CR, Feb 2, 2017

Rethinking Information Sharing for Actionable Threat Intelligence

arXiv:1702.00548v1, 9 citations
AI Analysis

This work addresses challenges in cybersecurity threat intelligence sharing for defenders, but it is incremental as it calls for further exploration rather than introducing new solutions.

The paper identifies issues in current threat intelligence sharing paradigms and argues for improvements through well-defined models, risk measurement, privacy preservation, and mechanisms to prevent free-riding, without presenting specific results or numbers.

In the past decade, the information security and threat landscape has grown significantly making it difficult for a single defender to defend against all attacks at the same time. This called for introducing information sharing, a paradigm in which threat indicators are shared in a community of trust to facilitate defenses. Standards for representation, exchange, and consumption of indicators are proposed in the literature, although various issues are undermined. In this paper, we rethink information sharing for actionable intelligence, by highlighting various issues that deserve further exploration. We argue that information sharing can benefit from well-defined use models, threat models, well-understood risk by measurement and robust scoring, well-understood and preserved privacy and quality of indicators and robust mechanism to avoid free riding behavior of selfish agent. We call for using the differential nature of data and community structures for optimizing sharing.
