THREATINSIGHT: A Profile-Aware and Explainable Cyber Threat Intelligence System Using Real-Time Vulnerability Analysis

Authors

  • Mohamed Irfan M, Department of Information Technology, KPR Institute of Engineering and Technology, Coimbatore, India - 641407
  • Dr. P. Suriyakumar, Department of Mathematics, KPR Institute of Engineering and Technology, Coimbatore, India - 641407
  • Giridharan K, Department of Information Technology, KPR Institute of Engineering and Technology, Coimbatore, India - 641407
  • Logantharan S, Department of Electrical and Electronics Engineering, KPR Institute of Engineering and Technology, Coimbatore, India - 641407

DOI:

https://doi.org/10.47392/IRJAEM.2026.0046

Keywords:

Cyber Threat Intelligence, Vulnerability Analysis, Explainable Security Analytics, Profile-Aware Risk Assessment, Deterministic Threat Scoring, Privacy-Preserving Security Systems

Abstract

The rapid rate of publicly disclosed software vulnerabilities, combined with the growing complexity of modern enterprise software environments, has created a strong need for automated cyber threat intelligence systems that can provide operational, contextually relevant risk information. Security practitioners regularly rely on generic vulnerability feeds, manual scanning, or host-based scanning tools, which often create too much noise, have little relevance to the environment, and introduce privacy and governance issues. In addition, the opaque machine learning models used by some available solutions limit the explainability and auditability of security decision-making.

This report describes ThreatInsight, a profile-aware and explainable Cyber Threat Intelligence System that provides deterministic vulnerability risk analysis using only publicly available threat intelligence. It ingests vulnerability data from MITRE CVE, NVD, CISA KEV, and EPSS and matches vulnerabilities against user-provided environment profiles that describe which operating systems and application stacks are in use; it therefore does not require host scanning or user-specific telemetry. Risk prioritisation is calculated by transparent, rule-based intelligence agents, and the results are delivered through a versioned REST API, a SOC-based dashboard, automated warnings, and reports, demonstrating a viable and credible solution for cyber threat intelligence in the real world.

Published

2026-03-05