Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence (2103.03530v5)

Abstract: Cyber threat intelligence is the provision of evidence-based knowledge about existing or emerging threats. Benefits from threat intelligence include increased situational awareness, efficiency in security operations, and improved prevention, detection, and response capabilities. To process, correlate, and analyze vast amounts of threat information and data and derive intelligence that can be shared and consumed in meaningful times, it is required to utilize structured, machine-readable formats that incorporate the industry-required expressivity while at the same time being unambiguous. To a large extent, this is achieved with technologies like ontologies, schemas, and taxonomies. This research evaluates the coverage and high-level conceptual expressivity of cyber-threat-intelligence-relevant ontologies, sharing standards, and taxonomies pertaining to the who, what, why, where, when, and how elements of threats and attacks in addition to courses of action and technical indicators. The results confirm that little emphasis has been given to developing a comprehensive cyber threat intelligence ontology, with existing efforts being not thoroughly designed, non-interoperable, ambiguous, and lacking proper semantics and axioms for reasoning.

• The paper systematically evaluates CTI representations, revealing gaps in coverage and semantic expressivity across taxonomies, sharing standards, and ontologies.
• Methodology involves a qualitative assessment using a 5W1H+CoA+Indicators framework applied to resources like STIX and ATT&CK.
• Findings underscore the need for a unified, formally-specified CTI ontology to enhance automated reasoning and threat data correlation.

This research evaluates the efficacy of existing Cyber Threat Intelligence (CTI) representation mechanisms, specifically taxonomies, sharing standards, and ontologies, by assessing their coverage and conceptual expressivity. The core objective is to determine how well these models capture the fundamental elements of cyber threats – the 'who' (attribution), 'what' (tools, malware), 'why' (motivation, intent), 'where' (infrastructure, location), 'when' (timing), and 'how' (TTPs) – along with Courses of Action (CoAs) and technical indicators. The central argument posits that despite the proliferation of CTI data, the lack of structured, machine-readable formats with sufficient expressivity and unambiguous semantics hampers effective processing, correlation, analysis, and sharing of intelligence.

Evaluation Framework and Methodology

The paper employs a qualitative evaluation framework centered on two primary criteria: coverage and high-level conceptual expressivity. Coverage refers to the extent to which a given model explicitly represents the core CTI elements (5W1H + CoA + Indicators). Conceptual expressivity assesses the richness and clarity of the model's constructs for representing these elements, albeit at a high level, without exploring formal semantic rigor initially.

The evaluation corpus included a selection of widely recognized CTI resources:

• Taxonomies: VERIS (Vocabulary for Event Recording and Incident Sharing), CAPEC (Common Attack Pattern Enumeration and Classification), MAEC (Malware Attribute Enumeration and Characterization), MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).
• Sharing Standards: STIX (Structured Threat Information Expression) versions 1.x and 2.x, OpenIOC (Open Indicators of Compromise), IODEF (Incident Object Description Exchange Format).
• Ontologies: Unified Cyber Ontology (UCO), D3FEND (detection techniques mapped to ATT&CK), and other relevant, albeit less comprehensive, academic or proprietary ontological efforts identified in the literature.

Each resource was systematically analyzed against the 5W1H+CoA+Indicator framework to map its constituent objects, properties, or concepts to these core elements and assess the degree and nature of the representation.

Analysis of Taxonomies

The evaluation found that CTI taxonomies generally offer structured vocabularies for specific domains but lack comprehensive coverage across all facets of a threat event.

• VERIS: Primarily focuses on incident description ('what' happened, 'when', 'where' affected), offering a detailed schema for breach data collection but limited expressivity regarding attacker attribution ('who'), motivation ('why'), or detailed TTPs ('how').
• CAPEC and ATT&CK: Excel in detailing the 'how' (attack patterns and TTPs). ATT&CK, in particular, provides extensive coverage of adversarial behaviors across the kill chain, implicitly linking to 'what' (tools/malware) and sometimes 'who' (groups associated with techniques). However, explicit representation of intent ('why'), precise timing ('when'), or specific infrastructure ('where') is often outside their core scope. ATT&CK includes mitigations, partially covering CoA.
• MAEC: Concentrates heavily on the 'what', specifically the attributes and behaviors of malware, offering deep technical detail but limited scope regarding the broader context of the attack campaign (who, why, where, when, how beyond malware execution).

Overall, taxonomies provide valuable classification schemes within their defined scopes but are insufficient individually or collectively for holistic CTI representation needed for complex correlation and reasoning. They often lack formal semantics, hindering machine interpretability beyond simple categorization.

Analysis of Sharing Standards

Sharing standards aim to facilitate interoperable CTI exchange. The analysis revealed varying levels of success in achieving comprehensive representation.

• IODEF: Designed for incident reporting, it covers aspects of 'what' happened, 'when', and 'where' (affected systems). Its expressivity regarding attacker details ('who', 'why', 'how') is limited compared to more CTI-focused standards.
• OpenIOC: Primarily focused on host and network indicators ('what' observable artifacts), facilitating detection and response. It offers limited representation for the broader strategic context (who, why, how).
• STIX: Emerged as the most comprehensive standard evaluated.
  • STIX 1.x: Provided foundational objects for representing Indicators, TTPs ('how'), Exploit Targets, Incidents ('what', 'when', 'where'), Adversaries ('who'), and CoAs. However, its XML-based structure was complex, and certain relationships, particularly regarding intent ('why'), were not explicitly modeled.
  • STIX 2.x: Transitioned to JSON and refined the object model, introducing SDOs (STIX Domain Objects) like Attack Pattern, Campaign, Intrusion Set ('who', 'why'), Malware ('what'), Threat Actor ('who'), Tool ('what'), Vulnerability, and SROs (STIX Relationship Objects) for explicit linkage. It significantly improved coverage across the 5W1H+CoA+Indicator elements. Despite improvements, the standard's semantics are primarily defined textually, limiting formal reasoning capabilities. Representing complex motivations ('why') and nuanced relationships remains challenging. The standard relies on referenced taxonomies (like ATT&CK via external_references) to provide detailed semantics for certain objects (e.g., TTPs).

While STIX 2.x offers the broadest coverage among standards, its reliance on textual descriptions for semantics and loose coupling with external taxonomies means it falls short of providing a fully unambiguous, machine-interpretable model suitable for advanced automated reasoning.

Analysis of Ontologies

The evaluation of CTI ontologies highlighted significant deficiencies. Ontologies, with their potential for formal semantics and automated reasoning (inference, consistency checking), are theoretically ideal for complex CTI modeling. However, the paper found existing efforts lacking.

• Existing Ontologies (e.g., UCO, custom academic models): The research identified a scarcity of well-developed, comprehensive CTI ontologies. Those that exist often suffer from:
  • Limited Scope: Focusing on specific sub-domains (e.g., malware analysis, network events) rather than the entire CTI lifecycle.
  • Lack of Interoperability: Different ontologies use incompatible terminologies and structural approaches.
  • Ambiguity: Concepts and relationships are often ill-defined, lacking precise formal semantics (e.g., insufficient use of OWL axioms like disjointness, property characteristics).
  • Insufficient Axiomatization: The absence of rich axioms prevents sophisticated reasoning beyond basic subsumption or instance checking. This hinders the ability to automatically infer attacker motivations, predict future actions, or validate the consistency of fused intelligence.
  • Design Issues: Some ontologies were deemed not thoroughly designed, potentially repurposed from other domains without adequate adaptation to CTI specifics.

The Unified Cyber Ontology (UCO) represents an effort towards unification but, at the time of the research and often still, faces challenges in achieving broad adoption and deep semantic integration across the diverse CTI landscape. The paper concluded that no existing ontology provided the necessary combination of comprehensive coverage, formal semantics, interoperability, and expressivity required for advanced CTI applications.

Comparative Analysis and Identified Gaps

Comparing the three types of models, the research concluded:

• Taxonomies: Useful for classification within specific domains but too narrow for holistic CTI.
• Sharing Standards (esp. STIX 2.x): Provide the best balance of coverage and structure for sharing CTI data but lack the formal semantics needed for deep reasoning. They act more as structured data containers than knowledge representation frameworks.
• Ontologies: Theoretically the most promising for machine reasoning and knowledge integration but practically underdeveloped, fragmented, and semantically shallow in the CTI domain.

Key gaps identified across all models include:

• Representing 'Why': Attacker intent, motivation, and strategic goals are often poorly or inconsistently represented.
• Semantic Interoperability: Lack of common, formally defined semantics hinders integration and reasoning across different data sources and tools.
• Reasoning Capabilities: Current models primarily support data structuring and exchange, not advanced automated reasoning (e.g., predicting attacker behavior, assessing attack plausibility, automated CoA generation/selection).
• Comprehensive Coverage: No single model effectively integrates all 5W1H aspects along with detailed indicators and actionable CoAs within a unified, semantically rich framework.

Implications for Cyber Threat Intelligence

The findings have significant implications for the practice of CTI. The limitations of existing representation models directly impede progress towards more automated and intelligent CTI systems. Without unambiguous, machine-interpretable models:

• Correlation and Analysis: Automated correlation of disparate threat data (e.g., linking indicators to TTPs, TTPs to actors, actors to motivations) remains difficult and often requires significant human effort.
• Information Sharing: While standards like STIX facilitate sharing, the lack of deeper semantics can lead to misinterpretation or inability to leverage shared data effectively in automated systems.
• Situational Awareness: Building a comprehensive, dynamic understanding of the threat landscape is hampered by the inability to automatically integrate and reason over diverse intelligence inputs.
• Proactive Defense: Predicting future threats and recommending optimal CoAs requires sophisticated reasoning capabilities currently unsupported by the underlying representation models.

The research underscores the need for a concerted effort to develop a comprehensive, formally specified CTI ontology (or a set of interoperable modular ontologies) grounded in description logics (like OWL) to enable semantic interoperability and advanced reasoning.

Conclusion

This evaluation systematically assessed CTI taxonomies, sharing standards, and ontologies against a framework covering essential threat elements (5W1H+CoA+Indicators). It concluded that while taxonomies offer domain-specific classification and standards like STIX 2.x provide a structure for information exchange, the CTI field lacks a comprehensive, formally specified, and widely adopted ontology. This absence severely limits the potential for automated reasoning, sophisticated analysis, and true semantic interoperability within CTI platforms, highlighting a critical area for future research and development to advance the state of cyber threat intelligence processing and utilization.