Abstract

In cyberspace, boundaries are constantly being crossed in the name of progress and convenience, which invariably results in new vulnerabilities and potential attacks. Traditional security approaches cannot contain the dynamic nature of new techniques and threats, which are increasingly resilient and complex. In this scenario, the sharing of threat intelligence is growing. However, the vast majority of data is shared in the form of unstructured textual reports, or is extracted from blogs and social media. These data sources impose great limitations on security analysts because of the high volume and low quality of Cyber Threat Intelligence (CTI). Among the various aspects that limit the use of CTI, we focus on data quality. Inaccurate, incomplete or outdated information makes actions reactive, in no way different from traditional approaches. Quality threat intelligence, by contrast, has a positive impact on incident response time. In this work, we propose an Indicator of Compromise enrichment process to improve the quality of CTI. Based on the intelligence production cycle, we conduct research to define metrics capable of evaluating the CTI produced through open-source-licensed threat intelligence platforms.
