
Analytics //

Security Monitoring

4/20/2013
06:26 PM
Wendy Nather
Commentary

Trickle-Down Threat Intelligence

Tiers are not enough when intel is at stake

There's threat intelligence, and then there's threat intelligence. There's the kind of "democratized data" that every vendor supplies to its customers, carefully anonymized and based on output from its own product install base. This tends to be automated, it's made to integrate with a wide number of systems, and it's often licensed out to vendor partners as well. It's full of signatures (or Indicators of Compromise) and reputational information, and if it has any attribution, it has been vetted before it has been added to the stream.

Then there's the kind of threat intelligence that always happens behind closed doors. It's the stuff "everyone knows" (where "everyone" means incident responders at a certain level of seniority), but that doesn't leave the circle of trust. Or it may be threat intelligence data that's sensitive enough that it's an open secret, but revealing it publicly Just Isn't Done. (Mandiant took a step forward into the spotlight to reveal some of this in its APT1 threat report (PDF). This data wasn't a surprise to anyone; it's just that nobody else wanted the political fallout from publishing it.)

Financial institutions have their closed circles of data exchange; so do defense, state and local government, law enforcement, health care, critical infrastructure, and payment processors. If there's a vertical for it, you can bet that there are quiet phone calls going on to the tune of, "There's something you need to know ..."

But you can't just walk into these meetings or email someone and say, "Hey, what do you know about X?" You need to be a member of the club by virtue of being in the same business and facing the same adversary. And some of these clubs are very, very 1337: those who face daily attacks and have money to build their own research and response teams -- and they know a lot more than the rest of us do.

So what about the rest of us? Ellen's Chocolate Shoppe and Tattoo Parlor won't ever know anything that doesn't come from CNN -- or maybe from the antivirus vendor. And by the time mainstream enterprises get it, it may or may not be fresh -- but it certainly won't be detailed; it'll have the secret bits bleached out. Now, you can argue that SMBs wouldn't know what to do with those details, anyway. But the fact remains that without complete knowledge of the threats facing them, those organizations are stuck making risk decisions with watered-down data.

If there's a solution to this, I suspect it'll come in the form of partnerships: The VAR, consultant, or provider will have a red phone going directly to its own intel sources, and without revealing classified information, it'll have to help its customers choose the right countermeasures and responses. The threat intelligence ecosystem will still have its eddies and pools, but there will be a creek that's more accessible through multiple levels of waterfalls, as the data lands in one area, gets processed (maybe they take some minerals out and put others in), and is then shared with the next trusted partner downstream.

This kind of sharing can't be mandated by legislation: It's the kind of data that is constantly being filtered to adapt to the level of trust, and you can't mandate trust. The most you can do is incent it. We need a framework that provides benefit to each participant -- not benefit to "all of us." The collective good isn't compelling enough. It has to be a benefit to each of us, every time we share. But that's an exercise best left to the game theorists and the economists.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe.

Comments
Todd Inskeep,
User Rank: Apprentice
6/19/2013 | 11:25:17 PM
re: Trickle-Down Threat Intelligence
Many framework models will emerge. One framework will emerge from the continued adoption of cloud services. These intrinsically should provide security services but explicitly provide little if any security value (today). Simply put, IT services providers should be providing the value derived from consuming (and contributing to) Threat Intelligence to their clients, without actually needing to share most of the details with those clients. These providers have the resources and position to work with the higher levels of information sharing and build trust in those circles.

There are other models for exchanging value in contributing and consuming information - ad networks are a prominent example. No doubt Threat Intelligence information exchanges will develop over time.