI: Graphical and visual analytics
Explanation: The authors proposed a visual analytics method to study, modify and visualize CTI information. The Knowledge Acquisition, Visualization and Assessment System (KAVAS) was used and combined with the CTI vault.
Challenges/Future work: In the interviews conducted by the authors, it was found that there were some drawbacks in the STIX standard.

Authors: H. Almohannadi et al. [11]
Proposed model/framework for CTI: Elasticsearch based CTI
Explanation: The authors used the ELK stack (Elasticsearch, Logstash and Kibana) to study the log data of honeypots and recognize the various patterns and actions of threat actors. As a result, various attack events were listed along with their frequency and occurrence.
Challenges/Future work: As future work, the authors aim to establish new honeypots to fetch threat data. The patterns identified would later be used to train various IPS/IDS systems.

Authors: R. Meier, C. Scherrer, D. Gugelmann, V. Lenders, and L. Vanbever [13]
Proposed model/framework for CTI: FeedRank, a ranking-based method for CTI feeds
Explanation: The authors proposed a method to prevent the tampering of CTI feeds with the use of FeedRank, which ranks the feeds according to the originality of their content. Further, it helps to determine spatial/temporal correlations. It takes feed snapshots as input, builds a graph for correlation, determines the contribution of each feed and finally uses an algorithm to rank them. The accuracy of this method was found to be 94.2% for the training part and 91.5% for the validation part.
Challenges/Future work: Further improvement is required in the existing method to enhance the accuracy and decision metrics.

Authors: N. Serketzis, V. Katos, C. Ilioudis, D. Baltatzis and G. Pangalos [10]
Proposed model/framework for CTI: Enhancing the Digital Forensic Readiness (DFR) model
Explanation: To minimize the cost and time of the IR procedure and investigation, the authors proposed an extension of the DFR model to make CTI actionable. The model has the capability to work in an environment simulated by malware and cyber threats. The accuracy in correctly identifying the causes of cyber incidents was evaluated as 90.73%.
Challenges/Future work: The major challenge is the trade-off between the cost of computation and performance with high false positives.

Authors: M. Landauer, F. Skopik, M. Wurzenberger, W. Hotwagner, and A. Rauber [12]
Proposed model/framework for CTI: CTI framework for raw log data extraction
Explanation: The authors implemented a framework to identify and parse the log events and extract data such as IP addresses. Later, the parsed data was used to detect anomalies and recognize the patterns of threat actors, and the results were finally evaluated. The framework was able to detect 1600 anomalies and 6 different patterns.
Challenges/Future work: The future work is to enhance the working of the pattern identification algorithms and evaluate the framework in a more complicated environment of cyber threats.

Authors: J. Cha, S. K. Singh, Y. Pan, and J. H. Park [3]
Proposed model/framework for CTI: Blockchain based CTI preventive model
Explanation: Its main features are to prevent the passing of wrong information by verifying it, manage a large volume of information and maintain the integrity of data using blockchain. The proposed architecture consists of a device layer to generate data, a feed layer to collect and share data and a cloud layer to securely pass the information to the authorized user using hash collision.
Challenges/Future work: The major challenge in this proposed approach is that if the cloud server at the cloud layer is cyber-attacked, it may not possess reliable data, since the hash value of the original data would be present.

Authors: J. Zhao, Q. Yan, J. Li, M. Shao, Z. He, and B. Li [4]
Proposed model/framework for CTI: An automated framework, TIMiner
Explanation: It helps to overcome the challenges of identifying unknown IOCs and automatically generating CTI with its domain tags to improve CTI sharing. The domain recognizer is based on a convolutional neural network (CNN). The authors were able to achieve an accuracy of 84% for the domain recognizer and 94% for IOC extraction.
Challenges/Future work: The future work is to improve the accuracy of the model.

Authors: D. Preuveneers and W. Joosen [6]
Proposed model/framework for CTI: An ML-based model with CTI sharing and platforms for incident response
Explanation: Its function is to detect threats and minimize false positives/negatives. Further, the model has been encrypted using Ciphertext Policy Attribute-Based Encryption (CP-ABE) for valid users. This simplifies the sharing of ML models and relics across the Malware Information Sharing Platform (MISP), an open-source platform for implementing threat intelligence.
Challenges/Future work: For future work, the authors will investigate the extent up to which threats can be annotated impulsively.

Authors: M. F. Haque and R. Krishnan [7]
Proposed model/framework for CTI: An automated cloud-based cyber defense system
Explanation: The authors first proposed an automated method for threat detection and CTI sharing, followed by the implementation of an automated cloud-based cyber defense system. It can be integrated with data standards such as Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) to mitigate cyber threats. To address the security issues during CTI sharing, the authors integrated Relationship-based Access Control (ReBAC) and other secure protocols.
Challenges/Future work: For future work, the authors will implement a CTI knowledge graph and OpenStack services for cloud-based threat detection and STIX generation.

Authors: M. Al-Fawa'reh, M. Al-Fayoumi, S. Nashwan, and S. Fraihat [14]
Proposed model/framework for CTI: PCA-DNN based detection approach
Explanation: An improved Intrusion Detection System (IDS) approach was proposed with the use of two processes: a Deep Neural Network (DNN) model which can detect threats, and a Principal Component Analysis (PCA) method to enhance performance and security. The authors were able to achieve 98% accuracy, the highest in the current scenario.
Challenges/Future work: There is a possibility of using hybrid models to detect abnormal activities, trained on benign flows with minimum false positives.

Authors: Y. Gao, X. Li, H. Peng, B. Fang, and P. S. Yu [5]
Proposed model/framework for CTI: Heterogeneous Information Network (HIN)
Explanation: Firstly, a meta-schema of CTI was designed; then, to integrate various infrastructure nodes, a heterogeneous information network (HIN) was developed; and finally a graph convolutional network (GCN) based method was used to identify the types of attacks.
Challenges/Future work: It is important to extract fine-grained organized data to further improve the identification of threats.

Authors: M. Odemis, C. Yucel, and A. Koltuksuz [15]
Proposed model/framework for CTI: A honey spy system
Explanation: The authors implemented a honey spy system to identify the correlations of an unknown hacker's methods with his/her psychology and expertise. The system consists of some tests, such as a test for cyber expertise, Capture the Flag (CTF) events to get the logs, and a Big-5 test for personality. Predictions were made using various ML algorithms and accuracy was improved by 11% with the use of an ensemble (Bagged Tree), Support Vector Machine (SVM) and Naive Bayes.
Challenges/Future work: The limitation of the approach is that there can be random answers to the questionnaire in the tests conducted, which can hamper the results.

Authors: J. Liu et al. [16]
Proposed model/framework for CTI: Trigger-enhanced discovery system for actionable CTI
Explanation: A trigger-enhanced discovery system was proposed by the authors to identify the relationship between IOCs and the phases of a campaign, i.e., campaign-trigger phrases, for actionable CTI. The authors used Natural Language Processing (NLP) techniques to train a classification model. TriCTI was used on 29,000 reports related to cyber security with an accuracy greater than 86.99%.
Challenges/Future work: The current model has some misclassified samples because of the complex phrases which describe the cyber attacks, and some IOCs are not correctly related with campaign phases.

Table 1: Survey on the recent contributions in CTI
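The FeedRank row of Table 1 ranks feeds by the originality of their content and derives temporal correlations from feed snapshots. The Python below is an added, simplified illustration of that idea and is not the authors' FeedRank algorithm or code: from constructed snapshots recording when each feed first listed each indicator, it finds the first publisher of every indicator, builds a copy graph (which feed republished whose data, and how often), and ranks the feeds by the share of indicators they published first, using mean lag behind the first publisher as a tie-breaker. The feed names, indicator values and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2022, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed feed snapshots: feed name -> {indicator value: time this feed first listed it}.
# feed-A tends to publish first, feed-B is partly original, feed-C republishes everything late.
SNAPSHOTS = {
    "feed-A": {
        "203.0.113.7": T0,
        "evil.example": T0 + timedelta(hours=1),
        "198.51.100.23": T0 + timedelta(hours=5),
    },
    "feed-B": {
        "203.0.113.7": T0 + timedelta(hours=6),
        "evil.example": T0 + timedelta(hours=8),
        "198.51.100.23": T0 + timedelta(hours=2),
        "old-c2.example": T0 + timedelta(days=1),
    },
    "feed-C": {
        "203.0.113.7": T0 + timedelta(days=2),
        "evil.example": T0 + timedelta(days=2),
        "198.51.100.23": T0 + timedelta(days=2),
        "old-c2.example": T0 + timedelta(days=3),
    },
}


def first_publishers(snapshots):
    """indicator -> (feed, time) of the earliest listing across all feeds."""
    first = {}
    for feed, entries in snapshots.items():
        for ioc, seen_at in entries.items():
            if ioc not in first or seen_at < first[ioc][1]:
                first[ioc] = (feed, seen_at)
    return first


def copy_graph(snapshots):
    """Directed edges (later_feed, origin_feed) -> number of indicators republished.

    A feed with many outgoing edges and few incoming ones mostly copies; a feed
    that is the origin for most of its indicators is where new data enters.
    """
    first = first_publishers(snapshots)
    edges = defaultdict(int)
    for feed, entries in snapshots.items():
        for ioc in entries:
            origin = first[ioc][0]
            if origin != feed:
                edges[(feed, origin)] += 1
    return dict(edges)


def rank_feeds(snapshots):
    """Rank feeds by originality (share of their indicators they published first),
    breaking ties by mean lag in hours behind the first publisher (lower is better)."""
    first = first_publishers(snapshots)
    scores = {}
    for feed, entries in snapshots.items():
        originals = sum(1 for ioc in entries if first[ioc][0] == feed)
        lags = [
            (seen_at - first[ioc][1]).total_seconds() / 3600
            for ioc, seen_at in entries.items()
            if first[ioc][0] != feed
        ]
        scores[feed] = {
            "indicators": len(entries),
            "original": originals,
            "originality": originals / len(entries) if entries else 0.0,
            "mean_lag_hours": sum(lags) / len(lags) if lags else 0.0,
        }
    return sorted(scores.items(), key=lambda kv: (-kv[1]["originality"], kv[1]["mean_lag_hours"]))


if __name__ == "__main__":
    for feed, score in rank_feeds(SNAPSHOTS):
        print(feed, score)
    print(copy_graph(SNAPSHOTS))
```

A feed that republishes everything hours or days late (feed-C here) ends up with zero originality and only outgoing edges in the copy graph, which is the signature a consumer would use to weight its contributions lower; the paper's FeedRank adds spatial correlation and a dedicated ranking algorithm on top of a correlation graph, which this illustration does not reproduce.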

III. CHALLENGES OF CYBER THREAT INTELLIGENCE

Today, there are many useful methods for cyber threat intelligence, as mentioned above, but there are certain challenges that should be addressed to effectively mitigate cyber threats. Some of the major challenges are:

• Executing threat intelligence in businesses just for the sake of following security trends often misleads the team members on resources and budgets. An effective CTI program includes prioritizing threats and measuring the response time before and after threat intelligence, the alerts generated, and the threat intelligence feeds and their efficacy.

• Due to a lack of knowledge of the various data standards related to CTI (e.g., STIX, TAXII), the response can be delayed during a Cyber Defense Exercise (CDX).

• Usage of wrong sources to collect data feeds can hinder the CTI process. It is important to collect information from sources which are reliable and provide maximum coverage without gaps.

• Lack of familiarity with threat intelligence sharing platforms like the Malware Information Sharing Platform (MISP) leads to insufficient data during cyber attacks. CTI experts must be provided with specialized training in MISP to effectively store IOCs, share and visualize the CTI data and monitor the attacks.

• Absence of human expertise to understand and interpret the threat data can result in an ineffective CTI process. It is necessary that the threat intelligence experts identify vulnerabilities in a timely manner, proactively look for evidence, identify the TTPs associated with threat actors, prioritize the security measures and implement the incident response efficiently.

• While sharing CTI information, organizations often face privacy issues. Establishing trust among organizations and sharing threat intelligence information on platforms is necessary to mitigate cyber attacks in a timely manner.

Considering the above challenges of CTI, organizations must address them for a well-planned threat intelligence procedure and to mitigate cyber threats quickly and efficiently.
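The challenges above name unfamiliarity with the STIX and TAXII standards as a cause of delayed response, and the Haque and Krishnan row of Table 1 mentions integrating a defense system with those same standards. The Python below is an added illustration, not code from the paper or from any STIX library, that builds a STIX 2.1 Bundle of Indicator objects with single-comparison patterns, runs a small set of structural checks on them, and pulls the IOC values back out of the patterns, which is what a consumer does before loading a received bundle into a platform such as MISP. The indicator values are constructed; the property names, id format and pattern syntax follow STIX 2.1, and the validator covers only the checks shown, not the full specification.

```python
import json
import re
import uuid
from datetime import datetime, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"   # STIX 2.1 timestamps: UTC, millisecond precision, 'Z' suffix

# STIX comparison-expression templates for the IOC kinds this illustration supports.
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
SIMPLE_PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+) = '([^']*)'\]$")
REQUIRED = {"type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from"}


def make_indicator(ioc_type, value, valid_from, name=None, confidence=None):
    """Build one STIX 2.1 Indicator object for a single IOC value."""
    if ioc_type not in PATTERN_TEMPLATES:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    if "'" in value:
        raise ValueError("a single quote in the value would break the pattern literal")
    ts = valid_from.astimezone(timezone.utc).strftime(STIX_TS)
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name or f"{ioc_type}:{value}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[ioc_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if confidence is not None:
        indicator["confidence"] = int(confidence)   # STIX confidence is an integer 0..100
    return indicator


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object passed these checks."""
    problems = []
    missing = REQUIRED - set(obj)
    if missing:
        problems.append(f"missing properties: {sorted(missing)}")
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    ident = obj.get("id", "")
    if not ident.startswith("indicator--") or not ID_RE.match(ident):
        problems.append("id must be 'indicator--<uuid>'")
    if obj.get("pattern_type") != "stix":
        problems.append("only pattern_type 'stix' is handled here")
    elif not SIMPLE_PATTERN_RE.match(obj.get("pattern", "")):
        problems.append("pattern is not a single-comparison STIX expression")
    return problems


def extract_iocs(bundle):
    """(object_path, value) for every valid single-comparison Indicator in the bundle."""
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or validate_indicator(obj):
            continue
        m = SIMPLE_PATTERN_RE.match(obj["pattern"])
        out.append((f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return out


def build_sample_bundle():
    """Three constructed indicators wrapped in a bundle."""
    valid_from = datetime(2022, 6, 6, 12, 0, tzinfo=timezone.utc)
    return make_bundle([
        make_indicator("ipv4", "203.0.113.7", valid_from, confidence=80),
        make_indicator("domain", "evil.example", valid_from),
        make_indicator("sha256", "a" * 64, valid_from, name="constructed sample hash"),
    ])


def roundtrip(bundle):
    """Serialize to JSON and parse back, as a bundle would travel over TAXII."""
    return json.loads(json.dumps(bundle))


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))
    print(extract_iocs(roundtrip(bundle)))
```

Rejecting malformed objects at ingestion (wrong `spec_version`, non-UUID ids, pattern types the consumer cannot evaluate) is what keeps a shared feed from silently degrading the receiving platform's data; the checks here are deliberately narrow and a production consumer would validate against the full STIX 2.1 schema.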
IV. CONCLUSION AND FUTURE WORK

Cyber Threat Intelligence provides information that is important for an organization to make informed and effective decisions. Also, true CTI is actionable. It serves the role of regular security monitoring and is a valuable tool in incident response to protect against zero-day attacks. This paper briefly explains CTI, its importance, its levels and, most importantly, its state of the art. Further, several challenges of CTI have been identified which are usually faced by organizations today.

It is necessary that organizations address these challenges in the future by conducting various CTI trainings and by proactively identifying unknown threats through the adoption of cutting-edge technologies such as blockchain, cloud computing and machine learning/deep learning to completely automate the process, prioritizing and mitigating cyber attacks in a timely manner.

REFERENCES

[1] D. Wagner, K. Mahbub, E. Palomar, and A. E. Abdallah, "Cyber threat intelligence sharing: Survey and research directions," Computers & Security, vol. 87, p. 101589, 2019.
[2] W. Tounsi and H. Rais, "A survey on technical threat intelligence in the age of sophisticated cyber attacks," Computers & Security, vol. 72, pp. 212–233, 2018.
[3] J. Cha, S. K. Singh, Y. Pan, and J. H. Park, "Blockchain-based Cyber Threat Intelligence System Architecture for Sustainable Computing," Sustainability, vol. 12, no. 16, p. 6401, 2020.
[4] J. Zhao, Q. Yan, J. Li, M. Shao, Z. He, and B. Li, "TIMiner: Automatically extracting and analyzing categorized cyber threat intelligence from Social Data," Computers & Security, vol. 95, p. 101867, 2020.
[5] Y. Gao, X. Li, H. Peng, B. Fang, and P. S. Yu, "HinCTI: A cyber threat intelligence modeling and identification system based on Heterogeneous Information Network," IEEE Transactions on Knowledge and Data Engineering, vol. 34, no. 2, pp. 708–722, 2022.
[6] D. Preuveneers and W. Joosen, "Sharing machine learning models as indicators of compromise for Cyber Threat Intelligence," Journal of Cybersecurity and Privacy, vol. 1, no. 1, pp. 140–163, 2021.
[7] M. F. Haque and R. Krishnan, "Toward automated cyber defense with secure sharing of Structured Cyber Threat Intelligence," Information Systems Frontiers, vol. 23, no. 4, pp. 883–896, 2021.
[8] "Jennifer e Santiago Jennifer e Santiago," SANS Institute, 02-Mar-2022. [Online]. Available: https://www.sans.org/white-papers/40080/.
[9] F. Böhm, F. Menges, and G. Pernul, "Graph-based visual analytics for Cyber Threat Intelligence," Cybersecurity, vol. 1, no. 1, 2018.
[10] N. Serketzis, V. Katos, C. Ilioudis, D. Baltatzis, and G. Pangalos, "Improving forensic triage efficiency through Cyber Threat Intelligence," Future Internet, vol. 11, no. 7, p. 162, 2019.
[11] H. Almohannadi, I. Awan, J. Al Hamar, A. Cullen, J. P. Disso, and L. Armitage, "Cyber threat intelligence from honeypot data using Elasticsearch," 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA), 2018.
[12] M. Landauer, F. Skopik, M. Wurzenberger, W. Hotwagner, and A. Rauber, "A framework for cyber threat intelligence extraction from Raw Log Data," 2019 IEEE International Conference on Big Data (Big Data), 2019.
[13] R. Meier, C. Scherrer, D. Gugelmann, V. Lenders, and L. Vanbever, "FeedRank: A tamper-resistant method for the ranking of Cyber Threat Intelligence feeds," 2018 10th International Conference on Cyber Conflict (CyCon), 2018.
[14] M. Al-Fawa'reh, M. Al-Fayoumi, S. Nashwan, and S. Fraihat, "Cyber threat intelligence using PCA-DNN model to detect abnormal network behavior," Egyptian Informatics Journal, 2021.
[15] M. Odemis, C. Yucel, and A. Koltuksuz, "Detecting user behavior in cyber threat intelligence: Development of honeypsy system," Security and Communication Networks, vol. 2022, pp. 1–28, 2022.
[16] J. Liu, J. Yan, J. Jiang, Y. He, X. Wang, Z. Jiang, P. Yang, and N. Li, "TriCTI: An actionable cyber threat intelligence discovery system via trigger-enhanced neural network," Cybersecurity, vol. 5, no. 1, 2022.
[17] "What is threat intelligence?," Recorded Future, 11-Sep-2020. [Online]. Available: https://www.recordedfuture.com/threat-intelligence/


