I recently came across an interesting research paper from University of Innsbruck. The title of the parer is “Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives“.

According to the abstract of the paper: “In the last couple of years, organizations have demonstrated an increased willingness to exchange information and knowledge regarding vulnerabilities, threats, incidents and mitigation strategies in order to collectively protect against today’s sophisticated cyber attacks. As a reaction to this trend, software vendors started to create offerings that facilitate this exchange and appear under the umbrella term “Threat Intelligence Sharing Platforms”. To which extent these platforms provide the needed means for exchange and information sharing remains unclear as they lack a common definition, innovation in this area is mostly driven by vendors and empirical research is rare. To close this gap, we examine the state-of-the-art software vendor landscape of these platforms, identify gaps and present arising research perspectives. Therefore, we conducted a systematic study of 22 threat intelligence sharing platforms and compared them. We derived 8 key findings and discuss how existing gaps should be addressed by future research.”

The authors conduct their research by exploring the capabilities of the following 22 Threat Intelligence Platforms:

1. Accenture Cyber Intelligence Platform
2. Anomali ThreatStream
3. Anubis Networks Cyberfeed
4. BrightPoint Security Sentinel
5. Collaborative Research into Threats (CRITs)
6. Collective Intelligence Framework (CIF)
7. Comilion
8. Eclectic IQ Platform
9. Facebook Threat Exchange
10. Falcon Intelligence Crowdstrike
11. HP ThreatCentral
12. IBM X-Force Exchange
13. MANTIS Cyber Threat Intelligence Management Framework
14. Malware Information Sharing Platform (MISP)
15. McAfee Threat Intelligence Exchange
16. Microsoft Interflow
17. Open Threat Exchange (OTX)
18. Soltra Edge
19. ThreatCloud IntelliStore
20. ThreatConnect
21. ThreatQ
22. ThreatTrack ThreatIQ

The key findings of the authors are the following ones (interesting and worth being discussed within our community):

1. There is no common definition of threat intelligence sharing  platforms.
2. STIX is the de-facto standard for describing threat intelligence.
3. Platforms primarily focus on sharing of indicators of compromise.
4. The Majority of platforms is closed source.
5. Most platforms focus on data collection instead of analysis.
6. Trust issues between users and platform providers are mostly neglected.
7. Academic and commercial interest in threat intelligence  sharing increases.
8. Many manual tasks make the user the bottleneck.