
Security Monitoring | Commentary
4/20/2013 06:26 PM
Wendy Nather

Trickle-Down Threat Intelligence

Tiers are not enough when intel is at stake

There's threat intelligence, and then there's threat intelligence. There's the kind of "democratized data" that every vendor supplies to its customers, carefully anonymized and based on output from its own product install base. This tends to be automated, it's built to integrate with a wide range of systems, and it's often licensed out to vendor partners as well. It's full of signatures (or Indicators of Compromise) and reputational information, and if it carries any attribution, that attribution has been vetted before it was added to the stream.

Then there's the kind of threat intelligence that always happens behind closed doors. It's the stuff "everyone knows" (where "everyone" means incident responders at a certain level of seniority), but that doesn't leave the circle of trust. Or it may be threat intelligence data that's sensitive enough that it's an open secret, but revealing it publicly Just Isn't Done. (Mandiant took a step forward into the spotlight to reveal some of this in its APT1 threat report (PDF). This data wasn't a surprise to anyone; it's just that nobody else wanted the political fallout from publishing it.)

Financial institutions have their closed circles of data exchange; so do defense, state and local government, law enforcement, health care, critical infrastructure, and payment processors. If there's a vertical for it, you can bet that there are quiet phone calls going on to the tune of, "There's something you need to know ..."

But you can't just walk into these meetings or email someone and say, "Hey, what do you know about X?" You need to be a member of the club by virtue of being in the same business and facing the same adversary. And some of these clubs are very, very 1337: those who face daily attacks and have money to build their own research and response teams -- and they know a lot more than the rest of us do.

So what about the rest of us? Ellen's Chocolate Shoppe and Tattoo Parlor won't ever know anything that doesn't come from CNN -- or maybe from the antivirus vendor. And by the time mainstream enterprises get it, it may or may not be fresh -- but it certainly won't be detailed; it'll have the secret bits bleached out. Now, you can argue that SMBs wouldn't know what to do with those details, anyway. But the fact remains that without complete knowledge of the threats facing them, those organizations are stuck making risk decisions with watered-down data.

If there's a solution to this, I suspect it'll come in the form of partnerships: The VAR, consultant, or provider will have a red phone going directly to its own intel sources, and without revealing classified information, it'll have to help its customers choose the right countermeasures and responses. The threat intelligence ecosystem will still have its eddies and pools, but there will be a creek that's more accessible through multiple levels of waterfalls, as the data lands in one area, gets processed (maybe they take some minerals out and put others in), and is then shared with the next trusted partner downstream.

This kind of sharing can't be mandated by legislation: It's the kind of data that is constantly being filtered to adapt to the level of trust, and you can't mandate trust. The most you can do is incent it. We need a framework that provides benefit to each participant -- not benefit to "all of us." The collective good isn't compelling enough. It has to be a benefit to each of us, every time we share. But that's an exercise best left to the game theorists and the economists.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe.

Comments
Todd Inskeep, 6/19/2013 | 11:25:17 PM
re: Trickle-Down Threat Intelligence
Many framework models will emerge. One framework will emerge from the continued adoption of cloud services. These intrinsically should provide security services but explicitly provide little if any security value (today). Simply put, IT services providers should be providing the value derived from consuming (and contributing to) Threat Intelligence to their clients, without actually needing to share most of the details with those clients. These providers have the resources and position to work with the higher levels of information sharing and build trust in those circles.

There are other models for exchanging value in contributing and consuming information - ad networks are a prominent example. No doubt Threat Intelligence information exchanges will develop over time.