
Ph.D. Corner: Contribution to dynamic risk management automation by an ontology-based framework

D. Raúl Riesco Granadino presented his Ph.D. thesis entitled “Contribution to dynamic risk management automation by an ontology-based framework” on November 20, 2019, his advisor being Dr. Víctor A. Villagrá, senior doctor of the IPTC-UPM (RSTI Group). Part of the work was published in the International Journal of Information Security, December 2019, Volume 18, Issue 6, pp. 715–739, under the title “Leveraging cyber threat intelligence for a dynamic risk framework”, which was later awarded a prize in the latest edition of the prizes of the Cátedra Ingeniero General D. Antonio Remón y Zarco del Valle.

A summary of the thesis work follows:

Risk management frameworks are not integrated with, or automated by, near-real-time (NRT) risk-related Cybersecurity Threat Intelligence (CTI). To enable such a dynamic, NRT and more realistic risk assessment and management process, we created a new semantic version of STIX™ v2.0 for Cyber Threat Intelligence, as it is becoming the de facto standard for Structured Threat Information Exchange.

At the same time, although cyber threat intelligence (CTI) exchange is a must for any organization, because no one can fight alone against all threats, potential participants are often reluctant to share their CTI and prefer only to consume it, at least in voluntary-based approaches. Such behavior defeats the very idea of information exchange. We propose a paradigm shift in cybersecurity information exchange by introducing a new way to encourage all participants involved, at all levels, to share relevant information dynamically within our DRM Framework. It will also support the deployment of Dynamic Risk Management (DRM) frameworks among all our peers, so that advanced intelligence can be shared in the form of algorithms, beyond the exchange of Indicators of Compromise (IoC).

Our proposal leverages standards such as Structured Threat Information Exchange (STIX™), as well as W3C semantic web standards, to enable a knowledge workspace for behavioral threat intelligence patterning that characterizes tactics, techniques and procedures (TTP). At the same time, we propose the use of the Ethereum Blockchain to better incentivize the sharing of that knowledge among all parties involved, as well as the creation of a standard CTI token as a digital asset with a promising market value. Experiments were also performed to demonstrate its benefits and incentives, but also its potential limits with regard to storage and transaction cost.

The contribution of the thesis is a Dynamic Risk Assessment and Management (DRA / DRM) framework based on ontologies. It includes an integrated, layered and networked architecture based on the Web Ontology Language (OWL), STIX™, a semantic reasoner, the Semantic Web Rule Language (SWRL) and the Ethereum Blockchain, approaching an all-in-one solution at all levels (operational, tactical and strategic). It implements a hybrid Cyber Threat Intelligence and DRM ontology, together with behavioral algorithms expressed as SWRL rules from which the reasoner infers new knowledge. Since the dynamic behavior comes from intelligence sharing, a paradigm shift based on the Ethereum Blockchain is also provided, to overcome the known issues of information sharing today.
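To make the reasoning step concrete, the following is an added toy example (not the thesis's own ontology, rules or code): a constructed STIX 2.0 bundle is mapped to RDF-style triples, merged with an assumed asset inventory, and a single forward-chaining rule written in the spirit of an SWRL rule derives a new risk fact for an asset. All identifiers, the predicates `exposes`/`hasRisk` and the risk scale are assumptions.

```python
# Added example, not the thesis's own ontology, rules or code; all ids are
# constructed placeholders, not real CTI.
# Constructed STIX 2.0 bundle: one campaign "targets" one vulnerability.
STIX_BUNDLE = {"type": "bundle", "objects": [
    {"type": "vulnerability", "id": "vulnerability--0001", "name": "PLACEHOLDER-VULN"},
    {"type": "campaign", "id": "campaign--0001", "name": "constructed-campaign"},
    {"type": "relationship", "id": "relationship--0001", "relationship_type": "targets",
     "source_ref": "campaign--0001", "target_ref": "vulnerability--0001"},
]}
# Constructed asset inventory (the DRM side of the knowledge base, assumed predicates).
ASSETS = {
    "asset--web01": {"exposes": ["vulnerability--0001"], "base_risk": "low"},
    "asset--db01": {"exposes": [], "base_risk": "low"},
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # assumed ordinal risk scale

def stix_to_triples(bundle):
    """Map STIX objects and relationships to (subject, predicate, object) triples."""
    triples = set()
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            triples.add((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
        else:
            triples.add((obj["id"], "rdf:type", obj["type"]))
    return triples

def asset_triples(assets):
    """Map the asset inventory to triples with the assumed predicates exposes/hasRisk."""
    triples = set()
    for asset_id, info in assets.items():
        triples.add((asset_id, "rdf:type", "asset"))
        triples.add((asset_id, "hasRisk", info["base_risk"]))
        triples.update((asset_id, "exposes", v) for v in info["exposes"])
    return triples

def infer(triples):
    """Forward-chain to fixpoint: campaign(?c) ^ targets(?c,?v) ^ exposes(?a,?v) -> hasRisk(?a,high)."""
    kb = set(triples)
    while True:
        campaigns = {s for s, p, o in kb if p == "rdf:type" and o == "campaign"}
        targeted = {o for s, p, o in kb if p == "targets" and s in campaigns}
        new = {(a, "hasRisk", "high") for a, p, v in kb if p == "exposes" and v in targeted}
        if new <= kb:  # nothing new was derived: fixpoint reached
            return kb
        kb |= new

def risk_of(kb, asset_id):
    """Highest risk asserted or inferred for the asset (the KB only grows)."""
    levels = [o for s, p, o in kb if s == asset_id and p == "hasRisk"]
    return max(levels, key=RISK_ORDER.__getitem__)
```

A new CTI bundle arriving later only adds triples, so re-running `infer` over the merged knowledge base is what makes the risk assessment dynamic rather than a one-off snapshot.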

Figure from Vega-Barbas, M., Villagrá, V. A., Monje, F., Riesco, R., Larriva-Novo, X., & Berrocal, J. (2019). Ontology-Based System for Dynamic Risk Management in Administrative Domains. Applied Sciences, 9 (21), 4547.


Newsletter November-December 2019, PhD corner