Opportunities for Applying Cyber Threat Intelligence Technologies from Open Sources: A Case Study Using the MITRE ATT&CK Framework


Abstract

Introduction. The relevance of employing OSINT (Open Source Intelligence) and CTI (Cyber Threat Intelligence) in the evolving landscape of cybersecurity is increasingly recognized. This is particularly evident in the growing number of targeted attacks and the limitations of traditional security measures in detecting them. There is a pressing need to address the key challenges associated with integrating OSINT and CTI data into corporate information security systems, as well as the automation of intelligence data collection and analysis processes.

Objective. This study aims to explore the applicability of various OSINT tools for identifying vulnerabilities in information systems, using the MITRE ATT&CK framework and focusing on techniques from the "Reconnaissance" tactic.

Methodology. The research methodology includes a comparative analysis of modern OSINT and CTI tools, a review of approaches to processing and interpreting threat intelligence data, and practical testing of selected MITRE ATT&CK tactics and sub-techniques. The study evaluates five sub-techniques under the "Reconnaissance" tactic: IP block scanning (T1595.001), wordlist scanning (T1595.003), DNS/passive DNS analysis (T1596.001), use of WHOIS data (T1596.002), and database scanning (T1596.005). Tools such as Nmap, Dirb, dig, WHOIS, and Shodan were utilized to implement these techniques.

Results. Active IP block scanning and DNS analysis proved effective in identifying critical IT infrastructure vulnerabilities, including open ports and insecure service configurations. The use of Dirb and Shodan enabled the discovery of hidden vulnerabilities in web applications and internet-connected devices. WHOIS data analysis revealed risks associated with the public availability of domain ownership information, which can be exploited in phishing attacks and social engineering schemes. The findings highlight the importance of integrating OSINT with the MITRE ATT&CK framework for the systematic analysis of threats and vulnerabilities. The proposed approach enables organizations not only to detect potential threats but also to implement preventive measures such as WHOIS data monitoring, regular scanning of internet-exposed assets, and DNS record analysis. This contributes to enhanced cyber resilience and reduced risk of successful cyberattacks.

Conclusion. The application of OSINT tools within the MITRE ATT&CK framework provides cybersecurity professionals with an effective means for proactively identifying threats and vulnerabilities. The results of this study can inform cybersecurity practices, including the development of new defense tools and the enhancement of existing threat monitoring systems. Future research will focus on the quantitative assessment of this approach's effectiveness to better evaluate its impact on organizational cybersecurity.
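The preventive measure the abstract recommends, regular scanning of an organization's own internet-exposed assets, is only useful if the scan result is compared against what is supposed to be exposed. The following script is an added example, not code from the paper or its authors: it parses Nmap's grepable (-oG) output for the IP block scan corresponding to sub-technique T1595.001, compares the open ports on each host with a defender-maintained baseline, and reports every deviation as a finding. The scan output, the host addresses (RFC 5737 documentation range) and the baseline allowlist are all constructed for the example.

```python
"""Baseline check for internet-exposed assets from Nmap grepable output.

Added example, not part of the paper. Parses `nmap -oG` output, compares the
open ports of each host against an allowlist the defender maintains and
returns the unexpected exposures, tagged with the ATT&CK reconnaissance
sub-technique the paper evaluates (T1595.001, Scanning IP Blocks).
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -oG -` output. Real gnmap lines are
# tab-separated: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ...".
# Each port entry is port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 6379/open/tcp//redis///\tIgnored State: filtered (997)
# Nmap done (constructed sample)
"""

# Expected exposure per host. Assumption: the defender keeps this list in
# configuration management and updates it when a service is intentionally
# published.
BASELINE = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(22, "tcp")},
}


@dataclass
class Finding:
    """One open port that is not in the baseline for its host."""
    host: str
    port: int
    proto: str
    service: str
    technique: str = "T1595.001"  # ATT&CK sub-technique the scan emulates


# port/state/protocol/owner/service/ ... (owner is usually empty, hence "//")
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    result = {}
    for line in text.splitlines():
        # Only "Host:" lines carrying a "Ports:" field describe services;
        # "Status: Up" lines and comments are skipped.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for match in _PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            entries.append((int(port), proto, state, service))
        result.setdefault(host, []).extend(entries)
    return result


def unexpected_exposure(scan, baseline):
    """Open ports that are absent from the host's allowlist.

    Hosts missing from the baseline get an empty allowlist, so every open
    port on an unknown host is reported; this is the safer default.
    """
    findings = []
    for host, entries in scan.items():
        allowed = baseline.get(host, set())
        for port, proto, state, service in entries:
            if state == "open" and (port, proto) not in allowed:
                findings.append(Finding(host, port, proto, service))
    return findings


if __name__ == "__main__":
    for f in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"[{f.technique}] {f.host} exposes {f.port}/{f.proto} ({f.service}) outside baseline")
```

Run periodically against a fresh `nmap -oG` export of the public address range, the script turns the scan into a diff against intended exposure: in the constructed sample the two database services on 192.0.2.11 are reported while the expected web and SSH ports on 192.0.2.10 are silent. Treating an absent baseline entry as "nothing allowed" means newly appearing hosts are flagged rather than ignored.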

About the authors

A. M. Sadykov

Kazan National Research Technological University

Email: AlekseevaAA@corp.knrtu.ru
ORCID iD: 0009-0005-8893-7846
SPIN-code: 2964-5508

Candidate of Engineering Sciences, Associate Professor, Associate Professor at the Department of Information Security of Kazan National Research Technological University. Research interests – legal aspects of information security, technical protection of information. The author of 13 scientific publications and 1 patent.

Russian Federation, 68, Karl Marx str., Kazan, 420015

A. A. Alekseeva

Kazan National Research Technological University

Author for correspondence.
Email: AlekseevaAA@corp.knrtu.ru
ORCID iD: 0000-0002-6119-1934
SPIN-code: 9098-1135

Candidate of Engineering Sciences, Associate Professor, Associate Professor at the Department of Information Security of Kazan National Research Technological University. Research interests – digital twins, securing digital transformation in industry. The author of 60 scientific publications and 3 patents.

Russian Federation, 68, Karl Marx str., Kazan, 420015

L. Kh. Safiullina

Kazan National Research Technological University

Email: AlekseevaAA@corp.knrtu.ru
ORCID iD: 0000-0002-2765-0973
SPIN-code: 3548-2479

Candidate of Engineering Sciences, Associate Professor, Associate Professor at the Department of Information Security of Kazan National Research Technological University. Research interests – application of machine learning methods in information security tasks. The author of 76 scientific publications and 6 certificates of state registration of computer programs.

Russian Federation, 68, Karl Marx str., Kazan, 420015

D. I. Sabirova

Kazan National Research Technological University

Email: AlekseevaAA@corp.knrtu.ru
ORCID iD: 0009-0007-5066-5907
SPIN-code: 2207-3183

Candidate of Engineering Sciences, Associate Professor, Associate Professor at the Department of Information Security of Kazan National Research Technological University. Research interests – personal data protection. The author of 56 scientific publications and 1 patent.

Russian Federation, 68, Karl Marx str., Kazan, 420015

