Biblio

Filters: Keyword is threat hunting
2019-02-13
Shu, Xiaokui, Araujo, Frederico, Schales, Douglas L., Stoecklin, Marc Ph., Jang, Jiyong, Huang, Heqing, Rao, Josyula R.  2018.  Threat Intelligence Computing. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :1883–1898.
Cyber threat hunting is the process of proactively and iteratively formulating and validating threat hypotheses based on security-relevant observations and domain knowledge. To facilitate threat hunting tasks, this paper introduces threat intelligence computing as a new methodology that models threat discovery as a graph computation problem. It enables efficient programming for solving threat discovery problems, equipping threat hunters with a suite of potent new tools for agile codifications of threat hypotheses, automated evidence mining, and interactive data inspection capabilities. A concrete realization of a threat intelligence computing platform is presented through the design and implementation of a domain-specific graph language with interactive visualization support and a distributed graph database. The platform was evaluated in a two-week DARPA competition for threat detection on a test bed comprising a wide variety of systems monitored in real time. During this period, sub-billion records were produced, streamed, and analyzed, dozens of threat hunting tasks were dynamically planned and programmed, and attack campaigns with diverse malicious intent were discovered. The platform exhibited strong detection and analytics capabilities coupled with high efficiency, resulting in a leadership position in the competition. Additional evaluations on comprehensive policy reasoning are outlined to demonstrate the versatility of the platform and the expressiveness of the language.
2019-02-08
Mavroeidis, Vasileios, Jøsang, Audun.  2018.  Data-Driven Threat Hunting Using Sysmon. Proceedings of the 2nd International Conference on Cryptography, Security and Privacy. :82–88.
Threat actors can be persistent, motivated and agile, and they leverage a diversified and extensive set of tactics, techniques, and procedures to attain their goals. In response to that, organizations establish threat intelligence programs to improve their defense capabilities and mitigate risk. Actionable threat intelligence is integrated into security information and event management systems (SIEM) forming a threat intelligence platform. A threat intelligence platform aggregates log data from multiple disparate sources by deploying numerous collection agents and provides centralized analysis and reporting of an organization's security events for identifying malicious activity. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed mainly focusing on search engines (NoSQL database systems). This paper presents a new automated threat assessment system that relies on the analysis of continuous incoming feeds of Sysmon logs. The system is based on a cyber threat intelligence ontology and analyses Sysmon logs to classify software in different threat levels and augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.