SCERM—A novel framework for automated management of cyber threat response activities
Future Generation Computer Systems (IF 7.5), Pub Date: 2020-03-12, DOI: 10.1016/j.future.2020.03.030
Zafar Iqbal , Zahid Anwar

Cyber Threat Management (CTM) involves prevention, detection, and response to cyber-attacks by identifying and understanding threats, and applying appropriate actions. It is not practical for an organization to perform these activities within the time-frame of an impending attack. Organizations should swiftly accumulate and share Cyber Threat Intelligence (CTI) with peers to make effective use of shared threat information. Efforts are underway to standardize the expression of threats in a machine-understandable format. Structured Threat Information eXpression (STIX) is a comprehensive effort that structures CTI and enables its sharing, visualization, and analysis. Although a large volume of STIX reports is available publicly, their state remains poor. Reports are not appropriately formatted, use incorrect vocabulary, and mislabel or omit key components, which curtails their usefulness for effective cyber threat management. For a meaningful analysis, an analyst needs a curated document list categorized according to cyber threat management phases for the threat under investigation. We believe that methods for valuation of structured threat documents based on cyber threat management phases are limited or non-existent. We present a novel framework named SCERM (Structured threat data Cleansing, Evaluation, and Refinement). SCERM formally models the STIX architecture and valuates reports on the basis of the use case "managing cyber threat response activities". It uplifts CTI by remapping wrongly placed contents to the STIX data model. SCERM refines incomplete or missing components through a pre-prepared dataset of curated blog reports. This process is repeated until the reports improve to a threshold suitable for cyber threat management. A case study is presented to demonstrate the working of SCERM. The evaluation valuates publicly available STIX reports for cyber threat management.
It is observed that current STIX reports have limited information on prevention and almost none for the response phase of cyber threat management. The results demonstrate that SCERM significantly enriches STIX reports. The improvement is 73% in prevention and 100% in response.
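The abstract describes valuating a STIX report by CTM phase, flagging incorrect vocabulary and mislabeled or omitted components, and refining until a threshold is met. The following is an added illustration of that kind of check, not SCERM's code or the paper's algorithm: it walks a STIX 2.1 bundle, assigns objects to prevention, detection and response using an assumed mapping (indicators with a pattern count as detection; a course-of-action reaches a phase through its `investigates`, `mitigates` or `remediates` relationship), validates relationship types against the pairings the STIX 2.1 specification defines, and reports phases that fall below a coverage threshold. The bundle, its ids and the phase mapping are constructed for this example.

```python
"""Score a STIX 2.1 bundle for coverage of the three Cyber Threat Management
phases (prevention, detection, response) and flag vocabulary defects.

Added example, not SCERM's code or the paper's algorithm. The phase mapping
below is an assumption made for this example.
"""
from collections import defaultdict

# Assumed mapping from STIX 2.1 relationship types to CTM phases:
#   detection  <- indicator objects with a pattern, plus course-of-action --investigates--> indicator
#   prevention <- course-of-action --mitigates--> threat object
#   response   <- course-of-action --remediates--> malware / vulnerability
PHASE_BY_RELATIONSHIP = {"investigates": "detection",
                         "mitigates": "prevention",
                         "remediates": "response"}

# Relationship types STIX 2.1 defines for the (source, target) type pairs this
# example handles; any other pairing is reported as incorrect vocabulary.
VALID_RELATIONSHIPS = {
    ("indicator", "malware"): {"indicates"},
    ("indicator", "attack-pattern"): {"indicates"},
    ("course-of-action", "indicator"): {"investigates", "mitigates"},
    ("course-of-action", "attack-pattern"): {"mitigates"},
    ("course-of-action", "malware"): {"mitigates", "remediates"},
    ("course-of-action", "vulnerability"): {"mitigates", "remediates"},
}


def evaluate_bundle(bundle):
    """Return per-phase counts of usable objects plus a list of defects found."""
    objects = {o["id"]: o for o in bundle.get("objects", []) if "id" in o}
    phases = defaultdict(set)
    problems = []
    linked_coas = set()  # course-of-action ids that a valid relationship placed in a phase
    for obj in objects.values():
        if obj["type"] == "indicator":
            if obj.get("pattern") and obj.get("pattern_type"):
                phases["detection"].add(obj["id"])
            else:
                problems.append(f"{obj['id']}: indicator lacks pattern/pattern_type")
        elif obj["type"] == "relationship":
            src = objects.get(obj.get("source_ref"))
            tgt = objects.get(obj.get("target_ref"))
            if src is None or tgt is None:
                problems.append(f"{obj['id']}: dangling source_ref or target_ref")
                continue
            rel = obj.get("relationship_type")
            allowed = VALID_RELATIONSHIPS.get((src["type"], tgt["type"]), set())
            if rel not in allowed:
                problems.append(
                    f"{obj['id']}: '{rel}' is not a valid {src['type']} -> {tgt['type']} relationship")
                continue
            if src["type"] == "course-of-action" and rel in PHASE_BY_RELATIONSHIP:
                phases[PHASE_BY_RELATIONSHIP[rel]].add(src["id"])
                linked_coas.add(src["id"])
    # A course-of-action that no valid relationship places in a phase is an omitted component.
    for obj in objects.values():
        if obj["type"] == "course-of-action" and obj["id"] not in linked_coas:
            problems.append(f"{obj['id']}: course-of-action not linked to any threat object")
    coverage = {p: len(phases[p]) for p in ("prevention", "detection", "response")}
    return {"coverage": coverage, "problems": problems}


def phases_below_threshold(result, threshold=1):
    """Phases whose coverage is under the threshold and therefore need refinement."""
    return [p for p, n in result["coverage"].items() if n < threshold]


# Constructed sample bundle (all ids and content made up for this example); it
# deliberately contains one mislabeled relationship and one orphaned course-of-action.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000001",
         "name": "ExampleLoader", "is_family": False},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": "Spearphishing Attachment"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']",
         "pattern_type": "stix", "valid_from": "2020-03-12T00:00:00Z"},
        {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-000000000004",
         "name": "Block executable attachments at the mail gateway"},
        {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-000000000005",
         "name": "Isolate infected host"},
        {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-000000000006",
         "name": "Rotate credentials"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000007",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000003",
         "target_ref": "malware--00000000-0000-4000-8000-000000000001"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000008",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-000000000004",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000002"},
        # Incorrect vocabulary: 'indicates' is not defined for course-of-action -> malware
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000009",
         "relationship_type": "indicates",
         "source_ref": "course-of-action--00000000-0000-4000-8000-000000000005",
         "target_ref": "malware--00000000-0000-4000-8000-000000000001"},
    ],
}

if __name__ == "__main__":
    report = evaluate_bundle(SAMPLE_BUNDLE)
    print(report["coverage"])
    for problem in report["problems"]:
        print("problem:", problem)
    print("phases needing refinement:", phases_below_threshold(report))
```

On the sample bundle the scorer finds one prevention object, one detection object and no response coverage, which mirrors the abstract's observation about public reports; the mislabeled `indicates` relationship and the two unlinked courses of action are reported as defects, and `response` is the phase a refinement step would need to fill.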



Chinese translation (rendered in English):

SCERM: a novel framework for automated management of cyber threat response activities

Cyber Threat Management (CTM) carries out prevention, detection and response to cyber-attacks by identifying and understanding threats and taking appropriate measures. It is impractical for an organization to perform these activities within the time-frame of an impending attack. Organizations should swiftly accumulate and share Cyber Threat Intelligence (CTI) with peers in order to make effective use of shared threat information. Efforts are underway to standardize the expression of threats in a machine-understandable format. Structured Threat Information eXpression (STIX) is a comprehensive effort that structures CTI and enables its sharing, visualization and analysis. Although a large number of STIX reports have been published publicly, their state remains poor. Reports are formatted incorrectly, use incorrect vocabulary, and mislabel or omit key components, which reduces their usefulness for effective cyber threat management. For meaningful analysis, analysts need a curated list of documents categorized by cyber threat management phase for the threat under investigation. We believe that methods for evaluating structured threat documents based on cyber threat management phases are limited or non-existent. We propose a new framework named SCERM (Structured threat data Cleansing, Evaluation, and Refinement). SCERM formally models the STIX architecture and evaluates reports according to the use case "managing cyber threat response activities". It uplifts CTI by remapping wrongly placed content onto the STIX data model. SCERM refines incomplete or missing components through a pre-prepared dataset of curated blog reports. This process is repeated until the reports improve to a threshold suitable for cyber threat management. A case study is presented to demonstrate how SCERM works. The evaluation assesses publicly available STIX reports for cyber threat management. It is observed that current STIX reports contain limited information on prevention and almost none on the response phase of cyber threat management. The results show that SCERM greatly enriches STIX reports. The improvement in prevention is 73% and in response is 100%.

Updated: 2020-03-12