Utilization of Threat Information in Detection Process of Cybersecurity Anomalies
Kalikka, Harri (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2024102826905
Abstract
This thesis examined the sharing of threat information between different systems and the utilization of this information in dedicated software applications. The main distributor of threat information was the Malware Information Sharing Platform (MISP), into which threat information from various sources can be imported and from which it can be shared. Microsoft Azure was also used as a separate threat intelligence source. At the same time, a proof of concept was carried out for the TheHive and Cortex tools, which had not been used before, with particular interest in their integration with other software applications. Because a logging system renewal project was underway at the same time, the sharing of threat information to the Elastic software and the generation of automatic alerts were also studied. The thesis documents several technical details related to installing these programs for integration. This installation documentation was needed for the future, when the extent to which the information security group will use the different programs is decided. The thesis also includes instructions for using the tools to handle incidents, and templates for dividing a case into several tasks, which makes it easier to split the investigation of one case among several people.