Leveraging Cyber Threat Intelligence in Smart Devices

DOI: 10.4018/978-1-6684-5991-1.ch003

Abstract

The pervasiveness of smart devices, i.e., components equipped with feedback loops, sensing, and telecommunications for remote management, brings interesting research opportunities for incorporating contextual cybersecurity information through cyber threat intelligence (CTI). This approach enriches analysis by aggregating contextual information gathered from a myriad of unstructured data sources such as application logs, sensing data, blog posts, selected Internet-based commentary on security, vulnerability reports, and a host of other sources. The main difficulty regarding CTI is how best to integrate such data into the design of protective measures. This chapter discusses ways of leveraging CTI across the myriad of smart devices present in cyber-physical systems and the Internet of Things, with applications to the smart grid and smart buildings. The author showcases the use of CTI in smart environments and shows how to incorporate and integrate data from multiple sources directly into the analysis effort. The chapter ends with research perspectives and future work.
Chapter Preview

Introduction

Modern critical infrastructure is highly interconnected and data intensive. Providing continuous operation to a range of stakeholders across such a large attack surface demands a strong cybersecurity posture. Analysts and security officers at the edge of the infrastructure must trace and monitor both failures and violations perpetrated by malicious actors in order to enhance protective measures. However, the staggering number of components, services, and devices that participate in this environment and feed data into information management systems is simply overwhelming. These difficulties require system analysts and response teams to react quickly to events and alarms. The job of these domain experts with a focus on cybersecurity involves working through multiple data sources to identify and thwart cyber-attacks before they propagate any further. The problem is compounded by the sheer number of data sources, namely application logs from intrusion detection systems and firewalls, external and internal data feeds, and other information sources that must be considered when assessing risk or determining whether a breach has occurred.

This reflects today's societal objective of providing seamless services to customers who connect to critical infrastructure. Coordination systems exchange messages and collect data instantaneously, allowing devices to be controlled remotely and machinery to be operated unbounded by geographical barriers. It is worth mentioning that enterprise information systems are now expected to retain large volumes of longitudinal data originating from a plethora of systems, because such data may be indicative of malicious incursions lurking in the infrastructure. A further issue is the class of sophisticated security threats that aim to destabilize systems and cause disruptions leading to damage and financial loss, among other substantial consequences.

Those are precisely the main reasons why one must combine efforts and incorporate cyber threat intelligence (CTI) directly into analysis. This approach sits between the continuous outputs of smart systems and the modelling/analysis efforts and tools, bringing technicians, domain experts, and managers together to address cybersecurity problems jointly. Working together, these professionals can greatly enrich analysis procedures by complementing observed cyber-attacks with context and with relevant events, gathered from outside sources, that belong to the timeline of a malicious incursion. This body of contextual information, gathered not only from specific systems but from elsewhere on the Internet, may clarify the picture and produce a systematic analysis panorama of cyber-attacks.

CTI has the potential to assist cybersecurity officers in making timely decisions on the available data and to help improve the cybersecurity posture and defenses of organizations. For instance, they might employ CTI-related knowledge to anticipate attacks, recover from attacks, highlight weaknesses, understand ‘under attack’ situations, and prepare for malicious incursions before they propagate into sub-systems. Intelligence, in smart contexts, also accommodates accountability, non-repudiation, forensic analysis, and privacy preservation concerns.

Undoubtedly, in smart infrastructure there is a trade-off between cybersecurity measures, personal liberties, and convenience. The chapter gives an overview of smart infrastructure concepts, of CTI and threat hunting, and an introduction to modelling using standardized models. It discusses how to map modelling primitives onto a setting under observation and then how to incorporate relevant data directly into those models. Once defined, analysts may share the models with trusted counterparts (Burger et al., 2014), fostering discussion about how adding intelligence features to complex analysis scenarios may help prevent cyber-attacks.

Intelligence is of interest not only to companies but also to governments. For instance, the UK government endorses threat hunting combined with CTI through the publication of a booklet detailing how organizations of any size can profit from it (Digital, Data & Technology – UK, 2022). The author has identified that an integrated approach, one that exploits the synergy of combining these CTI ideas, is still missing. This chapter aims to bridge that gap and offer cybersecurity analysts and managers a comprehensive vision of how, when, and where to employ CTI and enriched STIX™ models in comprehensive analysis sessions. The author outlines current research on CTI in smart contexts and discusses the inherent trade-offs, concerns, future research, and perspectives.
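As an added illustration (not code from the chapter or its author), the following Python sketch shows one concrete way to carry a smart-building gateway's firewall log into a STIX 2.1 model and enrich it with an external feed: an Indicator is created for each address the feed reports, and only where the local log actually confirms traffic from that address are ipv4-addr observables, an Observed Data object and a Sighting added to tie the external claim to local evidence. The log format, the host name `gw-bldg-7`, the addresses (taken from RFC 5737 documentation ranges and private space) and the feed entry are all constructed for the example; only the standard library is used.

```python
"""Mapping device log lines onto STIX 2.1 objects (added example, stdlib only).
The log format, host names, addresses and the CTI feed entry below are
constructed for illustration and are not taken from the chapter."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: firewall log of a smart-building gateway (assumed format).
# 502/tcp is Modbus, a common protocol for building and grid controllers.
SAMPLE_LOG = """\
2023-03-01T10:15:02Z gw-bldg-7 fw DROP src=203.0.113.7 dst=10.20.0.15 dport=502 proto=tcp
2023-03-01T10:15:09Z gw-bldg-7 fw DROP src=203.0.113.7 dst=10.20.0.16 dport=502 proto=tcp
2023-03-01T10:16:44Z gw-bldg-7 fw ACCEPT src=10.20.0.2 dst=10.20.0.15 dport=502 proto=tcp
"""

# Hypothetical entry from an external CTI feed: an address reported for scanning.
FEED_BAD_IPS = {"203.0.113.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Namespace used by STIX 2.1 for deterministic (UUIDv5) observable identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def stix_ts(dt):
    """STIX timestamp: RFC 3339 in UTC with millisecond precision."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def sco_id(obj_type, contributing):
    """Deterministic id for an observable from its id-contributing properties."""
    name = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{obj_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, name)}"


def parse_log(text):
    """Parse lines matching the assumed format into dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def build_bundle(log_text, bad_ips, now=None):
    """One Indicator per feed address; Observed Data + Sighting only where the log confirms it."""
    created = stix_ts(now or datetime.now(timezone.utc))
    events = parse_log(log_text)
    objects = []
    for ip in sorted(bad_ips):
        indicator = {
            "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": created, "modified": created,
            "name": f"Address reported by external feed: {ip}",
            "indicator_types": ["malicious-activity"],
            "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
            "valid_from": created,
        }
        objects.append(indicator)
        hits = [e for e in events if e["src"] == ip]
        if not hits:
            continue  # feed entry with no local evidence: indicator only, no sighting
        addr_refs = []
        for addr in sorted({h["src"] for h in hits} | {h["dst"] for h in hits}):
            objects.append({"type": "ipv4-addr", "spec_version": "2.1",
                            "id": sco_id("ipv4-addr", {"value": addr}), "value": addr})
            addr_refs.append(objects[-1]["id"])
        observed = {
            "type": "observed-data", "spec_version": "2.1", "id": f"observed-data--{uuid.uuid4()}",
            "created": created, "modified": created,
            "first_observed": stix_ts(min(h["ts"] for h in hits)),
            "last_observed": stix_ts(max(h["ts"] for h in hits)),
            "number_observed": len(hits), "object_refs": addr_refs,
        }
        sighting = {
            "type": "sighting", "spec_version": "2.1", "id": f"sighting--{uuid.uuid4()}",
            "created": created, "modified": created, "count": len(hits),
            "sighting_of_ref": indicator["id"], "observed_data_refs": [observed["id"]],
        }
        objects += [observed, sighting]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def count_by_type(bundle):
    """Object counts per STIX type, a quick sanity check before sharing a bundle."""
    counts = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts
```

Running `json.dumps(build_bundle(SAMPLE_LOG, FEED_BAD_IPS), indent=2)` produces a bundle with one Indicator, three ipv4-addr observables, one Observed Data spanning the two DROP events and one Sighting with `count` 2; an address that the feed reports but the gateway never saw yields an Indicator and nothing else, which is the distinction between an external claim and locally confirmed intelligence that the chapter's analysis sessions rely on. The observable ids are derived with UUIDv5 from the `value` property, as STIX 2.1 recommends, so two analysts mapping the same address produce the same id and their bundles can be merged without duplicates.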
