Cyber Threat Intelligence (CTI) is a crucial component of the ARCADIAN-IoT framework. The objective of the CTI component is to gather, produce, analyze, and share information related to cyber threats and attacks in the Internet of Things (IoT) domain, where end devices might be severely impacted. The information is generally presented in the form of Indicators of Compromise (IoCs), which other organizations can use to detect similar attacks or to analyze new security incidents.
RISE is building an IoT-specific CTI system based on the open-source Malware Information Sharing Platform (MISP). MISP orchestrates the parsing, formatting, and sharing of threat information, the generation of IoCs, and the fetching of external feeds into the CTI platform. The IoT-specific CTI will have additional features missing in MISP, such as automated IoC filtering and analysis and smart IoC sharing, which are essential for IoT environments. The CTI platform will also have federated ML-based models to enable the sharing of IoCs in a privacy-preserving manner.
The components of the IoT-specific CTI include the MISP core, IoT IDS event parsing and formatting, IoC aggregation, and ML model manager. The MISP core is the CTI engine that provides the primary features of threat data gathering and sharing. The IoT IDS event parsing and formatting component aggregates and analyzes IDS events from IoT devices to generate and share IoT-specific IoCs. The IoC aggregation component pre-processes existing IoT vulnerability databases and converts the information into IoC format. The ML model manager integrates the functionalities provided by the Federated AI component into the CTI, enabling privacy preservation while sharing threat information.
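As an added illustration of the IDS event parsing and formatting path described above (example code written for this summary, not ARCADIAN-IoT's or MISP's own implementation; the event field names, the filtering rule and the sample alerts are assumptions): it drops internal addresses, aggregates alerts into ranked IoCs and emits them in MISP's Event/Attribute JSON layout.

```python
import ipaddress
import json
from collections import defaultdict
# Constructed IDS events (JSON lines) from IoT devices; the field names are an
# assumption for this example, not a format defined by ARCADIAN-IoT or MISP.
SAMPLE_EVENTS = """\
{"device": "cam-01", "src_ip": "203.0.113.7", "sig": "Mirai scanner", "sha256": null}
{"device": "cam-02", "src_ip": "203.0.113.7", "sig": "Mirai scanner", "sha256": null}
{"device": "cam-01", "src_ip": "10.0.0.5", "sig": "Internal scan", "sha256": null}
{"device": "lock-03", "src_ip": "198.51.100.9", "sig": "Telnet brute force", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
"""

# Automated IoC filtering: RFC 1918, loopback, link-local and multicast addresses are never shared.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_shareable_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def aggregate_iocs(events_text):
    # Collapse raw alerts into candidate IoCs keyed by (MISP type, value), counting
    # sightings and distinct reporting devices so an analyst can rank them.
    iocs = defaultdict(lambda: {"sightings": 0, "devices": set(), "sigs": set()})
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        candidates = []
        if is_shareable_ip(ev["src_ip"]):
            candidates.append(("ip-src", ev["src_ip"]))
        if ev.get("sha256"):
            candidates.append(("sha256", ev["sha256"]))
        for key in candidates:
            iocs[key]["sightings"] += 1
            iocs[key]["devices"].add(ev["device"])
            iocs[key]["sigs"].add(ev["sig"])
    return iocs

def to_misp_event(iocs, info="IoT IDS aggregated IoCs"):
    # MISP's Event JSON layout: Event -> Attribute list (type/category/value/to_ids).
    attrs = [{"type": t, "category": "Network activity" if t == "ip-src" else "Payload delivery",
              "value": v, "to_ids": True,
              "comment": "%d sightings on %d device(s): %s" % (
                  m["sightings"], len(m["devices"]), ", ".join(sorted(m["sigs"])))}
             for (t, v), m in sorted(iocs.items())]
    return {"Event": {"info": info, "Attribute": attrs}}
```

The `comment` field carries the sighting and device counts so a receiving organization can weigh an indicator seen on many devices above a one-off alert.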
In ARCADIAN-IoT, the CTI component is evaluated against the following KPIs: support for common IoC sources and formats, the ability for at least two stakeholders to receive shared data, promotion of IoT threat data sharing in the EU while respecting privacy and data regulations, and enabling an automated and privacy-preserving CTI approach.
Although CTI technologies, tools, and best practices are well established, automated processing of CTI platforms is still an evolving area, especially in critical sectors such as healthcare, banking, energy, and transportation. Despite the growth of IoT, there is still a lack of maturity in CTI focused on IoT, with most current CTI platforms focusing on standard internet hosts.
In conclusion, the CTI component of the ARCADIAN-IoT framework provides a crucial instrument for gathering, analyzing, and sharing information related to cyber threats and attacks in the IoT domain.