
BIA-Brukerstyrt innovasjonsarena

Delautomatisering av digital trusseletterretning

Alternative title: Semi-automated cyber threat intelligence

Awarded: NOK 12.1 mill.

Cyber-attacks are becoming more sophisticated and harder to detect, and existing technology for detecting and preventing attacks is increasingly inefficient. The challenge for cybersecurity companies and their systems is to reveal the nature of attacks and stop them as early as possible. In 2016, mnemonic launched the research project "Semi-Automated Cyber Threat Intelligence (ACT)" to address these challenges. The project partners are UiO, NTNU, NSM, Nordic Financial CERT, KraftCERT and Telenor. The ACT project develops a platform for cyber threat intelligence to uncover cyberattacks, cyber espionage and sabotage. The project researches new methods for data enrichment and data analysis to identify threat agents, their motives, resources and attack methodologies. In addition, the project will develop new methods, work processes and mechanisms for creating and distributing threat intelligence and countermeasures, to stop ongoing and prevent future attacks.

Gartner (2013) defines threat intelligence as follows: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

In short, threat intelligence is knowledge about threats. This knowledge must be based on evidence, and it must be actionable. A threat agent is an individual or group that poses a threat to a victim. A threat agent has associated capabilities, intents, and a history of past activity. The analysis of this history forms our knowledge of the threat agent, and this knowledge can help us predict and detect future attacks.
Our primary motives for launching the ACT project were to provide a holistic workspace for analysts, automate repetitive tasks, facilitate advanced automated analysis, improve our knowledge of threat agents, facilitate efficient and accurate manual analysis, automate sharing of threat information and countermeasures, and automate the processing of unstructured data. Threat intelligence analysts use numerous different systems for their daily tasks. They copy and paste data from system to system, then manually try to collate the results. The ACT platform aims to automate such processes, to provide a holistic view of the information, and to retain the information for future use. The ACT project will facilitate sophisticated enrichment of data and the application of artificial intelligence techniques for automated analysis of data and information. These two research areas are the main responsibility of the universities participating in the project. Automated threat information sharing and countermeasures can significantly improve detection and prevention capabilities. We have reviewed existing standards and protocols for information sharing and countermeasures. We also closely monitor standards that are under development. Finally, masses of data relevant to threat intelligence are available in unstructured formats. Examples include threat reports, academic papers, blogs, and wiki pages. The ACT project has implemented and tested prototypes based on natural language processing (NLP) for the extraction of structured data from unstructured sources. During the previous two months, we implemented and tested information sharing between platform instances. We have created GitHub repositories for the project, where we have published all of the platform documentation and source code under an open-source license [1]. The results from the ACT project made it possible for mnemonic to join the Horizon 2020 project SOCCRATES [2] as a partner.
The project started on September 1st 2019, and the ACT platform is an important component of SOCCRATES. We have presented the project at several relevant conferences, including the FIRST Conference 2017 [3] and the FIRST Conference 2018 [4]. In June, we presented a full-day training at the FIRST Conference 2019 [5], and in August we presented the ACT platform at Black Hat USA Arsenal 2019 [6].

[1] https://github.com/mnemonic-no/
[2] https://soccrates.eu
[3] https://www.first.org/conference/2017/program#pthreat-ontologies-for-cyber-security-analytics
[4] https://www.first.org/conference/2018/program#psemi-automated-cyber-threat-intelligence-act
[5] https://www.first.org/conference/2019/additional-programming/#pACT-Threat-Intelligence-Platform-Full-Day
[6] https://www.blackhat.com/us-19/arsenal/schedule/index.html#act-semi-automated-cyber-threat-intelligence-15988

Impacts: The project has delivered a threat intelligence platform as open source, available to the entire security community. The platform enables automation and analysis that were not previously supported. In addition, the project has contributed to greater awareness of automation in the professional community, and has drawn attention to the challenges and limitations of existing solutions. Effects: The platform developed in the project has already contributed to a better understanding of cyber threats, which in turn contributes to a more effective defence against those threats. We hope that the platform will be adopted by other user organisations, and we will continue to develop the platform after the project has ended.

Cyber attacks against Norwegian interests are becoming ever more advanced and harder to detect, and existing ways of detecting and uncovering attacks are starting to become insufficient. It is a continuous challenge to uncover how attacks happen, how they are concealed and how they can be prevented. Through the project we will ensure that this happens to a much greater extent than today. The project will result in products and services for cyber threat intelligence that do not exist on the international market today. For businesses and the public sector, these services will provide better protection through more detected attacks and faster measures against both ongoing and future threats and attacks. The project result will also enable the exchange of intelligence information with public and private organisations.

Publications from Cristin

No publications found

Funding scheme:

BIA-Brukerstyrt innovasjonsarena