Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem
Tillson Galloway
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Malware & RE
The **threat intelligence (TI) ecosystem** is a multi-billion-dollar industry in which vendors ingest, analyze, and share malware samples and indicators of compromise (IoCs) through complex supply chain relationships. This talk presents a novel active probing methodology that maps these hidden relationships by submitting **specially crafted binaries** to TI vendors and tracking their propagation through the ecosystem. The binaries contain a **replicating provenance mechanism**: each execution generates a child binary that carries the chain of fingerprints from all previous execution environments, creating trails that map vendor-to-vendor sharing relationships. Key findings include: **two-thirds of vendors** execute submitted binaries in sandboxes, **a quarter** of executions get shared with other vendors, **4 "nexus" vendors** serve as critical sharing hubs, some vendors maintain **static fingerprints and IP addresses for 5+ years** (enabling adversary evasion), and domain suspension takes up to **10 days** even though blocking occurs within 24 hours. The research also reveals **cyclic sharing relationships** and that downstream vendors often receive only domain indicators without the originating binary, forcing them to trust upstream classifications.
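The analysis side of this methodology, turning provenance trails into a sharing graph and reading hubs and cycles off it, can be sketched in a few dozen lines. The example below is an added illustration, not the paper's code: it assumes that each observed child binary yields an ordered list of execution environments already mapped to vendor labels (a "trail"), and that consecutive entries in a trail mean the earlier vendor shared the sample with the later one. The vendor names and trails are constructed; the probe binary itself and the fingerprint-to-vendor mapping are out of scope here.

```python
"""Reconstruct vendor-to-vendor sharing from provenance trails.

Added illustration, not the talk's own tooling. A trail is the ordered list of
environments a probe binary passed through, mapped to vendor labels; the first
entry is the vendor the probe was submitted to. All names below are constructed.
"""
from collections import defaultdict

# Constructed sample trails (hypothetical vendor labels).
TRAILS = [
    ["vendorA", "nexusX", "vendorB"],
    ["vendorA", "nexusX", "vendorC"],
    ["vendorD", "nexusX", "vendorB", "nexusX"],   # B feeds the sample back to X: a cycle
    ["vendorE"],                                   # executed once, never shared onward
    ["vendorF", "nexusY", "vendorG"],
]


def build_sharing_graph(trails):
    """Directed graph: vendor -> set of vendors it was observed sharing with."""
    graph = {}
    for trail in trails:
        for vendor in trail:
            graph.setdefault(vendor, set())
        for src, dst in zip(trail, trail[1:]):
            if src != dst:                         # ignore a vendor re-running its own copy
                graph[src].add(dst)
    return graph


def shared_fraction(trails):
    """(executions followed by another vendor's execution, total executions)."""
    total = sum(len(t) for t in trails)
    shared = sum(len(t) - 1 for t in trails)
    return shared, total


def nexus_vendors(graph, top):
    """Vendors ranked by number of distinct sharing partners (in + out)."""
    inbound = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            inbound[dst].add(src)
    score = {v: len(graph[v]) + len(inbound[v]) for v in graph}
    return sorted(graph, key=lambda v: (-score[v], v))[:top]


def vendors_on_cycles(graph):
    """Vendors that can reach themselves again through the sharing graph."""
    on_cycle = set()
    for start in graph:
        stack, seen = list(graph[start]), set()
        while stack:
            node = stack.pop()
            if node == start:
                on_cycle.add(start)
                break
            if node in seen:
                continue
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return on_cycle


if __name__ == "__main__":
    g = build_sharing_graph(TRAILS)
    shared, total = shared_fraction(TRAILS)
    print(f"{len(g)} vendors observed; {shared}/{total} executions shared onward")
    print("nexus candidates:", nexus_vendors(g, 2))
    print("vendors on a sharing cycle:", sorted(vendors_on_cycles(g)))
```

Ranking by distinct partners rather than raw trail count keeps one prolific submitter from masquerading as a hub, and the cycle check is what reveals the feedback loops the talk describes, where a sample a vendor shared out later arrives back as if it were new intelligence.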
AI review
An active probing study that maps the hidden supply chain of the threat intelligence ecosystem using self-replicating binaries. Reveals nexus vendors, cyclic sharing, static sandbox fingerprints for 5+ years, and that VirusTotal detection counts are not independent. Essential intelligence for anyone doing offensive operations or malware analysis.