Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing

  • Tuesday, 19 Jan 2016 3:00PM EST (19 Jan 2016 20:00 UTC)
  • Speaker: Alex Pinto

For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon over the last year, and are able to gather and compare data from multiple Threat Intelligence sources on the Internet. This research culminated in a talk at the SANS CTI Summit 2015 and a contribution to the Verizon DBIR in the same year.

In this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine whether the added interest and "push" towards sharing is really being followed by the companies, and whether its adoption is putting us on the right track to close these gaps. We propose a new set of metrics in the same vein as TIQ-test to help you understand what a "healthy" threat intelligence sharing community looks like.

To better illustrate the points and metrics, we will be conducting part of this analysis using usage data from some high-profile threat intelligence platforms and sharing communities that have been kind enough to contribute usage data for this research.

Join us in a data-driven analysis of threat intelligence sharing communities and their impact on operational usage of indicators!


Learn more about data-driven threat intelligence at the upcoming CTI Summit in Alexandria, VA, February 3-4, 2016.

The fourth annual Cyber Threat Intelligence Summit brings experienced intelligence practitioners together - onstage and off - to feature contemporary theories, research, and tradecraft divided along tactical, operational, and strategic levels. By adopting this format change, with exciting keynotes to usher in each of the three sections, we hope to better frame the summit content so participants can immediately see where in their organizations each of the tools, methodologies, and processes can be applied as soon as they are back in the office.

  • Decrease your adversary's likelihood of success with each subsequent attempt.
  • Ensure your security programs are up-to-date to outsmart sophisticated attacks.
  • Obtain accurate and timely information to monitor new and evolving attacks.
  • Utilize this information to detect and ultimately avoid a security breach.