Analytics // Security Monitoring

4/20/2013 06:26 PM
Wendy Nather
Commentary

Trickle-Down Threat Intelligence

Tiers are not enough when intel is at stake

There's threat intelligence, and then there's threat intelligence. There's the kind of "democratized data" that every vendor supplies to its customers, carefully anonymized and based on output from its own product install base. This tends to be automated, it's made to integrate with a wide number of systems, and it's often licensed out to vendor partners as well. It's full of signatures (or Indicators of Compromise) and reputational information, and if it has any attribution, it has been vetted before it has been added to the stream.

Then there's the kind of threat intelligence that always happens behind closed doors. It's the stuff "everyone knows" (where "everyone" means incident responders at a certain level of seniority), but that doesn't leave the circle of trust. Or it may be threat intelligence data that's sensitive enough that it's an open secret, but revealing it publicly Just Isn't Done. (Mandiant took a step forward into the spotlight to reveal some of this in its APT1 threat report (PDF). This data wasn't a surprise to anyone; it's just that nobody else wanted the political fallout from publishing it.)

Financial institutions have their closed circles of data exchange; so do defense, state and local government, law enforcement, health care, critical infrastructure, and payment processors. If there's a vertical for it, you can bet that there are quiet phone calls going on to the tune of, "There's something you need to know ..."

But you can't just walk into these meetings or email someone and say, "Hey, what do you know about X?" You need to be a member of the club by virtue of being in the same business and facing the same adversary. And some of these clubs are very, very 1337: those who face daily attacks and have money to build their own research and response teams -- and they know a lot more than the rest of us do.

So what about the rest of us? Ellen's Chocolate Shoppe and Tattoo Parlor won't ever know anything that doesn't come from CNN -- or maybe from the antivirus vendor. And by the time mainstream enterprises get it, it may or may not be fresh -- but it certainly won't be detailed; it'll have the secret bits bleached out. Now, you can argue that SMBs wouldn't know what to do with those details, anyway. But the fact remains that without complete knowledge of the threats facing them, those organizations are stuck making risk decisions with watered-down data.

If there's a solution to this, I suspect it'll come in the form of partnerships: The VAR, consultant, or provider will have a red phone going directly to its own intel sources, and without revealing classified information, it'll have to help its customers choose the right countermeasures and responses. The threat intelligence ecosystem will still have its eddies and pools, but there will be a creek that's more accessible through multiple levels of waterfalls, as the data lands in one area, gets processed (maybe they take some minerals out and put others in), and is then shared with the next trusted partner downstream.

This kind of sharing can't be mandated by legislation: It's the kind of data that is constantly being filtered to adapt to the level of trust, and you can't mandate trust. The most you can do is incent it. We need a framework that provides benefit to each participant -- not benefit to "all of us." The collective good isn't compelling enough. It has to be a benefit to each of us, every time we share. But that's an exercise best left to the game theorists and the economists.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe.

Comments

Todd Inskeep, User Rank: Apprentice
6/19/2013 | 11:25:17 PM
re: Trickle-Down Threat Intelligence
Many framework models will emerge. One framework will emerge from the continued adoption of cloud services. These intrinsically should provide security services but explicitly provide little if any security value (today). Simply put, IT services providers should be providing the value derived from consuming (and contributing to) Threat Intelligence to their clients, without actually needing to share most of the details with those clients. These providers have the resources and position to work with the higher levels of information sharing and build trust in those circles.

There are other models for exchanging value in contributing and consuming information - ad networks are a prominent example. No doubt Threat Intelligence information exchanges will develop over time.