Georgia Tech researchers highlight vulnerabilities in threat intelligence sharing - SC Media
SC Media. Archived Apr 25, 2026.
AI Summary (Claude Sonnet)
Georgia Tech researchers have identified significant vulnerabilities in the global threat intelligence data supply chain, with potential consequences for cybersecurity defenses worldwide. Their findings suggest that geopolitical tensions and inherent weaknesses in current sharing practices could fracture the ecosystem. The Register also covered the research.
The research, to be presented at the NDSS Symposium, reveals that the threat intelligence ecosystem, comprising platforms like VirusTotal, antivirus companies, and sandbox services, suffers from inconsistent data quality and sharing practices. In an experiment, benign but suspicious-looking binaries were shared with 30 security vendors: 67% ran sandbox analysis on them, but only 17% shared the resulting threat intelligence. Furthermore, a few "nexus vendors" dominate sharing, creating bottlenecks that delay information propagation by hours to days. Some vendors also perform only shallow analysis, and analysis infrastructure shared among researchers can aid adversaries in evading detection.
The researchers propose a secure data provenance system to enhance trust and encourage more comprehensive sharing, aiming to allow operators to use threat intelligence regardless of its origin country. This could mitigate the impact of geopolitical fragmentation on cybersecurity. However, the primary challenge lies in establishing transnational governance structures that are perceived as legitimate by participants operating under conflicting national mandates, preventing threat intelligence from devolving into a geopolitical competition.
Source: The Register