Crowdsourced Threat Intelligence: A Paradigm Shift in Cyber Security


What is common between your traffic data, music playlists, and news feeds today? Crowdsourcing. We all know the benefits of community-based services that take real-time user data to increase the relevance and accuracy of a service. Come to think of it bad guys are thriving by collaborating with each other, creating darknet marketplaces, establishing complex supply chains while maintaining anonymity, and using and sharing botnets to maximize their gains. It is high time the Cyber Security industry borrows a page from their playbook and steps up the game in threat intelligence feeds.

Today, there is a broad range of products and solutions available for firms to protect their networks, endpoints, applications, data, and users. Why then are data breaches common? Quite often there are silos within the organization with teams not sharing information in real-time regarding suspicious/malicious incidents or attacks. For example, the firewall team may have seen malicious activity from a particular IP and blocks the IP but does not inform the application team about the attack. But the attacker soon may use a different IP with a slightly modified signature and get past the firewall, leaving the application vulnerable. The benefits of sharing attack data between teams within the same firm are well established. Many solutions exist today that correlate different alerts using big data and significantly reduce the attack surface and can thwart attacks.

“75% of attacks spread from Victim 0 to Victim 1 within 24 hours. Over 40% hit the second organization in less than an hour” – Verizon DBIR 2015

“Sharing is Caring.” Imagine if we could take sharing of threat data to the next level between vendors, enterprises and law enforcement to make it truly crowdsourced with increased participation. The idea here is to stop the attack at Victim 0. Sharing of IP, URL and domain reputation data has already proven to be very effective. The speed of attacks is increasing which is driving the need for faster sharing of attack data.  There are several factors to consider when providing a thread feed:

  • Feeds must provide contextual data with detailed information regarding the attack
  • Intelligence must be actionable, for example, provide an API returning risk scores
  • Quality over quantity, the threat feeds themselves should not overwhelm the security infrastructure
  • Keep it simple, arrive at simple format that helps drive quicker decision-making
  • Do the security team members have the know-how to take the feeds and realize the maximum potential
  • Are there enough participants contributing to the community? For example, Imperva ThreatRadar has a significant number of customers enabling community defense helping drive up its effectiveness

A Recent study from SMU on “Identifying How Firms Manage Cybersecurity Investment” published in Oct 2015 states “CISOs who relied on third-party threat intelligence data feeds were the only ones that felt comfortable managing risk and prioritizing threats.”

“When asked about how useful Cyber Threat Intelligence would be for defense and response over the next five years, 75% of respondents felt it was very important and would be embedded into most detection and response systems”  SANS Institute Feb 2015.

Cybersecurity vendors are actively contributing to the community with a continuous focus on research to discover vulnerabilities and exploits. The day is not far when the majority of the security vendors share attack data to better protect enterprises against attacks. Enterprises also need to embrace threat intelligence by contributing the attack data to the community.