Trickle-Down Threat IntelligenceTiers are not enough when intel is at stake
There's threat intelligence, and then there's threat intelligence. There's the kind of "democratized data" that every vendor supplies to its customers, carefully anonymized and based on output from its own product install base. This tends to be automated, it's made to integrate with a wide number of systems, and it's often licensed out to vendor partners as well. It's full of signatures (or Indicators of Compromise) and reputational information, and if it has any attribution, it has been vetted before it has been added to the stream.
Then there's the kind of threat intelligence that always happens behind closed doors. It's the stuff "everyone knows" (where "everyone" means incident responders at a certain level of seniority), but that doesn't leave the circle of trust. Or it may be threat intelligence data that's sensitive enough that it's an open secret, but revealing it publicly Just Isn't Done. (Mandiant took a step forward into the spotlight to reveal some of this in its APT1 threat report (PDF). This data wasn't a surprise to anyone; it's just that nobody else wanted the political fallout from publishing it.)
Financial institutions have their closed circles of data exchange; so do defense, state and local government, law enforcement, health care, critical infrastructure, and payment processors. If there's a vertical for it, you can bet that there are quiet phone calls going on to the tune of, "There's something you need to know ..."
But you can't just walk into these meetings or email someone and say, "Hey, what do you know about X?" You need to be a member of the club by virtue of being in the same business and facing the same adversary. And some of these clubs are very, very 1337: those who face daily attacks and have money to build their own research and response teams -- and they know a lot more than the rest of us do.
So what about the rest of us? Ellen's Chocolate Shoppe and Tattoo Parlor won't ever know anything that doesn't come from CNN -- or maybe from the antivirus vendor. And by the time mainstream enterprises get it, it may or may not be fresh -- but it certainly won't be detailed; it'll have the secret bits bleached out. Now, you can argue that SMBs wouldn't know what to do with those details, anyway. But the fact remains that without complete knowledge of the threats facing them, those organizations are stuck making risk decisions with watered-down data.
If there's a solution to this, I suspect it'll come in the form of partnerships: The VAR, consultant, or provider will have a red phone going directly to its own intel sources, and without revealing classified information, it'll have to help its customers choose the right countermeasures and responses. The threat intelligence ecosystem will still have its eddies and pools, but there will be a creek that's more accessible through multiple levels of waterfalls, as the data lands in one area, gets processed (maybe they take some minerals out and put others in), and is then shared with the next trusted partner downstream.
This kind of sharing can't be mandated by legislation: It's the kind of data that is constantly being filtered to adapt to the level of trust, and you can't mandate trust. The most you can do is incent it. We need a framework that provides benefit to each participant -- not benefit to "all of us." The collective good isn't compelling enough. It has to be a benefit to each of us, every time we share. But that's an exercise best left to the game theorists and the economists.
Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.
Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio