{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T10:02:15Z","timestamp":1766484135121,"version":"build-2065373602"},"reference-count":46,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2019,7,23]],"date-time":"2019-07-23T00:00:00Z","timestamp":1563840000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The complication of information technology and the proliferation of heterogeneous security devices that produce increased volumes of data coupled with the ever-changing threat landscape challenges have an adverse impact on the efficiency of information security controls and digital forensics, as well as incident response approaches. Cyber Threat Intelligence (CTI) and forensic preparedness are the two parts of the so-called managed security services that defendants can employ to repel, mitigate or investigate security incidents. Despite their success, there is no known effort that has combined these two approaches to enhance Digital Forensic Readiness (DFR) and thus decrease the time and cost of incident response and investigation. This paper builds upon and extends a DFR model that utilises actionable CTI to improve the maturity levels of DFR. The effectiveness and applicability of this model are evaluated through a series of experiments that employ malware-related network data simulating real-world attack scenarios. To this extent, the model manages to identify the root causes of information security incidents with high accuracy (90.73%), precision (96.17%) and recall (93.61%), while managing to decrease significantly the volume of data digital forensic investigators need to examine. The contribution of this paper is twofold. 
First, it indicates that CTI can be employed by digital forensics processes. Second, it demonstrates and evaluates an efficient mechanism that enhances operational DFR.<\/jats:p>","DOI":"10.3390\/fi11070162","type":"journal-article","created":{"date-parts":[[2019,7,23]],"date-time":"2019-07-23T10:44:51Z","timestamp":1563878691000},"page":"162","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":21,"title":["Improving Forensic Triage Efficiency through Cyber Threat Intelligence"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9793-2020","authenticated-orcid":false,"given":"Nikolaos","family":"Serketzis","sequence":"first","affiliation":[{"name":"Department of Electrical &amp; Computer Engineering, Aristotle University of Thessaloniki, 54124 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vasilios","family":"Katos","sequence":"additional","affiliation":[{"name":"Department of Computing and Informatics, Bournemouth University, Poole BH12 5BB, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Christos","family":"Ilioudis","sequence":"additional","affiliation":[{"name":"Department of Information and Electronic Engineering, International Hellenic University, 57400 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dimitrios","family":"Baltatzis","sequence":"additional","affiliation":[{"name":"School of Science &amp; Technology, International Hellenic University, 57001 Thermi, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Georgios","family":"Pangalos","sequence":"additional","affiliation":[{"name":"Department of Electrical &amp; Computer Engineering, Aristotle University of Thessaloniki, 54124 Thessaloniki, 
Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,7,23]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"212","DOI":"10.1016\/j.cose.2017.09.001","article-title":"A survey on technical threat intelligence in the age of sophisticated cyber attacks","volume":"72","author":"Tounsi","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1108\/ICS-09-2018-0110","article-title":"Actionable threat intelligence for digital forensics readiness","volume":"27","author":"Serketzis","year":"2019","journal-title":"Inf. Comput. Secur."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"57","DOI":"10.4018\/IJSS.2017070105","article-title":"A Socio-Technical Perspective on Threat Intelligence Informed Digital Forensic Readiness","volume":"4","author":"Serketzis","year":"2017","journal-title":"Int. J. Syst. Soc."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Bilge, L., and Dumitras, T. (2012, January 16\u201318). Before we knew it: An empirical study of zero-day attacks in the real world. Proceedings of the 2012 ACM conference on Computer and communications security, Raleigh, NC, USA.","DOI":"10.1145\/2382196.2382284"},{"key":"ref_5","unstructured":"Mandiant (2018). M-Trends Report, Mandiant."},{"key":"ref_6","unstructured":"Lillis, D., Becker, B.A., Sullivan, T.O., O\u2019Sullivan, T., and Scanlon, M. (2016, January 13). Current Challenges and Future Research Areas for Digital Forensic Investigation. Proceedings of the 11th ADFSL Conference on Security and Law (CDFSL 2016), Digital Forensics, Daytona Beach, FL, USA."},{"key":"ref_7","unstructured":"Tan, J. (2019, July 23). Available online: http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.644.9645&rep=rep1&type=pdf."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Pangalos, G., Ilioudis, C., and Pagkalos, I. (2010). 
The Importance of Corporate Forensic Readiness in the Information Security Framework. 2010 19th IEEE Int. Workshops Enabling Technol. Infrastruct. Collab. Enterp., 12\u201316.","DOI":"10.1109\/WETICE.2010.57"},{"key":"ref_9","unstructured":"International Organization for Standardization (2015). ISO\/IEC 27043: Information Technology, Security Techniques, Incident Investigation Principles and Processes, International Organization for Standardization."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1016\/j.diin.2007.06.006","article-title":"Specifying digital forensics: A forensics policy approach","volume":"4","author":"Taylor","year":"2007","journal-title":"Digit. Investig."},{"key":"ref_11","first-page":"1","article-title":"Security Considerations in the Information System Development Life Cycle","volume":"800","author":"Grance","year":"2004","journal-title":"Nist Spec. Publ."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Grobler, C.P., Louwrens, C.P., and Von Solms, S.H. (2010, January 15\u201318). A framework to guide the implementation of proactive digital forensics in organizations. Proceedings of the ARES 2010-5th International Conference on Availability, Reliability, and Security, Krakow, Poland.","DOI":"10.1109\/ARES.2010.62"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1016\/j.cose.2015.04.003","article-title":"Digital forensic readiness: Expert perspectives on a theoretical framework","volume":"52","author":"Elyas","year":"2015","journal-title":"Comput. Secur."},{"key":"ref_14","unstructured":"Al-Mahrouqi, A., Abdalla, S., and Kechadi, T. (2019, July 23). Network Forensics Readiness and Security Awareness Framework. Available online: https:\/\/researchrepository.ucd.ie\/bitstream\/10197\/6498\/1\/insight_publication.pdf."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Kebande, V.R., Karie, N.M., and Venter, H.S. (2016, January 11\u201313). 
A generic Digital Forensic Readiness model for BYOD using honeypot technology. Proceedings of the 2016 IST-Africa Week, Durban, South Africa.","DOI":"10.1109\/ISTAFRICA.2016.7530590"},{"key":"ref_16","unstructured":"Kebande, V.R., and Venter, H.S. (2014). A Cloud Forensic Readiness Model Using a Botnet as a Service. Int. Conf. Digit. Secur. Forensics, 23\u201332. Available online: https:\/\/www.researchgate.net\/profile\/Natalie_Walker4\/publication\/263617788_Proceedings_of_the_International_Conference_on_Digital_Security_and_Forensics_DigitalSec2014\/links\/0f31753b5cd085c06a000000\/Proceedings-of-the-International-Conference-on-Digital-Security-and-Forensics-DigitalSec2014.pdf#page=25."},{"key":"ref_17","unstructured":"Kebande, V.R., and Venter, H.S. (2015, January 24\u201325). Obfuscating a Cloud-Based Botnet Towards Digital Forensic Readiness. Proceedings of the 10th International Conference on Cyber Warfare and Security ICCWS 2015, Kruger National Park, South Africa."},{"key":"ref_18","unstructured":"Kebande, V., Ntsamo, H.S., and Venter, H.S.S. (2016, January 7\u20138). Towards a prototype for Achieving Digital Forensic Readiness in the Cloud using a Distributed NMB Solution. Proceedings of the European Conference on Cyber Warfare and Security, Munich, Germany."},{"key":"ref_19","first-page":"1","article-title":"A Ten Step Process for Forensic Readiness","volume":"2","author":"Rowlingson","year":"2004","journal-title":"Int. J. Digit. Evid."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Grobler, C.P., and Louwrens, C.P. (2007). Digital Forensic Readiness as a Component of Information Security Best Practice. IFIP International Information Security Conference, Springer.","DOI":"10.1007\/978-0-387-72367-9_2"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Valjarevic, A., and Venter, H. (2011, January 15\u201317). Towards a Digital Forensic Readiness Framework for Public Key Infrastructure systems. 
Proceedings of the 2011 Information Security for South Africa, Johannesburg, South Africa.","DOI":"10.1109\/ISSA.2011.6027536"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Valjarevic, A., and Venter, H. (2013, January 14\u201316). Implementation guidelines for a harmonised digital forensic investigation readiness process model. Proceedings of the 2013 Information Security for South Africa, Johannesburg, South Africa.","DOI":"10.1109\/ISSA.2013.6641041"},{"key":"ref_23","first-page":"97","article-title":"Towards A Systemic Framework for Digital Forensic Readiness","volume":"54","author":"Elyas","year":"2014","journal-title":"J. Comput. Inf. Syst."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Jusas, V., Birvinskas, D., and Gahramanov, E. (2017). Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions. Symmetry, 9.","DOI":"10.3390\/sym9040049"},{"key":"ref_25","unstructured":"Miller, J. (2013). Graph Database Applications and Concepts with Neo4j. Proc. 2013 South. Assoc., 141\u2013147. Available online: https:\/\/pdfs.semanticscholar.org\/322a\/6e1f464330751dea2eb6beecac24466322ad.pdf."},{"key":"ref_26","unstructured":"Bellis, E. (2019, July 23). The Problem with Your Threat Intelligence 2015. Available online: http:\/\/pages.kennasecurity.com\/rs\/958-PRK-049\/images\/Kenna_WP_TheProblemwithYourThreatIntelligence.pdf."},{"key":"ref_27","unstructured":"(2019, January 11). Neo4j.Neo4j Graph Platform. Available online: https:\/\/neo4j.com\/."},{"key":"ref_28","unstructured":"Elastic (2018, December 02). Elastic Stack Suite. Available online: https:\/\/www.elastic.co\/products."},{"key":"ref_29","unstructured":"Vicknair, C., Macias, M., Zhao, Z., and Nan, X. (2019, July 23). A Comparison of a Graph Database and a Relational Database: A Data Provenance Perspective. 
Available online: https:\/\/john.cs.olemiss.edu\/~ychen\/publications\/conference\/vicknair_acmse10.pdf."},{"key":"ref_30","first-page":"21824","article-title":"Paper on Searching and Indexing Using Elasticsearch","volume":"6","author":"Kalyani","year":"2017","journal-title":"Int. J. Eng. Comput. Sci."},{"key":"ref_31","unstructured":"AlienVault (2019, December 02). AlienVault-Open Threat Exchange. Available online: https:\/\/otx.alienvault.com\/dashboard\/new."},{"key":"ref_32","unstructured":"Stratosphere Lab (2018, December 04). Datasets Overview\u2014Stratosphere IPS. Available online: https:\/\/www.stratosphereips.org\/datasets-overview\/."},{"key":"ref_33","unstructured":"VirusTotal (2018, December 02). VirusTotal Malware Analysis Platform. Available online: https:\/\/www.virustotal.com\/."},{"key":"ref_34","unstructured":"Crowdstrike (2018, December 02). Hybrid Analysis-Free Automated Analysis Service, 2018. Available online: https:\/\/www.hybrid-analysis.com."},{"key":"ref_35","unstructured":"ThreatConnect (2019, January 11). ThreatConnect Enterprise Threat Intelligence Platform. Available online: https:\/\/threatconnect.com."},{"key":"ref_36","unstructured":"Garcia, S. (2019, July 23). Modelling the Network Behaviour of Malware to Block Malicious Patterns. The Stratosphere Project: A Behavioural Ips. Available online: https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2015\/Garcia-VB2015.pdf."},{"key":"ref_37","unstructured":"Stratosphere Lab (2018, August 10). Stratosphere Datasets. Available online: https:\/\/www.stratosphereips.org\/."},{"key":"ref_38","unstructured":"Ma\u0142owidzki, M., Berezi, P., and Mazur, M. (2017, January 29\u201330). Network Intrusion Detection: Half a Kingdom for a Good Dataset. ECCWS 2017 PDF. Proceedings of the 16th European Conference on Cyber Warfare and Security, Dublin, Ireland."},{"key":"ref_39","unstructured":"The Zeek Project (2019, January 03). Bro Network Intrusion Detection System. 
Available online: https:\/\/docs.zeek.org\/en\/latest\/intro\/index.html."},{"key":"ref_40","first-page":"383","article-title":"A brief study and comparison of Snort and Bro Open Source Network Intrusion Detection Systems","volume":"1","author":"Mehra","year":"2012","journal-title":"Int. J. Adv. Res. Comput. Commun. Eng."},{"key":"ref_41","first-page":"1","article-title":"Electronic Evidence and Computer Forensics","volume":"12","author":"Volonino","year":"2003","journal-title":"Commun. Assoc. Inf. Syst."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1016\/j.cose.2014.09.006","article-title":"Combating advanced persistent threats: From network event correlation to incident detection","volume":"48","author":"Friedberg","year":"2015","journal-title":"Comput. Secur."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"1061","DOI":"10.1007\/s10796-011-9333-x","article-title":"Using time-driven activity-based costing to manage digital forensic readiness in large organisations","volume":"14","author":"Reddy","year":"2012","journal-title":"Inf. Syst. Front."},{"key":"ref_44","unstructured":"Roberts, K., and Anderson, S.R. (2007). Time-Driven Activity-Based Costing: A Simpler and More Powerful Path to Higher Profits, Harvard Business Review Press."},{"key":"ref_45","unstructured":"Lockheed Martin (2019, February 10). The Cyber Kill Chain. Available online: https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html."},{"key":"ref_46","unstructured":"Bianco, D. (2017, September 26). The Pyramid of Pain. 
Available online: http:\/\/detect-respond.blogspot.gr\/2013\/03\/the-pyramid-of-pain.html."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/7\/162\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:08:37Z","timestamp":1760188117000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/7\/162"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,23]]},"references-count":46,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2019,7]]}},"alternative-id":["fi11070162"],"URL":"https:\/\/doi.org\/10.3390\/fi11070162","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2019,7,23]]}}}