Context-Aware Cyber Threat Intelligence Exchange Platform

Michael Motlhabi, Phumeza Pantsi, Bokang Mangoale, Rofhiwa Netshiya and Samson Chishiri
Council for Scientific and Industrial Research, Pretoria, South Africa
mmotlhabi@csir.co.za, ppantsi@csir.co.za, bmangoale@csir.co.za, rnetshiya@csir.co.za, schishiri@csir.co.za

Abstract: The number of network- and internet-connected devices has increased exponentially in the past decade. The proliferation of end-user devices has created a lucrative environment for cybercriminals to exploit unsuspecting users at a personal and organisational level. Moreover, businesses and governments rely heavily on cyberspace to conduct their business. According to Accenture, in 2019 South Africa saw a spike in cyberattacks on all fronts: banks, Internet Service Providers (ISPs), utilities and eCommerce platforms. This shows that threat actors are continuously looking to exploit new and old vulnerabilities at ever-increasing rates. Furthermore, threat actors share tactics, techniques and procedures with one another to widen the set of targets they can reach and to improve the effectiveness of their attacks. Security research, by contrast, tends to be an insular process, and individuals or groups rarely share threat data. This is due to a lack of trust, organisational policies, or simply the inability to get the information out to the wider community. The idea behind this paper is to design a context-aware threat intelligence exchange platform that encourages collaboration and creates a federated environment in which different industry stakeholders share Indicators of Compromise. This paper further aims to define the process of transforming raw Indicators of Compromise into cyber threat intelligence.
The platform described in this paper, when implemented, would provide the basic building blocks for a highly effective cybersecurity intelligence-sharing system that improves vulnerability detection and remediation by reducing the time required to identify and resolve incidents.

Keywords: Security Event Management, Security Information Management, Threat Intelligence, Cybersecurity, Collaboration, Data Exchange, Indicators of Compromise, TAXII/STIX, Tactics, Techniques and Procedures

1. Introduction

There have been significant improvements to technology and the internet over the years, expanding the available communication options and thereby increasing reliance on Information Technology (IT). As much as these improvements have changed human livelihoods for the better, they have also increased the opportunities available to cybercriminals. South Africa (SA) is currently ranked 34th out of 108 countries, with a score of 0.417, in the Cybersecurity Exposure Index (CEI) published in October 2020 (Frisby, 2020). The CEI is based on data collected from the dark web and from publicly available deep-web sources (Cyber Intelligence House, 2020). According to a report by Accenture, SA has seen an increase in cybercrime in recent years, with notable spikes in 2019 (Accenture, 2020). The report indicates that several sectors in SA were affected by coordinated cyberattacks from international threat actors who reused some of their attacks. The attacks targeted stakeholders in banking, e-commerce, telecommunications providers, Non-Governmental Organisations (NGOs) and provincial utility platforms such as water and sanitation. The Experian security breach of 2020 affected approximately 24 million individuals and 793,000 local businesses (Cimpanu, 2020) (Burger-Smidt, 2020). More recently, in July 2021, Transnet, South Africa's largest logistics company, was targeted.
The company was hit by the Death Kitty ransomware, which disrupted some of its services (CybercrimeSA, 2014-2021) (TechCentral, 2021). The consequences of cyberattacks include not only the compromise of intellectual property and loss of data but also disruption to business operations, which may lead to financial loss, reputational damage and regulatory fines. According to a financial stability report by the SA Reserve Bank, cyberattacks continually threaten the availability of financial services and the functioning of their infrastructure, thereby creating reputational and direct financial risks (South African Reserve Bank, 2021). The increased adoption of Internet of Things (IoT) technology-based processes within the SA government and private sectors has expanded the threat surface, as IoT devices are not secure by default (Allen, 2021). Operational Technology (OT), industrial control system (ICS) and supervisory control and data acquisition (SCADA) environments are also being connected, and they are by design vulnerable to cyberattacks because they rely on legacy IT systems. The industries most vulnerable to cyberattacks in 2021, as reported by CDNetworks, include but are not limited to government
Proceedings of the 17th International Conference on Information Warfare and Security, 2022