
AUTOMATION IN THE CYBERSECURITY INCIDENT HANDLING PROCESS

Davide Ioan Manco


Supervisors: Valentina Gatteschi, Diana Gratiela Berbecaru. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2022

License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Cybersecurity is increasingly a key area: cyber crimes are on the rise, and managing and responding to a cyber attack is an indispensable component. Cyber Threat Intelligence is a relevant part of the attack prevention process; it can help identify threat actors by providing details about cyber events, including the tools and procedures used, as well as information about the general risks associated with cyber threats that can guide a high-level organizational strategy. Threat intelligence companies report threats and compromise events that have occurred on the network and send them to partner companies. The information sent may consist of malicious IPs, malware hashes, or fraudulent domains; this data represents Indicators of Compromise (IoCs). This thesis presents and explores the relationship between incident handling and threat intelligence, highlighting how the large volume of IoCs sent by threat intelligence companies needs to be filtered by an algorithmic component, thus preventing the data analysis process from becoming congested and slow. A detailed analysis of the state of the art is followed by the proposal of the algorithmic model devised, which aims to divide the information received into that which may represent real threats to a company and that which is only false positives, thus improving the time needed to classify this information, reducing the resources used for this activity, and avoiding the blocking of legitimate activities through a misinterpretation of the data, which would affect the company's reputation. The model can analyze a considerable amount of data, clean it of outliers, classify it according to its descriptive tags, interact with external security vendors, collect partial results, and produce the final reports.

Supervisors: Valentina Gatteschi, Diana Gratiela Berbecaru
Academic year: 2022/23
Publication type: Electronic
Number of pages: 75
Subjects:
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: REALE MUTUA ASSICURAZIONI
URI: http://webthesis.biblio.polito.it/id/eprint/24503