Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence

by Elijah Pelofske, et al.

Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. However, the scale of information on the internet that is relevant for information security is always increasing, and is intractable for analysts to parse comprehensively. Therefore, methods of condensing the available open source intelligence, and automatically developing connections between disparate sources of information, are incredibly valuable. In this research, we present a system which constructs a Neo4j graph database formed by shared connections between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (e.g., Reddit and Twitter), and threat reports. These connections consist of possible indicators of compromise (IoCs; e.g., IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (e.g., CVEs and MITRE ATT&CK Technique IDs), and potential sources of information on cybersecurity exploits such as Twitter usernames. The construction of the database of potential IoCs is detailed, including the addition of machine learning and metadata which can be used to filter the data for a specific domain (for example, a specific natural language) when needed. Examples of utilizing the graph database for querying connections between known malicious IoCs and open source intelligence documents, including threat reports, are shown. We show that this type of relationship querying can allow for more effective use of open source intelligence for threat hunting, malware family clustering, and vulnerability analysis.
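The idea of linking documents through shared indicators can be illustrated with a minimal Python sketch. This is not the authors' implementation: the regular expressions, the function names (`extract_indicators`, `build_graph`, `shared_connections`), and the in-memory dictionaries standing in for the Neo4j database are all assumptions made for illustration, and real IoC extraction would need much stricter validation.

```python
import re
from collections import defaultdict
from itertools import combinations

# Illustrative patterns only (assumptions, not the paper's extraction rules).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}


def extract_indicators(text):
    """Return a set of (kind, value) pairs found in one document's text."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            # Normalize CVE IDs so "cve-2021-1" and "CVE-2021-1" coincide.
            found.add((kind, match.upper() if kind == "cve" else match))
    return found


def build_graph(documents):
    """Map each indicator to the set of document IDs that mention it.

    `documents` is a dict of hypothetical document ID -> raw text. This is
    the bipartite document/indicator structure a graph database would store.
    """
    indicator_to_docs = defaultdict(set)
    for doc_id, text in documents.items():
        for indicator in extract_indicators(text):
            indicator_to_docs[indicator].add(doc_id)
    return indicator_to_docs


def shared_connections(indicator_to_docs):
    """Map each document pair to the indicators the two documents share."""
    links = defaultdict(set)
    for indicator, doc_ids in indicator_to_docs.items():
        for a, b in combinations(sorted(doc_ids), 2):
            links[(a, b)].add(indicator)
    return links
```

Given a dictionary of document texts, `shared_connections(build_graph(documents))` returns the document pairs that share at least one indicator. In a graph database the same relationship would be a two-hop path from one document node through an indicator node to another document node.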




Can Twitter be used to Acquire Reliable Alerts against Novel Cyber Attacks?

Time-relevant and accurate threat information from public domains are es...

Malware Knowledge Graph Generation

Cyber threat and attack intelligence information are available in non-st...

ThreatCrawl: A BERT-based Focused Crawler for the Cybersecurity Domain

Publicly available information contains valuable information for Cyber T...

A System for Automated Open-Source Threat Intelligence Gathering and Management

To remain aware of the fast-evolving cyber threat landscape, open-source...

Taxonomy driven indicator scoring in MISP threat intelligence platforms

IT security community is recently facing a change of trend from closed t...

Processing Tweets for Cybersecurity Threat Awareness

Receiving timely and relevant security information is crucial for mainta...

Nebula Graph: An open source distributed graph database

This paper introduces the recent work of Nebula Graph, an open-source, d...
