Helping hands: Measuring the impact of a large threat intelligence sharing community

Conference Paper (2022)
Author(s)

Xander Bouwman (TU Delft - Organisation & Governance)

Victor Le Pochat (Katholieke Universiteit Leuven)

Pawel Foremski (Farsight Security, Inc.)

Tom Van Goethem (Katholieke Universiteit Leuven)

Carlos Hernandez Ganan (ICANN, TU Delft - Organisation & Governance)

Giovane C.M. Moura (SIDN)

Samaneh Tajalizadehkhoob (ICANN)

Wouter Joosen (Katholieke Universiteit Leuven)

MJG Van Eeten (TU Delft - Organisation & Governance)

Research Group
Organisation & Governance
Copyright
© 2022 X.B. Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, C. Hernandez Ganan, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, M.J.G. van Eeten
Publication Year
2022
Language
English
Pages (from-to)
1149-1165
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.

Files

Sec22_bouwman.pdf
(pdf | 2 Mb)
License info not available