Sharing Is Caring: Hurdles and Prospects of Open, Crowd-Sourced Cyber Threat Intelligence

Abstract

Abstract—Cyber threat intelligence (CTI) is widely recognized as an important area in cybersecurity but it remains an area showing silos and reserved for large organizations. For an area whose strength is in open and responsive sharing, we see that the generation of feeds has a small scale, is secretive, and is nearly always from specialized businesses that have a commercial interest in not publicly sharing insights at a speed where it could be effective in raising preparedness or stopping an attack. This article has three purposes. First, we extensively review the state and challenges of open, crowd-sourced CTI, with a focus on the perceived barriers. Second, having identified that confidentiality (in multiple forms) is a key barrier, we perform a confidentiality threat analysis of existing sharing architectures and standards, including reviewing circa one million of real-world feeds between 2014 and 2022 from the popular open platform MISP toward quantifying the inherent risks. Our goal is to build the case that, either by redesigning sharing architectures or simply performing simple sanitization of shared information, the confidentiality argument is not as strong as one may have presumed. Third, after identifying key requirements for open crowd-based sharing of CTI, we propose a reference (meta-) architecture. Managerial Relevance—CTI is widely recognized as a key advantage toward cyber resilience in its multiple dimensions, from business continuity to reputation/regulatory protection. Furthermore, as we review in this article, there are strong indications that the next generation of approaches to cybersecurity will be centered on CTI. Whereas CTI is an established business area, we see little adoption, closed communities, or high costs that small businesses cannot afford. For an area that, intuitively, should be open, as velocity and accuracy of information is crucial, we shed light on why we have no significant open, crowd-sourced CTI. In other words, why is usage so lacking? We identify reasons and deconstruct unclear and unhelpful rationales by looking at a wide range of literature (research and professional) and an analysis of nearly ten years of open CTI data. Our findings from current data indicate two types of reasons. One, and dominant, is unhelpful perceptions (e.g., confidentiality), and another stems from market factors (e.g., “free-riding”) that need collective movement as no single player may be able to break the cycle. After looking at motivations and barriers, we review existing technologies, elicit requirements, and propose a high-level open CTI sharing architecture that could be used as a reference for practitioners

Publication DOI: https://doi.org/10.1109/TEM.2023.3279274
Divisions: College of Business and Social Sciences > Aston Business School
College of Business and Social Sciences > Aston Business School > Operations & Information Management
College of Engineering & Physical Sciences > School of Computer Science and Digital Technologies > Software Engineering & Cybersecurity
College of Engineering & Physical Sciences > School of Computer Science and Digital Technologies
Additional Information: This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Uncontrolled Keywords: Confidentiality,cyber security,cybersecurity management,cyber threat intelligence (CTI)
Publication ISSN: 0018-9391
Last Modified: 18 Nov 2024 08:42
Date Deposited: 09 Jun 2023 09:24
Full Text Link:
Related URLs: https://ieeexpl ... cument/10146036 (Publisher URL)
http://www.scop ... tnerID=8YFLogxK (Scopus URL)
PURE Output Type: Article
Published Date: 2023-06-07
Published Online Date: 2023-06-07
Accepted Date: 2023-05-13
Authors: Jesus, Vitor (ORCID Profile 0000-0002-5884-0446)
Bains, Balraj
Chang, Victor (ORCID Profile 0000-0002-8012-5852)

Download

[img]

Version: Published Version

License: Creative Commons Attribution

| Preview

Export / Share Citation


Statistics

Additional statistics for this record