Cyber threat intelligence sharing

Cyber Threat Intelligence (CTI) sharing is now considered necessary for organizations to withstand current and future cyberattacks by working proactively. Organizations may be compelled to run a threat intelligence program and to share their information, and stakeholders may in future be held responsible for failing to share known threats that could affect other organizations.

The core idea behind threat intelligence sharing is to create situational awareness among stakeholders by exchanging information about new threats and vulnerabilities. CTI can also aid stakeholders in making tactical decisions.

The article aimed to identify the current state of CTI sharing and to set future research directions. The authors analyzed 102 articles, reports and government bills focused on CTI sharing or related areas.

Implementing a CTI program that uses and disseminates information in a timely fashion is challenging, and stakeholders struggle to build a system that properly consumes CTI and makes the information relevant to them. Manual sharing (e-mails, phone calls, shared databases, etc.) is still a widely used way to exchange information about vulnerabilities, but it is slow and labor-intensive. Consequently, automating some of these processes may increase the effectiveness of CTI sharing.

To be effective, CTI should be exchanged globally, but cultural differences may impede the exchange. Challenges lie in communication, in the language itself, and in the comprehension of specialized terms. Common reasons why organizations do not share their CTI are that they believe they possess nothing worth sharing and that competitors could use the information against them. Others hesitate because of missing incentives while still expecting to receive knowledge from their peers in the community. As a result, support for efficient collaboration remains very limited.

Establishing a CTI sharing collaboration requires a comprehensive trust relationship between stakeholders. Trust is normally established over time and in face-to-face meetings. It is considered the most difficult attribute of the threat intelligence sharing ecosystem, because CTI can contain information that should only be revealed to trusted stakeholders. The trustworthiness of a stakeholder is evaluated through trust and reputation, where trust is built through direct contact and reputation from the opinions of other peers.
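The two points above (manual channels are slow and error-prone; sensitive CTI must only reach trusted stakeholders) can be illustrated with a small automation step. The following is an added example, not code from the surveyed paper or from any sharing platform it mentions: indicators arrive as a defanged e-mail and as rows from a shared spreadsheet (both constructed samples), are normalized into one schema, de-duplicated, and then released per recipient according to a sensitivity label. The schema, the field names, the two-level `community` / `trusted-only` ordering and the rule that a URL inherits the sensitivity of the domain it embeds are all assumptions made for this example.

```python
"""Added example: automating a manual CTI exchange with a trust gate.
Schema, sensitivity levels and propagation rule are assumptions, not a standard."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: an analyst's e-mail with defanged indicators.
EMAIL_BODY = """\
Team, we saw beaconing to hxxp://update-check[.]example[.]net/ping from 203.0.113.45
and the dropper hash is
1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b.
Please treat the domain as trusted-only for now.
"""

# Constructed sample: rows copied from a shared spreadsheet.
SHEET_CSV = """\
type,value,sensitivity
ipv4,203.0.113.45,community
ipv4,198.51.100.7,community
domain,update-check.example.net,trusted-only
"""

# Assumed ordering: a recipient at level N may receive anything ranked <= N.
TRUST_RANK = {"community": 1, "trusted-only": 2}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    sensitivity: str = "community"


def refang(text: str) -> str:
    """Undo common defanging so values compare equal across sources."""
    return text.replace("hxxp", "http").replace("[.]", ".")


_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'>]+"),
}
_HOST_OF_URL = re.compile(r"https?://([^/\s:]+)")


def extract_from_email(body: str, default_sensitivity: str = "community") -> list[Indicator]:
    """Pull indicators out of free text; each URL also yields its host as a domain."""
    text = refang(body)
    found = []
    for kind, pat in _PATTERNS.items():
        for m in pat.finditer(text):
            found.append(Indicator(kind, m.group(0).rstrip(".,;"), default_sensitivity))
    for m in _HOST_OF_URL.finditer(text):
        found.append(Indicator("domain", m.group(1), default_sensitivity))
    return found


def load_sheet(csv_text: str) -> list[Indicator]:
    """Read the spreadsheet export; it already carries a sensitivity column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Indicator(r["type"], refang(r["value"]), r["sensitivity"]) for r in rows]


def merge(*sources: list[Indicator]) -> list[Indicator]:
    """De-duplicate by (kind, value), keeping the most restrictive sensitivity seen."""
    best: dict[tuple[str, str], Indicator] = {}
    for src in sources:
        for ind in src:
            key = (ind.kind, ind.value)
            cur = best.get(key)
            if cur is None or TRUST_RANK[ind.sensitivity] > TRUST_RANK[cur.sensitivity]:
                best[key] = ind
    return sorted(best.values(), key=lambda i: (i.kind, i.value))


def propagate(indicators: list[Indicator]) -> list[Indicator]:
    """A URL reveals its domain, so it must be at least as sensitive as that domain."""
    domain_sens = {i.value: i.sensitivity for i in indicators if i.kind == "domain"}
    out = []
    for i in indicators:
        if i.kind == "url":
            m = _HOST_OF_URL.match(i.value)
            host_sens = domain_sens.get(m.group(1) if m else "", i.sensitivity)
            if TRUST_RANK[host_sens] > TRUST_RANK[i.sensitivity]:
                i = Indicator(i.kind, i.value, host_sens)
        out.append(i)
    return out


def release_for(indicators: list[Indicator], recipient_trust: str) -> list[Indicator]:
    """Only hand out records the recipient's trust level permits."""
    level = TRUST_RANK[recipient_trust]
    return [i for i in indicators if TRUST_RANK[i.sensitivity] <= level]


def build_feed() -> list[Indicator]:
    """Full pipeline over the two constructed sources."""
    return propagate(merge(extract_from_email(EMAIL_BODY), load_sheet(SHEET_CSV)))


if __name__ == "__main__":
    feed = build_feed()
    for level in ("community", "trusted-only"):
        print(level, [(i.kind, i.value) for i in release_for(feed, level)])
```

The propagation step is the part worth copying: the e-mail never labelled the URL, and the spreadsheet never listed it, so without it a `community` recipient would receive the URL and thereby learn the `trusted-only` domain. Real deployments would replace the two-level ordering with whatever marking scheme the sharing community has agreed on.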

Stakeholders have to build up their reputation to become trusted members of a threat sharing community. Reputation is built over time by sharing high-quality, actionable threat information and by conforming to the community's sharing policies. Conversely, once a bad reputation has become entrenched, it is hard to reverse.

Threat sharing has gained the interest of many organizations that want to act more proactively against cyber threats. Although more research on CTI is still needed, the article highlights the challenges of CTI sharing among organizations.

Cite: Wagner, T. D., Mahbub, K., Palomar, E. and Abdallah, A. E. (2019). Cyber threat intelligence sharing: Survey and research directions. Computers & Security, 87.