Data-Driven Threat Hunting Using Sysmon

Title: Data-Driven Threat Hunting Using Sysmon
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Mavroeidis, Vasileios; Jøsang, Audun
Conference Name: Proceedings of the 2nd International Conference on Cryptography, Security and Privacy
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-6361-7
Keywords: artificial intelligence security, composability, cyber threat intelligence, Human Behavior, Metrics, pubcrawl, Resiliency, sysmon, Threat Assessment, threat hunting
Abstract: Threat actors can be persistent, motivated and agile, and they leverage a diversified and extensive set of tactics, techniques, and procedures to attain their goals. In response, organizations establish threat intelligence programs to improve their defense capabilities and mitigate risk. Actionable threat intelligence is integrated into security information and event management (SIEM) systems, forming a threat intelligence platform. A threat intelligence platform aggregates log data from multiple disparate sources by deploying numerous collection agents and provides centralized analysis and reporting of an organization's security events for identifying malicious activity. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed, mainly focusing on search engines (NoSQL database systems). This paper presents a new automated threat assessment system that relies on the analysis of continuous incoming feeds of Sysmon logs. The system is based on a cyber threat intelligence ontology and analyses Sysmon logs to classify software into different threat levels and augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.
DOI: 10.1145/3199478.3199490
Citation Key: mavroeidis_data-driven_2018