Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.
April 1, 2016
3 Min Read
On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing (AIS) system, which allows the exchange of cyberthreat intelligence among private and public organizations. Increasing the breadth and speed of information sharing will reduce the number of security compromises, enabling all types of organizations to better defend themselves against emerging threats.
There is almost unanimous agreement among security professionals that cyberthreat information is valuable to their organizations. However, as we dig deeper into the attitudes and implementation barriers to sharing that information, we find myths and significant reticence.
First, let’s define cyberthreat intelligence and dispel a significant myth. Cyberthreat intelligence comprises details and metadata about suspicious and malicious activity, including attack vectors, weaknesses that are being exploited, and mitigation or containment actions. It does not contain any personally identifiable information, even when sharing a file reputation.
Next, let’s look at which threat and reputation data people are willing -- and unwilling -- to share. Intel Security recently surveyed almost 500 security professionals globally and found that about three-quarters of those involved with and knowledgeable about cyberthreat intelligence sharing are willing to pass on information about the behavior of observed malware. Malware details have been shared for a long time, typically with an incumbent vendor or nonaligned security organization. What is surprising is that this figure is not closer to 100%.
Around half of the security professionals surveyed are also willing to share reputation info on URLs, external IP addresses, and security certificates. This increased reluctance to share is typically attributed to company policy or industry regulations and often comes from concerns about legal repercussions from the entities that are identified as being potentially malicious.
Finally, only about one-third are willing to share file reputations, probably due to concerns about accidentally releasing some sensitive or confidential information in the file. Yet cyberthreat intelligence-sharing systems calculate a unique one-way hash to represent the file that is being convicted -- this is the only data that leaves the corporate system -- and the file cannot be recreated in any way using this value.
Sharing More Valuable Than Secrecy
Increasing support for cyberthreat-intelligence technical standards will help people understand exactly what is and is not included in a threat record and will broaden industry implementations. Although some organizations believe they stand a better chance of identifying and catching bad guys by themselves if they keep the attack details private, more and more realize that the changing nature of attacks makes sharing more valuable than secrecy. Standardization will also make it easier to combine and correlate multiple discrete observations into a larger and more accurate picture of a particular threat.
Catching modern, adaptive attacks is difficult for traditional endpoint and firewall defenses working in isolation because the attacks often mutate every few hours or days, faster than signature updates and scanning tools can keep up. The trend toward targeted attacks is also increasing interest in industry-specific cyberthreat intelligence. Although there are still barriers to overcome before cyberthreat intelligence sharing is widespread, those barriers are falling as successes are publicized and regulations are enacted to provide liability protection. Within a couple of years, shared cyberthreat intelligence will be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.
About the Author(s)
Senior Vice President, Intel Security
Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team is dedicated to advancing the research and intelligence gathering capabilities required to provide the latest protection solutions in malware, host and network intrusion, email, vulnerability, regulatory compliance, and web security.
Vincent has an extensive range of experience gained over 25 years in the information technology industry, including 11 years as the leader of Symantec's Security Response team. He is also a highly regarded speaker on Internet security threats and trends, with coverage in national and international press and broadcast media. He has been invited to testify on multiple government committees including the States Senate Committee on the Judiciary hearing on Combating Cyber Crime and Identify Theft in the Digital Age in April 2010, the United States Sentencing Commission's Public Hearing on Identity Theft and Restitution Act of 2008 in March 2009, and the United States Senate Committee on Commerce, Science, and Transportation on Impact and Policy Implications of Spyware onConsumers and Businesses in June 2008. In addition he has presented at many international conferences and was a committee member of the IEEE Industry Connections Study Group (ICSG) 2009-2010, and has also co-authored a book on Internet Security.
You May Also Like
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics