A survey on technical threat intelligence in the age of sophisticated cyber attacks

Increasing complexity requires enhanced information sharing among cyber-attack preventing entities. Hence, threat intelligence emerges as an increasingly valuable commodity. It is in large agreement that threat intelligence sharing is beneficial. Information sharing has shown to mitigate attacks, prevent future hazards, and identify the malicious actors. The action is also cost-effective, saving individual smaller institutions money by not having to collect all security data on their own. However, there are also natural barriers and sometimes counter incentives to such sharing. Companies fear negative publicity reporting attacks, which can damage their stock price. CERTs sometimes fear that sharing sensitive information might break federal law. Security data shared among parties doesn’t always arrive in a timely manner in a relevant format with clarity, coherence, and thus utility. And, participation in information sharing is deterred when some participants begin to distrust other participants who “take more” security data than they give. information sharing is very useful for Tactical Threat Intelligence (TTI) to address zero-day cyber attacks. However, to prevent against targeted cyber attacks, a team must collect and filter their own threat data with a focus on their “internal vulnerabilities and weaknesses.” Key Words: Technical threat intelligence; Indicators of compromise (IOC); Malware; Trust; Reputation; Ontologies; Cyber crime; Preventative strategies; Risk analysis; Threat sharing