Threat Intelligence

Introduction

Threats executed by criminals are advancing by leaps and bounds, and the defences of a company or organization are undermined if it relies on traditional security measures or if its operational approaches are not adapted to new threats. Threat intelligence, or cyber threat intelligence (CTI), is the knowledge about threats that results from concrete evidence, including the capabilities, infrastructure, motivation, objectives and resources of the attacker. CTI therefore makes it possible to detect indicators related to cyber threats, extract information about attack methods, identify security threats and make decisions in advance in order to respond to possible attacks accurately and forcefully. CTI sharing is a critical tool for security analysts. By sharing CTI, security teams can alert each other to new findings across the threat landscape and flag active cybercrime campaigns and indicators of compromise (IOCs) that the cybersecurity community should be immediately aware of. As this intelligence spreads, organizations can build upon each other's defences to combat the latest threat, creating a herd-like immunity for networks as defensive capabilities are collectively raised. The projects in this cluster seek to provide solutions that improve CTI and information sharing.

Cluster Objectives

Some of the main goals of the projects included in the cluster are the following:
  • Improve the response capacity of organizations in the face of new cybersecurity threats.
  • Enhance threat intelligence platforms.
  • Enhance threat intelligence sharing.
  • Enhance the state of the art for reliability, safety and privacy guarantees of security intelligence techniques.
  • Enhance the preparedness of cybersecurity professionals at all levels and advance their skills towards preventing, detecting, reacting and mitigating sophisticated cyber-attacks.

Who benefits?

  • Security operations teams
  • Vulnerability management teams
  • Fraud prevention and risk analysis teams
  • IoT device owners
  • Internet Service Providers (ISPs)
  • Law Enforcement Agencies (LEAs)
  • Policymakers

Challenges

According to ENISA's report "Cyber Threat Intelligence Overview", the next challenge in CTI will be to digest, consolidate and disseminate existing practices to achieve more extensive use in a cost-efficient and synergetic manner. The main opportunities in this respect lie in sharing non-competitive CTI practices, requirements, tools and information. Apart from this, identifying new stakeholders entering the CTI business (both producers and consumers) will enhance capabilities, identify standard CTI requirements and establish CTI sharing capabilities in a timely manner.

Innovations and solutions

  • CONCORDIA
  • A project that pilots a Cybersecurity Competence Network with leading research, technology, industrial and public competencies. CONCORDIA provides excellence and leadership in technology, processes and services to establish a user-centric EU-integrated cybersecurity ecosystem for digital sovereignty in Europe. It enhances the threat intelligence platform for the financial sector and provides mechanisms for the access and use control of the data exchanged between different entities.

  • CRITICAL-CHAINS

  • CyberSec4Europe
  • CyberSec4Europe will provide an elastic intrusion detection system suitable for cloud deployment, based on a multi-disciplinary approach that makes use of network traffic analysis and combines two complementary approaches, one online and one offline:

    a) online failure diagnosis for arbitrary faults using a white-box approach, through the instrumentation of services and the use of domain knowledge to pinpoint the root cause of the fault, and

    b) offline graph-mining for fault detection, which collects common interaction patterns and then uses them to detect faulty patterns through supervised learning.

    The system will enhance the state of the art for reliability, safety and privacy guarantees of security intelligence techniques based on artificial intelligence, machine learning and data analytics. The investigative mechanisms used will be capable of interacting with Threat Intelligence Information Services to capture evidence of malware activity at an early stage.

  • CYBER-TRUST
  • The CYBER-TRUST project aims to develop an innovative cyber-threat intelligence gathering, detection and mitigation platform, as well as to perform high-quality interdisciplinary research in key areas, introducing novel concepts and approaches to tackle the grand challenges of securing the ecosystem of IoT devices. To address the major challenges of securing the IoT ecosystem from cyber threats, the Cyber-Trust project has developed a framework that first identifies, then analyses, and finally mitigates these threats. The Cyber-Trust platform is based on end-user specifications that formed the technical and functional requirements of the project. The validation of the Cyber-Trust platform will be achieved in two pilot phases. In both phases, Cyber-Trust functionality will be verified using several use case scenarios developed by the potential end-users: IoT device owners, Internet Service Providers (ISPs) and Law Enforcement Agencies (LEAs).

  • ECHO
  • ECHO delivers an organized and coordinated approach to strengthen the proactive cyber defence of the European Union through effective and efficient multi-sector collaboration. It aims to develop, model and demonstrate a network of cyber research and competence centres, with a centre of research and competence at the hub. The Central Competence Hub serves as the focal point for the ECHO Multi-sector Assessment Framework, enabling multi-sector dependency management through the provision of an ECHO Early Warning System (EWS), an ECHO Federation of Cyber Ranges and the management of an expanding collection of Partner Engagements. The ECHO EWS has a modular architecture that provides a customizable, trustworthy environment for sharing threat intelligence. Its core functionality is enriched by plugins that offer extended reporting capabilities, extended cross-sector cyber threat analysis and information sharing for different cybersecurity roles (such as technical roles and strategic management/executive roles). It will deliver a dashboard displaying warning messages ordered by priority, which is determined by the user together with a trust score and a quality score. The three main innovation points are the guaranteed trust of the cyber threat intelligence sources, the filtering of data based on quality metrics and an ecosystem of cyber threat plugins.

  • FINSEC
  • FINSEC develops, demonstrates and brings to market an integrated, intelligent, collaborative and predictive approach to the security of critical infrastructures in the financial sector. To this end, FINSEC will introduce, implement and validate a novel reference architecture for the integrated physical and cyber security of critical infrastructures, which will enable the handling of dynamic, advanced and asymmetric attacks while at the same time boosting financial organizations' compliance with security standards and regulations. It develops a dashboard on which Cyber-Physical Threat Intelligence information is visualized for the end-users (security officers).

  • FORESIGHT
  • The FORESIGHT project aims to develop a federated cyber-range solution to enhance the preparedness of cybersecurity professionals at all levels and advance their skills towards preventing, detecting, reacting and mitigating sophisticated cyber-attacks. This is achieved by delivering an ecosystem of networked realistic training and simulation platforms that collaboratively bring unique cyber-security aspects from the aviation, smart grid and naval domains. The proposed platform will extend the capabilities of existing cyber ranges and will allow the creation of complex cross-domain/hybrid scenarios to be built jointly with the IoT domain. Emphasis is given on the design and implementation of realistic and dynamic scenarios that are based on identified and forecasted trends of cyberattacks and vulnerabilities extracted from cyber-threat intelligence gathered from the dark web; this will enable cybersecurity professionals to rapidly adapt to an evolving threat landscape.

  • INFRASTRESS
  • Addressing the current fragmentation of available security solutions and technology, InfraStress provides an integrated framework including cyber and physical threat detection, integrated cyber/physical (C/P) situational awareness, threat intelligence and an innovative methodology for resilience assessment, all tailored to each site. Its solutions include:

    • Physical threats and hazards detection and protection systems
    • Cyber threat detection and protection systems
    • Human sensors and crowdsensing
    • Integration of existing and novel cyber-physical detection systems and sensors
    • Situational picture for integrated cyber-physical protection of industrial sensitive sites and plants
    • Cyber and physical threat intelligence and prediction
    • Prevention and preparedness decision support services
    • CIP Monitoring and early warning services
    • Response, mitigation and recovery decision support services
    • Post-event analysis services
    • Information sharing and distribution to relevant stakeholders
    • Stress test services

    The InfraStress solutions will be tested and demonstrated in 5 pilot sites, with a participative approach involving the owners, operators and stakeholders.

  • SAPPAN
  • SAPPAN aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence, in order to dynamically support human operators in response and recovery actions. The SAPPAN project will develop collaborative, federated and scalable attack detection to support response activities and allow timely responses to newly emerging threats while supporting different privacy levels. It plans to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions; risk assessment, privacy and security will be addressed in the design of the standard. Results of both attack detection and recovery and response processes will be shared on a global level to achieve advanced response and recovery via knowledge sharing and federated learning. The project develops a mechanism for sharing threat intelligence information that combines encryption and anonymization to achieve GDPR compliance. Novel visualization techniques will be developed to assist security and IT personnel, providing richer context for the response and recovery process and an improved visual presentation of it.

Impacts

  • Cybersecurity professionals are better prepared to face the new security threats that affect their organizations and make better decisions.
  • A common culture of collaboration in cybersecurity.
  • Improved ability of law enforcers to identify the perpetrators of a particular cyber-attack.
  • Improved design and implementation of more effective countermeasures.
