TY - GEN
T1 - Quality Evaluation of Cyber Threat Intelligence Feeds
AU - Griffioen, Harm
AU - Booij, Tim
AU - Doerr, Christian
PY - 2020
Y1 - 2020
AB - In order to mount an effective defense, information about likely adversaries, as well as their techniques, tactics and procedures, is needed. This so-called cyber threat intelligence helps an organization to better understand its threat profile. Next to this understanding, specialized feeds of indicators about these threats downloaded into a firewall or intrusion detection system allow for a timely reaction to emerging threats. These feeds, however, only provide an actual benefit if they are of high quality; in other words, if they provide relevant, complete information in a timely manner. Incorrect and incomplete information may even cause harm, for example if it leads an organization to block legitimate clients or if the information is too unspecific and results in an excessive amount of collateral damage. In this paper, we evaluate the quality of 17 open source cyber threat intelligence feeds over a period of 14 months, and 7 additional feeds over 7 months. Our analysis shows that the majority of indicators are active for at least 20 days before they are listed. Additionally, we have found that many lists have biases towards certain countries. Finally, we also show that blocking listed IP addresses can yield large amounts of collateral damage.
KW - Blocklist
KW - Cyber threat intelligence
UR - http://www.scopus.com/inward/record.url?scp=85091305571&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-57878-7_14
DO - 10.1007/978-3-030-57878-7_14
M3 - Conference contribution
AN - SCOPUS:85091305571
SN - 978-3-030-57877-0
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 277
EP - 296
BT - Applied Cryptography and Network Security
A2 - Conti, Mauro
A2 - Zhou, Jianying
A2 - Casalicchio, Emiliano
A2 - Spognardi, Angelo
PB - Springer
CY - Cham
T2 - 18th International Conference on Applied Cryptography and Network Security, ACNS 2020
Y2 - 19 October 2020 through 22 October 2020
ER -