Georgia Tech researchers find the threat intelligence ecosystem is fragmented and slow, with most vendors conducting shallow analysis and few sharing critical data. They propose a secure provenance system to improve global cooperation despite geopolitical tensions.
Researchers from Georgia Tech have identified critical vulnerabilities in the global threat intelligence supply chain, warning that the ecosystem is fragmented, slow, and increasingly stressed by geopolitical tensions that threaten to disrupt vital data-sharing efforts.
China's Ban Exposes Deeper Problems
In January 2026, China appeared to ban security software developed by some US and Israeli firms, likely due to concerns about data leakage if local companies use foreign tools. According to Brenden Kuerbis, a research scientist at Georgia Tech's School of Public Policy, this move "represents more than just another salvo in ongoing tech tensions between the two governments."
"It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders," Kuerbis wrote.
The Three Main Players
The researchers identified three primary stakeholders in the threat intelligence ecosystem:
- Threat intelligence platforms like VirusTotal and MalwareBazaar
- Antivirus companies that produce their own threat intelligence and tools to make it usable
- Malware sandbox services that offer analysis-as-a-service to anyone trying to understand binary behavior
Alarming Data Sharing Gaps
The team seeded 30 security vendors with "benign yet suspicious binaries" of their own construction. Each binary carried tracking code, so the team could observe where and when a copy was executed and which vendors passed it on to others.
Their findings were concerning:
- 67% of infosec vendors conduct sandbox analysis of newly discovered malware
- Only 17% share any threat intelligence they gather using that technique
- Many researchers share indicators of compromise, but few share the actual binaries that would help others understand attacks
Nexus Vendors and Bottlenecks
The research revealed that a handful of "nexus vendors" share far more threat intelligence than the rest, which makes them extremely valuable to the ecosystem but also concentrates the flow through a few hands. Information-sharing bottlenecks among supply chain participants slow the propagation of information by "hours to days," lengthening the window in which defenders have nothing actionable to work with.
Quality Concerns
Not all threat intelligence researchers perform thorough analysis. "Our study revealed that while a few vendors thoroughly analyze malware, most conduct shallow analysis and ignore dropped files by the initial binary," the researchers wrote. They suggest more comprehensive analysis techniques would significantly improve the threat intelligence supply chain.
Another surprising finding: some security researchers have hosted sandbox infrastructure at the same IP addresses for years. Static egress addresses are easy to fingerprint, so malware can check the address it is running behind and simply refuse to detonate when it recognises a known analysis network.
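The measurement the study describes can be reproduced in miniature. The Go program below is an added example, not code from the Georgia Tech paper: it assumes that each seeded copy carries its own token, that a beacon server records which vendor's sandbox executed it (resolved from the egress IP) and when, and it works out from constructed callbacks which recipients sandboxed their copy, which passed it on and to how many others (the out-degree of `SharedWith` is the nexus-vendor ranking), the propagation lag per downstream vendor, and which sandbox egress IPs have stayed stable long enough to be fingerprinted. Vendor names, tokens, timestamps and IPs are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Seed is one seeded copy: the vendor it was submitted to and when. Every copy
// carries its own token, so a callback from another vendor's sandbox proves sharing.
type Seed struct {
	Recipient string
	At        time.Time
}

// Hit is one beacon callback. The field set and the egress-IP-to-vendor mapping
// are assumptions for this example; the page describes no telemetry format.
type Hit struct {
	Token, Vendor, IP string
	Seen              time.Time
}

// Stats is what the callbacks reveal, keyed by vendor name.
type Stats struct {
	Sandboxed  map[string]bool            // recipient executed its own copy
	SharedWith map[string]map[string]bool // recipient -> downstream vendors reached
	MinLag     map[string]time.Duration   // downstream vendor -> fastest arrival after seeding
}

func Analyze(seeds map[string]Seed, hits []Hit) Stats {
	s := Stats{map[string]bool{}, map[string]map[string]bool{}, map[string]time.Duration{}}
	for _, h := range hits {
		seed, ok := seeds[h.Token]
		if !ok {
			continue // not one of our tokens
		}
		if h.Vendor == seed.Recipient {
			s.Sandboxed[seed.Recipient] = true
			continue
		}
		if s.SharedWith[seed.Recipient] == nil {
			s.SharedWith[seed.Recipient] = map[string]bool{}
		}
		s.SharedWith[seed.Recipient][h.Vendor] = true
		if lag := h.Seen.Sub(seed.At); s.MinLag[h.Vendor] == 0 || lag < s.MinLag[h.Vendor] {
			s.MinLag[h.Vendor] = lag
		}
	}
	return s
}

// StaleSandboxIPs returns egress IPs seen across at least minSpan; sandbox
// infrastructure that static is easy for malware to recognise and refuse to run on.
func StaleSandboxIPs(hits []Hit, minSpan time.Duration) []string {
	first, last := map[string]time.Time{}, map[string]time.Time{}
	for _, h := range hits {
		if f, ok := first[h.IP]; !ok || h.Seen.Before(f) {
			first[h.IP] = h.Seen
		}
		if l, ok := last[h.IP]; !ok || h.Seen.After(l) {
			last[h.IP] = h.Seen
		}
	}
	var out []string
	for ip := range first {
		if last[ip].Sub(first[ip]) >= minSpan {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// SampleData is constructed telemetry: one run seeded to four vendors, plus a
// callback from a seeding two years earlier that came from the same egress IP.
func SampleData() (map[string]Seed, []Hit) {
	t0 := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	seeds := map[string]Seed{
		"t-A": {"VendorA", t0}, "t-B": {"VendorB", t0}, "t-C": {"VendorC", t0},
		"t-D": {"VendorD", t0}, "t-old": {"VendorA", t0.AddDate(-2, 0, 0)},
	}
	hits := []Hit{
		{"t-old", "VendorA", "198.51.100.7", t0.AddDate(-2, 0, 1)},
		{"t-A", "VendorA", "198.51.100.7", t0.Add(1 * time.Hour)},
		{"t-A", "VendorC", "192.0.2.44", t0.Add(26 * time.Hour)}, // VendorA passed its copy to C
		{"t-A", "VendorD", "192.0.2.80", t0.Add(30 * time.Hour)}, // and to D, which never ran its own
		{"t-B", "VendorB", "203.0.113.9", t0.Add(2 * time.Hour)},
		{"t-C", "VendorC", "192.0.2.44", t0.Add(3 * time.Hour)},
	}
	return seeds, hits
}

func main() {
	seeds, hits := SampleData()
	s := Analyze(seeds, hits)
	fmt.Println("sandboxed:", len(s.Sandboxed), "of 4; shared onward:", s.SharedWith, "lags:", s.MinLag)
	fmt.Println("sandbox IPs stable for a year or more:", StaleSandboxIPs(hits, 365*24*time.Hour))
}
```

On the constructed data three of four recipients run their copy, only VendorA passes it on, the first downstream arrival is 26 hours after seeding, and one egress IP has been calling back for two years. Running the same check against your own sandbox fleet's egress addresses is a cheap way to find out whether adversaries can already tell your analysis traffic apart.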
Proposed Solution: Secure Provenance
To address these issues, the researchers propose a system that securely encodes the provenance of each piece of threat intelligence, so that a recipient can check where it came from and that it has not been altered in transit. Being able to verify source and integrity, rather than having to take them on trust, would give stakeholders more confidence to share.
Kuerbis believes this technique could allow network operators to "use or filter policy-compliant threat intelligence without necessarily relying on the country of origin." If successful, this could mean China has nothing to fear from foreign sources of threat intelligence, potentially allowing continued cooperation with companies like Kaspersky.
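One way such a provenance layer could look, as an added example and not the researchers' design: every record is hashed and signed with its producer's Ed25519 key and may cite the hashes of the records it was derived from; the consumer keeps a trust store keyed by producer identity rather than by country, and filters on the handling label it is allowed to use. Producer names, policy labels, indicators and the record layout are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is an assumed shape for one intelligence item; the page does not give the paper's encoding.
type Record struct {
	Producer  string   `json:"producer"`  // stable producer identity, deliberately not a country
	Indicator string   `json:"indicator"` // the claim being shared (IoC, verdict, behaviour)
	Derived   []string `json:"derived"`   // hashes of earlier records this one builds on
	Policy    string   `json:"policy"`    // handling label the producer attached
}

type Signed struct {
	Record Record `json:"record"`
	Hash   string `json:"hash"` // SHA-256 of the canonical JSON encoding
	Sig    string `json:"sig"`  // Ed25519 signature over Hash
}

func digest(r Record) string {
	b, _ := json.Marshal(r) // field order is fixed by the struct, so the encoding is canonical
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

func Sign(priv ed25519.PrivateKey, r Record) Signed {
	h := digest(r)
	return Signed{r, h, hex.EncodeToString(ed25519.Sign(priv, []byte(h)))}
}

// Verify checks the content hash and the signature against the key registered for
// the named producer. Trust is decided per key, so country of origin never enters in.
func Verify(trusted map[string]ed25519.PublicKey, s Signed) error {
	pub, ok := trusted[s.Record.Producer]
	if !ok {
		return fmt.Errorf("producer %q not in trust store", s.Record.Producer)
	}
	if digest(s.Record) != s.Hash {
		return fmt.Errorf("hash mismatch: record altered after signing")
	}
	sig, err := hex.DecodeString(s.Sig)
	if err != nil || !ed25519.Verify(pub, []byte(s.Hash), sig) {
		return fmt.Errorf("bad signature for producer %q", s.Record.Producer)
	}
	return nil
}

// Filter accepts a record when it verifies, its policy label is usable here, and every Derived hash was accepted earlier.
func Filter(trusted map[string]ed25519.PublicKey, allow func(string) bool, in []Signed) (accepted []Signed, reasons []string) {
	seen := map[string]bool{}
	for _, s := range in {
		if err := Verify(trusted, s); err != nil {
			reasons = append(reasons, err.Error())
			continue
		}
		if !allow(s.Record.Policy) {
			reasons = append(reasons, "policy "+s.Record.Policy+" not usable here")
			continue
		}
		lineageOK := true
		for _, d := range s.Record.Derived {
			lineageOK = lineageOK && seen[d]
		}
		if !lineageOK {
			reasons = append(reasons, "lineage references an unverified record")
			continue
		}
		seen[s.Hash] = true
		accepted = append(accepted, s)
	}
	return accepted, reasons
}

// Demo runs a constructed exchange: two hypothetical producers feed a consumer that
// only uses TLP:CLEAR items. It returns the accepted records and the rejection reasons.
func Demo() ([]Signed, []string) {
	pubUS, privUS, _ := ed25519.GenerateKey(rand.Reader)
	pubCN, privCN, _ := ed25519.GenerateKey(rand.Reader)
	_, privRogue, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"av-us": pubUS, "sandbox-cn": pubCN}
	r1 := Sign(privUS, Record{"av-us", "sample beacons to 203.0.113.5:443", nil, "TLP:CLEAR"})
	r2 := Sign(privCN, Record{"sandbox-cn", "dropped file loader.dll", []string{r1.Hash}, "TLP:CLEAR"})
	amber := Sign(privUS, Record{"av-us", "operator attribution", nil, "TLP:AMBER"})
	tampered := r1
	tampered.Record.Indicator = "sample beacons to 198.51.100.1:443" // edited after signing
	rogue := Sign(privRogue, Record{"unknown-vendor", "sample is benign", nil, "TLP:CLEAR"})
	orphan := Sign(privUS, Record{"av-us", "same family as the attribution item", []string{amber.Hash}, "TLP:CLEAR"})
	return Filter(trusted, func(p string) bool { return p == "TLP:CLEAR" }, []Signed{r1, r2, tampered, amber, rogue, orphan})
}

func main() {
	acc, rej := Demo()
	fmt.Println("accepted:", len(acc), "rejected for:", rej)
}
```

Of the six constructed records, the two clean ones survive (including the sandbox-cn item whose lineage points at an already-verified av-us record); the altered copy, the TLP:AMBER item, the record from an unregistered producer, and the record whose lineage cites a rejected item are each turned away with a specific reason. Note that the check never looks at where a producer is located, which is the property the proposal relies on; what it does require is an agreed registry of producer keys, and that registry is exactly the governance problem described next.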
The Real Challenge: Governance
While the technical solution appears feasible, the researchers identify the real challenge as institutional rather than technical. "Secure provenance requires transnational governance structure(s) perceived as legitimate by participants operating under conflicting state mandates – without which threat intelligence risks becoming a zero-sum geopolitical competition," Kuerbis explained.
"What's needed now are governance structures that allow operators, vendors, and researchers to continue cooperating globally while adhering to various governments' incompatible notions of jurisdictionally-bound identity, sovereignty, and compliance," he wrote.
The researchers argue that Chinese, American, and other participants will have incentives to use the same provenance system, not out of altruism, but because exclusion from the verifiable pool of threat intelligence is operationally costly in a threat environment that remains stubbornly global.
The findings will be presented at the Network and Distributed System Security (NDSS) Symposium in San Diego, where the team will discuss their paper titled "Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem."
The research highlights how geopolitical tensions are increasingly impacting cybersecurity cooperation, potentially leaving defenders more vulnerable as information sharing becomes more difficult and fragmented across national boundaries.