Threat Intelligence
11/11/2016
11:00 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Sharing Threat Intel: Easier Said Than Done

For cyber intelligence-sharing to work, organizations need two things: to trust each other and better processes to collect, exchange, and act on information quickly.

As cyber threats become more sophisticated and expand to the cloud and the Internet of Things, the sharing of meaningful threat intel  between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network.

What did we learn? For one thing, these partnerships demonstrate the importance of global threat intelligence research and analytics that security vendors can offer in dealing with cyber threats. In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups. It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks.

One of the major barriers to information sharing is the perception of liability. In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture. But for organizations that don’t share, half pointed to "potential liability" as the principal reason for holding back. 

To get beyond these obstacles, two things must be in place: trust between organizations and a process to receive and implement threat intelligence information quickly.

Trust but Verify
Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information.

Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII.

Here are a few tips for developing trusted relationships:

  • Start with folks you know in your industry. Ask them their thoughts about threat sharing.
  • Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to that vertical that have established protocols and procedures best suited for an industry’s needs.
  • Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.
  • Meet people in person. Trust is a slow process and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.
  • As Ronald Reagan famously said, "Trust, but verify." Sharing and receiving critical security information requires constant monitoring. Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship.

Rapid Processing
A common critique of many information-sharing services is that they are slow and unreliable. For sharing to work, organizations need to be able to receive, process, and implement threat intelligence information quickly. They also need to ensure that any threat intelligence they share is immediately useful. 

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path. 

Actionable information is the best way to move from being reactive to proactive. It allows organizations to move from simply stopping attacks to actually catching cybercriminals. Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it.

While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating, and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly, or share timely and actionable information. Ideally, the consumption, processing, and correlation of threat intelligence is automated.

Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members. Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on.

Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, characteristics of network design should be considered that will securely facilitate the receiving and sharing of threat intelligence. Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming, hand-correlating intelligence, and distributing updated policies. 

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.