Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence (2010.13637v2)

Published 26 Oct 2020 in cs.CR, cs.CL, and cs.DB

Abstract: Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

Authors (9)
  1. Peng Gao (402 papers)
  2. Fei Shao (3 papers)
  3. Xiaoyuan Liu (44 papers)
  4. Xusheng Xiao (17 papers)
  5. Zheng Qin (58 papers)
  6. Fengyuan Xu (18 papers)
  7. Prateek Mittal (129 papers)
  8. Sanjeev R. Kulkarni (32 papers)
  9. Dawn Song (229 papers)
Citations (76)

Summary

Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence

The paper "Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence" addresses a critical gap in the current landscape of cybersecurity by presenting ThreatRaptor, a system that leverages open-source Cyber Threat Intelligence (OSCTI) to enhance cyber threat hunting capabilities. The proposed system aims to address the limitations of existing threat hunting approaches, which often ignore the potential of OSCTI and require manual, error-prone query construction.

The authors introduce ThreatRaptor, which combines several components to improve threat hunting. The first is an unsupervised, lightweight, and accurate NLP pipeline that extracts structured threat behaviors, namely Indicators of Compromise (IOCs) and the relations between them, from unstructured OSCTI text. The pipeline includes components tailored to the peculiarities of security text, such as the dots, slashes and other special characters inside IOCs that confuse general-purpose tokenizers and parsers.

Additionally, the authors develop TBQL (Threat Behavior Query Language), a domain-specific language for expressing and searching for malicious system activities over audit logs concisely and precisely. TBQL stands out for its ability to express complex multi-step behaviors and its support for variable-length event path patterns. Its expressive power is complemented by a query synthesis mechanism that automatically builds a TBQL query from an extracted threat behavior graph, so that knowledge extracted from OSCTI feeds directly into a hunting task without manual query construction.
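As an added illustration of the two steps summarized above (IOC and relation extraction from OSCTI text, and synthesizing and executing a behavior-graph query with a variable-length path over audit events), the following Python script is example code written for this page, not ThreatRaptor's code; the query form it uses is a simplified stand-in for the paper's design, not TBQL syntax. The report text, the audit events, the regexes, and the verb-to-operation mapping are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed OSCTI text (not from the paper); IOCs are defanged the way public reports do it.
REPORT = (
    r"powershell.exe writes C:\Users\victim\AppData\update.exe. "
    r"update.exe connects to hxxp://45[.]77[.]12[.]9/gate and drops payload.dll. "
    r"rundll32.exe loads payload.dll, reads C:\Users\victim\Documents\secrets.docx "
    r"and connects to 45[.]77[.]12[.]9."
)

# Constructed audit events (not real logs): (id, subject process, operation, object).
# Ids are assigned in time order, so id comparison stands in for timestamp comparison.
EVENTS = [
    (1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "write", r"C:\Users\victim\AppData\update.exe"),
    (2, r"C:\Windows\explorer.exe", "read", r"C:\Users\victim\Documents\notes.txt"),
    (3, r"C:\Users\victim\AppData\update.exe", "connect", "45.77.12.9:443"),
    (4, r"C:\Users\victim\AppData\update.exe", "write", r"C:\Users\victim\AppData\payload.dll"),
    (5, r"C:\Windows\System32\rundll32.exe", "load", r"C:\Users\victim\AppData\payload.dll"),
    (6, r"C:\Windows\System32\rundll32.exe", "read", r"C:\Users\victim\Documents\secrets.docx"),
    (7, r"C:\Windows\System32\rundll32.exe", "connect", "45.77.12.9:443"),
    (8, r"C:\Program Files\Firefox\firefox.exe", "connect", "93.184.216.34:443"),
]

# IOC regexes (assumed). Spans are resolved longest-first so the IP inside a URL is not a second entity.
IOC_PATTERNS = {
    "url": r"https?://[^\s\"']+",
    "path": r"[A-Za-z]:\\(?:[^\s\\]+\\)*[^\s\\]+",
    "ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "file": r"\b[\w-]+\.(?:exe|dll|docx)\b",
}
# Report verb phrases mapped to audit-level operations (an assumed mapping for this example).
VERBS = {"connects to": "connect", "drops": "write", "writes": "write", "loads": "load", "reads": "read"}
COORD = ("and", ",", "then")  # a gap starting like this continues the previous subject

def refang(text):
    """Undo common defanging so the IOC regexes and the verb search see the real values."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_iocs(sentence):
    """Non-overlapping IOC spans in a sentence as (start, end, type, value), in text order."""
    spans = []
    for typ, pat in IOC_PATTERNS.items():
        for m in re.finditer(pat, sentence):
            spans.append((m.start(), m.end(), typ, m.group(0).rstrip(".,;")))
    spans.sort(key=lambda s: (s[0], s[0] - s[1]))  # earliest start, then longest
    out, last_end = [], -1
    for span in spans:
        if span[0] >= last_end:
            out.append(span)
            last_end = span[1]
    return out

def extract_relations(report):
    """Threat behaviour graph as (subject IOC, operation, object IOC) triples."""
    graph = []
    for sentence in re.split(r"(?<=\.)\s+", refang(report)):
        ents = extract_iocs(sentence)
        subject = None
        for (_, e1, t1, v1), (s2, _, t2, v2) in zip(ents, ents[1:]):
            gap = sentence[e1:s2].strip()
            if subject is None or not gap.startswith(COORD):
                subject = (t1, v1)
            op = next((op for phrase, op in VERBS.items() if phrase in gap), None)
            if op:
                graph.append((subject, op, (t2, v2)))
    return graph

def match_key(typ, value):
    """The substring an audit-log entity must contain to match this IOC (a URL matches by its host)."""
    return urlparse(value).hostname if typ == "url" else value

def synthesize_query(graph):
    """Edge patterns (subject key, operation, object key) synthesised from the behaviour graph."""
    return [(match_key(*s), op, match_key(*o)) for s, op, o in graph]

def run_query(query, events):
    """Event ids satisfying each edge pattern, keyed by pattern index; unmatched patterns are absent."""
    hits = {}
    for i, (subj, op, obj) in enumerate(query):
        ids = [eid for eid, s, e_op, o in events if e_op == op and subj in s and obj in o]
        if ids:
            hits[i] = ids
    return hits

# Information-flow direction of each operation: write/connect flow out of the process, read/load into it.
FLOW = {"write": (1, 3), "connect": (1, 3), "read": (3, 1), "load": (3, 1)}

def hunt_path(events, src_key, dst_key, max_hops):
    """Shortest time-ordered flow path (list of event ids) from an entity containing src_key
    to one containing dst_key, using at most max_hops events; None if no such path exists."""
    edges = [(e[0], e[FLOW[e[2]][0]], e[FLOW[e[2]][1]]) for e in events]
    frontier = [(n, 0, []) for n in {a for _, a, _ in edges if src_key in a}]
    seen = set()
    while frontier:
        nxt = []
        for node, last_id, path in frontier:
            if path and dst_key in node:
                return path
            if len(path) == max_hops:
                continue
            for eid, a, b in edges:
                if a == node and eid > last_id and (b, eid) not in seen:
                    seen.add((b, eid))
                    nxt.append((b, eid, path + [eid]))
        frontier = nxt
    return None

if __name__ == "__main__":
    graph = extract_relations(REPORT)
    print(run_query(synthesize_query(graph), EVENTS))
    print(hunt_path(EVENTS, "powershell.exe", "45.77.12.9", 5), hunt_path(EVENTS, "secrets.docx", "45.77.12.9", 3))
```

The path search is the part worth noting: it follows information flow (a process writing a file, a file being loaded or read by a process, a process connecting out) with strictly increasing event order, which is what makes a "from this dropper to this address within N hops" question answerable over a provenance-style event graph without spelling out every intermediate step in the query.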

The evaluation demonstrates ThreatRaptor's effectiveness in both the accuracy and the efficiency of its components. The NLP pipeline achieves an F1 score of 96.64% for IOC extraction and 92.59% for IOC relation extraction, outperforming general-purpose information extraction approaches. On the attack cases used in the evaluation, ThreatRaptor identifies malicious system activities with 98.34% F1.

The research has both conceptual and practical implications for cyber threat hunting. Unsupervised extraction of threat behaviors from OSCTI, coupled with an efficient search over audit logs, addresses a real need in security operations: turning published intelligence into executable hunts without hand-written queries. Natural follow-ups include extending the types of entities and behaviors the system captures, integrating threat intelligence that is updated continuously, and scaling the graph pattern matching to larger and more dynamic environments.

In conclusion, "Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence" is a foundational step towards automated, scalable threat hunting driven by external threat intelligence, and it opens clear avenues for further work on adapting such systems as the intelligence and the monitored environment change.
