Architecting threat hunting system based on the DODAF framework

The importance of large data analytic systems for cyber security is expanding. Thus, collecting systematically, thoroughly assessing, and synthesizing the literature on architectural techniques for developing such systems is critical. There is a general lack of an overview of architectural techniques for developing threat intelligence systems. Threat hunting is an analyst-centric process that helps organizations discover hidden advanced threats that miss by automatic preventative and investigative systems. The Department of Defense Architecture Framework (DODAF) establishes a modeling framework for capturing high-level system design and operational requirements. This paper presents different threat hunting system viewpoints using the DODAF attribute-based method. The proposed architecture enriches by state-of-the-art MITRE's ATT&CK and D3FEND frameworks. Also, we proposed a unique approach to infer malicious threats category associations by comparing suspicious and malicious events' similarities. Using ATT&CK's rich techniques made the similarity between malicious and suspicious files more accurate. Finally, we used a survey questionnaire approach to collect relational data to assess the impact of qualitative attributes on the development of threat hunting processes. We evaluated the proposed hunting architecture using twelve essential quality attributes indirectly. We believe that the proposed method can reduce the architectural shortcomings in threat hunting systems development.