Vulnerabilities / Threats

9/25/2013
04:12 PM
Hacking The Threat Intelligence-Sharing Model

A new report shines light on what's holding back more widespread, efficient sharing of attack intelligence among organizations

Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdles.

Most intel-sharing today occurs one-on-one between companies, using mainly old-school communications. "The bulk of sharing is using 1900s technology, email, and phone," says Lars Harvey, CEO of IID, which today published a new report on the state of intel-sharing. They share via email lists, server lists, spreadsheets, text files, and PDFs, he says.

"Certain exchanges are going on machine-to-machine-sharing at some level -- but very little," Harvey says.

So when a company hit by an attack shares information on malware or other indicators of the attack with another company, it often does so via a phone call or an email. The recipient then has to manually convert the intelligence into a format that can be fed into its computer systems and security tools to automate any protections against the attack. But it's that gap between the receipt and the application of threat data that can make all the difference in thwarting an attack.

More advanced exchanges, such as that of the financial services FS-ISAC as well as Microsoft, which recently announced its own threat intel-sharing platform, are adopting emerging industry protocols -- such as Structured Threat Information eXpression (STIX) for a machine-readable language for threat intel, and the Trusted Automated eXchange of Indicator Information (TAXII) protocol for transporting that information -- to automate the exchange and use of that intel.

The manual process remains one of the biggest hurdles to effective intel-sharing today, according to the IID report, as are the trust, legal, and manpower challenges. According to the white paper -- which is based on interviews with Microsoft, Georgetown University, the City of Seattle, the Forum for Incident Response and Security Teams, a major U.S. bank, and others involved in intel-sharing -- many organizations are hesitant to share threat intel with their competitors and government regulators.

One of the most mature intel-sharing exchanges is that of the City of Seattle, now in the sixth year of a program that includes the city, seven surrounding municipalities, universities, the FBI, six maritime ports on Puget Sound, a hospital, and two energy utilities.

The so-called Public Regional Information Security Event Management (PRISEM) serves as a real-time analysis center of intel submitted by the participants, and alerts them of possible attacks or botnet activity. (Of the PRISEM acronym, City of Seattle CISO Michael Hamilton says: "It was an unfortunate branding coincidence. Thank goodness we bought an extra vowel." There are plans to ultimately change the name to avoid any further confusion with the NSA's recently revealed PRISM spying program, he adds.)

PRISEM uses a custom security information and event management (SIEM) system for analyzing threats and alerting its members of attacks; log and event information is gathered from members' local networks and aggregated by PRISEM. The exchange has an arrangement with the federal government's local Fusion Center, which keeps a watch on potential terrorist plots or concerns.

When Hamilton earlier this year passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion Center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the "hits" communicating with the APT1 addresses. "It was very interesting that half of the positive hits were maritime ports. I don't know what to make of that," Hamilton says.

PRISEM is also about to link up with the US-CERT, he says, using STIX.
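As an added illustration of the conversion gap described above (intelligence arriving as free-text email that must be turned into something security tools can consume) and of the address scan the Fusion Center analyst ran, the following Python is example code, not from the IID report, PRISEM or any organization the article covers. It extracts IP indicators from a constructed email note, wraps them as STIX 2.1 Indicator objects, and matches them against constructed firewall log lines; STIX 2.1's JSON form postdates this 2013 article (which refers to the XML-based STIX 1.x), and the log format, addresses and internal-network list are assumptions.

```python
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# Constructed: the kind of free-text IOC note the article says is shared by email.
EMAIL_BODY = """Hi team, we saw C2 traffic to these hosts yesterday, please block:
198.51.100.23 and 203.0.113.77 (both on 443), plus 192.0.2.9.
Ignore 10.0.0.1, that is our own gateway."""

# Constructed firewall log lines, one connection per line (assumed key=value format).
LOG_LINES = """2013-09-24T10:01:02Z src=10.1.4.20 dst=203.0.113.77 dport=443 action=allow
2013-09-24T10:01:09Z src=10.1.4.21 dst=93.184.216.34 dport=80 action=allow
2013-09-24T10:02:44Z src=10.1.7.5 dst=198.51.100.23 dport=443 action=allow
2013-09-24T10:03:01Z src=10.1.4.20 dst=192.0.2.9 dport=8080 action=deny""".splitlines()

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed internal ranges (RFC 1918): the sender's own gateway must not become an IOC.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_iocs(text):
    """Pull unique, non-internal IPv4 addresses out of free text, in order seen."""
    found = []
    for ip in IPV4.findall(text):
        addr = ipaddress.ip_address(ip)
        if ip not in found and not any(addr in net for net in INTERNAL):
            found.append(ip)
    return found

def to_stix_indicators(ips, now=None):
    """Wrap each address in a STIX 2.1 Indicator object (ids and timestamps constructed)."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return [{"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
             "created": now, "modified": now, "indicator_types": ["malicious-activity"],
             "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
             "valid_from": now} for ip in ips]

PATTERN = re.compile(r"\[ipv4-addr:value = '([^']+)'\]")

def match_logs(indicators, log_lines):
    """Return (timestamp, src, dst) for each connection to an indicator address;
    denied attempts count too, since the internal host still tried to reach it."""
    watch = {PATTERN.fullmatch(i["pattern"]).group(1) for i in indicators}
    hits = []
    for line in log_lines:
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        if fields.get("dst") in watch:
            hits.append((ts, fields["src"], fields["dst"]))
    return hits
```

Running `match_logs(to_stix_indicators(extract_iocs(EMAIL_BODY)), LOG_LINES)` returns only the three internal hosts that contacted listed addresses, which is the "only the information they need" output the report's interviewees ask for.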

"By virtue of being local governments, we don't have a competition problem, so we can share information like private sector organizations can't," he says. "We are using events that occur on our networks and providing those to the Fusion Center analyst, who searches PRISEM for similar IOCs ... and monitors the jurisdiction and ports and notifies them if they have compromises. So we are integrating ... homeland security into this."

[An emerging standard is aimed at eliminating the manual process of converting intelligence into useful defense. See Attack Intelligence-Sharing Goes 'Wire-Speed'.]

Trust and legal implications are tricky for the private sector, however. The FS-ISAC has been successful in establishing trust among its members, according to the IID report. Said one head of threat intelligence at a major national bank interviewed for the report: Ultimately, "you have to have the trust that what's said or heard will be used for the purposes that it's needed to be used for, and nothing else."

Then there's the legal department. "Lawyers hate the unknown," IID's Harvey says. "There is uncertainty [associated with intel-sharing], and uncertainty scares lawyers. So they clamp down and say, 'You can't share.'"

The education sector, like financial services and the Defense industrial base, has been on the forefront of intel-sharing. Eric Burger, professor of computer science at Georgetown University, says even the leading-edge industries are struggling with effective intel-sharing.

"We've been working on this for 10 years and right now it's still kind of abysmal," Burger said in the report. "Most companies don't even know that they could share information. Others know about it but don't want to. The ones that do, they find that it takes a few weeks to figure out who they want to share with and then it takes many, many months to get the lawyers to agree."

Organizations also struggle with how much to share, and worry about sharing the wrong information and thereby exposing too much about the attack they experienced, or sensitive company information.

Then there's the increasingly common problem of information overload. "They need to be able to organize it and deliver [to them] only the information they need," Harvey says. "Data that hasn't been analyzed or organized and put into packages can consume and not help me so much. So if I can say, 'I'm part of this community, and I can pull out parts [of intel] that are useful to me,' that's the ideal."

The full whitepaper, "Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What's Stopping Them from Collaborating More Effectively" is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
