Helping hands: Measuring the impact of a large threat intelligence sharing community

X.B. Bouwman, Victor Le Pochat, Pawel Foremski, Tom Van Goethem, C. Hernandez Ganan, Giovane C.M. Moura, Samaneh Tajalizadehkhoob, Wouter Joosen, M.J.G. van Eeten

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

27 Downloads (Pure)


We tracked the largest volunteer security information sharing community known to date: the COVID-19 Cyber Threat Coalition, with over 4,000 members. This enabled us to address long-standing questions on threat information sharing. First, does collaboration at scale lead to better coverage? And second, does making threat data freely available improve the ability of defenders to act? We found that the CTC mostly aggregated existing industry sources of threat information. User-submitted domains often did not make it to the CTC's blocklist as a result of the high threshold posed by its automated quality assurance using VirusTotal. Although this ensured a low false positive rate, it also caused the focus of the blocklist to drift away from domains related to COVID-19 (1.4%-3.6%) to more generic abuse, such as phishing, for which established mitigation mechanisms already exist. However, in the slice of data that was related to COVID-19, we found promising evidence of the added value of a community like the CTC: just 25.1% of these domains were known to existing abuse detection infrastructures at time of listing, as compared to 58.4% of domains on the overall blocklist. From the unique experiment that the CTC represented, we draw three lessons for future threat data sharing initiatives.
Original languageEnglish
Title of host publication31st USENIX Security Symposium
PublisherUSENIX Association
Publication statusPublished - 2022
Event31th Usenix security symposium - Boston, United States
Duration: 10 Aug 202212 Aug 2022
Conference number: 31


Conference31th Usenix security symposium
Country/TerritoryUnited States
Internet address


Dive into the research topics of 'Helping hands: Measuring the impact of a large threat intelligence sharing community'. Together they form a unique fingerprint.

Cite this