Bohemia Ballroom, 07 Dec 2017, 09:00 - 09:30

The speakers will begin the session by presenting a challenge facing machine-to-machine Cyber Threat Intelligence (CTI) sharing: the semantics-rich, machine-understandable CTI available today is very limited. They will then point out that there is a decent amount of semantics-rich "human"-understandable CTI. Lastly they'll lay out three strategies for leveraging semantics-rich human-understandable CTI to semantically enrich CTI shared machine-to-machine (M2M), with a demonstration of one strategy: integration of human-to-human (H2H) and M2M CTI sharing.



Additional information on the presentation:


[Challenge - Limited Semantics-Rich Machine-Understandable CTI]

Currently most of the CTI shared M2M through CTI protocols like STIX/TAXII consists of indicators and observables only. Even though STIX defines many elements for communicating semantics-rich "intelligence" on cyber attacks beyond simple facts or data such as indicators and observables, those elements are seldom used. Do not misunderstand: indicators and observables are very important and critical for cyber defense. However, their utility is limited without their surrounding context and intelligence. We cannot effectively prioritize them, nor apply data analytics and/or machine learning to them, when their context and intelligence are not available. Eventually, we fear, the sheer volume of indicators and observables will swamp incident responders, cybersecurity staff and systems, and their edge and merits for cyber defense will lessen significantly, if not be lost entirely.

[Semantics-Rich Human-Understandable CTI Is Available]

There is, however, a decent amount of semantics-rich "human"-understandable CTI that is more readily available. First, one such CTI source is, of course, H2H communication. Telephone calls, emails, meetings, conferences, etc. provide channels for human-to-human communication of CTI. UK CiSP (Cyber Security Information Sharing Partnership), which provides an SNS-like forum for those involved in cybersecurity, is another example of such a channel.

Secondly, commercial CTI providers often make available additional semantics (context and intelligence) on their Web site for humans to consume. In many cases, they provide machine-understandable CTI, too, but only indicators and observables, through STIX/TAXII.

Thirdly, there are reports from security vendors. They put a lot of resources into producing those reports as the quality of their reports is a reflection of their cyber capability and commitment to cybersecurity.

[Strategies]

Naturally, our solutions for semantically enriching CTI shared machine-to-machine are built around leveraging semantics-rich human-understandable CTI.

The first strategy is to integrate H2H CTI sharing with M2M CTI sharing. By doing so, we can capture human-understandable CTI in as structured and automated a way as possible, and then let it flow into M2M sharing so that machines can consume and understand it. It is not just the flow from H2H CTI sharing to M2M CTI sharing that is important, but the other direction as well. By making CTI shared M2M available to humans in an easy-to-understand manner, humans can add further semantics to such CTI through actions like evaluations and comments. We will demonstrate how such "H2H and M2M CTI sharing integration" is possible through an SNS system for cyber defenders.
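As an added illustration of this two-way flow (example code written for this page, not the presenters' SNS system), the Python below builds STIX 2.1-shaped objects with the standard library only, no stix2 package. It shows an indicator shared bare next to one shared with its context (malware, threat actor, relationships), captures an analyst's evaluation and comment from the H2H side as STIX Opinion and Note objects referencing the shared indicator, and then ranks the indicators by how much machine-readable context they carry. The opinion weights, the object names and the author string are assumptions made for the example; the Opinion and Note object types and the opinion enumeration values are those defined in STIX 2.1.

```python
"""Added example, not code from the talk: STIX 2.1-shaped objects built with
the Python standard library only (no stix2 package), showing (a) an indicator
shared bare versus one shared with its context and (b) analyst feedback from
the H2H side captured as STIX Opinion and Note objects so it can flow M2M."""
import json
import uuid
from datetime import datetime, timezone


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now():
    # STIX timestamps are UTC with millisecond precision and a trailing Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def sdo(obj_type, **props):
    """Minimal STIX 2.1 object with the common properties plus the given ones."""
    ts = stix_now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def relationship(src, rel_type, dst):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])


# STIX 2.1 opinion-enum values; the numeric weights are our own assumption
OPINION_WEIGHT = {"strongly-disagree": -2, "disagree": -1, "neutral": 0,
                  "agree": 1, "strongly-agree": 2}


def analyst_feedback(target, opinion, comment, author):
    """Turn a human evaluation plus free-text comment (e.g. a forum reply) into
    an Opinion and a Note object that reference the shared STIX object."""
    if opinion not in OPINION_WEIGHT:
        raise ValueError(f"not a STIX opinion value: {opinion}")
    return [
        sdo("opinion", opinion=opinion, explanation=comment,
            authors=[author], object_refs=[target["id"]]),
        sdo("note", content=comment, authors=[author], object_refs=[target["id"]]),
    ]


def build_bundle():
    """Constructed sample data: two indicators as they might arrive over TAXII."""
    bare = sdo("indicator", name="bare IoC", pattern_type="stix",
               pattern="[domain-name:value = 'bad.example']", valid_from=stix_now())
    rich = sdo("indicator", name="C2 domain", pattern_type="stix",
               pattern="[domain-name:value = 'c2.example']", valid_from=stix_now())
    # Context that is usually left out of M2M sharing: what the indicator
    # indicates and who uses that malware (names are made up)
    mal = sdo("malware", name="ExampleRAT", is_family=False,
              malware_types=["remote-access-trojan"])
    actor = sdo("threat-actor", name="Example Group",
                threat_actor_types=["crime-syndicate"])
    objects = [bare, rich, mal, actor,
               relationship(rich, "indicates", mal),
               relationship(actor, "uses", mal)]
    # H2H feedback captured from an analyst's comment and fed back into the stream
    objects += analyst_feedback(rich, "strongly-agree",
                                "Confirmed in our own incident response case.",
                                "analyst@example")  # hypothetical author
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def context_score(indicator, objects):
    """Machine-readable context attached to an indicator: +1 per relationship
    it takes part in, +1 per note, plus the weight of each analyst opinion.
    A bare indicator scores 0, which is exactly why it cannot be prioritised."""
    iid = indicator["id"]
    score = 0
    for o in objects:
        if o["type"] == "relationship" and iid in (o["source_ref"], o["target_ref"]):
            score += 1
        elif o["type"] == "note" and iid in o["object_refs"]:
            score += 1
        elif o["type"] == "opinion" and iid in o["object_refs"]:
            score += OPINION_WEIGHT[o["opinion"]]
    return score


def prioritise(bundle):
    """Indicators ranked by context score, highest first, as (score, pattern)."""
    objects = bundle["objects"]
    indicators = [o for o in objects if o["type"] == "indicator"]
    return sorted(((context_score(i, objects), i["pattern"]) for i in indicators),
                  reverse=True)


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    for score, pattern in prioritise(bundle):
        print(score, pattern)
```

Running the script prints the bundle as JSON (which is what would travel over TAXII) followed by the ranking: the contextualised indicator scores 4 (one "indicates" relationship, one note, one strongly-agree opinion) while the bare one scores 0. The scoring rule is deliberately simple; the point is that once evaluations and comments exist as referencing objects, any consumer can weigh them without a human re-reading the forum thread.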

The second strategy is to encourage commercial CTI providers to share more semantics through M2M CTI sharing channels like STIX/TAXII. They already have such semantics in their databases, and sharing them should be easy and spontaneous once they realize the merits of doing so. This would be the next competitive edge for commercial CTI providers. CTI consumers need to be ready to consume and utilize such semantics-rich machine-understandable CTI in order for a positive feedback loop to develop between CTI providers and consumers. The first strategy should prepare CTI consumers for this.

The third strategy is to extract machine-understandable semantics from human-readable reports, using natural language processing and other technologies. Cybersecurity ontology work should play an important role in making the resulting semantics more or less uniform, so that machines can process them easily and coherently.
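To make the third strategy concrete, here is a small rule-based extractor, written for this page and not part of the presenters' work, that turns sentences of a human-readable report into uniform records. The vocabulary mapping surface forms to canonical concepts is a constructed stand-in for a cybersecurity ontology, the report excerpt, hash and domain are made up, and a real deployment would replace the substring matching with a proper NLP pipeline. What it does show is the part an ontology contributes: several phrasings collapse to one concept, defanged indicators are normalised, and each indicator is tied to the concept mentioned in the same sentence, with the sentence kept as evidence.

```python
"""Added example, not code from the talk: a small rule-based extractor that
turns sentences of a human-readable report into uniform, machine-usable
records. The vocabulary below is a constructed stand-in for a cybersecurity
ontology; a real deployment would swap it for the shared ontology and a
proper NLP pipeline."""
import re

# Surface forms seen in reports -> canonical concept (constructed vocabulary)
ONTOLOGY = {
    "spear-phishing": ["spear phishing", "spear-phishing", "spearphishing",
                       "phishing email"],
    "command-and-control": ["command and control", "command-and-control",
                            "c2 server", "c2 domain"],
    "credential-dumping": ["credential dumping", "dumped credentials",
                           "lsass memory"],
}

# Defanging conventions reports use so that IoCs are not clickable
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
SENTENCE_RE = re.compile(r"(?<=[.!?])\s+")


def refang(text):
    """Undo the common defanging markers so regexes see the real indicator."""
    for marker, plain in DEFANG:
        text = text.replace(marker, plain)
    return text


def concepts_in(sentence):
    """Canonical concepts whose surface forms occur in the sentence."""
    low = sentence.lower()
    return [c for c, forms in ONTOLOGY.items() if any(f in low for f in forms)]


def indicators_in(sentence):
    """Hashes and domains in the sentence, refanged and lower-cased."""
    text = refang(sentence)
    found = set(SHA256_RE.findall(text)) | set(DOMAIN_RE.findall(text))
    return sorted(i.lower() for i in found)


def extract(report):
    """One record per (sentence, concept): the canonical concept, the IoCs
    mentioned in the same sentence, and the sentence kept as evidence."""
    records = []
    for sentence in SENTENCE_RE.split(report.strip()):
        iocs = indicators_in(sentence)
        for concept in concepts_in(sentence):
            records.append({"concept": concept, "indicators": iocs,
                            "evidence": sentence})
    return records


# Constructed report excerpt (the hash and the domain are made up)
REPORT = (
    "Example Group delivered the payload via a spear phishing email. "
    "The dropper (SHA-256 "
    "3f2a9b1c4d5e6f70819283a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4) "
    "contacted its C2 server at hxxp://c2[.]example[.]net/update. "
    "Operators then performed credential dumping from LSASS memory."
)

if __name__ == "__main__":
    for rec in extract(REPORT):
        print(rec["concept"], rec["indicators"])
```

On the sample excerpt the extractor yields three records, one per sentence: spear-phishing with no indicators, command-and-control with the dropper hash and the refanged C2 domain, and credential-dumping (matched through two different phrasings) with none. Records of this shape map naturally onto the richer STIX elements the first section mentions, for example an attack pattern linked to an indicator, which is the point of having the ontology fix the labels before anything is shared M2M.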


Speakers
Fujitsu System Integration Laboratories
Research Principal
Co-Presenters/Authors
Fujitsu System Integration Laboratories
Researcher
Fujitsu System Integration Laboratories
Researcher
