Semi-Automated Cyber Threat Intelligence
The industry is losing ground against the cybercriminals and we need a game changer. The main goal of the ACT project is to develop a platform for digital threat intelligence to predict and uncover targeted cyberattacks, electronic espionage and sabotage.
The ACT platform is now available on GitHub: https://github.com/mnemonic-no/act-platform
Time for a game changer
For years, we have built perimeter and point security solutions for protection against cyberattacks based on two wrong assumptions:
- Detection can only happen after or at best during an attack.
- Cyberattacks succeed only due to a bug or misconfiguration.
With the development of sophisticated, targeted, human-driven cyberattacks, this approach has been proven wrong. The demand for digital threat intelligence has increased with the knowledge of successful data breaches. The ACT project will develop new algorithms and a new platform for cyber threat intelligence.
PREDICTION
Have the ability to predict:
- Attribution
- Timing
- Characteristics
- Victim
OPEN SOURCE
The platform will:
- Be developed as open source
- Unite the fight against cybercrime
ORCHESTRATING COUNTERMEASURES
Have cross-platform support for automatic:
- Detection capabilities
- Prevention capabilities
So why? What's the challenge?
The demand for threat information that results in well-defined actions with as much automation as possible grows exponentially. However, the threat information comes in all kinds of formats and from sources of variable credibility. In addition, sharing threat data across private and public industry can be challenging.
These are the main areas to be covered:
- Mastering the challenges related to sharing, storage and administration of structured data together with unstructured data streams such as email, web and Twitter.
- Cross-industry sharing, including between the private and public sectors.
- Interfacing with current technology, including automation for instant countermeasures.
- Prediction of attribution, when, how, victim and why.
Innovation
For effective analysis, high-quality statistics and reporting, access to correct data sources is critical. Automated data collection from open and closed sources, including sources and information that are not available today, will provide a tremendous improvement in the underlying data set. The main innovations will be:
- New algorithms for automated analysis of collected data across systems and companies.
  Effect: more attacks detected, real-time detection of attacks and more precise results.
- New algorithms for identification of threat actors and attack campaigns.
  Effect: new opportunities for criminal prosecution.
- Automated exchange of analysis results between private and public industry.
  Effect: prevention of attacks and incidents.
- Industry- and business-specific reports and trend analysis.
  Effect: actionable reports tailored for specific sectors, businesses or enterprises.
Approach
There are a number of standards, solutions and initiatives for digital threat intelligence.
- Trusted Automated Exchange of Indicator Information (TAXII)
- Cyber Observable Expression (CybOX)
- Structured Threat Information Expression (STIX)
These are representative standards for automatic sharing of cyber threat information. However, they solve only a portion of the challenges related to threat intelligence. Initially, we have representatives from law enforcement, defense, finance, energy and academia supporting the project. Through their support, we aim to solve the real challenges.
Project management
The project management and main owner of the Semi-Automated Cyber Threat Intelligence research project is mnemonic, which will deliver 60% of the resources to the project. The remaining 40% is delivered by the partners below.
Research partners
Partners to the Semi-Automated Cyber Threat Intelligence (ACT) project:
- The University of Oslo
- The Norwegian University of Science and Technology (NTNU) at Gjøvik
- The Norwegian National Security Authority (NSM)
- Nordic Financial CERT
- KraftCERT