Managing Cyber Threat Intelligence in a Graph Database: Methods of Analyzing Intrusion Sets, Threat Actors, and Campaigns

2018

Efforts to cope jointly with the ever-increasing number of breach incidents have resulted in the establishment of a standard format and protocol and have given rise to many consultative groups. In addition, various channels that distribute Cyber Threat Intelligence information free of charge have emerged, and studies on making use of such channels have spread. As the market for sharing information professionally expands, the need to manage the shared information in various ways in order to achieve better results has arisen. This paper proposes a standardized management structure and method, based on the standardized format and on the meaning and standard of Cyber Threat Intelligence that can be shared externally, for loading OSINT information collected from various channels into a graph database. It also proposes a method of supporting the detection performed by existing security equipment with the information stored in the graph database, together with an effective method of analysis. Lastly, the paper discusses the advantages that can be expected from storing cyber threat information, built from information collected from outside sources, in a graph database.