Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence
Vasileios Mavroeidis, Siri Bromander

TL;DR
This paper evaluates existing cyber threat intelligence ontologies, taxonomies, and standards, revealing significant gaps in coverage, interoperability, and semantic clarity crucial for effective threat analysis and sharing.
Contribution
It provides a comprehensive assessment of current cyber threat intelligence models, highlighting the need for more thorough, interoperable, and semantically rich ontologies.
Findings
Existing ontologies are incomplete and lack proper semantics.
Current standards are often non-interoperable and ambiguous.
There is a significant gap in developing comprehensive cyber threat ontologies.
Abstract
Cyber threat intelligence is the provision of evidence-based knowledge about existing or emerging threats. Benefits from threat intelligence include increased situational awareness, efficiency in security operations, and improved prevention, detection, and response capabilities. To process, correlate, and analyze vast amounts of threat information and data, and to derive intelligence that can be shared and consumed within a meaningful time frame, it is necessary to use structured, machine-readable formats that incorporate the expressivity the industry requires while remaining unambiguous. To a large extent, this is achieved with technologies like ontologies, schemas, and taxonomies. This research evaluates the coverage and high-level conceptual expressivity of cyber-threat-intelligence-relevant ontologies, sharing standards, and taxonomies pertaining to the who, what, why, where, when, and…
