Quality Evaluation of Cyber Threat Intelligence Feeds

Published: 19 October 2020
DOI: 10.1007/978-3-030-57878-7_14

Abstract

To mount an effective defense, an organization needs information about its likely adversaries and about their tactics, techniques and procedures. This so-called cyber threat intelligence helps an organization understand its own threat profile. Beyond that understanding, specialized feeds of indicators about these threats, loaded into a firewall or intrusion detection system, allow a timely reaction to emerging threats.
These feeds, however, only provide an actual benefit if they are of high quality, that is, if they deliver relevant and complete information in a timely manner. Incorrect or incomplete information may even cause harm, for example if it leads an organization to block legitimate clients, or if the information is so unspecific that acting on it causes excessive collateral damage.
In this paper, we evaluate the quality of 17 open source cyber threat intelligence feeds over a period of 14 months, and 7 additional feeds over 7 months. Our analysis shows that the majority of indicators are active for at least 20 days before they are listed. Additionally, we find that many lists have biases towards certain countries. Finally, we show that blocking listed IP addresses can yield large amounts of collateral damage.
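The three quality dimensions the abstract names (timeliness of listing, geographic bias, and collateral damage from blocking shared IP addresses) can each be measured from daily snapshots of a feed. The following is an added example written for this page; it is not the paper's code or methodology. The feed snapshots, the first-seen dates, the country mapping and the hosted-domain counts are all constructed, and the threshold for flagging a shared host is an arbitrary choice.

```python
"""Measure timeliness, country bias and collateral damage of an IP blocklist
from daily snapshots.  Every input below is constructed for illustration."""
from collections import Counter
from datetime import date
from statistics import median
from typing import Dict, Set, Tuple

# Constructed: one snapshot of a hypothetical IP blocklist per day.
FEED_SNAPSHOTS: Dict[date, Set[str]] = {
    date(2020, 1, 10): {"198.51.100.7", "203.0.113.5"},
    date(2020, 1, 11): {"198.51.100.7", "203.0.113.5", "192.0.2.44"},
    date(2020, 1, 12): {"203.0.113.5", "192.0.2.44", "198.51.100.9"},
}

# Constructed: day on which our own sensors first saw each IP misbehave.
# 198.51.100.9 is deliberately absent: we have no local telemetry for it.
FIRST_SEEN: Dict[str, date] = {
    "198.51.100.7": date(2019, 12, 15),
    "203.0.113.5": date(2020, 1, 9),
    "192.0.2.44": date(2019, 12, 1),
}

# Constructed: GeoIP country and number of domains hosted on each IP (as a
# passive-DNS lookup would give).  203.0.113.5 plays a shared hosting box.
COUNTRY: Dict[str, str] = {
    "198.51.100.7": "NL", "203.0.113.5": "US",
    "192.0.2.44": "NL", "198.51.100.9": "DE",
}
HOSTED_DOMAINS: Dict[str, int] = {
    "198.51.100.7": 1, "203.0.113.5": 350, "192.0.2.44": 3, "198.51.100.9": 1,
}


def listing_window(snapshots: Dict[date, Set[str]]) -> Dict[str, Tuple[date, date]]:
    """First and last snapshot date on which each indicator appears."""
    window: Dict[str, Tuple[date, date]] = {}
    for day in sorted(snapshots):
        for ip in snapshots[day]:
            first, _ = window.get(ip, (day, day))
            window[ip] = (first, day)
    return window


def listing_lag_days(snapshots: Dict[date, Set[str]],
                     first_seen: Dict[str, date]) -> Dict[str, int]:
    """Days between our first sighting and the feed's first listing.
    Positive means the feed was late.  Indicators without local telemetry
    are skipped rather than guessed at."""
    lags: Dict[str, int] = {}
    for ip, (first_listed, _) in listing_window(snapshots).items():
        if ip in first_seen:
            lags[ip] = (first_listed - first_seen[ip]).days
    return lags


def country_share(snapshots: Dict[date, Set[str]],
                  country: Dict[str, str]) -> Dict[str, float]:
    """Fraction of all indicators ever listed, per country."""
    ips = set().union(*snapshots.values())
    counts = Counter(country.get(ip, "??") for ip in ips)
    return {cc: n / len(ips) for cc, n in counts.items()}


def collateral_damage(listed: Set[str], hosted_domains: Dict[str, int],
                      threshold: int = 10) -> Tuple[int, Set[str]]:
    """Benign domains cut off by blocking every IP in `listed`, counting every
    hosted domain except the one assumed malicious (unknown IPs count as a
    single-tenant host).  Also returns IPs whose co-hosted count exceeds
    `threshold`, i.e. the ones to review before blocking wholesale."""
    total = 0
    risky: Set[str] = set()
    for ip in listed:
        others = max(hosted_domains.get(ip, 1) - 1, 0)
        total += others
        if others > threshold:
            risky.add(ip)
    return total, risky


def summarize(snapshots: Dict[date, Set[str]], first_seen: Dict[str, date],
              country: Dict[str, str], hosted_domains: Dict[str, int]) -> dict:
    """Feed report: median lag, share of indicators listed 20+ days late,
    country distribution, and collateral estimate for the latest snapshot."""
    lags = listing_lag_days(snapshots, first_seen)
    latest = snapshots[max(snapshots)]
    collateral, risky = collateral_damage(latest, hosted_domains)
    return {
        "median_lag_days": median(lags.values()),
        "share_listed_20d_late": sum(1 for d in lags.values() if d >= 20) / len(lags),
        "country_share": country_share(snapshots, country),
        "collateral_domains_latest": collateral,
        "review_before_blocking": risky,
    }


if __name__ == "__main__":
    for key, value in summarize(FEED_SNAPSHOTS, FIRST_SEEN, COUNTRY, HOSTED_DOMAINS).items():
        print(f"{key}: {value}")
```

On the constructed data two of the three indicators with local telemetry appear in the feed more than 20 days after they were first active, half of the listed addresses sit in one country, and blocking the latest snapshot would take 351 co-hosted domains offline, almost all of them on the single shared host. A real evaluation would replace the constructed inputs with feed snapshots archived daily, first-seen dates from honeypot or sensor logs, and a passive-DNS source, and would keep the lag computation restricted to indicators with independent ground truth.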


Cited By

  • (2024) You Might Have Known It Earlier: Analyzing the Role of Underground Forums in Threat Intelligence. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 368–383. DOI: 10.1145/3678890.3678930. Published 30 Sep 2024.
  • (2023) Blockchain-Based Cyber Threat Intelligence Sharing Using Proof-of-Quality Consensus. Security and Communication Networks, 2023. DOI: 10.1155/2023/3303122. Published 1 Jan 2023.
  • (2022) Stepping out of the MUD: Contextual threat information for IoT devices with manufacturer-provided behavior profiles. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 467–480. DOI: 10.1145/3564625.3564644. Published 5 Dec 2022.
  • (2021) Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 940–954. DOI: 10.1145/3460120.3484747. Published 12 Nov 2021.


Published In

Applied Cryptography and Network Security: 18th International Conference, ACNS 2020, Rome, Italy, October 19–22, 2020, Proceedings, Part II
Oct 2020, 488 pages
ISBN: 978-3-030-57877-0
DOI: 10.1007/978-3-030-57878-7
Editors: Mauro Conti, Jianying Zhou, Emiliano Casalicchio, Angelo Spognardi

Publisher: Springer-Verlag, Berlin, Heidelberg


Author Tags

1. Cyber threat intelligence
2. Blocklist
