Next Generation ISACs: Simulating Crowdsourced Intelligence for Faster Incident Response

Cyberdefense

Abstract

We uncover the different patterns by which users on the open source intelligence platforms ThreatFox and MISP share information. We let these patterns inform a simulation model that describes how decentralized users share indicators of compromise (IoC). The results suggest that both platform approaches have unique strengths and drawbacks, and they highlight a trade-off between the speed with which IoC are shared and the reputational risk involved in this sharing. We find that single-community platforms such as ThreatFox let agents share low-value IoC fast, whereas closed-user communities such as MISP create conditions that enable users to share high-value IoC. We discuss the extent to which a combination of both designs may prove to be effective.

Notes

  1. See https://threatfox.abuse.ch/.

  2. See https://www.misp-project.org/.

Corresponding author

Correspondence to Philipp Fischer.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Fischer, P., Gillard, S. (2023). Next Generation ISACs: Simulating Crowdsourced Intelligence for Faster Incident Response. In: Keupp, M.M. (eds) Cyberdefense. International Series in Operations Research & Management Science, vol 342. Springer, Cham. https://doi.org/10.1007/978-3-031-30191-9_4
