MISP, research projects

Project (1) Pauline Bourmeau - Social Perspectives in Intelligence Activities within Sharing Communities - CNAM Paris Department of Criminology

Contact for this research project: social-perspective@misp-project.org

Social Perspectives in Intelligence Activities within Sharing Communities

Introduction

Subject scope

Intelligence activity, a prevalent practice across various fields, has continually evolved in response to the changing dynamics of human societies. The shift from analog to digital has significantly transformed social practices and modes of communication.

The transmission of information is a crucial component of intelligence activities and has attracted attention in anthropology and social sciences. This research is dedicated to understanding and describing the information exchange practices among threat intelligence communities, especially those using MISP. We aim to explore the functioning and limitations of these practices within their cultural context, focusing on how these communities operate and interact within these frameworks.

The interest in studying information sharing practices

While much of the research in information security and intelligence has traditionally emphasized practical, standardized, and technical facets of information sharing, the exploration of its social and cultural aspects has not been as extensive. Our research seeks to contribute to this area by offering insights and exploring potential avenues for further inquiry and improvement. We aim to enrich the understanding of information sharing by shedding light on these less explored dimensions, thereby opening the door for more comprehensive future research and practice advancements.

Problem statement

We face missed opportunities for successful information sharing within the research community. To understand and address this issue, we aim to describe the information sharing processes, examining functional challenges from social and cultural perspectives. This involves identifying both the incentives for and barriers to sharing.

State of the Art

A significant portion of academic research has been dedicated to examining the structure of information, with a particular emphasis on the tools employed for this purpose. Much of this research is specialized, focusing on areas like competitive analysis construction or the structuring of data exchanges.

In our bibliography, we have specifically included papers related to the MISP platform. This focus will facilitate our engagement with and interviews of groups actively involved in information sharing, leveraging insights from those who use MISP in their operations.

Research methodology

Research design

A series of interviews are conducted with various sharing communities. We aim to compare the actual usage of the platform, as observed by us, with the users’ perspectives as shared in the interviews.

We utilize both technical observations, such as platform statistics, and qualitative insights from the interviews, through discourse analysis.

As a starting point, we included a list of question related to information sharing addressed to participants “Example list”.

We narrow our questioning about the following points:

  • Common assumed (survey) reasons why organizations are not sharing.
  • Common reasons why organizations are sharing.

In order to integrate as much data as possible and to avoid pre-interview categorization, we perform free interviews.

Data Analysis Model

  • Collection of structured information from sharing platforms.
  • Conducting interviews using an unstructured or semi-structured approach[^2].

Expected Results and Contribution

Our research aims to detail the social practices that facilitate information sharing. The focus is on uncovering and testing social models to better understand specific dynamics in this area. Key areas of exploration will include:

  • Differentiating between organizations that primarily produce information and those that disseminate it [^1], acknowledging that producers and sharers may be distinct entities.
  • Describing the contextual factors surrounding the creation and dissemination of information.
  • Analyzing the dynamics of information sharing within communities.
  • Investigating factors that could enhance the effectiveness of sharing practices.

These insights are expected to contribute to the development of more sophisticated detection mechanisms within organizations.

Conclusion

The outcomes of our research could be influenced by several factors:

  • The challenge of managing a highly diverse (heterogeneous) dataset.
  • The presence of tampered or false information within sharing communities.
  • Constraints related to the representativeness of the dataset, particularly concerning specific sharing communities.
  • Significant deviations from established standards in data collection or analysis.
  • Challenges in data collection due to high confidentiality levels within certain sharing communities.

Bibliography

  • Beuving, J. and De Vries, G., 2015. Doing qualitative research: The craft of naturalistic inquiry. Amsterdam University Press.
  • Charmaz, K. and Belgrave, L.L., 2007. Grounded theory. The Blackwell encyclopedia of sociology.
  • Corballis, M.C., 2014. The recursive mind: The origins of human language, thought, and civilization-updated edition. Princeton University Press.
  • Corbin, J. and Strauss, A., 2014. Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage publications.
  • Corsín Jiménez, A., 2011. Trust in anthropology. Anthropological Theory, 11(2), pp. 177-196.
  • Edgar, T.W. and Manz, D.O., 2017. Research methods for cyber security. Syngress. pp. 96-105.
  • Glaser, B.G. and Strauss, A.L., 2017. Discovery of grounded theory: Strategies for qualitative research. Routledge.
  • Goldenberg, I. and Dean, W.H., 2017. Enablers and barriers to information sharing in military and security operations: lessons learned. In Information Sharing in Military Operations (pp. 251-267). Springer, Cham.
  • Goldenberg, I., Soeters, J. and Dean, W.H. eds., 2017. Information sharing in military operations. Springer International Publishing.
  • Hernandez-Ardieta, J.L., Tapiador, J.E. and Suarez-Tangil, G., 2013, June. Information sharing models for cooperative cyber defence. In 2013 5th International Conference on Cyber Conflict (CYCON 2013) (pp. 1-28). IEEE.
  • Heuer, R.J., 1999. Psychology of intelligence analysis. Center for the Study of Intelligence.
  • Hunger, I. and Müller, J., 2016. Barney G. Glaser/Anselm L. Strauss: The Discovery of Grounded Theory. Strategies for Qualitative Research, Aldine Publishing Company: Chicago 1967, 271 S.(dt. Grounded Theory. Strategien qualitativer Forschung, Bern: Huber 1998, 270 S.). In Klassiker der Sozialwissenschaften (pp. 259-262). Springer VS, Wiesbaden.
  • Jiménez, A.C., 2017. The anthropology of organisations. Routledge.
  • Johnston, R., 2005. Analytic culture in the US intelligence community: An ethnographic study (No. 14). Central Intelligence Agency.
  • Mermoud, A., Keupp, M.M., Huguenin, K., Palmié, M. and Percia David, D., 2019. To share or not to share: a behavioral perspective on human participation in security information sharing. Journal of Cybersecurity, 5(1), p.tyz006.
  • Moore, D.T., 2010. Critical thinking and intelligence analysis (No. 14). Government Printing Office.
  • Murdoch, S. and Leaver, N., 2015, October. Anonymity vs. trust in cyber-security collaboration. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security (pp. 27-29).
  • Price, D.H., 2008. Anthropological intelligence: the deployment and neglect of American anthropology in the Second World War. Duke University Press.
  • Skopik, F., Settanni, G. and Fiedler, R., 2016. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, pp.154-176.
  • Soeters, J., 2017. Information sharing in military and security operations. In Information sharing in military operations (pp. 1-15). Springer, Cham.
  • Strauss, A. and Corbin, J., 1998. Basics of qualitative research techniques. Thousand Oaks, CA: Sage publications.
  • Sutton, R.I. and Staw, B.M., 1995. What theory is not. Administrative science quarterly, pp.371-384.
  • T. Sander and J. Hailpern. Ux aspects of threat information sharing platforms: An examination and lessons learned using personas. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ‘15, pages 51–59, New York, NY, USA, 2015. ACM.
  • Van den Heuvel, G., 2017. Information sharing in military organizations: a sociomaterial perspective. In Information Sharing in Military Operations (pp. 165-182). Springer, Cham.
  • Wagner, C., Dulaunoy, A., Wagener, G. and Iklody, A., 2016, October. Misp: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (pp. 49-56).
  • Zibak, A. and Simpson, A., 2019, August. Cyber threat information sharing: Perceived benefits and barriers. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-9).

Project (2) Borce STOJKOVSKI - a survey about MISP UX - University of Luxembourg

Project (3) Secure Distributed-Learning on Threat Intelligence - EPFL and armasuisse Science and Technology, Lausanne

Collaboration in the Framework of C4DT between armasuisse Science and Technology and the Laboratory for Data Security of EPFL.

Cyber security information is extremely sensitive and confidential. This introduces an information-sharing trade-off, between the benefits of improved threat-response capabilities and the drawbacks of disclosing national-security-related information to foreign agencies or institutions. The purpose of this project is to resolve the aforementioned trade-off by enabling secure collaborations with valuable sensitive data that is not normally shared. Each institution keeps full control over their data records, that never leave their security perimeter, whereas computations are protected by efficient and highly-scalable multiparty-homomorphic-encryption techniques. This will expand the range of available intelligence, thus leading to new and better threat analyses and predictions.

Website: https://lds.epfl.ch/secure-distributed-learning-on-threat-intelligence/

Contact:

Citing MISP

If you are write an academic paper relying or using MISP, you can cite MISP with the following BibTeX entry:

@inproceedings{wagner2016misp,
  title={MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform},
  author={Wagner, Cynthia and Dulaunoy, Alexandre and Wagener, G{\'e}rard and Iklody, Andras},
  booktitle={Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security},
  pages={49--56},
  year={2016},
  organization={ACM}
}