Data-Driven Threat Hunting Using Sysmon

@article{Mavroeidis2018DataDrivenTH,
  title={Data-Driven Threat Hunting Using Sysmon},
  author={Vasileios Mavroeidis and Audun J{\o}sang},
  journal={Proceedings of the 2nd International Conference on Cryptography, Security and Privacy},
  year={2018}
}
  • Vasileios Mavroeidis, A. Jøsang
  • Published 16 March 2018
  • Computer Science
  • Proceedings of the 2nd International Conference on Cryptography, Security and Privacy
Threat actors can be persistent, motivated and agile, and they leverage a diversified and extensive set of tactics, techniques, and procedures to attain their goals. In response to that, organizations establish threat intelligence programs to improve their defense capabilities and mitigate risk. Actionable threat intelligence is integrated into security information and event management systems (SIEM) forming a threat intelligence platform. A threat intelligence platform aggregates log data from… 
ATHAFI: Agile Threat Hunting And Forensic Investigation
TLDR
A framework for agile threat hunting and forensic investigation (ATHAFI) that automates the threat hunting process at multiple levels and enables intelligent adjustment of workflows so that they react effectively to emerging threats.
Automated Threat Hunting Using ELK Stack - A Case Study
TLDR
The system identified all the threats successfully and segmented them with alert messages; the complete system was implemented in a virtual environment on Windows, using Oracle VM VirtualBox to create the virtual environment.
Hacker Forum Exploit and Classification for Proactive Cyber Threat Intelligence
TLDR
This research paper employs machine learning and deep learning approaches using neural networks to automatically classify hacker forum data into predefined categories, and develops interactive visualizations that enable CTI practitioners to probe the collected data for proactive and timely CTI.
A Holistic Approach to Insider Threat Detection
TLDR
It is concluded that machine learning shows some promise as a measure for insider threat detection if used as an adjunct to manual forensics work, and that to improve the performance of the current machine learning system it seems necessary to include more substance in the selected features.
From TTP to IoC: Advanced Persistent Graphs for Threat Hunting
TLDR
This article challenges a formal model that dissects and abstracts elements of an attack, from both attacker and defender perspectives, using an attack campaign mimicking APT29, a real-world threat, in a scenario designed by the MITRE Corporation.
Enhancing intelligence SOC with big data tools
  • R. Andrade, Jenny Torres
  • Computer Science
  • 2018 IEEE 9th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)
  • 2018
TLDR
This work analyzes the applicability of Big Data as a complementary tool for the detection of security events in a real CSIRT environment, validating the architecture, configuration and visualization using the ELK stack as the Big Data platform.
Threat Hunting in Windows Using Big Security Log Data
TLDR
An anomaly detection system is proposed and performed on five different datasets with up to 55,000 events which detects the attacks using the preserved logs and demonstrates the significance of host-based logs in auditing, security monitoring, and intrusion detection systems.
Unifying Cyber Threat Intelligence
TLDR
A model that describes the elementary properties as well as a common notation for entities within CTI formats is proposed and a unified model is developed to improve the understanding of CTI data formats and to discuss possible future research directions.
procmonML: Generating evasion resilient host-based behavioral analytics from tree ensembles
TLDR
This work introduces a novel machine learning-based approach (procmonML) to generate true behavioral host-based analytics that are more resilient to adversary evasion, thus imparting more workload on the adversary to successfully evade detection.
Detection of Malicious Tools by Monitoring DLL Using Deep Learning
TLDR
This study proposes a method for detecting malicious tools by analyzing DLL information using deep learning, considering the DLLs loaded by each process and the order in which they are loaded, and confirms that even if file names are changed or the tools are rebuilt, it can detect the four tools in question with high detection rates.