Articles | Open Access | https://doi.org/10.55640/

LEVERAGING CYBER THREAT INTELLIGENCE MINING FOR ENHANCED PROACTIVE CYBERSECURITY: A COMPREHENSIVE REVIEW AND FUTURE DIRECTIONS

Abstract

In the contemporary digital age, the sophistication and frequency of cyberattacks necessitate a paradigm shift from reactive defense to proactive cybersecurity measures. Cyber Threat Intelligence (CTI) has emerged as a cornerstone of this proactive strategy, enabling organizations to anticipate, detect, and respond to threats more effectively. This article provides a comprehensive survey of cyber threat intelligence mining, exploring its fundamental concepts, diverse sources, and the advanced techniques employed for extracting actionable insights from vast, often unstructured, data. We delve into various approaches, from the identification of Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) to the complex challenge of threat attribution. Furthermore, we highlight the significant challenges inherent in CTI mining, including data volume, veracity, semantic understanding, and the crucial aspect of translating intelligence into actionable defense. Finally, we propose new perspectives and promising research directions to advance the field of proactive cybersecurity through more effective CTI mining.

Keywords

cyber threat intelligence (CTI), threat intelligence mining, proactive cybersecurity, cybersecurity analytics

How to Cite

LEVERAGING CYBER THREAT INTELLIGENCE MINING FOR ENHANCED PROACTIVE CYBERSECURITY: A COMPREHENSIVE REVIEW AND FUTURE DIRECTIONS. (2024). International Journal of Cyber Threat Intelligence and Secure Networking, 1(01), 14-19. https://doi.org/10.55640/