Exploiting Cyber Threat Intelligence for Indirect Attacks Against Serverless Infrastructures

Baojin Wang, Yongzhao Zhang, Xiong Li, Jie Yang, Yijun Liu, Jiazhen Liu, Ting Chen, Xiaosong Zhang, Dian Ding, Yi-Chao Chen

Published: 01 Jan 2026, Last Modified: 02 Apr 2026 | IEEE Transactions on Information Forensics and Security | CC BY-SA 4.0
Abstract: Cyber Threat Intelligence (CTI) and serverless computing are two emerging technologies that have significantly impacted their respective domains in recent years. However, their interaction remains surprisingly underexplored. In this work, through in-depth semi-structured interviews with cybersecurity experts, we identify the trust issues within the CTI ecosystem that can be exploited to introduce fake CTI manipulation, enabling indirect attacks against entities with dynamic IP allocation, such as those in serverless computing. Furthermore, these attacks can be amplified by commercial CTI platforms due to their widespread adoption and sharing mechanisms. Based on these insights, we propose Ares, a novel attack strategy that leverages fake CTI manipulation to enable large-scale, stealthy indirect denial-of-service attacks against serverless infrastructures. We demonstrate the feasibility and impact of Ares through extensive evaluations in a controlled experimental environment. Our results show that Ares can rapidly and widely disseminate fake CTI within the CTI ecosystem, leading to an overall average reject rate of 23.03% and a high reject rate of up to 45.42% when accessing top websites in certain industries, while maintaining a low detection rate across state-of-the-art serverless security systems. These findings underscore the urgent need for more frequent communication and collaboration among CTI platforms and related stakeholders to develop a more robust trustworthiness model across the ecosystem.