Extended summary of "A different cup of TI? The added value of commercial threat intelligence"
Candidate: Alessandra Amato
Supervisor: Alberto Bartoli
06.07.2021
Università degli Studi di Trieste
Department of Engineering and Architecture
Degree Programme in Electronic and Computer Engineering
Bouwman, X., Griffioen, H., Egbers, J., Doerr, C., Klievink, B., & van Eeten, M. (2020). A different cup of TI? The added value of commercial threat intelligence. 433-450. Paper presented at 29th USENIX Security Symposium (Virtual/online event due to COVID-19), Online event, United States.
https://www.usenix.org/conference/usenixsecurity20/presentation/bouwman
Table of Contents
01 Introduction
02 Methodology
03 Findings
• Paid TI services and pricing
• Comparison: overlap and timeliness
• Use cases and value perception of TI
04 Conclusions
Introduction
Threat intelligence, also known as TI, refers to the knowledge about attackers' behavior and techniques that helps improve the defenses against cyber-attacks.
Focus of the study: 3 external sources of TI, Shared TI (STI), Open TI (OTI) and Paid TI (PTI), examined along three lines:
• services and costs offered by PTI
• differences in the data provided by PTI and OTI
• customers' value criteria and use cases of TI
Methodology
• Collection of 3-5 subsets from two market leaders
• Comparison of the indicators to each other
• Comparison of the indicators to one month of data by 4 OTI sources
• Interviews with 14 security professionals
• Analytic codes from the responses
Paid TI services and pricing
• Indicators of compromise (IOCs): signals of the attacker's presence.
• Reports: information on the techniques and purposes of the attacker.
• Requests for information (RFI)
• Portals
• Data mining platforms and aggregators
• Custom alerts
COSTS: from $30,000 to $650,000 per year
COMPARISON: Overlap
Overlap was measured between the two PTI vendors and between PTI and OTI:
• Average overlap for each indicator type: <4%
• PTI indicators observed by OTI sources: 1%
• Vendor 1's indicators listed by Vendor 2: 13%
• Vendor 2's indicators listed by Vendor 1: 1.3%
• OTI indicators observed by PTI sources: 0.0%
COMPARISON: Timeliness
The study measured the delay between an indicator being observed by one source and the same indicator being observed by the other source.
• PTI vendors: on average more than one month of delay
• PTI versus OTI: no substantial conclusions
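The directional overlap and the first-seen delay used in the two comparison slides above, as an added Python example (not the paper's or the author's code). The feed contents, dates and function names are constructed assumptions; each feed maps an indicator to the date that feed first listed it.

```python
from datetime import date
from statistics import median

# Constructed sample feeds (not the paper's data): indicator -> first-seen date.
FEED_A = {
    "198.51.100.7": date(2020, 3, 1),
    "203.0.113.9": date(2020, 3, 2),
    "bad.example": date(2020, 3, 5),
    "evil.example": date(2020, 3, 10),
}
FEED_B = {
    "198.51.100.7": date(2020, 4, 15),  # listed by A 45 days earlier
    "bad.example": date(2020, 3, 3),    # listed by B 2 days before A
    "other.example": date(2020, 3, 8),
    "c2.example": date(2020, 3, 9),
    "drop.example": date(2020, 3, 11),
}

def overlap_pct(src, other):
    """Directional overlap: percentage of src's indicators that also appear in other.
    Note that overlap_pct(A, B) != overlap_pct(B, A) when the feeds differ in size,
    which is why the slide reports both 13% and 1.3% for the two vendors."""
    if not src:
        return 0.0
    return 100.0 * len(src.keys() & other.keys()) / len(src)

def delays_days(src, other):
    """For each shared indicator, days from src's first-seen date to other's.
    Positive: other lagged behind src; negative: other listed it first."""
    return {i: (other[i] - src[i]).days for i in src.keys() & other.keys()}

def timeliness(src, other):
    """Summarise how far other lags src; None when the feeds share nothing,
    matching the slide's 'no substantial conclusions' case for tiny overlaps."""
    lags = list(delays_days(src, other).values())
    if not lags:
        return None
    return {"shared": len(lags),
            "mean_days": sum(lags) / len(lags),
            "median_days": median(lags)}

if __name__ == "__main__":
    print(f"A listed by B: {overlap_pct(FEED_A, FEED_B):.1f}%")
    print(f"B listed by A: {overlap_pct(FEED_B, FEED_A):.1f}%")
    print("lag of B behind A:", timeliness(FEED_A, FEED_B))
```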
Use cases of TI
• Network detection: all the instances in which TI is employed automatically to mitigate cyber-attacks.
• Situational awareness: TI is used to improve analysts' perception of the enterprise's risk situation.
• SOC prioritization: TI is applied to direct the investigation of SOC teams towards relevant threats.
Value perception of TI
Optimization of the inputs into the analysts' workflow:
• Limited operational impact when automated
• Minimal number of false positives
• Smaller and accurate sets
Coverage of relevant threats: only 50% considered it a valuable feature.
Conclusions
• Minimal number of common indicators between OTI and PTI sources: PTI and OTI are two different kinds of threat intelligence.
• Slight overlap and important delay between the indicators of the two vendors: doubts on the coverage that PTI provides.
• Customers not optimizing for coverage: TI evaluation based on the impact on analysts' time and false-positives ratio.