Author Name(s)
Richard Biever, Eric Hope
Paper Type
Data Solution
Summary of Paper
How Duke has adapted an approach to collect threat intelligence on our network, actively respond to attacks, and share that information with other higher education groups. More information may be found at: https://stingar.security.duke.edu/.
Paper

Creating and Sharing Threat Intelligence Information

Data analytics has been and continues to be a key part of our security program. Several key examples include:

  • analysis of login times and locations to identify compromised accounts or machines.
  • analysis of network flow data for trends (identification of deviations from baselines of traffic in/out of the university, patterns of types of traffic, and identification of large consumers or producers of network traffic).
  • collection of attack data from honeypots and analysis of the data to identify attack and target trends.

This last item is an integral part of our threat intelligence and information sharing effort, which we call STINGAR (Sharing Threat Intelligence for Network Gatekeeping with Automated Response). The work has resulted in two grants intended to operationalize this approach and give schools the ability to quickly deploy sensors (honeypots), receive actionable threat intelligence, use that data to rapidly block malicious traffic, and share the information with trusted partners. One of the goals of the grant is to build a repository of attack data for analysis by researchers and security professionals.