Evaluation of Open-source Threat Intelligence Platforms Considering Developments in Cyber Security

Sammanfattning: Background. With the increase in cyberattacks and cyber related threats, it is of great concern that the area still lacks the needed amount of practitioners. Open-source threat intelligence platforms are free platforms hosting related information to cyber threats. These platforms can act as a gateway for new practitioners and be of use during research on all levels. For this to be the case, they need to be up-to-date, active user base and show a correlation to commercial companies and platforms. Objectives. In the research, data will be gathered from a multitude of open-source threat intelligence platforms to determine if they have increased usage and correlation to other sources. Furthermore, the research will look at if there are overrepresentations for certain countries and if the platforms are affected by real world events. Methods. Platforms were gathered using articles and user curated lists, they were filtered based on if the data could be used and if they were free or partially free. The data was then, and processed to only include information from after 2017 and all be unique entries. It was then filtered through a tool to remove potential false positives. For IP addresses and domains, a WHOIS query was done for each entry to get additional information. Results. There was a noticeable increase in the amount of unique submission for the categories CVE and IP addresses, the other categories showed no clear increase or decrease. The United States was the most represented country when analyzing domains and IP addresses. The WannaCry ransomware had a notable effect on the platforms, with an increase in submission during the month of the attack and after, and samples of the malware making out 7.03\% of the yearly submissions. The Russian invasion of Ukraine did not show any effect on the platforms. Comparing the result to the annual Microsoft security reports, there was a clear correlation for some years and sources, while others showed none at all. This was the case for all the statistic applicable to, reported countries, noticeable trend increases and most prominent malware. Conclusions. While some results showed that there was an increase in cyberattacks and correlation to real world event, others did not. Open-Source threat intelligence platforms often provides the necessary data, but problems starts showing up when analyzing it. The data itself is extremely sensitive depending on what processing methods are used, which in turn can lead to varying results.