Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

4/20/2013
06:26 PM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Trickle-Down Threat Intelligence

Tiers are not enough when intel is at stake

There's threat intelligence, and then there's threat intelligence. There's the kind of "democratized data" that every vendor supplies to its customers, carefully anonymized and based on output from its own product install base. This tends to be automated, it's made to integrate with a wide number of systems, and it's often licensed out to vendor partners as well. It's full of signatures (or Indicators of Compromise) and reputational information, and if it has any attribution, it has been vetted before it has been added to the stream.

Then there's the kind of threat intelligence that always happens behind closed doors. It's the stuff "everyone knows" (where "everyone" means incident responders at a certain level of seniority), but that doesn't leave the circle of trust. Or it may be threat intelligence data that's sensitive enough that it's an open secret, but revealing it publicly Just Isn't Done. (Mandiant took a step forward into the spotlight to reveal some of this in its APT1 threat report (PDF). This data wasn't a surprise to anyone; it's just that nobody else wanted the political fallout from publishing it.)

Financial institutions have their closed circles of data exchange; so do defense, state and local government, law enforcement, health care, critical infrastructure, and payment processors. If there's a vertical for it, you can bet that there are quiet phone calls going on to the tune of, "There's something you need to know ..."

But you can't just walk into these meetings or email someone and say, "Hey, what do you know about X?" You need to be a member of the club by virtue of being in the same business and facing the same adversary. And some of these clubs are very, very 1337: those who face daily attacks and have money to build their own research and response teams -- and they know a lot more than the rest of us do.

So what about the rest of us? Ellen's Chocolate Shoppe and Tattoo Parlor won't ever know anything that doesn't come from CNN -- or maybe from the antivirus vendor. And by the time mainstream enterprises get it, it may or may not be fresh -- but it certainly won't be detailed; it'll have the secret bits bleached out. Now, you can argue that SMBs wouldn't know what to do with those details, anyway. But the fact remains that without complete knowledge of the threats facing them, those organizations are stuck making risk decisions with watered-down data.

If there's a solution to this, I suspect it'll come in the form of partnerships: The VAR, consultant, or provider will have a red phone going directly to its own intel sources, and without revealing classified information, it'll have to help its customers choose the right countermeasures and responses. The threat intelligence ecosystem will still have its eddies and pools, but there will be a creek that's more accessible through multiple levels of waterfalls, as the data lands in one area, gets processed (maybe they take some minerals out and put others in), and is then shared with the next trusted partner downstream.

This kind of sharing can't be mandated by legislation: It's the kind of data that is constantly being filtered to adapt to the level of trust, and you can't mandate trust. The most you can do is incent it. We need a framework that provides benefit to each participant -- not benefit to "all of us." The collective good isn't compelling enough. It has to be a benefit to each of us, every time we share. But that's an exercise best left to the game theorists and the economists.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Todd Inskeep
50%
50%
Todd Inskeep,
User Rank: Apprentice
6/19/2013 | 11:25:17 PM
re: Trickle-Down Threat Intelligence
Many framework models will emerge. One framework will emerge from the continued adoption of cloud services. These intrinsically should provide security services but explicitly provide little if any security value (today). Simply put, IT services providers should be providing the value derived from consuming (and contributing to) Threat Intelligence to their clients, without actually needing to share most of the details with those clients. These providers have the resources and position to work with the higher levels of information sharing and build trust in those circles.

There are other models for exchanging value in contributing and consuming information - ad networks are a prominent example. No doubt Threat Intelligence information exchanges will develop over time.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...