NAERINGSPH-Nærings-phd

Threat Ontologies for Cyber Security Analytics

Alternative title: Trusselontologi for cyber sikkerhetsanalyse

Awarded: NOK 1.6 mill.

When security incidents occur there is typically limited understanding of who the threat actor is, why they attack or how they operate, which makes it difficult to make well-informed decisions about countermeasures. Threat actors who are not identified and held responsible for their actions will continue their criminal behaviour. When we do not understand the attacker we can only see, if even that, the results of the attacker's actions. Improved cybersecurity requires digital threat intelligence: structured and partly automated analysis and sharing of information. This Ph.D. project aimed at developing models and tools for automated or semi-automated classification and discovery of cyberthreats based on ontologies. The project collaborated with two related projects on cybersecurity: 1) ACT, a BIA project managed by mnemonic, and 2) Oslo Analytics, an IKTPLUSS project managed by the University of Oslo. A literature study found that interesting research challenges are related to logic reasoning for the analysis and representation of available threat data. We are currently using NLP (natural language processing) to extract relevant threat data from public sources, and the use of ontologies to improve and reason upon these data is showing valuable results. Further, it is interesting to look at the possibility of using ontologies for the exchange of threat knowledge, not just the data or information that the currently available technology for exchanging threat intelligence supports. The results of this project are the developed ontologies and related technologies, which provide a flexible framework for representing and structuring the large variety of data with which security analysts are confronted. An implementation of an ontology developed in the project provides increased automation possibilities. The developed platform is open sourced and available for anyone who would like to use it.

The results of this project contributed to the creation of the ACT Platform, an open-source platform for cyber threat intelligence. In addition, we gained a deeper understanding of the field within mnemonic.

Cyberattacks now have the realistic potential of causing serious harm to humans, their assets and business processes, with Cyberweapons of Mass Disruption that can be launched remotely and anonymously. Cybersecurity is aimed at blocking or mitigating such threats by preventing, detecting and recovering from harmful incidents in cyberspace. The task of implementing adequate cybersecurity is already daunting, and becomes increasingly challenging every day. The threat landscape is continuously changing, it is often difficult to distinguish between friend and foe, and attribution of attacks is often uncertain. This is a situation of moving targets, where existing security approaches used by "white hats" quickly become outdated and ineffective against the next generation of attack strategies by "black hats". In the overwhelming majority of identified security incidents there is currently no understanding of who the threat actor is, why they attack or how they operate. The result is a lack of ability to make informed decisions when it comes to protection and countermeasures. The threat actors are most often not identified and held responsible for their actions, resulting in continued criminal behaviour. We simply do not understand our opponent and can identify, if even that, only the results of the opponent's actions. To improve our situation we need digital threat intelligence: structured and partly automated analysis and sharing of information. This observation provides the motivation for starting a Ph.D. project on Threat Ontologies for Cybersecurity Analytics, which aims at developing models and tools for automated or semi-automated classification and discovery of cyberthreats based on ontologies.

Funding scheme:

NAERINGSPH-Nærings-phd