Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:12 PM
Connect Directly

Hacking The Threat Intelligence-Sharing Model

A new report shines light on what's holding back more widespread, efficient sharing of attack intelligence among organizations

Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdles.

Most intel-sharing today occurs one-on-one between companies, using mainly old-school communications. "The bulk of sharing is using 1900s technology, email, and phone," says Lars Harvey, CEO of IID, which today published a new report on the state of intel-sharing. They share via email lists, server lists, spreadsheets, text files, and PDFs, he says.

"Certain exchanges are going on machine-to-machine-sharing at some level -- but very little," Harvey says.

So when a company hit by an attack shares information on malware or other indicators of the attack with another company, it often does so via a phone call or an email. The recipient then has to manually convert the intelligence into a format that can be fed into its computer systems and security tools to automate any protections against the attack. But it's that gap between the receipt and the application of threat data that can make all the difference in thwarting an attack.

More advanced exchanges, such as that of the financial services FS-ISAC as well as Microsoft, which recently announced its own threat intel-sharing platform, are adopting emerging industry protocols -- such as Structured Threat Information eXpression (STIX) for a machine-readable language for threat intel, and the Trusted Automated eXchange of Indicator Information (TAXII) protocol for transporting that information -- to automate the exchange and use of that intel.

The manual process remains one of the biggest hurdles to effective intel-sharing today, according to the IID report, as are the trust, legal, and manpower challenges. According to the white paper -- which is based on interviews with Microsoft, Georgetown University, the City of Seattle, the Forum for Incident Response and Security Teams, a major U.S. bank, and others involved in intel-sharing -- many organizations are hesitant to share threat intel with their competitors and government regulators.

One of the most mature intel-sharing exchanges is that of the City of Seattle, now in the sixth year of a program that includes the city, seven surrounding municipalities, universities, the FBI, six maritime ports on Puget Sound, a hospital, and two energy utilities.

The so-called Public Regional Information Security Event Management (PRISEM) serves as a real-time analysis center of intel submitted by the participants, and alerts them of possible attacks or botnet activity. (Of the PRISEM acronym, City of Seattle CISO Michael Hamilton says: "It was an unfortunate branding coincidence. Thank goodness we bought an extra vowel." There are plans to ultimately change the name to avoid any further confusion with the NSA's recently revealed PRISM spying program, he adds.)

PRISEM uses a custom security and information event management (SIEM) for analyzing and alerting its members of attacks and threats; log and event information is gathered from members' local networks and aggregated by PRISEM. The exchange has an arrangement with the federal government's local Fusion Center that keeps a watch on potential terrorist plots or concerns.

When Hamilton earlier this year passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the "hits" communicating with the APT1 addresses. "It was very interesting that half of the positive hits were maritime ports. I don't know what to make of that," however, Hamilton says.

PRISEM is also about to link up with the US-CERT, he says, using STIX.

"By virtue of being local governments, we don't have a competition problem, so we can share information like private sector organizations can't," he says. "We are using events that occur on our networks and providing those to the Fusion Center analyst, who searches PRISEM for similar IOCs ... and monitors the jurisdiction and ports and notifies them if they have compromises. So we are integrating ... homeland security into this."

[An emerging standard is aimed at eliminating manual process of converting intelligence into useful defense. See Attack Intelligence-Sharing Goes 'Wire-Speed' .]

Trust and legal implications are tricky for the private sector, however. The FS-ISAC has been successful in establishing trust among its members, according to the IID report. Said one head of threat intelligence at a major national bank interviewed for the report: Ultimately, "you have to have the trust that what's said or heard will be used for the purposes that it's needed to be used for, and nothing else."

Then there's the legal department. "Lawyers hate the unknown," IID's Harvey says. "There is uncertainty [associated with intel-sharing], and uncertainty scares lawyers. So they clamp down and say, 'You can't share.'"

The education sector, like financial services and the Defense industrial base, has been on the forefront of intel-sharing. Eric Burger, professor of computer science at Georgetown University, says even the leading-edge industries are struggling with effective intel-sharing.

"We've been working on this for 10 years and right now it's still kind of abysmal," Burger said in the report. "Most companies don't even know that they could share information. Others know about it don't want to. The ones that do, they find that it takes a few weeks to figure out who they want to share with and then it takes many, many months to get the lawyers to agree."

Organizations also struggle with how much to share or worries about sharing the wrong information, thus exposing too much about the attack they experienced or sensitive company information, for example.

Then there's the increasingly common problem of information overload. "They need to be able to organize it and deliver [to them] only the information they need," Harvey says. "Data that hasn't been analyzed or organized and put into packages can consume and not help me so much. So if I can say, 'I'm part of this community, and I can pull out parts [of intel] that are useful to me,' that's the ideal."

The full whitepaper, "Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What's Stopping Them from Collaborating More Effectively" is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...