2026
Conference Paper
Title
Standardized and Usage-Controlled Alert Analysis for Improved Cyber Threat Intelligence
Abstract
Today's IT systems are under constant risk of attack. Security mechanisms and monitoring technologies exist to detect, record, analyze, and in some cases mitigate such attacks, but the alerts they produce follow individual formats defined by different commercial, governmental, or open-source community organizations. This causes two problems. First, interoperability is limited, because the attributes of these formats differ not only in syntax but also in content. Second, SOCs and SIEMs often cannot share their alert data at all, due to regulations or the risk of leakage. Here we present an architecture that addresses both problems: the common alert format IDMEFv2 for normalization, and an alert-sharing architecture that enforces usage control over shared sensitive alerts. The system guards against information leakage while still allowing sensitive alerts to be combined, aggregated, and analyzed, which enables the generation of advanced cyber threat intelligence; without such controls, this would normally not be possible in real-world settings. Combining information sources from cyber-security and physical-security contexts, together with technically attested confidential processing of sensitive as well as non-sensitive alert data, may provide the insights needed to deploy countermeasures against existing threats faster. Gathered data is processed with conventional analyses and AI/ML techniques. Since this work is still in progress, the upcoming evaluation of our proof-of-concept will assess the approach in terms of scalability, complexity, flexibility, performance, effectiveness, and, most importantly, security.
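The two problems the abstract names, normalizing alerts from different producers and releasing them under usage control, can be shown in a few dozen lines. The following is an added illustration, not code from the paper or its proof-of-concept: two constructed vendor-style alerts (a network-IDS signature hit and a Windows failed-logon event for the same source host) are mapped onto a minimal IDMEFv2-like message, and a per-partner policy then denies, drops, or pseudonymizes fields before release and attaches obligations. The field names loosely follow the public IDMEFv2 draft, the policy structure, the `Obligations` extension and the partner name `partner-b` are assumptions of this example.

```python
"""Normalize heterogeneous alerts into a minimal IDMEFv2-style message and apply
usage control (deny, drop, pseudonymize, obligations) before sharing them."""
import hashlib
import hmac
import uuid
from copy import deepcopy
from datetime import datetime, timezone

# Constructed sample inputs (not real data): two vendor-specific alerts that
# describe activity from the same source host, seen by different sensors.
SNORT_LIKE = {"sig": "ET SCAN Nmap TCP", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
              "dst_port": 22, "prio": 2}
WINEVT_LIKE = {"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "alice",
               "Computer": "DC01"}

# Per-partner usage-control policy (structure is an assumption of this example).
POLICIES = {
    "partner-b": {
        "allowed_categories": {"Recon.Scanning", "Attempt.Login"},
        "drop": ["Target.Hostname"],                                # never leaves the SOC
        "pseudonymize": ["Source.IP", "Target.IP", "Target.User"],  # correlatable, not readable
        "obligations": {"retention_days": 30, "redistribution": "forbidden"},
    }
}


def to_idmefv2(vendor, alert):
    """Map a vendor alert onto a common structure. Field names loosely follow the
    public IDMEFv2 draft (assumption); only the subset needed here is produced."""
    msg = {
        "Version": "2.0",
        "ID": str(uuid.uuid4()),
        "CreateTime": datetime.now(timezone.utc).isoformat(),
        "Analyzer": {"Name": vendor},
    }
    if vendor == "snort":
        msg["Category"] = ["Recon.Scanning"]
        msg["Priority"] = {1: "High", 2: "Medium", 3: "Low"}.get(alert["prio"], "Info")
        msg["Description"] = alert["sig"]
        msg["Source"] = [{"IP": alert["src_ip"]}]
        msg["Target"] = [{"IP": alert["dst_ip"], "Port": [alert["dst_port"]]}]
    elif vendor == "winevt" and alert["EventID"] == 4625:
        msg["Category"] = ["Attempt.Login"]
        msg["Priority"] = "Low"
        msg["Description"] = "Failed logon (Event ID 4625)"
        msg["Source"] = [{"IP": alert["IpAddress"]}]
        msg["Target"] = [{"Hostname": alert["Computer"], "User": alert["TargetUserName"]}]
    else:
        raise ValueError(f"no mapping for {vendor!r} alert")
    return msg


def pseudonym(value, key):
    """Keyed pseudonym: equal inputs give equal tokens under the same sharing key,
    so partners can correlate without learning the raw value. Keep the key secret;
    low-entropy values such as IPs are guessable by brute force if the key leaks."""
    return "pseu-" + hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def release(msg, partner, key):
    """Return the copy of msg that may be shared with partner, or None if denied."""
    pol = POLICIES[partner]
    if not set(msg.get("Category", [])) & pol["allowed_categories"]:
        return None                                       # usage control: deny
    out = deepcopy(msg)                                   # never mutate the SOC's copy
    for path in pol["drop"]:
        section, field = path.split(".")
        for entry in out.get(section, []):
            entry.pop(field, None)
    for path in pol["pseudonymize"]:
        section, field = path.split(".")
        for entry in out.get(section, []):
            if field in entry:
                entry[field] = pseudonym(entry[field], key)
    # Obligations travel with the data; the receiving side is expected to enforce them.
    # "Obligations" is not an IDMEFv2 field; it is an extension assumed by this example.
    out["Obligations"] = dict(pol["obligations"])
    return out


def correlate(released):
    """Group released alerts by pseudonymized source: the cross-sensor view a partner
    can build without ever seeing a raw IP address."""
    by_source = {}
    for m in released:
        for src in m.get("Source", []):
            if "IP" in src:
                by_source.setdefault(src["IP"], []).extend(m["Category"])
    return by_source


if __name__ == "__main__":
    key = b"constructed-sharing-key"                      # per sharing group, kept in the SOC
    shared = [release(to_idmefv2("snort", SNORT_LIKE), "partner-b", key),
              release(to_idmefv2("winevt", WINEVT_LIKE), "partner-b", key)]
    print(correlate(shared))                              # one pseudonym, two categories
```

The point of the keyed pseudonym rather than plain redaction is that the two alerts still join on their source host at the partner, which is what makes aggregation across organizations useful; the obligations are only advisory in this sketch, and enforcing them on the receiving side is exactly what the attested processing in the paper's architecture is meant to provide.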
Author(s)
Meyer zum Felde, Hendrik
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC  
Azzabi, Radhouene
CEA Tech en Occitanie
Gouy-Pailler, Cédric
Université Paris-Saclay
Lehmann, Gilles
Télécom SudParis
Gil, Amaia
VICOMTech
Mainwork
Applied Cryptography and Network Security Workshops. ACNS 2025 Satellite Workshops. Part III  
Conference
International Conference on Applied Cryptography and Network Security 2025  
Workshop on Critical Infrastructure and Manufacturing System Security 2025  
DOI
10.1007/978-3-032-01823-6_10
Language
English
Keyword(s)
  • Alert standardization
  • CTI generation
  • Usage control