Helping hands: Measuring the impact of a large threat intelligence sharing community

X.B. Bouwman; Victor  Le Pochat; Pawel Foremski; Tom   Van Goethem; C. Hernandez Ganan; Giovane C.M. Moura; Samaneh Tajalizadehkhoob; Wouter Joosen; M.J.G. van Eeten

Helping hands: Measuring the impact of a large threat intelligence sharing community

X.B. Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, C. Hernandez Ganan, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, M.J.G. van Eeten

Organisation & Governance

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

56 Downloads (Pure)

Abstract

We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.

Original language	English
Title of host publication	31st USENIX Security Symposium
Publisher	USENIX Association
Pages	1149-1165
Publication status	Published - 2022
Event	31th Usenix security symposium - Boston, United States Duration: 10 Aug 2022 → 12 Aug 2022 Conference number: 31 https://www.usenix.org/conference/usenixsecurity22

Conference

Conference	31th Usenix security symposium
Country/Territory	United States
City	Boston
Period	10/08/22 → 12/08/22
Internet address	https://www.usenix.org/conference/usenixsecurity22

Access to Document

sec22-bouwmanFinal published version, 1.84 MB

https://www.usenix.org/conference/usenixsecurity22/presentation/bouwman

Cybersecurity (TPM)
van Eeten, M. J. G., Hernandez Ganan, C., Gürses, F. S., van Wegberg, R. S., Parkin, S. E., Zhauniarovich, Y., van Engelenburg, S. H., Kadenko, N. I., Labunets, K., Akyazi, U., Bouwman, X. B., Jansen, B. A., Kaur, M., Al Alsadi, A., Lone, Q. B., Turcios Rodriguez, E. R., Vermeer, M., van Harten, V. T. C., Vetrivel, S., Oomens, E. (. C. )., Kustosch, L. F., Bisogni, F., Ciere, M., Fiebig, T., Korczynski, M. T., Moreira Moura, G. C., Noroozian, A., Pieters, W., Tajalizadehkhoob, S., Dacier, B. H. A., San José Sanchez, J., Çetin, F. O. & Zannettou, S.
1/01/10 → …
Project: Research

Cite this

Bouwman, X. B., Le Pochat, V., Foremski, P., Van Goethem, T., Hernandez Ganan, C., Moura, G. C. M., Tajalizadehkhoob, S., Joosen, W., & van Eeten, M. J. G. (2022). Helping hands: Measuring the impact of a large threat intelligence sharing community. In 31st USENIX Security Symposium (pp. 1149-1165). USENIX Association. https://www.usenix.org/conference/usenixsecurity22/presentation/bouwman

@inproceedings{3c76cebec7e14cacb347e9619d21db2d,

title = "Helping hands: Measuring the impact of a large threat intelligence sharing community",

abstract = "We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.",

author = "X.B. Bouwman and {Le Pochat}, Victor and Pawel Foremski and {Van Goethem}, Tom and {Hernandez Ganan}, C. and Moura, {Giovane C.M.} and Samaneh Tajalizadehkhoob and Wouter Joosen and {van Eeten}, M.J.G.",

year = "2022",

language = "English",

pages = "1149--1165",

booktitle = "31st USENIX Security Symposium",

publisher = "USENIX Association",

note = "31th Usenix security symposium ; Conference date: 10-08-2022 Through 12-08-2022",

url = "https://www.usenix.org/conference/usenixsecurity22",

}

Bouwman, XB, Le Pochat, V, Foremski, P, Van Goethem, T, Hernandez Ganan, C, Moura, GCM, Tajalizadehkhoob, S, Joosen, W & van Eeten, MJG 2022, Helping hands: Measuring the impact of a large threat intelligence sharing community. in 31st USENIX Security Symposium. USENIX Association, pp. 1149-1165, 31th Usenix security symposium, Boston, United States, 10/08/22. <https://www.usenix.org/conference/usenixsecurity22/presentation/bouwman>

TY - GEN

T1 - Helping hands: Measuring the impact of a large threat intelligence sharing community

AU - Bouwman, X.B.

AU - Le Pochat, Victor

AU - Foremski, Pawel

AU - Van Goethem, Tom

AU - Hernandez Ganan, C.

AU - Moura, Giovane C.M.

AU - Tajalizadehkhoob, Samaneh

AU - Joosen, Wouter

AU - van Eeten, M.J.G.

N1 - Conference code: 31

PY - 2022

Y1 - 2022

N2 - We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.

AB - We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.

M3 - Conference contribution

SP - 1149

EP - 1165

BT - 31st USENIX Security Symposium

PB - USENIX Association

T2 - 31th Usenix security symposium

Y2 - 10 August 2022 through 12 August 2022

ER -

Helping hands: Measuring the impact of a large threat intelligence sharing community

Abstract

Conference

Access to Document

Fingerprint

Projects

Cybersecurity (TPM)

Cite this