
Development of Automatic Technologies for Threat Intelligence and Identification of Indicators of Compromise (IoC) on Reddit.

Reza Barati

Supervisor: Paolo Garza. Politecnico di Torino, Corso di laurea magistrale in Data Science And Engineering, 2024

Abstract:

Recent events such as the Dyn attack of 2016, in which internet services in the US were compromised for a day, and the Garmin ransomware attack of 2020, in which the company was taken offline for more than a week, show that existing security measures are still ineffective against modern threats, and that stronger, preventative cybersecurity is needed to address their increasing sophistication. A critical factor that can enhance cybersecurity measures is obtaining information about current or recent attacks, referred to as Cyber Threat Intelligence (CTI). CTI entails collecting and analyzing information from the surface web, deep web and dark web to identify existing and emerging threats. This intelligence helps organizations better understand the threats they may face and how to prevent them. The elements of CTI that relate to identifying an attack are known as Indicators of Compromise (IoCs). IoCs include IP addresses, file hashes, URLs, domain names and other data useful for identifying and mitigating threats in a network. With these indicators, organizations can put in place better measures to prevent and respond to cyber threats. The main objective of this thesis is to develop a framework to identify IoCs on social media, particularly the Reddit platform. Social media platforms contain real-time information that helps in identifying and understanding current and potential cyber threats. The system is designed to collect, analyze and store this real-time information to strengthen the security measures of organizations and the community. Extracting IoCs from social media entails the use of sophisticated tools such as AI, ML and NLP to search through the text effectively and pinpoint IoCs.
To validate the performance of the proposed framework, several assessments were conducted, including evaluation of the classification model, the entity recognition algorithm and the overall system. The efficiency of the system is also compared with other methods to assess its performance and reliability. One of the evaluation techniques is an experiment in which the extracted IoCs are compared against the VirusTotal and Kaspersky platforms. These platforms are known for their large databases of known threats and can therefore serve as a reference against which the extracted IoCs are checked. The evaluation results show that the proposed framework offers a highly accurate strategy for identifying IoCs from social media platforms with a reduced likelihood of false positives. The real-time analysis and validation of IoCs make the system a useful tool for strengthening the overall cybersecurity posture.
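As an added illustration of the extraction step the abstract describes (this is not code from the thesis or its framework), the following Python sketch refangs the defanging conventions analysts use when posting indicators, then pulls out the IoC types the abstract names (IP addresses, file hashes, URLs, domain names) from a constructed Reddit-style post; the sample text, hashes and addresses are constructed, not real intelligence.

```python
import ipaddress
import re

# Constructed sample post in the style of a Reddit security thread (not real data).
SAMPLE_POST = """
Heads up: phishing kit seen at hxxps://login-update[.]example[.]com/verify
also resolving to bad-cdn[.]example[.]net
Payload hash (sha256) 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
Dropper md5: d41d8cd98f00b204e9800998ecf8427e; C2 at 203[.]0[.]113[.]45 and 10.0.0.5
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Address ranges that cannot be external attacker infrastructure; kept as
# explicit networks so documentation ranges in sample data are not filtered.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def refang(text: str) -> str:
    """Undo common defanging: [.] (.) {.} around dots and hxxp for http."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)

def extract_iocs(text: str) -> dict:
    """Return deduplicated IoCs grouped by type from free-form post text."""
    text = refang(text)
    iocs = {"ip": set(), "url": set(), "domain": set(), "hash": {}}
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        iocs["url"].add(url)
    # bare or URL-embedded host names (stops at '/' so paths are excluded)
    for dom in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text, flags=re.IGNORECASE):
        iocs["domain"].add(dom.lower())
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if not any(addr in net for net in LOCAL_NETS):
            iocs["ip"].add(ip)
    for h in re.findall(r"\b[0-9a-fA-F]{32,64}\b", text):
        if len(h) in HASH_LENGTHS:  # only md5/sha1/sha256 lengths count
            iocs["hash"][h.lower()] = HASH_LENGTHS[len(h)]
    return iocs
```

Indicators extracted this way still need validation (the abstract's comparison against threat-intelligence platforms) before they are acted on, since a post may quote benign or stale values.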

Supervisors: Paolo Garza
Academic year: 2023/24
Publication type: Electronic
Number of pages: 67
Additional information: Restricted thesis. Full text not available
Subjects:
Degree programme: Corso di laurea magistrale in Data Science And Engineering
Degree class: New regulations > Master's degree > LM-32 - Computer Engineering
Collaborating companies: ERMES SRL
URI: http://webthesis.biblio.polito.it/id/eprint/31792