View article

Applying Cyber Threat Intelligence for active cyber defence, while potentially very beneficial, is currently limited to predominantly manual use. In this paper, we propose an automated approach for using Cyber Threat Intelligence during incident response by gathering Tactics, Techniques and Procedures available on intelligence reports, mapping them to network incidents, and then using this map to create attack patterns for specific threats. We consider our method actionable because it provides the operator with contextualised Cyber Threat Intelligence related to observed network incidents in the form of a ranked list of potential related threats, all based on patterns matched with the incidents. We evaluate our approach with publicly available samples of different malware families. Our analysis of the results shows that our method can reliably match network incidents with intelligence reports and relate them to these …