
Threat Intelligence

Featuring 8 Papers as of March 26, 2018

  • Evaluation of Comprehensive Taxonomies for Information Technology Threats (STI Graduate Student Research)
    by Steven Launius - March 26, 2018

    Categorization of all information technology threats can improve communication of risk for an organization’s decision-makers who must determine the investment strategy of security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats poses a direct risk of damaging an organization’s operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates categorization techniques of information technology threats to nontechnical decision-makers through a qualitative review of grouping methods for published threat taxonomies could remedy the situation.


  • CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey (Analyst Paper)
    by Dave Shackleford - February 5, 2018

    The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.


  • Cyber Threat Intelligence Support to Incident Handling (STI Graduate Student Research)
    by Brian Kime - November 17, 2017

    Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics and incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations (tactical, operational, and strategic) and during each phase of the incident response lifecycle (preparation; detection and analysis; containment, eradication, and recovery; and lessons learned). CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident, and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning.


  • Data Mining in the Dark: Darknet Intelligence Automation (STI Graduate Student Research)
    by Brian Nafziger - November 17, 2017

    Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common; however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence include using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework.


  • Triaging Alerts with Threat Indicators
    by Gregory Pickett - August 25, 2017

    Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don't know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn't enough time to get to them all. What if analysts could skip over those alerts that aren't a threat and just focus their time on those that are? If they were able to do that, they just might have enough time in the day to get through all of them. The answer to this question is Threat Indicators. Using past behavior, as measured by Threat Indicators, security analysts can determine how likely it is that an adversary in an alert is a threat. Those that are less threatening can then be skipped over in favor of those that are, allowing an analyst to get through their alerts much more quickly. It may even be quick enough for them to get through them all. This paper explores the use of Threat Indicators through both theory and practice. Finally, it will measure its success through its use in the analysis of actual alerts to determine how effective this approach is in identifying threats and, through this identification, whether or not analysts are able to get through their alerts more quickly.


  • The Conductor Role in Security Automation and Orchestration
    by Murat Cakir - August 22, 2017

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day, and automating any part of their daily routines is considered helpful. Ultimately, fast creation of malware variants produces different Indicators of Compromise (IOCs), and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation in the Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling, along with practical examples. It also describes how they can fail or can be systematically forced to fail when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling of specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who knows "when and how to use the baton" to accept, modify or reject any part of the automated flow.


  • Artificial Intelligence and Law Enforcement
    by John Wulff - August 21, 2017

    After the 9/11 terrorist attacks against the United States, the law enforcement and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for information dissemination was State Fusion Centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) is the preferred technology for analyzing data to recognize behavioral patterns and create a method for the sharing of data in the fight against crime and terrorism. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. The use of AI can directly affect the cost of operations. Criminal activity locations can be predicted by AI so that equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development and testing of these applications so that the options available to law enforcement and the intelligence communities can be increased.


  • Threat Intelligence: Planning and Direction (STI Graduate Student Research)
    by Brian Kime - March 29, 2016

    Many celebrated leaders like Ben Franklin and Winston Churchill have said, in various forms, “Failing to plan is planning to fail.”


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.