Data-Driven Threat Hunting Using Sysmon
Vasileios Mavroeidis, Audun Jøsang

TL;DR
This paper presents a threat assessment system that uses Sysmon logs and a cyber threat intelligence ontology to automatically classify software threats, enhancing situational awareness and automated response capabilities.
Contribution
It introduces a novel approach combining Sysmon data with a cyber threat intelligence ontology for automated threat classification.
Findings
Effective classification of software into threat levels
Enhanced situational awareness through automated analysis
Potential for improved automated response
Abstract
Threat actors can be persistent, motivated and agile, and leverage a diversified and extensive set of tactics and techniques to attain their goals. In response, defenders establish threat intelligence programs to stay threat-informed and lower risk. Actionable threat intelligence is integrated into security information and event management (SIEM) systems or is accessed via more dedicated tools such as threat intelligence platforms. A threat intelligence platform gives access to contextual threat information by aggregating, processing, correlating, and analyzing real-time data and information from multiple sources, and in many cases it provides centralized analysis and reporting of an organization's security events. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed, mainly…
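The abstract names Sysmon logs as the data source and an ontology-driven classifier as the consumer of those logs. As an added example (not the paper's system, nor code from the authors), the block below parses Sysmon process-creation events (Event ID 1) in the Windows Event Log XML shape that Sysmon emits, extracts the fields a classifier would use (Image, CommandLine, ParentImage, Hashes), and assigns a coarse threat level. The "ontology" here is a constructed stand-in: a hash lookup plus one parent/child heuristic. The sample events, hash values and the threat-level vocabulary (benign, unknown, suspicious, malicious) are assumptions made for the example.

```python
"""Added example: parse Sysmon Event ID 1 records and classify them.

Not the paper's classifier; the intelligence lookup and heuristic below are a
constructed stand-in for the ontology the abstract refers to.
"""
import ntpath  # basename() for Windows paths regardless of host OS
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by real Windows Event Log XML (Sysmon events use it too).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three process-creation events plus one network event
# (Event ID 3) that the parser must skip. Hash values are placeholders.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
  <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  <Data Name="CommandLine">notepad.exe report.txt</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  <Data Name="Hashes">SHA256=AAAA0000</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:01:00.000</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="CommandLine">powershell.exe -File script.ps1</Data>
  <Data Name="ParentImage">C:\Program Files\Microsoft Office\WINWORD.EXE</Data>
  <Data Name="Hashes">SHA256=CCCC1111,MD5=DDDD2222</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="DestinationIp">192.0.2.10</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:02:00.000</Data>
  <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
  <Data Name="CommandLine">update.exe</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  <Data Name="Hashes">SHA256=BADC0FFEE</Data>
 </EventData>
</Event>
</Events>"""

# Constructed stand-in for an intelligence feed keyed by SHA256 (uppercase).
KNOWN_HASHES = {"AAAA0000": "benign", "BADC0FFEE": "malicious"}

# One widely used defensive heuristic: an Office application spawning a
# script host or shell is worth an analyst's attention.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    utc_time: str
    image: str
    command_line: str
    parent_image: str
    sha256: str


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=..,MD5=..' field into {ALGO: HEX} (uppercased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def parse_sysmon_events(xml_text: str) -> list:
    """Return ProcessEvent objects for every Event ID 1 record; skip others."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(ProcessEvent(
            utc_time=data.get("UtcTime", ""),
            image=data.get("Image", ""),
            command_line=data.get("CommandLine", ""),
            parent_image=data.get("ParentImage", ""),
            sha256=parse_hashes(data.get("Hashes", "")).get("SHA256", ""),
        ))
    return events


def classify(event: ProcessEvent) -> str:
    """Intelligence match first; behavioural heuristic second; else unknown."""
    level = KNOWN_HASHES.get(event.sha256)
    if level:
        return level
    child = ntpath.basename(event.image).lower()
    parent = ntpath.basename(event.parent_image).lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return "suspicious"
    return "unknown"


def classify_all(xml_text: str) -> list:
    """(image basename, threat level) for each process-creation event."""
    return [(ntpath.basename(e.image), classify(e)) for e in parse_sysmon_events(xml_text)]


if __name__ == "__main__":
    for image, level in classify_all(SAMPLE_XML):
        print(f"{level:<10} {image}")
```

The ordering in `classify` matters: a feed match (benign or malicious) should override the heuristic so that a known-good signed binary launched from Office is not flagged, and a known-bad binary with an innocuous parent is not downgraded to "unknown". Replacing `KNOWN_HASHES` and the two name sets with lookups into a real ontology is the natural extension point.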
