Intelligence-Sharing Suffers Growing Pains

For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, a new report from Ponemon finds.

Target's epic data breach was the final push the retail industry needed to finally formalize threat and attack intelligence-sharing within its community. Until recently, retail was one of the last high-profile holdouts without an official intelligence-sharing mechanism of its own, and the end product is likely to mirror the model of the existing Information Sharing and Analysis Centers (ISACs) in other industries.

"We're not all in with an ISAC yet. We are sharing protocols and procedures we expect could be transformed into an ISAC," says David French, senior vice president for government relations at the National Retail Federation (NRF), who confirmed with Dark Reading last month that the retail industry was considering its own ISAC. "We've opened a sharing platform that will serve as a portal for the time being. It's not the same [model] as the FS-ISAC uses, but we are investigating that option," says French, whose organization last week announced the industry was making it official and going with its own intel-sharing model.

To date, some retailers have informally shared threat and attack experience and information among one another, and law enforcement and government entities haven't had a central place to share with retail their intel about active attacks and other types of threat information. "Our members told us they'd like to have information in real-time... [a central model] would give them a better understanding of what the threats are," says NRF's French. The plan is to stand up an intel-sharing platform or ISAC this summer, he says.

Most organizations consider intelligence-sharing crucial for fighting back against the bad guys: new data from the Ponemon Institute shows that 61% of organizations say threat intel could have prevented the cyberattacks they have experienced in the past 24 months. Only 30% of the organizations say they are "satisfied" or "very satisfied" with their current method of gathering threat intelligence.

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

More than half of the respondents in the Ponemon survey get threat intel informally -- the most common method for many organizations -- via phone, email, or in-person meetings, and these methods can be slow and inconsistent, not to mention far from secure. The gap in time between receiving the intel and converting it into something usable can make all the difference in deflecting or mitigating an attack. Nearly 70% of respondents say intel actually expires within seconds or minutes, yet more than 50% have received this information only after days, weeks, or months, rendering much of it useless.

Lars Harvey, CEO of IID, which commissioned the Ponemon report, says the most useful information is that which arrives within microseconds. "And they have to immediately apply it to their infrastructure – that is the most useful [approach] and helped prevent things [attacks] from happening," says Harvey of IID, a threat intelligence firm. "As time goes by, the value of the information diminishes."

Harvey says many organizations hesitate to enter into intel-sharing for legal reasons. "The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking" for compensation, for instance, he says, even though the source had no control over how that information was shared. "That's what attorneys are most afraid of," he says. "Scaling trust is a big challenge."

Receiving information with context, rather than raw data, is also crucial, and there are plenty of interoperability challenges in automating an organization's response to a threat, he says. That's where emerging standards like Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) come into play. STIX is the intel-sharing language architecture and TAXII is the protocol for transporting that information. The two are seen as the future of a standard machine-readable language and transport for incorporating the latest threat information into an organization's security infrastructure.
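As an added example (not code from the article, IID, or Ponemon), here is a minimal ingester for a constructed STIX 2.x-style indicator bundle (the JSON form of STIX is a later revision than the one current when this article ran): it parses simple equality patterns, drops indicators outside their validity window (the time-decay point above), and matches the remainder against constructed log lines. All indicator values, ids, and log lines are sample data.

```python
"""Turn machine-readable indicators into a match over log lines, honouring expiry."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.x-style bundle (sample data, not from any real feed).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--constructed-0001",
    "objects": [
        {"type": "indicator", "id": "indicator--constructed-c2",
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "pattern_type": "stix",
         "valid_from": "2014-04-24T12:00:00Z", "valid_until": "2014-04-24T12:30:00Z"},
        {"type": "indicator", "id": "indicator--constructed-dns",
         "pattern": "[domain-name:value = 'bad.example']", "pattern_type": "stix",
         "valid_from": "2014-04-24T11:00:00Z", "valid_until": "2014-04-24T11:05:00Z"},
    ],
})

# Constructed firewall/DNS log lines.
SAMPLE_LOGS = [
    "2014-04-24T12:02:10Z fw allow src=10.0.0.8 dst=198.51.100.7 dport=443",
    "2014-04-24T12:02:41Z fw allow src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2014-04-24T12:03:05Z dns query=bad.example src=10.0.0.9",
]

# Matches one "object:path = 'value'" comparison inside a STIX pattern.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

def parse_ts(s):
    """STIX timestamps are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_pattern(pattern):
    """Extract (object_path, value) pairs from a simple equality-only pattern."""
    return COMPARISON.findall(pattern)

def active_indicators(bundle_json, now):
    """Map indicator values to indicator ids, keeping only those valid at `now`."""
    active = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if parse_ts(obj["valid_from"]) > now:
            continue  # not yet valid
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue  # stale intel: drop it rather than act on an expired indicator
        for _path, value in parse_pattern(obj["pattern"]):
            active[value] = obj["id"]
    return active

def scan_logs(lines, active):
    """Return (line_no, indicator_id, value) for each log token matching an active indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in re.findall(r"[\w.\-]+", line):
            if token in active:
                hits.append((n, active[token], token))
    return hits
```

With the clock set inside the first indicator's window, only the C2 address matches; the expired domain indicator is ignored even though it appears in the logs.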

Nearly 70% of the respondents in the Ponemon survey give real-time, machine-to-machine exchange of intelligence a thumbs up. Sixty-two percent say current sharing relationships are typically limited by industry, geography, or community.

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries. They also maintain databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries work together better in the face of cybercrime and cyberespionage.

The financial services industry's FS-ISAC and the defense industry's ISAC are both considered the gold standard for intel-sharing. "We've seen in a few industries, such as financial services and education, very effective programs for exchanging threat information. Other ISACs are not as mature and not as effective," IID's Harvey says.

"Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically," says Mark Bower, vice president of product management and solution architecture for Voltage Security. "Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants."

Bower says getting firsthand perspective from victims who have suffered an attack is especially useful. "While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities," he says. That's where ISACs come in.

IID's Harvey echoed that: "The first key is identifying [activity] as an attack. Has anyone seen behavior like this? The more you know," the better, Harvey says.

"What was clear in our findings is that businesses and government agencies know that exchanging cyber threat intelligence will help secure the Internet more so than any other method or technology," says Larry Ponemon, Chairman and Founder of the Ponemon Institute, which surveyed 700+ IT and security professionals in enterprises and government agencies. "Yet what is really confounding is that while most of the people participating in the survey are clearly sharing cyberattack information, they know they aren’t doing it correctly or effectively."

The full Ponemon report, "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way," is available here for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Marilyn Cohodas, User Rank: Strategist
4/24/2014 | 4:21:58 PM
Re: Intel-sharing -- seems like a no brainer for retail
On fire, probably, I would imagine. It will be interesting to see what they come up with. Looking forward to your reporting about it, Kelly.

Kelly Jackson Higgins, User Rank: Strategist
4/24/2014 | 4:18:00 PM
Re: Intel-sharing -- seems like a no brainer for retail
It's not clear why they were laggards in this, but they will have something in place soon. The heat is on.

Marilyn Cohodas, User Rank: Strategist
4/24/2014 | 3:55:35 PM
Intel-sharing -- seems like a no brainer for retail
It's hard for me to understand why -- after the recent spate of data breaches at Target, Michaels, etc. -- the retail industry isn't rushing forward to create industry-wide intelligence-sharing mechanisms. I suppose a baby step is better than standing still....