News & Commentary

6/18/2016
10:00 AM
Nathan Burke
Nathan Burke
Commentary
50%
50%

The Gamble Behind Cyber Threat Intelligence Sharing

In theory, sharing threat intel makes sense. But in cybersecurity you're not dealing with known individuals, you're dealing with anonymous adversaries capable of rapid change.

The U.S. Department of Homeland Security deployed its Automated Indicator Sharing (AIS) system in March to enable the exchange of cyber threat intelligence among private and public organizations. Their motivation is clear: to increase the breadth and speed of information sharing in order to help all types of organizations act more quickly and better defend themselves against emerging threats.

The concept of sharing information to fight common adversaries is nothing new. It’s similar to the Griffin Book or the blacklist used by casinos to identify known cheaters. The casinos share information on shady characters with the gaming board or Griffin Investigations, and they disseminate that information to all casinos so they can identify and ban cheaters. It's a great idea – share the intelligence and everybody (but the cheater) wins. And in the case of casinos fighting criminals in physical locations, it makes all the sense in the world.

There is almost unanimous agreement among security professionals that cyber threat information is similarly valuable to their organizations. However, digging deeper into the attitudes and implementation barriers to sharing that information unveils myths and significant reticence that make it a lot less simple than it might sound.

The known but evolving threat

In theory, the idea of sharing threat intelligence to fight cybercrime makes a lot of sense. But the problem in cybersecurity is that you're not dealing with known individuals, you’re dealing with anonymous adversaries that are capable of rapid change.

In casinos, if Dom “Roll Star” Spinale decided to get a new name and bag the aviator sunglasses, chances are he'd still be recognizable – and most likely sitting at a craps table. When you bring the same approach to the cybersecurity world, you don't have a photo, a name, a defined M.O. or any other clues as to who is on the other end. Instead, you have the type of attack (malware, phishing, ransomware), an IP range and maybe an email. So what you’re sharing are file hashes, IPs to block, and maybe known email addresses. All really important, but clearly not as easy to pinpoint as a specific person with a set of defined habits or physical features that are impossible to mask from facial recognition technology that many casinos use today.

Image Source: Shutterstock via Hexadite
Image Source: Shutterstock via Hexadite

Additionally, unlike in casinos, cyber threats are capable of multiplying and morphing at a breakneck pace. As everything shifts to digital, there’s a seemingly endless supply of new threats and possible attack vectors. Monitoring for and blocking known threats is something that every organization should be doing, but it’s not as effective as it once was. By the time a threat signature is identified and shared, there’s ample opportunity for it to be masked again. And if the bad guys are getting the same threat feed as everyone else – which happens – they have real-time visibility into whether they're getting caught and can quickly change their tactics. We’re giving them real-time feedback into what’s working and what’s not so they can adjust on-the-fly.

Lingering fears

Without a doubt, threat intelligence sharing takes on a new level of complexity when we start talking about malicious systems instead of people. While many organizations want to benefit from collective threat intelligence, they are reticent about sharing back. This makes perfect sense when you consider the potential consequences of sharing attack information that could be connected back to a company. Were that to happen, you'd be broadcasting to the world that:

  1. My company was targeted in an attack that made it through my detection systems.
  2. The vulnerability that precipitated a breach is an open door to everyone else.
  3. I may now be required to report this breach.

Add to that the fact that sharing threat intelligence could also be informing the bad guys’ next attacks, and it can be hard for organizations to see the upside.

Where do we go from here?

As cyber threats grow and evolve, organizations have been focused on the “what.” We dwell on what information we’d be willing to share, knowing that adversaries have the power to use that information against us.

Perhaps what we should be doing is focusing more on the “how.” How do we share information in a way that empowers organizations to collectively fight back?

While I don’t have all the answers, here are a few thoughts for consideration:

What if threat feeds were only machine-to-machine accessible? For instance, if the threat intelligence was shared in a machine-readable format to a SIEM, then only the companies that have detection systems could use that information. It's unlikely that a scammer is going to buy an expensive system to check their work. The question then becomes about how those systems report back to the people in charge of them.

What if we could completely de-couple the organization from the threat, and there was no way to associate the two? There is a fine line between how much information is needed to be useful, and how much puts an organization’s concealed identity at risk. Still, cracking this code would allay many fears about providing intelligence back to the mother ship.

What if opt-in isn’t the right way to go about information sharing? When companies need to opt in to share data, overabundance of caution may get the best of them. On the other hand, if they’re already sharing information (albeit anonymously), would that change their mindset?

Each of these questions are deeper discussions in themselves. Please share your thoughts in the comments.

Related Content: 

Nathan has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action. For 10 years, Nathan has taken on marketing leadership roles in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Cloud Security's Changing Landscape
[Strategic Security Report] Cloud Security's Changing Landscape
Cloud services are increasingly becoming the platform for mission-critical apps and data. Heres how enterprises are adapting their security strategies!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.