
Towards augmented proactive cyberthreat intelligence.

Authors :
Khan, Tanveer
Alam, Masoom
Akhunzada, Adnan
Hur, Ali
Asif, Muhammad
Khan, Muhammad Khurram
Source :
Journal of Parallel & Distributed Computing. Feb 2019, Vol. 124, p47-59. 13p.
Publication Year :
2019

Abstract

In cyber crimes, attackers are becoming more inventive with their exploits and use more sophisticated techniques to bypass the deployed security system. These attacks are targeted and are commonly referred to as Advanced Persistent Threats (APTs). The currently available techniques to tackle these attacks are mostly reactive and signature based. Security Information and Event Management (SIEM), a proactive approach, is the best solution. However, the major problem with SIEM is tackling huge amounts of data in real time, which makes it a time-consuming and tedious task for the security analyst. The use of threat intelligence caters to this issue by prioritizing the level of threat. In this paper, we assign a risk score and a confidence value to each feed generated at our product, the "T-Eye platform". On the basis of these values, we assign a severity score to each feed type. The severity score assigns a level to the threat, i.e., it prioritizes the threat. The results we achieved for prioritizing threats are more apparent and accurate. In addition, we optimize the rules of IBM QRadar by using threat feeds generated at the T-Eye platform. Furthermore, the huge amount of false positive alarms generated at IBM QRadar is reduced to a certain extent.

Highlights
• Proposed a platform for threat intelligence along with a threat intelligence application integrated with IBM QRadar, and classified the feeds on the basis of types of attack.
• Calculated the risk score for each feed by taking into account severity, progression level, asset value and threat relevance.
• Calculated the confidence value for each feed by using external sources, volume of traffic and aging of the traffic.
• Optimized the rules of IBM QRadar using threat intelligence feeds.
• Reduced false positive alarms of IBM QRadar to an acceptable level.

[ABSTRACT FROM AUTHOR]
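The abstract names the inputs of the two scores (severity, progression level, asset value and threat relevance for the risk score; external sources, traffic volume and aging for the confidence value) but not how they are combined. The block below is an added example, not code from the T-Eye platform or the authors: it shows one way such a scheme can be built, with a weighted risk score, a confidence value that decays with age and saturates with corroboration and volume, a priority per entry, a severity level per feed type, and a filter that yields only the indicators worth pushing into a SIEM reference set so that low-confidence entries do not fire correlation rules. The weights, caps, half-life, level thresholds and sample feed entries are all assumptions made for illustration.

```python
"""Threat-feed prioritisation: risk score, confidence value, severity level.

Added example, not the T-Eye platform's code. Weights, caps, half-life, level
thresholds and the sample feed entries are assumptions made for illustration;
the paper's own formulas are not reproduced on this page.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed weights (each set sums to 1.0).
RISK_WEIGHTS = {"severity": 0.35, "progression": 0.25,
                "asset_value": 0.25, "relevance": 0.15}
CONF_WEIGHTS = {"sources": 0.5, "volume": 0.3, "aging": 0.2}
SOURCE_CAP = 3         # corroboration saturates at three external sources
VOLUME_CAP = 1000      # hits at which the traffic-volume term saturates
HALF_LIFE_DAYS = 7.0   # aging: the term halves for every week without a sighting
# Assumed thresholds on priority = risk_score * confidence (0..100), most severe first.
LEVELS = (("critical", 70.0), ("high", 40.0), ("medium", 20.0), ("low", 0.0))


@dataclass(frozen=True)
class FeedEntry:
    indicator: str
    feed_type: str          # classification by attack type
    severity: int           # 1..5, impact of the technique behind the feed
    progression: int        # 1..5, kill-chain stage the indicator belongs to
    asset_value: int        # 1..5, value of the asset it was observed against
    relevance: float        # 0..1, how applicable the threat is to our estate
    external_sources: int   # number of external feeds corroborating it
    hits: int               # volume of traffic that matched the indicator
    last_seen: datetime     # last sighting, drives the aging term


def risk_score(e: FeedEntry) -> float:
    """Weighted combination of severity, progression, asset value, relevance: 0..100."""
    parts = {"severity": (e.severity - 1) / 4,        # rescale 1..5 to 0..1
             "progression": (e.progression - 1) / 4,
             "asset_value": (e.asset_value - 1) / 4,
             "relevance": e.relevance}
    return round(100 * sum(RISK_WEIGHTS[k] * v for k, v in parts.items()), 2)


def confidence(e: FeedEntry, now: datetime) -> float:
    """Combination of external corroboration, traffic volume and aging: 0..1."""
    sources = min(e.external_sources, SOURCE_CAP) / SOURCE_CAP
    volume = min(math.log1p(e.hits) / math.log1p(VOLUME_CAP), 1.0)  # log scale
    age_days = max((now - e.last_seen).total_seconds() / 86400.0, 0.0)
    aging = 0.5 ** (age_days / HALF_LIFE_DAYS)                       # exponential decay
    return (CONF_WEIGHTS["sources"] * sources + CONF_WEIGHTS["volume"] * volume
            + CONF_WEIGHTS["aging"] * aging)


def priority(e: FeedEntry, now: datetime) -> float:
    """Risk discounted by how much the feed entry can be trusted."""
    return risk_score(e) * confidence(e, now)


def level_for(score: float) -> str:
    return next(name for name, threshold in LEVELS if score >= threshold)


def prioritise(entries, now):
    """Rank entries highest priority first as (indicator, priority, level)."""
    ranked = [(e.indicator, priority(e, now), level_for(priority(e, now))) for e in entries]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def feed_type_levels(entries, now):
    """Severity level per feed type, from the highest-priority entry of that type."""
    best = {}
    for e in entries:
        best[e.feed_type] = max(best.get(e.feed_type, 0.0), priority(e, now))
    return {t: level_for(p) for t, p in best.items()}


def reference_set(entries, now, min_level="high"):
    """Indicators at or above min_level: the ones worth loading into a SIEM reference
    set, so stale or uncorroborated entries do not trigger correlation rules."""
    rank = {name: i for i, (name, _) in enumerate(LEVELS)}   # lower index = more severe
    return [e.indicator for e in entries
            if rank[level_for(priority(e, now))] <= rank[min_level]]


# Constructed sample data (not from the paper).
SAMPLE_NOW = datetime(2019, 2, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    # fresh, fully corroborated C2 address seen against a high-value asset
    FeedEntry("198.51.100.7", "malware_c2", 5, 4, 5, 1.0, 3, 1000, SAMPLE_NOW),
    # week-old phishing domain with a single corroborating source
    FeedEntry("example-phish.invalid", "phishing", 3, 3, 3, 0.8, 1, 1000,
              SAMPLE_NOW - timedelta(days=7)),
    # stale, uncorroborated scanner with no recent traffic
    FeedEntry("203.0.113.22", "scanner", 2, 1, 2, 0.5, 0, 0,
              SAMPLE_NOW - timedelta(days=14)),
]
```

With the sample data, `prioritise(SAMPLE_ENTRIES, SAMPLE_NOW)` puts the C2 address first (priority 93.75, critical), the phishing domain second (about 30.9, medium) and the scanner last (about 1.1, low), and `reference_set` with the default `min_level="high"` keeps only the C2 address, which is the mechanism by which a feed-driven reference set cuts the alarms a rule raises. The aging half-life and the caps are the knobs a team would tune against its own data.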

Details

Language :
English
ISSN :
07437315
Volume :
124
Database :
Academic Search Index
Journal :
Journal of Parallel & Distributed Computing
Publication Type :
Academic Journal
Accession number :
133216694
Full Text :
https://doi.org/10.1016/j.jpdc.2018.10.006