ORISHA: Improving Threat Detection through Orchestrated Information Sharing
Conference proceedings contribution
Publication Date:
2023
Abstract:
The exponential growth in the number of cyber threats requires sharing, in a timely and efficient manner, a wide range of Indicators of Compromise (IoCs), i.e., fragments of forensic data that can be used to recognize malicious network or system activity. To this aim, a suitable architecture is required, especially to distribute and process the various IoCs. Unfortunately, the continuous creation of offensive techniques, along with the spread of advanced persistent threats, requires the ability to update and extend the platform used to manage the multitude of IoCs collected in the wild. In this paper, we present the ORISHA architecture, which takes advantage of a distributed threat detection system to meet performance and scalability requirements. The paper also discusses how the platform can be extended to handle the most recent "stealthy" malware as well as campaigns aimed at spreading fake news.
CRIS Type:
04.01 Conference proceedings contribution
Keywords:
threat intelligence; risk mitigation; active learning; collaborative approach
Authors:
Zuppelli, Marco; Manco, Giuseppe; Caviglione, Luca; Comito, Carmela; Guarascio, Massimo; Pisani, Francesco Sergio
Book Title:
Proceedings of the 31st Symposium of Advanced Database Systems