Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Collective Intelligence: Realities and Hardships of Crowdsourced Threat Intel

Enterprise security teams need to move from the consumption of crowdsourced threat intelligence (CTI) to an additional mode of contribution

Enterprise security teams need to move from the consumption of crowdsourced threat intelligence (CTI) to an additional mode of contribution

Cybersecurity has an information sharing problem. We are a community with grand ideas around the concept of crowdsourced threat intelligence (CTI), but with little history or previous successes that show CTI as a viable idea. In this context, the crowdsourced data could be from the many open-source projects or the third-party vendors who provide threat intel. It is essentially the desire to aggregate valuable information sources and provide value back to those sources. The concept of crowdsourcing is not new to enterprise security teams – we have all been sharing our intel for a while, mostly in small private friendly circles through email, instant message, and other messaging platforms. 

As technology has advanced and converged to support sharing in more recent times, there has been a stronger desire to leverage these new technical capabilities for greater sharing at higher volumes and faster speeds. The number of attacks we see daily has increased, and our need to keep up has done so as well. Today, though, CTI sharing has yet to evolve into the utopia we have wanted it to be. We see the way our adversaries share information for profit, destruction, and other nefarious deeds. Their success only makes our desire to share greater because we want to defend ourselves better and together. 

Challenges of Defending Together

While the idea of CTI has the good intention of a cybersecurity community defending itself “together,” there are still numerous challenges we must overcome for it to become more real. I would sum these challenges up with the four comparisons in the graphic below:
crowdsourced threat intel

The lack of quantitative indicators is not the challenge of leveraging threat intel anymore. We are in a day and age where the ability to inundate security teams with high-volume threat intel is common. What is missing from this equation is uncovering quality or getting signals from all the noise. Changing our focus from quantity to quality is not an easy move. Moving towards quality requires a mature team with the technical ability to know how to mine data instead of generically applying indicators that come inbound. 

We also have many security teams improperly consuming indicators without context. Context refers to the valuable pieces of data surrounding an indicator. This is not something a crowdsourced solution or even a vendor can provide. Each company creates context as to what an indicator means to them. A single indicator, let alone all the aggregate indicators, can tell something entirely different to a specific business vertical, let alone a specific company. Injecting context into CTI is foundational for making it have worth in its proper use. In a CTI based model, it’s additionally essential when contributing to provide context as well. 

An additional qualifier that affects many security teams is the legal challenge behind data sharing. Not surprisingly, there might exist the capability and desire to share information and accomplish the above challenges inside an enterprise security team. However, many times there also exists a legal hurdle about the sensitivity or risk associated with doing so. This challenge can spin off into many different threads depending on the business vertical, legal team, data types, etc. Still, permission to share data for many is strictly forbidden in many companies. Legal challenges behind data sharing can be frustrating because our adversary has no such limitations, and watching them do it so successfully proves the value while leaving us wanting. 

Lastly, to do CTI correctly, enterprise security teams need to move from the consumption of CTI to an additional mode of contribution. This is the most important part of the ‘crowdsourced’ equation! Over the years of attempting to do crowdsourcing, many companies consumed while not giving back. It’s hard to build a community and protect one another if only a handful of companies contribute to the community. Contributing back typically requires tooling and scripting skills to pull data from internal systems and post to the CTI provider. People with these skills have been uncommon on enterprise security teams because it usually resides more on software engineering teams. More mature enterprise security teams are hiring for this skill set because they value the expertise required to build such pipelines. 

Look out soon for Part 2 of this column, where I’ll summarize the customer challenges inside the enterprise security world and offer suggestions on making CTI easier for everyone.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...