{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,8,1]],"date-time":"2024-08-01T23:32:13Z","timestamp":1722555133943},"reference-count":36,"publisher":"Association for Computing Machinery (ACM)","issue":"1","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2022,3,31]]},"abstract":"For a strong, collective defense in the digital domain, we need to produce, consume, analyze, and share cyber threat intelligence. With an increasing amount of available information, we need automation to ensure adequate efficiency. We present the results from a questionnaire investigating the use of standards and standardization and how practitioners share and use cyber threat intelligence (CTI). We propose a strict data model for CTI that enables consumption of all relevant data, data validation, and analysis of consumed content. The main contribution of this article is insight into how CTI is shared and used by practitioners, and the strictness of the data model that enforces input of information and enables automation and deduction of new knowledge.<\/jats:p>","DOI":"10.1145\/3458027","type":"journal-article","created":{"date-parts":[[2021,4,16]],"date-time":"2021-04-16T00:47:40Z","timestamp":1618534060000},"page":"1-22","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Investigating Sharing of Cyber Threat Intelligence and Proposing A New Data Model for Enabling Automation in Knowledge Representation and Exchange"],"prefix":"10.1145","volume":"3","author":[{"given":"Siri","family":"Bromander","sequence":"first","affiliation":[{"name":"mnemonic\/University of Oslo, Oslo, Norway"}]},{"given":"Morton","family":"Swimmer","sequence":"additional","affiliation":[{"name":"Trend Micro Research, Munich, Germany"}]},{"given":"Lilly 
Pijnenburg","family":"Muller","sequence":"additional","affiliation":[{"name":"King\u2019s College, London, United Kingdom"}]},{"given":"Audun","family":"J\u00f8sang","sequence":"additional","affiliation":[{"name":"University of Oslo, Norway"}]},{"given":"Martin","family":"Eian","sequence":"additional","affiliation":[{"name":"mnemonic, Oslo, Norway"}]},{"given":"Geir","family":"Skj\u00f8tskift","sequence":"additional","affiliation":[{"name":"mnemonic, Oslo, Norway"}]},{"given":"Fredrik","family":"Borg","sequence":"additional","affiliation":[{"name":"mnemonic, Oslo, Norway"}]}],"member":"320","published-online":{"date-parts":[[2021,10,22]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"NATO Standard AJP. 2016. 2.0 Allied joint doctrine for intelligence counterintelligence and security doctrine."},{"key":"e_1_3_2_3_2","volume-title":"The OpenCTI Platform","year":"2019","unstructured":"ANSSI, Luatix, and CERT-EU. 2019. The OpenCTI Platform. Retrieved August 7, 2021 from https:\/\/github.com\/OpenCTI-Platform."},{"key":"e_1_3_2_4_2","unstructured":"Sean Barnum. 2012. Standardizing Cyber Threat Intelligence Information with the Structured Threat Information Expression (STIX\u2122) . Technical Paper. MITRE Corporation."},{"key":"e_1_3_2_5_2","article-title":"The Pyramid of Pain","author":"Bianco David","year":"2014","unstructured":"David Bianco. 2014. The Pyramid of Pain. Retrieved August 7, 2021 from http:\/\/detect-respond.blogspot.no\/2013\/03\/the-pyramid-of-pain.html.","journal-title":"http:\/\/detect-respond.blogspot.no\/2013\/03\/the-pyramid-of-pain.html."},{"issue":"1","key":"e_1_3_2_6_2","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1186\/s42400-018-0017-4","article-title":"Graph-based visual analytics for cyber threat intelligence","volume":"1","author":"B\u00f6hm Fabian","year":"2018","unstructured":"Fabian B\u00f6hm, Florian Menges, and G\u00fcnther Pernul. 2018. Graph-based visual analytics for cyber threat intelligence. 
Cybersecurity 1, 1 (2018), 16.","journal-title":"Cybersecurity"},{"key":"e_1_3_2_7_2","article-title":"Questionnaire: Sharing Cyber Threat Intelligence","author":"Bromander Siri","year":"2019","unstructured":"Siri Bromander. 2019. Questionnaire: Sharing Cyber Threat Intelligence. Retrieved August 7, 2021 from https:\/\/github.com\/sbrom\/sharingCTI\/.","journal-title":"https:\/\/github.com\/sbrom\/sharingCTI\/."},{"key":"e_1_3_2_8_2","first-page":"74","volume-title":"Proceedings of the 11th International Conference on Semantic Technology for Intelligence, Defense, and Security","author":"Bromander Siri","year":"2016","unstructured":"Siri Bromander, Audun J\u00f8sang, and Martin Eian. 2016. Semantic cyberthreat modelling. In Proceedings of the 11th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS\u201916). 74\u201378."},{"key":"e_1_3_2_9_2","first-page":"493\u2013XII","volume-title":"Proceedings of the International Conference on Cyber Warfare and Security","author":"Bromander Siri","year":"2020","unstructured":"Siri Bromander, Lilly Pijnenburg Muller, Martin Eian, and Audun J\u00f8sang. 2020. Examining the \u201cknown truths\u201d in cyber threat intelligence\u2014The case of STIX. In Proceedings of the International Conference on Cyber Warfare and Security. 493\u2013XII."},{"key":"e_1_3_2_10_2","volume-title":"The Diamond Model of Intrusion Analysis","author":"Caltagirone Sergio","year":"2013","unstructured":"Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. 2013. The Diamond Model of Intrusion Analysis. Technical Report. DTIC Document."},{"key":"e_1_3_2_11_2","volume-title":"Threat Intelligence: Collecting, Analysing, Evaluating.","author":"Chismon D.","year":"2015","unstructured":"D. Chismon and M. Ruks. 2015. Threat Intelligence: Collecting, Analysing, Evaluating.Technical Report. MWR InfoSecurity, London, UK."},{"key":"e_1_3_2_12_2","article-title":"What Is an SME? 
Retrieved August 7, 2021 from","author":"Commission European","year":"2019","unstructured":"European Commission. 2019. What Is an SME? Retrieved August 7, 2021 fromhttps:\/\/ec.europa.eu\/growth\/smes\/business-friendly-environment\/sme-definition_en.","journal-title":"https:\/\/ec.europa.eu\/growth\/smes\/business-friendly-environment\/sme-definition_en."},{"key":"e_1_3_2_13_2","article-title":"The Cybersecurity Workforce Gap","author":"Crumpler William","year":"2019","unstructured":"William Crumpler and James A. Lewis. 2019. The Cybersecurity Workforce Gap. Retrieved August 7, 2021 from https:\/\/csis-website-prod.s3.amazonaws.com\/s3fs-public\/publication\/190129_Crumpler_Cybersecurity_FINAL.pdf.","journal-title":"https:\/\/csis-website-prod.s3.amazonaws.com\/s3fs-public\/publication\/190129_Crumpler_Cybersecurity_FINAL.pdf."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132218.3132219"},{"key":"e_1_3_2_15_2","volume-title":"Traffic Light Protocol","author":"ORG FIRST","year":"2019","unstructured":"FIRST ORG. 2019. Traffic Light Protocol (TLP). Retrieved August 7, 2021 from https:\/\/www.first.org\/tlp\/."},{"key":"e_1_3_2_16_2","article-title":"Definition: Threat Intelligence","year":"2013","unstructured":"Gartner. 2013. Definition: Threat Intelligence. Retrieved August 7, 2021 from https:\/\/www.gartner.com\/en\/documents\/2487216\/definition-threat-intelligence.","journal-title":"https:\/\/www.gartner.com\/en\/documents\/2487216\/definition-threat-intelligence."},{"key":"e_1_3_2_17_2","article-title":"Global Industry Classification Standard","author":"Global S&P","year":"2018","unstructured":"S&P Global. 2018. Global Industry Classification Standard. 
Retrieved August 7, 2021 from https:\/\/www.spglobal.com\/marketintelligence\/en\/documents\/112727-gics-mapbook_2018_v3_letter_digitalspreads.pdf.","journal-title":"https:\/\/www.spglobal.com\/marketintelligence\/en\/documents\/112727-gics-mapbook_2018_v3_letter_digitalspreads.pdf."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.websem.2014.06.004"},{"key":"e_1_3_2_19_2","doi-asserted-by":"crossref","first-page":"439","DOI":"10.1007\/978-3-319-54395-6_53","volume-title":"The Palgrave Handbook of Survey Research","author":"Krosnick Jon A.","year":"2018","unstructured":"Jon A. Krosnick. 2018. Questionnaire design. In The Palgrave Handbook of Survey Research. Springer, 439\u2013455."},{"key":"e_1_3_2_20_2","first-page":"91","volume-title":"Proceedings of the 2017 European Intelligence and Security Informatics Conference","author":"Mavroeidis Vasileios","year":"2017","unstructured":"Vasileios Mavroeidis and Siri Bromander. 2017. Cyber threat intelligence model: An evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence. In Proceedings of the 2017 European Intelligence and Security Informatics Conference (EISIC\u201917). IEEE, Los Alamitos, CA, 91\u201398."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3329124"},{"key":"e_1_3_2_22_2","first-page":"161","volume-title":"Proceedings of the International Conference on Trust and Privacy in Digital Business","author":"Menges Florian","year":"2019","unstructured":"Florian Menges, Christine Sperl, and G\u00fcnther Pernul. 2019. Unifying cyber threat intelligence. In Proceedings of the International Conference on Trust and Privacy in Digital Business. 161\u2013175."},{"key":"e_1_3_2_23_2","volume-title":"The MISP Platform. Retrieved August 7, 2021 from https:\/\/github.com\/MISP\/MISP.","year":"2019","unstructured":"MISP. 2019. The MISP Platform. 
Retrieved August 7, 2021 from https:\/\/github.com\/MISP\/MISP."},{"key":"e_1_3_2_24_2","article-title":"Adversarial Tactics, Techniques and Common Knowledge (ATT&CK)","year":"2019","unstructured":"MITRE. 2019. Adversarial Tactics, Techniques and Common Knowledge (ATT&CK). Retrieved August 7, 2021 from https:\/\/attack.mitre.org\/.","journal-title":"https:\/\/attack.mitre.org\/."},{"key":"e_1_3_2_25_2","article-title":"Structured Threat Information Expression (STIX\u2122) 2.0","author":"TC OASIS CTI","year":"2017","unstructured":"OASIS CTI TC. 2017. Structured Threat Information Expression (STIX\u2122) 2.0. Retrieved August 7, 2021 from https:\/\/oasis-open.github.io\/cti-documentation\/.","journal-title":"https:\/\/oasis-open.github.io\/cti-documentation\/."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-48438-9_8"},{"key":"e_1_3_2_27_2","article-title":"Nettskjema","author":"Oslo University of","year":"2019","unstructured":"University of Oslo. 2019. Nettskjema. Retrieved August 7, 2021 from https:\/\/www.uio.no\/english\/services\/it\/adm-services\/nettskjema\/.","journal-title":"https:\/\/www.uio.no\/english\/services\/it\/adm-services\/nettskjema\/."},{"key":"e_1_3_2_28_2","volume-title":"Evaluate or Die Trying: A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds","author":"Polzunov Sergey","year":"2019","unstructured":"Sergey Polzunov and Jorg Abraham. 2019. Evaluate or Die Trying: A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds. Retrieved August 7, 2021 from https:\/\/www.first.org\/resources\/papers\/london2019\/EVALUATE-OR-DIE-TRYING-Abraham-Polzunov.pdf."},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9050824"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.12.011"},{"key":"e_1_3_2_31_2","unstructured":"Clemens Sauerwein Christian Sillaber Andrea Mussmann and Ruth Breu. 2017. 
Threat intelligence sharing platforms: An exploratory study of software vendors and research perspectives."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1093\/poq\/nfj007"},{"key":"e_1_3_2_33_2","article-title":"The DML Model","author":"Stillions Ryan","year":"2014","unstructured":"Ryan Stillions. 2014. The DML Model. Retrieved August 7, 2021 from http:\/\/ryanstillions.blogspot.com\/2014\/04\/the-dml-model_21.html.","journal-title":"http:\/\/ryanstillions.blogspot.com\/2014\/04\/the-dml-model_21.html."},{"key":"e_1_3_2_34_2","unstructured":"Rebecca Vogel et\u00a0al. 2016. Closing the cybersecurity skills gap. Salus Journal 4 2 (2016) 32\u201346."},{"key":"e_1_3_2_35_2","volume-title":"Semantic Web Rule Language","year":"2004","unstructured":"W3C. 2004. Semantic Web Rule Language. Retrieved August 7, 2021 from https:\/\/www.w3.org\/Submission\/SWRL\/."},{"key":"e_1_3_2_36_2","volume-title":"RDF 1.1 Semantics","year":"2014","unstructured":"W3C. 2014. RDF 1.1 Semantics. Retrieved August 7, 2021 from https:\/\/www.w3.org\/TR\/rdf11-mt\/."},{"key":"e_1_3_2_37_2","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1145\/2994539.2994542","volume-title":"Proceedings of the 2016 ACM Workshop on Information Sharing and Collaborative Security","author":"Wagner Cynthia","year":"2016","unstructured":"Cynthia Wagner, Alexandre Dulaunoy, G\u00e9rard Wagener, and Andras Iklody. 2016. MISP: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM Workshop on Information Sharing and Collaborative Security. 
ACM, New York, NY, 49\u201356."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3458027","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T23:52:40Z","timestamp":1672617160000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3458027"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,22]]},"references-count":36,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,3,31]]}},"alternative-id":["10.1145\/3458027"],"URL":"https:\/\/doi.org\/10.1145\/3458027","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,10,22]]},"assertion":[{"value":"2020-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-03-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-10-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}