MISP Research Projects

Project (1) Pauline Bourmeau - The Social Perspective in the Intelligence Activity among Information Sharing Communities - CNAM Paris (Supervisor Philippe Baumard).

Contact for this research project: social-perspective@misp-project.org

The Social Perspective in Intelligence Activity Among Information Sharing Communities

Introduction

(1) Subject scope

Intelligence activity is a common practice shared among different fields. The practice of intelligence evolved to adapt to the evolution of human societies. The transition from analog to digital introduced changes in social practices and communications.

Transmission of information is a key element of intelligence activity and, as such, a subject of study in anthropology and the social sciences. The scope of this research is to analyse the social activities among sharing communities, in order to understand and describe the practices of information exchange.

(1.1) The interest in studying information sharing

Information sharing has become key to the effectiveness of our societies, as it has in facing information warfare.

Many studies and much research in the field of information security and intelligence have focused mainly (cf. State of the Art) on the practical, standardisation, usage and technical aspects of information sharing, without analysing its social or cultural aspects.

(1.2) Intelligence and information sharing in the age of online criminal activities, study of groups and practices

Information sharing plays a key role in law enforcement investigations, especially in tracking and taking down criminal activities. Efficient information exchange ensures resolution and prosecution in a timely fashion. Information strongly relies on the existence of sharing communities among law enforcement and intelligence.

(2) Problem statement

We lack some opportunities for successful sharing within the research community. In order to tackle this issue, we must first understand how information sharing happens.

(2.1) State of the Art

An extensive review has been performed in the field of information sharing. A significant number of academic papers focused on the structure of information and especially the tools used. The majority of the research focuses on a niche in intelligence, such as building competitive analysis or structuring data exchange.

In the bibliography, we reviewed papers which are related to the main information sharing platform MISP, which will allow us to meet and interview groups who are actively performing information sharing.

(2.2) Fundamental question

Does the existence of the information depend on the existence of the community?

(3) Research methodology

(3.1) Research design

We assume that we can observe social practices replicated from the real to the digital environment, and a specific set of practices on sharing platforms such as MISP (“people need to make sense out of it”).

A series of interviews will be conducted among sharing communities. We are interested in the comparison between the usages of the platform that we observe, on the one hand, and what people can tell us about it, on the other.

We assume that both technical observations, such as statistics from the platform, and qualitative observations from the interviews can reveal “abnormal” behaviors from participants.

As a starting point, a list of reasons is included below in the section “Example list”.

We narrow our questioning to the following points:

  • Commonly assumed (survey) reasons why organisations are not sharing
  • Common reasons why organisations are sharing

In order to integrate as much data as possible and to avoid pre-interview categorization, we will perform free interviews.

In this case, the observer is a participant: an interview is a conversation between two “analysts”. The participant and the researcher agree on the meaning of the words they use during the conversation. The idea is to note these keyword definitions and update their meaning during the research.

Keywords here can illustrate or reflect social practices among the community, and help in creating a first set of variables. Those initial “variables” can be used to discover reasons (explanations of behaviors) or new parameters (unknown reasons) which can emerge after additional interviews, and can be used as a first set of constants for further analysis.

Example list

Common reasons why organisations are not sharing (ref. Goldenberg, I., Soeters, J. and Dean, W.H., eds.) as an example list:

  • Lack of trust within the community
  • Cultural reason (language)
  • Cultural reason (geopolitical)
  • Pride (my information is so critical, so I don’t share it)
  • Shame about the information owned (cannot share because it’s not interesting from their point of view)
  • Don’t see the benefit of sharing
  • Not used to sharing information
  • Don’t share information in communities (only ad-hoc mode - email/phone/conf call)

Common reasons why organisations are sharing:

  • Increasing cohesion (positive effect on the community)
  • Create common approaches (such as: context, data model, predictability)
  • Increase network and partnership (it increases trust)
  • Cross-checking (creates a validation or counter analysis)

(3.2) Data analysis model

  • Collecting structured information from sharing platforms (e.g. MISP data to refine or use existing)
  • Interviews (unstructured or semi-structured model) [^2]

Structured information comes from sharing platforms, such as the type of information shared, the activity per organisation or the contextualisation applied. Partially structured information comes from the interviews. Different data analyses will be applied, especially to cross-check data from sharing platforms and the unstructured data collected from interviews.

(3.3) Expected results and contribution

The research results will include the description of social practices which contribute to information sharing.

Our goal is to discover, elaborate and test social models to qualify specific aspects.

  • The distinction between producing and conveying[^1] organisations (producing and sharing participants can be different)
  • The description of the context surrounding the production and sharing of a piece of information
  • The description of sharing dynamics in sharing communities
  • An exploration of factors to improve sharing

These qualifications can then be used to improve detection mechanisms within organisations.

(4) Conclusion

The research results might be impacted by the following parameters:

  • Risk of too much diversity (heterogeneity) in the dataset
  • Tampered/false information from the sharing communities
  • Limited dataset (representativeness) on specific sharing communities
  • Potential strong deviation from standards
  • Inability to collect data due to the confidentiality level of specific sharing communities

Bibliography

  • Beuving, J. and De Vries, G., 2015. Doing qualitative research: The craft of naturalistic inquiry. Amsterdam University Press.
  • Charmaz, K. and Belgrave, L.L., 2007. Grounded theory. The Blackwell encyclopedia of sociology.
  • Corballis, M.C., 2014. The recursive mind: The origins of human language, thought, and civilization-updated edition. Princeton University Press.
  • Corbin, J. and Strauss, A., 2014. Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage publications.
  • Corsín Jiménez, A., 2011. Trust in anthropology. Anthropological Theory, 11(2), pp. 177-196.
  • Edgar, T.W. and Manz, D.O., 2017. Research methods for cyber security. Syngress. pp. 96-105.
  • Glaser, B.G. and Strauss, A.L., 2017. Discovery of grounded theory: Strategies for qualitative research. Routledge.
  • Goldenberg, I. and Dean, W.H., 2017. Enablers and barriers to information sharing in military and security operations: lessons learned. In Information Sharing in Military Operations (pp. 251-267). Springer, Cham.
  • Goldenberg, I., Soeters, J. and Dean, W.H. eds., 2017. Information sharing in military operations. Springer International Publishing.
  • Hernandez-Ardieta, J.L., Tapiador, J.E. and Suarez-Tangil, G., 2013, June. Information sharing models for cooperative cyber defence. In 2013 5th International Conference on Cyber Conflict (CYCON 2013) (pp. 1-28). IEEE.
  • Heuer, R.J., 1999. Psychology of intelligence analysis. Center for the Study of Intelligence.
  • Hunger, I. and Müller, J., 2016. Barney G. Glaser/Anselm L. Strauss: The Discovery of Grounded Theory. Strategies for Qualitative Research, Aldine Publishing Company: Chicago 1967, 271 S. (dt. Grounded Theory. Strategien qualitativer Forschung, Bern: Huber 1998, 270 S.). In Klassiker der Sozialwissenschaften (pp. 259-262). Springer VS, Wiesbaden.
  • Jiménez, A.C., 2017. The anthropology of organisations. Routledge.
  • Johnston, R., 2005. Analytic culture in the US intelligence community: An ethnographic study (No. 14). Central Intelligence Agency.
  • Mermoud, A., Keupp, M.M., Huguenin, K., Palmié, M. and Percia David, D., 2019. To share or not to share: a behavioral perspective on human participation in security information sharing. Journal of Cybersecurity, 5(1), p.tyz006.
  • Moore, D.T., 2010. Critical thinking and intelligence analysis (No. 14). Government Printing Office.
  • Murdoch, S. and Leaver, N., 2015, October. Anonymity vs. trust in cyber-security collaboration. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security (pp. 27-29).
  • Price, D.H., 2008. Anthropological intelligence: the deployment and neglect of American anthropology in the Second World War. Duke University Press.
  • Skopik, F., Settanni, G. and Fiedler, R., 2016. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, pp.154-176.
  • Soeters, J., 2017. Information sharing in military and security operations. In Information sharing in military operations (pp. 1-15). Springer, Cham.
  • Strauss, A. and Corbin, J., 1998. Basics of qualitative research techniques. Thousand Oaks, CA: Sage publications.
  • Sutton, R.I. and Staw, B.M., 1995. What theory is not. Administrative science quarterly, pp.371-384.
  • Sander, T. and Hailpern, J., 2015. UX aspects of threat information sharing platforms: An examination and lessons learned using personas. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ‘15 (pp. 51-59). ACM, New York, NY, USA.
  • Van den Heuvel, G., 2017. Information sharing in military organizations: a sociomaterial perspective. In Information Sharing in Military Operations (pp. 165-182). Springer, Cham.
  • Wagner, C., Dulaunoy, A., Wagener, G. and Iklody, A., 2016, October. MISP: The design and implementation of a collaborative threat intelligence sharing platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (pp. 49-56).
  • Zibak, A. and Simpson, A., 2019, August. Cyber threat information sharing: Perceived benefits and barriers. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-9).

Project (2) Borce STOJKOVSKI - a survey about MISP UX - University of Luxembourg

Project (3) Secure Distributed-Learning on Threat Intelligence - EPFL and armasuisse Science and Technology, Lausanne

Collaboration in the framework of C4DT between armasuisse Science and Technology and the Laboratory for Data Security of EPFL.

Cyber security information is extremely sensitive and confidential. This introduces an information-sharing trade-off between the benefits of improved threat-response capabilities and the drawbacks of disclosing national-security-related information to foreign agencies or institutions. The purpose of this project is to resolve this trade-off by enabling secure collaborations with valuable sensitive data that is not normally shared. Each institution keeps full control over its data records, which never leave its security perimeter, whereas computations are protected by efficient and highly scalable multiparty homomorphic encryption techniques. This will expand the range of available intelligence, thus leading to new and better threat analyses and predictions.

Website: https://lds.epfl.ch/secure-distributed-learning-on-threat-intelligence/

Contact:

Citing MISP

If you are writing an academic paper relying on or using MISP, you can cite MISP with the following BibTeX entry:

@inproceedings{wagner2016misp,
  title={MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform},
  author={Wagner, Cynthia and Dulaunoy, Alexandre and Wagener, G{\'e}rard and Iklody, Andras},
  booktitle={Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security},
  pages={49--56},
  year={2016},
  organization={ACM}
}