Cyber Threat Intelligence meets the Analytic Tradecraft

The volumes and sophistication of cyber threats in today's cyber threat landscape have risen to levels where automated quantitative tools for Cyber Threat Intelligence (CTI) have become an indispensable part in the cyber defense arsenals. The AI and cyber security research communities are producing novel automated tools for CTI that quickly find their ways into commercial products. However, the quality of such automated intelligence products is being questioned by the intelligence community. Cyber security operators are forced to complement the automated tools with costly and time-consuming human intelligence analysis in order to improve the quality of the end product. For improving the quality, it has been suggested that researchers should incorporate methods from traditional intelligence analysis into the quantitative algorithms. This article presents a novel approach to cyber intelligence analysis called AMBARGO, which takes the inherent ambiguity of evidence into account in the analysis, using the Choquet integral, in formalizing the re-evaluation of evidence and hypotheses made by human analysts. The development of AMBARGO revolves around a cyber attribution use case, one of the hardest problems in CTI. The results of our evaluating experiments show that the robustness of AMBARGO outperforms state-of-the-art quantitative approaches to CTI in the presence of ambiguous evidence and potentially deceptive threat actor tactics. AMBARGO has thus the potential to fill a gap in the CTI state-of-the-art, which currently handles ambiguity poorly. The findings are also confirmed in a large-scale realistic experimental setting based on data from an APT campaign obtained from the MITRE ATT&CK Framework.