Threat intelligence supply chain is full of weak links, researchers find

Researchers from Georgia Tech have found that the supply chain for threat intelligence data is susceptible to adversarial action, and proposed a method to improve data sharing that they think will make it stronger.

Brenden Kuerbis, a research scientist at Georgia Tech’s School of Public Policy, sketched the proposal on Monday by noting that in January 2026, China appeared to ban security software developed by some US and Israeli firms – probably because it fears data leakage if local firms use the foreign software.

“This move represents more than just another salvo in ongoing tech tensions between the two governments,” he wrote. “It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders.”

According to other researchers at the institution, the ecosystem was already weak before China’s action.

They will discuss their work at the Network and Distributed System Security (NDSS) Symposium in San Diego, when they present a paper titled “Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem.”

The researchers identified three main players in the ecosystem:

  • Threat intelligence platforms like VirusTotal and MalwareBazaar;
  • Antivirus companies that produce their own threat intelligence, and tools to make it usable;
  • Malware sandbox services that offer analysis-as-a-service to anyone trying to understand the behavior of a binary.

The paper points out that threat intelligence is a big business, but that the quality of the information available is uneven because different stakeholders release different data.

They reached that conclusion after creating “benign yet suspicious binaries” and sharing them with 30 security vendors. The binaries included code that allowed the researchers to track how the vendors shared the packages.

That experiment revealed that 67 percent of infosec vendors conduct sandbox analysis of newly discovered malware, but only 17 percent share any threat intelligence they gather with that technique. They also found that many researchers share indicators of compromise, but few share binaries that would let other researchers and defenders develop a better understanding of attacks.

Another finding is that a handful of “nexus vendors” share more threat intelligence than others. While those vendors are very useful, other info-sharing bottlenecks among supply chain participants slow the propagation of information – often by “hours to days” – and therefore increase the amount of time before defenders act against attacks.

The researchers think not all threat intelligence researchers do a great job.

“Our study revealed that while a few vendors thoroughly analyze malware, most conduct shallow analysis and ignore dropped files by the initial binary,” they wrote, and suggested that more comprehensive analysis techniques would improve the threat intel supply chain.

Another finding is that some security researchers have hosted infrastructure at the same IP addresses for years, which makes their sandboxes easier for adversaries to recognize and evade.

The researchers therefore propose a system that securely encodes data about the provenance of threat intelligence, so stakeholders feel more confident sharing it.

Kuerbis thinks the technique described in the paper could make it possible for network operators to “use or filter policy-compliant threat intelligence without necessarily relying on the country of origin.”

If he’s right, that could mean China has nothing to fear from foreign sources of threat intelligence – and perhaps the rest of us could get along with the likes of Kaspersky.

“What’s needed now are governance structures that allow operators, vendors, and researchers to continue cooperating globally while adhering to various governments’ incompatible notions of jurisdictionally-bound identity, sovereignty, and compliance,” he wrote.

“Chinese, American, and other participants (both public and private) will have incentives to use the same provenance system, not out of altruism, but because exclusion from the verifiable pool of TI is operationally costly in a threat environment that remains stubbornly global,” he wrote, before noting that the real challenge is institutional, not technical.

“Secure provenance requires transnational governance structure(s) perceived as legitimate by participants operating under conflicting state mandates – without which threat intelligence risks becoming a zero-sum geopolitical competition.” ®