Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

4/26/2017
01:30 PM
Paul Kurtz
Paul Kurtz
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Threat Intelligence Is (Still) Broken: A Cautionary Tale from the Past

There is much to be learned from the striking parallels between counter-terrorism threat analysis before 9-11 and how we handle cyber threat intelligence today.

When it comes to threats in cyberspace, is it fair to say “what’s past is prologue”?

Maybe.

Former CIA Director George Tenet’s statement less than two months before 9-11 that “the system was blinking red” is eerily familiar to our current threat environment in cyberspace. We have a preponderance of reporting on adversaries but the availability of specific, actionable detail is sparse.

This is not a prediction of a “cyber 9-11” but rather identification of the striking parallels between how we approached counter-terrorism threat analysis before 9-11 to how we handle cyber threat intelligence today. Our approach to cyber threat intelligence is broken.

Image Source: Adam Parent via Shutterstock
Image Source: Adam Parent via Shutterstock

Before Everything Changed
As a member of the counter terrorism team at the White House for two years leading up to 9-11, we had more than a sinking suspicion that the most important intelligence about al-Qaeda’s attack plans was kept inside the walls of our own intelligence agencies. During daily video conferences with FBI, NSA, and CIA, I was told certain reporting details could not be shared with all of the participants because of source sensitivity, legal constraints, or bureaucratic turf wars. It was disturbing and disastrous, as we know what ultimately happened. Critical data —including information on the hijackers’ pilot training classes— remained unavailable to other agencies.

On the counter terrorism team we had extensive access to terrorism reporting, but as documented in the 9-11 Commission’s report, the team did not have access to “internal, non-disseminated information at the NSA, CIA, or FBI.” While agencies were charged to work together, in reality, each worked independently to gather and assess threat data while withholding certain details from each other, failing to understand the dangers of non-disclosure.

The challenge that we faced then —and now— is how to gain access to what is really happening inside company networks.

What’s the Same?

  • The most important data remains inside organizations. Before 9-11, we understood al-Qaeda was a threat, but we did not have access to specific details, which if fused could have shed light on the plot underway to launch the attacks. Today we know that Russia, Iran, North Korea, and China and criminal organizations represent a serious threat, yet the specific details of tactics, techniques, and procedures (TTP) they use to gain access to systems remain closely held. For example, consider the email hacks against the DNC that were attributed to Russia during the 2016 election called Grizzly Steppe. The U.S. government’s first release of Grizzly Steppe information on December 29 was not useful because it lacked context. After the security community voiced concern, the government released additional information providing more context. Individual organizations are aware of TTP, but are unwilling to release data in a timely way because it’s seen as too risky from a market perspective.
  • The system is blinking red. There was a drumbeat of intelligence in the summer of 9-11 with reporting presented to top officials on Bin Ladin launching attacks in the U.S., India, Israel, Italy, and the Gulf. Analysts could barely keep pace with the reporting. Today, similarly, data on cybersecurity threats is continually growing, as is the frequency and severity of attacks. The “blinking red” analogy is an apt description of the situation at Target prior to the attack in 2013 and several more since, illustrating a race to the bottom with an endless offering of threat data - much of which is not timely, actionable or relevant.
  • No common situational awareness. Our current picture of cyberspace is strikingly similar to the pre-9-11 environment. Much like each intelligence agency having its own view prior to 9-11, we have a company-centric view of cyberspace. It is necessary but not sufficient to self-select into sector-specific sharing when we know that adversaries use the same tools and infrastructure to strike multiple sectors. 

What’s Different?

  • Government can’t help. In the case of counterterrorism, government has the mandate, authority, and resources to track and address the threat. This is not the case in cyberspace. Government’s ability to act is limited. Government agencies are unaware of the attacks occurring on a daily basis inside companies. Companies assume that the U.S. government can provide “tip off,” when, in fact, the private sector may possess the most useful data and either not know it, or be unable to share it or access it effectively.
  • Adversaries are more plentiful. There are numerous terrorist organizations in existence today, and unfortunately, the number of cyber adversaries are more plentiful. Adversaries range from terrorists themselves to hacktivists, criminals, and nation states. Their motives vary and they can easily mask their identities, obfuscate attribution, or piggyback on the work of others. We learned from the recent Wikileaks Vault 7 dump that the CIA’s alleged “Marble Framework” has obfuscation technology that can make it appear that an attack has come from elsewhere.
  • Doing more damage with less. Adversaries have an asymmetric advantage as they leverage computers to do their work for them from afar and need only find one way in to render significant damage ranging from the theft and destruction of data. They are using software to increase their speed, reach, and returns. They share attack infrastructure as well.

Change is Necessary NOW
Avoiding large scale disasters in cyberspace requires a shift in thinking. While individual companies are responsible for securing themselves, it is no longer possible for any one company to “go it alone” and defend itself without real-time insight of what attacks are happening against others.

The current landscape of threat intelligence platforms (TIPs) and tools can assist with the aggregation of external threat feeds from thousands of open source feeds or proprietary intelligence providers inside an organization. But this siloed approach creates a noisy false sense of security, and does little to protect or incentivize actual intelligence exchange and collaboration across teams, tools, and companies. These platforms lack the technology needed to scale real-time exchange between companies that can discern market risk, and identify what has immediate value to security operators.

While the government is hamstrung by bureaucracy and regulations, the private sector has the imperative to determine its own destiny when it comes to threat intelligence sharing. This isn’t a pipe dream; we’re seeing organizations like the Cloud Security Alliance and OASIS take steps towards this new era of intelligence exchange today.

We must continue to lay the groundwork for a secure exchange network across the private sector so that we can avoid future large-scale hacks.

Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

Related Content:



 

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.