Threat Actor Type Inference and Characterization within Cyber Threat Intelligence
Vasileios Mavroeidis, Ryan Hohimer, Tim Casey, Audun Jøsang

TL;DR
This paper introduces an ontological method for automatically inferring and characterizing threat actor types in cyber threat intelligence, enhancing contextual understanding and interoperability while reducing manual bias.
Contribution
It presents a novel ontological framework that leverages controlled vocabularies to infer threat actor types and behaviors, improving automation and contextual richness in cyber threat intelligence.
Findings
Enables structured sharing of threat actor information
Automates inference of threat actor types at machine speed
Reduces cognitive biases in threat classification
Abstract
The more complex and polymorphic the cyber threat landscape becomes, the more critical it is to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate different sources to derive more contextual, accurate, and relevant intelligence. We see the need to overcome this limitation in order to increase our ability to produce and better operationalize cyber threat intelligence. Our research demonstrates how commonly agreed upon controlled vocabularies for characterizing threat actors and their operations can be used to…
