December 4, 2019

Show You Mine If You Show Me Yours: The role of threat information exchange in strengthening cyber-defenses

Sharing is Caring

Speed and efficiency are essential to success in the digital economy. Businesses and organizations with an online presence need accurate, responsive cybersecurity measures to counter the myriad threats aimed at them. Working in isolation to tackle these attacks and shore up cyber defenses is a costly and often futile exercise. As Grayson Milbourne, Security Intelligence Director at cybersecurity firm Webroot, puts it:

Today’s cyber threat landscape is polymorphic in nature — constantly changing and making it nearly impossible to detect with traditional security approaches.

For this reason, many businesses are coming to the realization that defending collectively beats defending alone. Sharing threat information across public and private industries and organizations could reduce cybersecurity workloads and provide access to a wide pool of security resources, something smaller companies, in particular, are latching on to.

In a recent study of 200 US IT security experts commissioned by cybersecurity and analysis company IronNet, 94% were willing to increase the level of threat sharing with industry peers. And not just with their peers: 92% said they would also increase threat sharing with the government if it used its clout to prevent cyber attacks on enterprises, both public and private.

Commitment Phobes?

Sharing cybersecurity information isn't an entirely new paradigm, but neither is it pervasive. Many businesses and organizations share indicators of compromise: malicious IP addresses, file hashes, domains, and other signature-based indicators. The dissemination process is limited, however. The information businesses share tends towards the familiar, flagging existing threats rather than the patterns behind them or warnings about future dangers. Timing is also an issue. Intermittent, slow, or late sharing of warnings is of little or no benefit against persistent and devious adversaries; an IP address or hash that arrives after the attacker has already rotated infrastructure is stale on receipt. IronNet's take on this approach?

Snapshots and bandages that cover yesterday's attacks but don't fully protect you from tomorrow's threats.

Businesses and organizations often share threat information as raw data, which presents its own issues: IT security staff need both time and resources to turn that data into actionable intelligence, and many businesses are short on both.

Whatever the reason, there appears to be a reluctance to commit wholeheartedly to threat information sharing. Clearly, enterprises need greater assurance of the benefits and safety of pooling their experiences and databases. Time for a top-down approach?

Top Down

If we are all to start sharing our cyber-threat information, it is important that governments lead by example. After all, their resources and reach far exceed those of most private organizations.
To this end, the Department of Homeland Security established the Cyber Information Sharing and Collaboration Program (CISCP) with the aim of greasing the information pipeline between public and private entities. More than 200 businesses participate in the program and receive direct, credible threat information; worryingly, most still don't use it to prevent attacks. This could be a resource issue, or it could relate to the quality of the indicators they receive, which may not carry enough context to determine relevance or urgency.

Clearly, we are still some way from achieving an acceptable tradeoff between satisfying calls from the private sector for greater federal cooperation, and fears from the intelligence community that greater declassification and sharing of information with private companies could put technical sources and methods at risk.

Top-down isn't quite there yet. This calls for Plan B.

Avengers Assemble

Since its informal inception in 2014 by Fortinet, McAfee, Palo Alto Networks, and Symantec, the Cyber Threat Alliance (CTA) has been quietly pooling intelligence about all things cybersecurity. A white paper on the value of cyber-community collaboration in 2015 made enough waves to warrant a full-scale relaunch in 2017 as an independent, not-for-profit organization dedicated to the dissemination of advanced threat information amongst businesses and organizations of all types and sizes. Members send anonymized Structured Threat Information Expression (STIX™) packages containing threat observables to the CTA platform. CTA's own algorithm scores the submissions and returns real, actionable, and contextualized threat data. At present, submissions run to approximately 65,000 STIX™ packages per day, meaning businesses of all types and levels of liquidity can draw on an extensive wellspring of cyber-threat data. Speaking about the benefits of cyber-threat collaboration, Neil Jenkins, a former Department of Homeland Security cybersecurity official who now leads the CTA initiative, says this:

Our members are big enough that they cover a big chunk of real estate...When we do this at the same time, it makes it much harder for bad actors

Case in point: just last year, Cisco shared information about a powerful strain of malicious software called VPNFilter. They believed Russian hackers might use the malware, which had infected an estimated 500,000 devices, to cut off internet access in Ukraine on the country's Constitution Day. As a result of this warning, the CTA provided all members with urgent notifications and details about how to protect their businesses and customers from this attack.

Information sharing enables us to provide more specific, actionable, and timely information to our industry partners so they can protect their systems in a proactive manner.
-Howard S. Marshall, Deputy Assistant Director of the Cyber Division of the FBI

Because of the scale and spread of its membership, the CTA, an online answer to Neighborhood Watch, represents a substantial cybersecurity umbrella. Access to data from some of the world's largest security vendors could greatly reduce exposure to cybercrime and, with it, cybersecurity budgets. It's worth chewing over!
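To make the exchange concrete, here is an added example (not code from the CTA or any vendor named on this page) of what a consumer of pooled indicators does with the STIX packages described above, and of why the "snapshots and bandages" problem from the sharing section matters. Three hypothetical members each submit an anonymized STIX 2.1 bundle of indicators (IPs, domains, file hashes); the consumer merges them, drops revoked ones, and ranks each indicator by how many independent members corroborate it and how recently it was seen, so an indicator nobody has refreshed in a month drops to the bottom. The bundles, member names, and the scoring rule are constructed assumptions for illustration, not the CTA's algorithm.

```python
"""Merge and rank anonymized STIX 2.1 indicator bundles from several sharing
members.  Added example: bundles and members are constructed, and the scoring
rule (corroboration x freshness) is an assumption, not the CTA's algorithm."""
import json
import re
import uuid
from datetime import datetime, timezone

# Matches a single-comparison STIX pattern, e.g.
#   [ipv4-addr:value = '198.51.100.7']   or   [file:hashes.'SHA-256' = '...']
PATTERN_RE = re.compile(r"\[\s*([\w\-]+):([\w\.\-']+)\s*=\s*'([^']+)'\s*\]")


def parse_stix_time(text):
    """STIX timestamps are RFC 3339 UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not a STIX timestamp: %r" % text)


def make_bundle(member, indicators):
    """Build an anonymized STIX 2.1 bundle: no created_by_ref, so only the
    receiving platform (not the bundle) knows who submitted it."""
    objects = []
    for pattern, valid_from, revoked in indicators:
        obj = {"type": "indicator", "spec_version": "2.1",
               "id": "indicator--%s" % uuid.uuid5(uuid.NAMESPACE_URL, member + pattern),
               "created": valid_from, "modified": valid_from,
               "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from}
        if revoked:
            obj["revoked"] = True
        objects.append(obj)
    return json.dumps({"type": "bundle",
                       "id": "bundle--%s" % uuid.uuid5(uuid.NAMESPACE_URL, member),
                       "objects": objects})


def extract_indicators(bundle_json):
    """Yield (kind, value, valid_from) for each usable indicator in a bundle."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):
            continue  # the member withdrew it: stop acting on it
        match = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if not match:
            continue  # compound patterns are out of scope for this example
        kind = "%s:%s" % (match.group(1), match.group(2).replace("'", ""))
        yield kind, match.group(3), parse_stix_time(obj["valid_from"])


def aggregate(submissions):
    """Merge (member, bundle_json) pairs into (kind, value) -> members, newest."""
    merged = {}
    for member, bundle_json in submissions:
        for kind, value, valid_from in extract_indicators(bundle_json):
            rec = merged.setdefault((kind, value), {"members": set(), "newest": valid_from})
            rec["members"].add(member)
            rec["newest"] = max(rec["newest"], valid_from)
    return merged


def score(rec, now, stale_after_days=30):
    """Assumed rule: independent corroborators times days of freshness left.
    Anything not refreshed within stale_after_days scores 0 (late intel)."""
    age_days = (now - rec["newest"]).days
    return len(rec["members"]) * max(0, stale_after_days - age_days)


def prioritize(submissions, now):
    """Return [(score, kind, value, sorted member list)], best first."""
    ranked = [(score(rec, now), kind, value, sorted(rec["members"]))
              for (kind, value), rec in aggregate(submissions).items()]
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


# Constructed submissions from three hypothetical members (hash is made up).
FAKE_SHA256 = "0123456789abcdef" * 4
SUBMISSIONS = [
    ("member-a", make_bundle("member-a", [
        ("[ipv4-addr:value = '198.51.100.7']", "2019-12-01T00:00:00.000Z", False),
        ("[domain-name:value = 'update.example']", "2019-11-30T00:00:00Z", False)])),
    ("member-b", make_bundle("member-b", [
        ("[ipv4-addr:value = '198.51.100.7']", "2019-12-02T00:00:00Z", False),
        ("[file:hashes.'SHA-256' = '%s']" % FAKE_SHA256, "2019-09-01T00:00:00Z", False)])),
    ("member-c", make_bundle("member-c", [
        ("[ipv4-addr:value = '198.51.100.7']", "2019-12-03T00:00:00Z", True),  # withdrawn
        ("[domain-name:value = 'update.example']", "2019-12-03T00:00:00Z", False)])),
]
NOW = datetime(2019, 12, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    for s, kind, value, members in prioritize(SUBMISSIONS, NOW):
        print("%3d  %-22s %-64s %s" % (s, kind, value, ",".join(members)))
```

Run as-is, the domain corroborated by two members and refreshed yesterday ranks first, the IP (two live submitters, one withdrawal) second, and the three-month-old hash scores zero despite being a perfectly valid indicator: the ranking rewards what the text asks for, corroboration and timeliness, rather than raw volume. A real platform would also keep the stale hash for retrospective hunting rather than discarding it.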

A Problem Shared

The number of tech firms hopping on the cyber-threat intelligence-sharing bandwagon is increasing daily. Webroot’s BrightCloud and IBM’s epic-sounding X-Force Exchange are just two examples of a community-based approach to cybersecurity.
The growth of Information Sharing and Analysis Organizations (ISAOs) such as the small-business SMB-ISAO, the Defense Industrial Base ISAC, and the Legal Services ISAO indicates a shift in mindset from hoarding cybersecurity information to consolidating security resources, ensuring greater visibility into the threat landscape.

Small and medium-sized businesses (SMBs) are sitting ducks for cybercriminals. Their risk level is rising sharply, with 57% of SMBs reporting an increase in attack volume in the past year alone. The old tried-and-tested security backstops are not holding up against the onslaught of such a serpentine adversary.

With bigger fish to fry, it might be time to get all touchy-feely, sharing our toys with the other kids. After all, a problem shared...