SUNRISE CRITICAL INFRASTRUCTURE SERIES
In collaborative environments, sharing schemes or platforms, especially those based on voluntary contributions, there are often two unwanted extremes: too much silence and too much noise. In cyber threat intelligence (CTI) sharing, silence is frequently attributed to the lack of incentives and motivation for organizations to share this type of data. However, we may soon face a situation where the main problem is not a lack of CTI but rather too much of it, with related risks such as an increase in untrusted contributors, CTI processing fatigue, and false positives created by automation.
During temporary and unforeseen circumstances such as pandemics, the operational conditions of critical infrastructure cybersecurity teams change significantly because of absenteeism, shifting priorities or other reasons. The availability of qualified staff overseeing CTI may fluctuate, potentially affecting the credibility of certain sources within the ecosystem. CTI sources can become untrusted or unreliable due to accidental mistakes (misinformation) or deliberate deception (disinformation); both reduce the effectiveness of CTI and erode trust in shared intelligence.
This is where systems that ingest CTI must dynamically adjust their trust assessments, not only of the received data but also of the threat intelligence sources in the CTI ecosystem, based on evolving contextual factors and by combining different open intelligence feeds to reduce false positives. In SUNRISE we use the well-known open-source Malware Information Sharing Platform (MISP) [1] for sharing indicators of compromise (IoCs) such as virus signatures, IP addresses, URLs or domain names of botnet command and control servers. Dynamically and automatically adjusting the source confidence score of incoming MISP events allows CTI systems to recalibrate their trust scores in real time, accounting for changes in the reliability and relevance of threat intelligence sources, and focuses the efforts of critical infrastructure (CI) incident response and security operations teams on reliable information.
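As an added example (not SUNRISE or MISP project code), the following Python script sketches one way such recalibration could be implemented: each contributing organisation gets a Beta-distributed reliability estimate, corroboration of an indicator by an independent source raises the estimate, analyst feedback marking a false positive lowers it, older evidence decays toward the prior so that trust can move quickly when a source's conditions change, and the combined confidence decides whether an IoC is blocked, alerted on or ignored. The event layout follows the MISP JSON structure (Event / Orgc / Attribute with to_ids); the feed names, IP addresses, thresholds and decay factor are constructed for illustration and are not part of the original post.

```python
"""
Dynamic source-confidence scoring for MISP events.
Illustrative example only; not SUNRISE or MISP project code.

Assumptions (not taken from the original post):
- Events use the MISP JSON layout: {"Event": {"Orgc": {"name": ...},
  "Attribute": [{"type": ..., "value": ..., "to_ids": ...}]}}.
- Each contributing organisation is scored with a Beta(success, failure)
  model: corroboration by an independent source is a success, analyst
  feedback marking an indicator a false positive is a failure.
- Thresholds and the decay factor are arbitrary tuning choices.
"""
from collections import defaultdict

PRIOR_SUCCESS = 2.0   # weak prior: every new source starts at 0.5
PRIOR_FAILURE = 2.0
DECAY = 0.9           # older evidence fades toward the prior
BLOCK_THRESHOLD = 0.75
ALERT_THRESHOLD = 0.5


class SourceTrust:
    """Tracks reliability of CTI sources and scores incoming indicators."""

    def __init__(self):
        self.success = defaultdict(lambda: PRIOR_SUCCESS)
        self.failure = defaultdict(lambda: PRIOR_FAILURE)
        # indicator value -> set of sources that reported it with to_ids=True
        self.seen_by = defaultdict(set)

    def score(self, source):
        """Posterior mean of Beta(success, failure): P(indicator is good)."""
        s, f = self.success[source], self.failure[source]
        return s / (s + f)

    def _decay(self, source):
        # Shrink accumulated evidence toward the prior before adding new
        # evidence, so a source's trust reflects recent behaviour.
        self.success[source] = PRIOR_SUCCESS + DECAY * (self.success[source] - PRIOR_SUCCESS)
        self.failure[source] = PRIOR_FAILURE + DECAY * (self.failure[source] - PRIOR_FAILURE)

    def ingest(self, event):
        """Process one MISP event; return {indicator: decision}."""
        ev = event["Event"]
        source = ev["Orgc"]["name"]
        decisions = {}
        for attr in ev.get("Attribute", []):
            if not attr.get("to_ids"):
                continue  # informational attribute, not meant for detection
            value = attr["value"]
            others = self.seen_by[value] - {source}  # re-reports by the same source do not count
            self.seen_by[value].add(source)
            if others:
                # Independent corroboration: credit this source and the earlier ones.
                self._decay(source)
                self.success[source] += 1
                for other in others:
                    self._decay(other)
                    self.success[other] += 1
            decisions[value] = self.decide(value)
        return decisions

    def confidence(self, value):
        """Combine the sources that reported value: 1 - prod(1 - p_i)."""
        p_miss = 1.0
        for src in self.seen_by[value]:
            p_miss *= 1.0 - self.score(src)
        return 1.0 - p_miss

    def decide(self, value):
        """Map combined confidence to an operational action."""
        c = self.confidence(value)
        if c >= BLOCK_THRESHOLD:
            return "block"
        if c >= ALERT_THRESHOLD:
            return "alert"
        return "ignore"

    def feedback(self, value, is_false_positive):
        """Analyst verdict on an indicator: penalise or credit every reporting source."""
        for src in self.seen_by[value]:
            self._decay(src)
            if is_false_positive:
                self.failure[src] += 1
            else:
                self.success[src] += 1
        return self.decide(value)


def make_event(org, values, to_ids=True):
    """Build a minimal MISP-shaped event (constructed sample data)."""
    return {"Event": {"Orgc": {"name": org},
                      "Attribute": [{"type": "ip-dst", "value": v, "to_ids": to_ids}
                                    for v in values]}}


if __name__ == "__main__":
    t = SourceTrust()
    print(t.ingest(make_event("feed-A", ["203.0.113.7"])))   # single source: alert
    print(t.ingest(make_event("feed-B", ["203.0.113.7"])))   # corroborated: block
    print(t.feedback("203.0.113.7", is_false_positive=True))  # both sources penalised
    print(round(t.score("feed-A"), 3))
```

The combination rule 1 - prod(1 - p_i) treats sources as independent, which is optimistic when feeds copy from each other; a production deployment would want to discount sources known to aggregate the same upstream data. The decay step is what lets a source whose staffing or quality has changed lose (or regain) trust within a few events rather than being anchored by its history.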
[1] https://www.misp-project.org/
Written by: Aljosa Pasic and Susana Gonzalez Zarzosa (Eviden)