Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence
This addresses the challenge of manual effort in threat hunting for cybersecurity professionals, though it appears incremental by integrating OSCTI into existing frameworks.
The paper tackles the problem of inefficient log-based cyber threat hunting by proposing ThreatRaptor, a system that uses open-source Cyber Threat Intelligence (OSCTI) to automate query construction and execution, demonstrating accuracy and efficiency in evaluations on attack cases.
Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.