
Source: folk.uio.no › josang › papers › MJ2018-ICCSP.pdf

Data-Driven Threat Hunting Using Sysmon

Vasileios Mavroeidis, University of Oslo, Norway, vasileim@ifi.uio.no

Audun Jøsang, University of Oslo, Norway, josang@ifi.uio.no

ABSTRACT

Threat actors can be persistent, motivated and agile, and they leverage a diversified and extensive set of tactics, techniques, and procedures to attain their goals. In response to that, organizations establish threat intelligence programs to improve their defense capabilities and mitigate risk. Actionable threat intelligence is integrated into security information and event management systems (SIEM), forming a threat intelligence platform. A threat intelligence platform aggregates log data from multiple disparate sources by deploying numerous collection agents and provides centralized analysis and reporting of an organization's security events for identifying malicious activity. Sysmon logs are a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed mainly focusing on search engines (NoSQL database systems). This paper presents a new automated threat assessment system that relies on the analysis of continuous incoming feeds of Sysmon logs. The system is based on a cyber threat intelligence ontology and analyses Sysmon logs to classify software in different threat levels and augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.

CCS CONCEPTS

• Security and privacy → Intrusion/anomaly detection and malware mitigation; • Computing methodologies → Ontology engineering;

KEYWORDS

cyber threat intelligence, threat assessment, sysmon, threat hunting

ACM Reference Format:
Vasileios Mavroeidis and Audun Jøsang. 2018. Data-Driven Threat Hunting Using Sysmon. In ICCSP 2018: 2018 the 2nd International Conference on Cryptography, Security and Privacy, March 16–19, 2018, Guiyang, China. ACM, Guiyang, China, 7 pages. https://doi.org/10.1145/3199478.3199490

1 INTRODUCTION

Threat Intelligence has become a priority in the cyber security operations of every security-aware organization as a way of preventing an attack or decreasing the time needed to discover an attack. In addition, cyber attacks are increasingly sophisticated, posing significant challenges for organizations that must defend their data and systems from capable threat actors. Threat actors can be persistent, motivated and agile, and they use a variety of tactics, techniques, and procedures to disrupt the confidentiality, integrity, and availability of systems and data. Given the risks of the present cyber threat landscape, it is increasingly important for organizations to focus on cyber threat intelligence and participate in threat information sharing to improve their security posture.

In a previous work [1], we discussed the importance of consuming cyber threat information aggregated from different sources for threat intelligence, and presented the Cyber Threat Intelligence (CTI) model which enables cyber defenders to explore their threat intelligence capabilities and understand their position against the ever-changing cyber threat landscape. Furthermore, in the same work, we remarked on the importance of developing a multi-layered cyber threat intelligence ontology based on the CTI model that could improve the threat detection, prioritization, and response capabilities of organizations. The results of [1] showed the lack of a comprehensive ontology readily available for use within cyber threat intelligence, although some holistic initiatives towards that goal exist [2–4]. In addition, there is a plethora of ontological approaches related to cyber security focusing on specific sub-domains, such as malware detection, vulnerability analysis and more [5–13].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. ICCSP 2018, March 16–19, 2018, Guiyang, China. © 2018 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery. ACM ISBN 978-1-4503-6361-7/18/03 . . . $15.00. https://doi.org/10.1145/3199478.3199490

Current threat detection analysis approaches include aggregation of log files in a centralized system known as security information and event management (SIEM), which performs inspections and flags anomalies. A SIEM system collects logs by deploying multiple collection agents to gather security-related events from end-user devices, servers, intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewalls, network devices such as routers and DNS servers, and more. In particular, one resource that has received considerable attention for endpoint visibility has been Sysmon, a Windows system service and device driver that monitors and logs system activity of Windows workstations. Approaches for threat detection using Sysmon have been proposed mainly focusing on search engines (NoSQL database systems) or graph databases. Although there is no relevant academic publication, a comprehensive list of related works can be found on GitHub¹.

The contribution of this paper is twofold. First, we present the Cyber Threat Intelligence Ontology (CTIO), which is based on the CTI model, and second, we introduce an alternative threat assessment system that utilizes CTIO for analyzing Sysmon logs to classify software in different threat levels (high threat, medium threat, low threat, or unknown) and augment cyber defensive capabilities through situational awareness, prediction, and automated courses of action.

¹ https://github.com/MHaggis/sysmon-dfir


ICCSP 2018, March 16–19, 2018, Guiyang, China Vasileios Mavroeidis and Audun Jøsang

The rest of the paper is organized as follows. Section 2 explains the importance of cyber threat intelligence and cyber threat information sharing in security operations and discusses how a knowledge base would enable their combination to build a strong security posture. Section 3 presents our developed cyber threat intelligence ontology and explains its applications in incident response and other security operations. Section 4 presents a threat assessment system that utilizes cyber threat intelligence for analyzing Sysmon logs. Section 5 discusses some observations regarding the threat assessment system. Section 6 concludes the paper.

2 THREAT INTELLIGENCE AND THREAT INFORMATION SHARING

Threat intelligence can be described as the aggregation, transformation, analysis, interpretation, and enrichment of threat information to provide the necessary context that can aid decision making [14]. Threat information is any information that can help an organization to protect itself against a threat or detect the activities of a threat actor. Ryan Stillions² has remarked that security teams of low detection maturity and low skills would be able to detect attacks in terms of low-level technical observations, without necessarily understanding the significance of these observations. On the other hand, security teams of high detection maturity and high skills are assumed to be able to interpret technical observations in the sense that the type of attack, the attack methods used, and possibly the identity of the attacker can be determined. Absorbing rich threat intelligence shared by teams of high capability would enable improvements in threat detection, prioritization, and response capabilities of teams of lower capability.

Threat information sharing allows one organization's detection to become another's prevention by leveraging collective knowledge, experience, and capabilities to gain a complete understanding of the threats an organization might face. Benefits of threat information sharing include greater insight into cyber threats and enhanced detective and preventive capabilities of an entire community with security teams of any maturity and skills. An organization can use shared information in many different ways, such as strategically, operationally, tactically, and technically [15].

2.1 Knowledge Base of Threat Intelligence

A knowledge base is a repository of complex structured and unstructured information that represents facts about the world. A knowledge base can evolve over time and can suitably support inference capabilities that can reason about those facts and use rules and other forms of logic to deduce new facts or highlight inconsistencies. Present threat information sharing is facilitated by several sharing standards which are based on XML or JSON (machine-readable) formats and can be seen as means of feeding threat intelligence platforms. An example is the Structured Threat Information eXpression (STIX) language which, based on a study of existing threat intelligence sharing initiatives, is currently the most used standard for sharing structured threat information [16]. Asgarli and Burger [17] remark that semantic exchange formats could be used instead of XML-based sharing formats without any features being lost in the translation. In addition, JASON [18] recommended the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.

² http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html

Threat intelligence initiatives include security products by vendors that deliver threat intelligence tied tightly with their products, which is not easily accessible outside of their products, and pure-play threat intelligence vendors that charge a subscription to access their information [19]. The latter can be a viable option, but still the information needs to be analyzed. In addition, several open source approaches exist with variable success.

In a previous work [1] we argued that an ontology representing the "full spectrum" of cyber threat intelligence would allow organizations of any size to improve their threat detection, prioritization, and response capabilities. Based on that we developed the cyber threat intelligence ontology (CTIO).

An ontology is a form of knowledge representation (knowledge base) based on well-defined semantic concepts and their relationships. The agreed vocabulary of an ontology allows information coming from different sources to be aggregated in a unique knowledge base that can leverage reasoning capabilities using formal logic to infer new information.

3 CYBER THREAT INTELLIGENCE ONTOLOGY

Part of our work was the development of a cyber threat intelligence ontology (CTIO) rich enough for consuming and representing information from several different sources, such as taxonomies, sharing standards, and domain expertise within cyber threat intelligence, with the purpose of supporting decision making. Our ontology represents knowledge (information) from low-level technical observables to high-level goals and threat actors. Concisely, CTIO includes facts about threat actors, their motivation, their goals and their strategies, specific attack patterns and procedures (tactics, techniques and procedures, TTPs), malware, general tools and infrastructures used in adversarial attacks, indicators of compromise, atomic indicators, targets, software weaknesses and vulnerabilities (identified weaknesses in specific software), and courses of action.

For developing the ontology we used the Web Ontology Language (OWL) and we followed an agile engineering approach. We created and interconnected several modular sub-ontologies based on taxonomies, such as Common Vulnerabilities and Exposures (CVE), National Vulnerability Database (NVD), Common Vulnerability Scoring System (CVSS 2.0), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Common Attack Patterns Enumerations and Characteristics (CAPEC), Threat Agent Library (TAL), Threat Agent Motivation (TAM), Adversarial Tactics, Techniques and Common Knowledge (ATT&CK); sharing standards, such as STIX 2.1 and OpenIOC; and domain expertise that allowed us to create a malware ontology and an extension of CPE that we named ExtendedCPE. A high-level diagram showing the interrelationships between the aforementioned concepts is presented in Figure 1. For additional information regarding the purpose of the aforementioned taxonomies, sharing standards and their relation to the CTI model please refer to [1].


Data-Driven Threat Hunting Using Sysmon ICCSP 2018, March 16–19, 2018, Guiyang, China

Figure 1: High-Level Relationships of Cyber Threat Intelligence Ontology

The malware and the ExtendedCPE ontologies are the two major ontologies queried in the threat assessment system (described in the next section), and they are intended to represent accurate knowledge of malicious and non-malicious software respectively. All the aforementioned ontologies are interconnected to express complete knowledge. In addition, conditions (constraints) were defined and OWL constructs are used to enable automated classification, consistency checking, and inference of new information by using a reasoner. For example, indexing software as ExtendedCPE demands that all the classification criteria of CPE be met and, additionally, that a hash be included, followed by a verification confirming that the indexed software is non-malicious. It is worth mentioning that ExtendedCPE aims to classify non-malicious software but includes software with known or unknown vulnerabilities and legitimate software that has been used by threat actors to perform attacks (browsers, vulnerability scanners, network scanners, etc.); hence ExtendedCPE supports different levels of trust for legitimate software.

The malware ontology was initially developed based on STIX 2.1 as a reference to basic objects needed and later was enriched with several new properties that would allow it to be used multi-purposely, in our case in an automated threat assessment system. For example, we included properties that would increase the possibilities of detecting malware based on information available in Sysmon logs, such as hashes and names of dynamic-link libraries that were dynamically loaded during the execution of malware.

Because of the modularity of CTIO, additional sub-ontologies can be introduced and embedded in the main ontology with low engineering complexity. Information and documentation about CTIO, as well as the ontologies themselves, can be found on GitHub³.

4 SOFTWARE THREAT ASSESSMENT SYSTEM

The second contribution of our paper is a threat assessment system (Figure 2) that utilizes CTIO for analyzing Windows Sysmon logs and classifying software (in real time) as of high threat, medium threat, low threat, or unknown based on its identified characteristics (Table 1). Thus, an organization can identify malicious activity, understand how intruders and malware operate on their network and defend against the threat.

The system handles available threat intelligence multi-purposely. Not only can it identify malware and adversarial indicators on workstations, but it also enables advanced cyber defensive capabilities through situational awareness, prediction, and descriptive or automated courses of action.

Situational awareness: Situational awareness is achieved through the evidence-based knowledge accumulated in our ontology. A simple observable such as an IP, a domain name, a hash, or even a modified registry key could be an indicator of compromise which, when queried, would allow us to see the bigger picture. For example, an identified malicious hash could provide related information about command and control (C2) servers that this malware instance has been observed connecting to or trying to connect to, the malware family that it belongs to, the campaigns that have used this malware instance or another instance of the same family, maybe the threat actor behind the identified campaign and malware, possibly the motivation and goal of the threat actor, as well as the target of the attack, such as specific industry sectors the malware and the attacker are targeting. When the scope of an incident can be determined and taken into account, response speed and effectiveness increase.

³ https://github.com/Vasileios-Mavroeidis/CTIO

Table 1: Threat Level Classification

Prediction: Threat intelligence is important for visibility into what happens inside and outside of an organization that might affect it; hence, it enables guidance on how an organization should prioritize its next actions (security operations and incident response). In terms of our threat assessment system, an identified malware or unknown software related to a known malicious attribute such as a blacklisted domain may reveal who is attacking the organization (attribution of the attack), the goal of the attack, the attack pattern related to this malware, and consequently, possibly predict the next steps of a campaign targeting the organization. Thus, detection of ongoing advanced persistent threats and anticipation of future events is possible.

Course of action: A course of action is an action taken either to prevent an attack or to respond to an attack that is in progress. Courses of action in CTIO can be described in prose or in a standardized manner that enables real-time automated and active cyber defence. For the latter, our system utilizes the OASIS "Open Command and Control" (OpenC2) language (expressed in JSON format), which enables the command and control of cyber defence components in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation. An OpenC2 command is composed of an action, a target, an optional actuator (what is executing the command), and command options, which influence how the command is to be performed. The OpenC2 language assumes that the event has been detected, a decision to act has been made, the act is warranted, and the initiator and recipient of the commands are authenticated and authorized [20].

Other advantages of this approach are the following:

• Automated consumption of updated taxonomies and threat information from different sharing standards is viable due to the open source environment of the system; thus, CTIO can be enriched in the light of new information and be up-to-date with new emerging threats.

• By analyzing Sysmon logs we can detect threats that otherwise could go undetected by traditional network intrusion detection systems and firewalls, such as encrypted traffic.

• Ontologies have inference capabilities that are beneficial for improving the quality of data integration (several different sources). Rules concentrate on defining a general mechanism for discovering and generating new relationships based on existing ones. For example, a set of rules can be created to classify new malware instances based on the malicious infrastructure they use. In addition, consistency checking is vital to avoid misclassification of data.

• More sophisticated queries can be introduced to utilize all the information available in Sysmon logs. The higher the domain expertise, the more sophisticated and precise the queries and rules can become. For example, queries can be enriched with regular expressions (like signature detection).

• The system provides considerable advantages to teams of lesser experience. The threat assessment system is automated and utilizes a knowledge base of threat intelligence, making threat hunting viable and enabling situational awareness that traditionally could only be achieved by teams of high skills and high maturity.

• The cyber threat intelligence ontology could be deployed on the cloud and could be maintained by an organization or a threat intelligence community. CTIO is accessed with REST-style SPARQL queries over HTTP (API for Apache Jena Fuseki server); thus, the software threat assessment system could be deployed massively in different organizations.

Figure 2: Architecture of Threat Assessment System



4.1 Operational Flow of the System

The system (Figure 2) aggregates Sysmon logs from Windows-based workstations and, using a parsing engine, automatically extracts attributes (features) for querying CTIO based on the event id of each log. For example, a log with "Event ID 1" provides detailed information about a newly created process. In Figure 3, we can see a "simplified" Sysmon log related to the WannaCry ransomware attack that manifested in May 2017. From this log, the system extracts the following element and attribute values: event id, computer name, username, time of the event, calculated hashes of the particular process, and command lines of both current and parent processes.

Figure 3: Sysmon Log with Event ID 1 Related to WannaCry Ransomware

Next, the system's lookup engine checks whether the extracted values have been observed and queried previously within a specific, adjustable time period, to reduce the workload of the SPARQL engine. If the process has already been classified, the system pushes the information directly to the decision-making engine and the appropriate courses of action are applied or recommended. The values that end up in the SPARQL engine become part of SPARQL queries that perform a semantic search in CTIO.

For each Sysmon log the knowledge base is queried gradually with different features (hashes, network connections, command lines for parent and current processes, registry key modifications, file creation timestamp changes, etc.) until information that allows the classification (decision-making engine) of the process is identified. In addition, the system recommends or applies courses of action (OpenC2) and presents related threat information to ensure access to the most up-to-date details and guided response steps to the detected threat, thus eliminating the time typically needed to investigate the threat manually.

If we go back to the Sysmon log in Figure 3, the extracted values are seen for the first time; thus, they become part of SPARQL queries. In Figure 4 a sequence of queries is presented. The first query checks whether an indicator of compromise exists or not in the knowledge base for a particular hash. In our case an IOC exists; thus, the system classifies the process as of high threat and proceeds by requesting related courses of action (second query). The knowledge base outputs the following automated courses of action

Figure 4: Basic queries in the SPARQL Engine

related to WannaCry ransomware, which, based on the actuator specified, call the appropriate APIs: a) allow traffic passing through a firewall for a specific domain that acts as a kill-switch, b) block C2 communications to specific .onion domains, c) for externally facing servers and systems that are not using SMB or Windows Network File Sharing capabilities, reduce the network attack surface by configuring prevention policy rules to block SMB network traffic (a best practice), d) automatically restore infected systems to a previous state (point in time). Examples of OpenC2 commands are presented in Figure 5.

Figure 5: Example OpenC2 Courses of Action for WannaCry Ransomware
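The four courses of action listed above, expressed as OpenC2 commands with the structural rule the course-of-action paragraph gives (action and target mandatory, actuator and options optional). This is an added example, not the paper's Figure 5 or code; field names follow the OpenC2 Language Specification v1.0 as I know it and may differ from the draft the paper used, and the kill-switch and .onion domain names, the hostname and the choice of the slpf (stateless packet filter) actuator are placeholders and assumptions.

```python
import json

# Vocabulary subset from the OpenC2 Language Specification v1.0 (assumption:
# the paper's draft-era Figure 5 may use different names).
ACTIONS = {"allow", "deny", "restore"}
TARGETS = {"domain_name", "ipv4_connection", "device"}
TOP_LEVEL = {"action", "target", "args", "actuator", "command_id"}


def validate(cmd):
    """Structural check as the paper describes a command: an action and
    exactly one target are mandatory; actuator and options (args) are optional."""
    if cmd.get("action") not in ACTIONS:
        raise ValueError("unknown or missing action")
    target = cmd.get("target")
    if not isinstance(target, dict) or len(target) != 1:
        raise ValueError("exactly one target is required")
    if next(iter(target)) not in TARGETS:
        raise ValueError("unknown target type")
    extra = set(cmd) - TOP_LEVEL
    if extra:
        raise ValueError("unexpected fields: %s" % sorted(extra))
    return True


def make_command(action, target, actuator=None, args=None):
    """Compose and validate one command; optional parts are only emitted when given."""
    cmd = {"action": action, "target": target}
    if actuator is not None:
        cmd["actuator"] = actuator
    if args is not None:
        cmd["args"] = args
    validate(cmd)
    return cmd


def wannacry_courses_of_action(host):
    """Courses of action (a)-(d) from the text. Domain names are placeholders;
    the slpf actuator (a firewall) and the device/restore pairing are assumptions."""
    killswitch = "KILLSWITCH-DOMAIN.example"       # placeholder, not the real domain
    c2_domains = ["C2-ONE.onion", "C2-TWO.onion"]  # placeholders
    firewall = {"slpf": {}}
    cmds = [make_command("allow", {"domain_name": killswitch}, firewall,
                         {"response_requested": "complete"})]              # (a)
    cmds += [make_command("deny", {"domain_name": d}, firewall)
             for d in c2_domains]                                          # (b)
    cmds.append(make_command("deny", {"ipv4_connection": {"protocol": "tcp",
                                                          "dst_port": 445}},
                             firewall, {"response_requested": "complete"}))  # (c) SMB
    # (d): the restore point is left to the actuator profile, which the page
    # does not specify, so no args are attached here.
    cmds.append(make_command("restore", {"device": {"hostname": host}}))   # (d)
    return cmds


def to_json(cmds):
    """Serialize commands as the JSON documents an OpenC2 consumer receives."""
    return [json.dumps(c, sort_keys=True) for c in cmds]
```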

Additionally, the system returns a single RDF graph (in triples) presenting the complete known knowledge of the identified threat (third query). In Figure 6 a high-level graph of the identified WannaCry ransomware is presented. In case of a complete lack of information related to a process, the decision-making engine will classify the process as unknown and further analysis can be performed, such as automated malware analysis.

Figure 6: High-Level RDF Graph of WannaCry Ransomware
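The operational flow of Section 4.1 end to end: a parsing engine over a constructed Sysmon Event ID 1 record, the time-windowed lookup engine, the first query of Figure 4 built as SPARQL, and the gradual feature-by-feature classification ending in "unknown". This is an added example, not the paper's code; the CTIO class and property IRIs, the Sysmon record contents and the in-memory table standing in for the Fuseki endpoint are all placeholders or constructed values.

```python
import time
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder namespace: CTIO's real class and property IRIs are not on this page.
CTIO = "http://example.org/ctio#"

# Constructed Sysmon Event ID 1 (process creation) record. Host, user, paths
# and hashes are made-up sample values, not real indicators.
FAKE_SHA256 = "0123456789abcdef" * 4
FAKE_MD5 = "deadbeef" * 4
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2017-05-12T10:21:07.123Z"/>
    <Computer>WS-0042.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="CommandLine">C:\\Users\\alice\\Downloads\\sample.exe /i</Data>
    <Data Name="User">CORP\\alice</Data>
    <Data Name="Hashes">SHA256=%s,MD5=%s</Data>
    <Data Name="ParentCommandLine">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>""" % (FAKE_SHA256, FAKE_MD5)


def parse_event(xml_text):
    """Parsing engine: extract the attributes the paper lists for an Event ID 1
    log (event id, computer, user, time, hashes, command lines)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {"event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("User"), "hashes": hashes,
            "command_line": data.get("CommandLine"),
            "parent_command_line": data.get("ParentCommandLine")}


def sparql_literal(value):
    """Escape a log field before embedding it in a query: command lines are
    attacker-controlled, so an unescaped value could alter the query itself."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'


class SparqlEngine:
    """Builds the first query of Figure 4 (is there an IOC for this value?) and
    evaluates it against an in-memory table standing in for the Fuseki endpoint."""

    def __init__(self, ioc_table):
        self.ioc_table = ioc_table  # {(feature, value): threat level}
        self.calls, self.last_query = 0, None

    def ask(self, feature, value):
        self.calls += 1
        self.last_query = ("PREFIX ctio: <%s>\nASK { ?ioc a ctio:IndicatorOfCompromise ; "
                           "ctio:%s %s . }" % (CTIO, feature, sparql_literal(value)))
        return self.ioc_table.get((feature, value))


class LookupEngine:
    """Lookup engine: remembers classifications so a value seen again within the
    adjustable window bypasses the SPARQL engine."""

    def __init__(self, window_seconds, clock=time.time):
        self.window, self.clock, self._seen = window_seconds, clock, {}

    def get(self, value):
        hit = self._seen.get(value)  # (threat level, time stored)
        return hit[0] if hit and self.clock() - hit[1] <= self.window else None

    def put(self, value, level):
        self._seen[value] = (level, self.clock())


def classify(event, engine, cache):
    """Decision-making engine: query one feature at a time, in the order the
    paper lists them, until one is known; otherwise the process is unknown."""
    features = [("sha256", event["hashes"].get("SHA256")),
                ("md5", event["hashes"].get("MD5")),
                ("commandLine", event["command_line"]),
                ("parentCommandLine", event["parent_command_line"])]
    for feature, value in features:
        if not value:
            continue
        level = cache.get(value)
        if level is None:
            level = engine.ask(feature, value)
            if level:
                cache.put(value, level)
        if level:
            return level
    return "unknown"


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    engine = SparqlEngine({("sha256", FAKE_SHA256): "high threat"})
    cache = LookupEngine(window_seconds=3600)
    print(classify(ev, engine, cache), classify(ev, engine, cache), engine.calls)
```

The second classify call is answered by the lookup engine, so the SPARQL call count stays at one; with an empty table every feature is queried and the result is "unknown".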

5 DISCUSSION

In the previous sections, we presented the cyber threat intelligence ontology (CTIO) and a new system that uses CTIO for analyzing Sysmon logs in real time for threat hunting and process classification. In this section, we discuss some limitations, concerns, and future work regarding our approach.

Our threat assessment system, the ontology, and a couple of Windows workstations were deployed in a controlled environment using several virtual machines. It is known that reasoners are resource intensive and SPARQL queries can take a considerable amount of time to produce results, which could be problematic when hundreds or thousands of machines generate Sysmon logs continuously. In response to that, we included a lookup engine that reduces the load of SPARQL queries. In addition, to reduce the amount of Sysmon logs generated, and consequently the performance impact on the system, it is recommended to use matching rules (filtering) in the Sysmon configuration file to exclude or include events. Modifications of the configuration file require some domain expertise, as it would be easy to lose indicators of malicious activity because of the blind spots created.

Another important consideration is the visualization of RDF graphs. Our system currently outputs only RDF graphs in triples. Graph visualization methods would provide better and easier graph exploration and consequently, the ability to convey key insights more effectively.

The system detects malicious activity based on information available in the knowledge base. Even though it is possible to identify "new malware", this would require an attribute of the software under analysis to be already in the knowledge base. In response to that, behavioral rules could be constructed as in the work of [9, 10], but attacks are getting increasingly sophisticated, making this method ineffective. Future work will focus on mitigating this blind spot by using machine learning for Sysmon threat hunting.
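As an added example (not the authors' system), the three points made above are illustrated in Python over constructed Sysmon process-creation records: a lookup engine that spares the reasoner repeated SPARQL queries, classification into threat levels from attributes already present in the knowledge base, and the fallback to "unknown" when no attribute of the process is known. The knowledge base, hashes and threat levels are made up for the example, and the in-memory cache stands in for the paper's lookup engine.

```python
import re
from functools import lru_cache

# Constructed Sysmon Event ID 1 (process creation) records, flattened to the
# fields the assessment needs; a real pipeline would read them from the
# Windows event log or a forwarder. Hashes are made-up values.
SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=aaaa11"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\tasksche.exe",
     "Hashes": "SHA256=bbbb22"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\tasksche.exe",
     "Hashes": "SHA256=bbbb22"},                       # repeat -> cache hit
    {"Image": r"C:\Tools\newtool.exe", "Hashes": "SHA256=cccc33"},
]

# Stand-in for the ontology knowledge base: attributes (hash, image name)
# mapped to the threat level the intelligence assigns them. Values are made up.
KNOWLEDGE_BASE = {
    ("sha256", "aaaa11"): "benign",
    ("sha256", "bbbb22"): "malicious",   # known ransomware dropper hash
    ("image", "tasksche.exe"): "suspicious",
}
LEVELS = ["benign", "suspicious", "malicious"]
SPARQL_CALLS = []   # records every query that reaches the (simulated) reasoner

def sparql_lookup(kind, value):
    """Simulated reasoner query: the cost the lookup engine should avoid."""
    SPARQL_CALLS.append((kind, value))
    return KNOWLEDGE_BASE.get((kind, value))

@lru_cache(maxsize=4096)
def cached_lookup(kind, value):
    """Lookup engine: answer repeated attributes from memory, not SPARQL."""
    return sparql_lookup(kind, value)

def classify(event):
    """Highest threat level among the process's known attributes, else 'unknown'."""
    sha = re.search(r"SHA256=([0-9a-fA-F]+)", event["Hashes"])
    attrs = [("sha256", sha.group(1).lower())] if sha else []
    attrs.append(("image", event["Image"].rsplit("\\", 1)[-1].lower()))
    found = [cached_lookup(k, v) for k, v in attrs]
    found = [f for f in found if f is not None]
    if not found:
        return "unknown"   # nothing in the KB: hand off to further analysis
    return max(found, key=LEVELS.index)

def assess(events=SYSMON_EVENTS):
    return [classify(e) for e in events]
```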

6 CONCLUSION

The threats associated with cyber security are dynamic. The nature, the agenda, and the attacks of adversaries are continuously changing and evolving, partly in response to defensive actions. This paper presented a new automated system for threat hunting that analyses Sysmon logs to classify system processes in different threat levels based on their identified characteristics. The system utilizes continuously updated threat intelligence through an ontology and performs automated courses of action in response to indicators of compromise. To the extent of our knowledge, this paper is the first one that presents an ontological approach for automated endpoint threat hunting using Sysmon.

ACKNOWLEDGMENTS

This research was supported by the research project Oslo Analytics funded by the Research Council of Norway. IKTPLUSS project number: 247648.


REFERENCES

[1] Vasileios Mavroeidis and Siri Bromander. Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence. In Proceedings of the European Intelligence and Security Informatics Conference. IEEE, 2017.

[2] Michael Iannacone, Shawn Bohn, Grant Nakamura, John Gerth, Kelly Huffer, Robert Bridges, Erik Ferragut, and John Goodall. Developing an Ontology for Cyber Security Knowledge Graphs. In Proceedings of the 10th Annual Cyber and Information Security Research Conference, page 12. ACM, 2015.

[3] Zareen Syed, Ankur Padia, M Lisa Mathews, Tim Finin, and Anupam Joshi. UCO: A Unified Cybersecurity Ontology. In Proceedings of the AAAI Workshop on Artificial Intelligence for Cyber Security. AAAI Press, 2016.

[4] Sean Barnum. Unified Cyber Ontology (UCO). https://github.com/ucoProject/uco, 2016.

[5] Ju An Wang and Minzhe Guo. OVM: An Ontology for Vulnerability Management. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, page 34. ACM, 2009.

[6] Ju An Wang, Minzhe Guo, Hao Wang, Min Xia, and Linfeng Zhou. Ontology-Based Security Assessment for Software Products. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, page 15. ACM, 2009.

[7] Leo Obrst, Penny Chase, and Richard Markeloff. Developing an Ontology of the Cyber Security Domain. In STIDS, pages 49–56, 2012.

[8] Alessandro Oltramari, Lorrie Faith Cranor, Robert J Walls, and Patrick Drew McDaniel. Building an Ontology of Cyber Security. In STIDS, pages 54–61. Citeseer, 2014.

[9] André Grégio, Rodrigo Bonacin, Olga Nabuco, Vitor Monte Afonso, Paulo Lício De Geus, and Mario Jino. Ontology for Malware Behavior: A Core Model Proposal. In WETICE Conference (WETICE), 2014 IEEE 23rd International, pages 453–458. IEEE, 2014.

[10] André Grégio, Rodrigo Bonacin, Antonio Carlos de Marchi, Olga Fernanda Nabuco, and Paulo Lício de Geus. An Ontology of Suspicious Software Behavior. Applied Ontology, 11(1):29–49, 2016.

[11] Malek Ben Salem and Chris Wacek. Enabling New Technologies for Cyber Security Defense with the ICAS Cyber Security Ontology. In STIDS, pages 42–49, 2015.

[12] Daniel Popescu and Alexandru Citea. Malware OWL. https://pdan93.github.io/MalwareOWL/scholarly.html, 2016.

[13] Marcus Pendleton, Richard Garcia-Lebron, Jin-Hee Cho, and Shouhuai Xu. A Survey on Systems Security Metrics. ACM Computing Surveys (CSUR), 49(4):62, 2016.

[14] Chris Johnson, Lee Badger, David Waltermire, Julie Snyder, and Clem Skorupka. Guide to Cyber Threat Information Sharing. NIST Special Publication, 800:150, 2016.

[15] David Chismon and Martyn Ruks. Threat Intelligence: Collecting, Analysing, Evaluating, 2015.

[16] Clemens Sauerwein, Christian Sillaber, Andrea Mussmann, and Ruth Breu. Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives. 2017.

[17] Elchin Asgarli and Eric Burger. Semantic Ontologies for Cyber Threat Sharing Standards. In Technologies for Homeland Security (HST), 2016 IEEE Symposium on, pages 1–6. IEEE, 2016.

[18] D McMorrow. Science of Cyber-Security. Technical report, MITRE CORP MCLEAN VA JASON PROGRAM OFFICE, 2010.

[19] AlienVault. Beginner's Guide to Threat Intelligence, 2017.

[20] OASIS. Open Command and Control (OpenC2), 2017.