Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing

by Alex Pinto, Alexandre Sieira
Sept. 18, 2017 | Black Hat | belen_caty | Detection & Response

For the past 18 months, Niddel has been collecting threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year and are able to gather and compare data from multiple Threat Intelligence sources on the Internet. We take this analysis a step further and extract insights from more than 12 months of collected threat intel data to verify the overlap and uniqueness of those sources. If we were able to find enough overlap, a strategy could be put together to acquire an optimal number of feeds; but, as Niddel demonstrated in the 2015 Verizon DBIR, that is not the case.
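To make the overlap and uniqueness measurements concrete, here is an added illustration (not code from Combine, TIQ-test or the authors): each feed is modelled as a set of indicators, and we compute pairwise Jaccard overlap, the fraction of each feed that no other feed carries, and a greedy selection of feeds that maximises coverage of the combined indicator set. The feed names and the indicator values are constructed (RFC 5737 documentation addresses), and the greedy set-cover heuristic is an assumption about how one might pick feeds, not the paper's method.

```python
"""Overlap, uniqueness and coverage metrics across threat-intel indicator feeds."""
from itertools import combinations

# Constructed sample feeds using documentation-range addresses; not real indicators.
SAMPLE_FEEDS = {
    "feed_a": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.7"},
    "feed_b": {"192.0.2.2", "192.0.2.3", "203.0.113.9"},
    "feed_c": {"203.0.113.9", "203.0.113.10", "198.51.100.7", "198.51.100.8"},
}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |a ∩ b| / |a ∪ b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds: dict) -> dict:
    """Jaccard overlap for every unordered pair of feeds, keyed by (name, name)."""
    return {
        (x, y): jaccard(feeds[x], feeds[y])
        for x, y in combinations(sorted(feeds), 2)
    }


def uniqueness(feeds: dict) -> dict:
    """Fraction of each feed's indicators that appear in no other feed."""
    result = {}
    for name, indicators in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        unique = indicators - others
        result[name] = len(unique) / len(indicators) if indicators else 0.0
    return result


def coverage(feeds: dict, chosen) -> float:
    """Share of the union of all feeds that the chosen subset of feeds covers."""
    total = set().union(*feeds.values())
    covered = set().union(*(feeds[n] for n in chosen)) if chosen else set()
    return len(covered) / len(total) if total else 0.0


def greedy_feed_selection(feeds: dict, target_coverage: float = 1.0) -> list:
    """Greedy set cover: repeatedly add the feed that contributes the most
    indicators not yet covered, until target_coverage of the union is reached
    or no feed adds anything new. Heuristic, not guaranteed optimal."""
    total = set().union(*feeds.values())
    covered, chosen = set(), []
    while len(covered) < target_coverage * len(total):
        remaining = [n for n in feeds if n not in chosen]
        if not remaining:
            break
        best = max(remaining, key=lambda n: len(feeds[n] - covered))
        if not feeds[best] - covered:
            break  # no remaining feed adds new indicators
        chosen.append(best)
        covered |= feeds[best]
    return chosen


if __name__ == "__main__":
    for pair, score in pairwise_overlap(SAMPLE_FEEDS).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {score:.3f}")
    for name, frac in uniqueness(SAMPLE_FEEDS).items():
        print(f"unique share of {name}: {frac:.3f}")
    picked = greedy_feed_selection(SAMPLE_FEEDS)
    print(f"greedy pick: {picked}, coverage {coverage(SAMPLE_FEEDS, picked):.3f}")
```

On real feeds the inputs would be the normalised indicator sets collected per source and per time window; low pairwise Jaccard combined with high per-feed uniqueness is the pattern the text describes, and it is exactly the case where the greedy selection cannot shrink the number of feeds much without losing coverage.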

Steven Ulm 5 months, 4 weeks ago

I wasn't a big fan of Niddel's policies to be honest, but your article is well written and objective. I appreciate that! :)