Hacking The Threat Intelligence-Sharing Model

A new report shines light on what's holding back more widespread, efficient sharing of attack intelligence among organizations
Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdles.

Most intel-sharing today occurs one-on-one between companies, using mainly old-school communications. "The bulk of sharing is using 1900s technology, email, and phone," says Lars Harvey, CEO of IID, which today published a new report on the state of intel-sharing. They share via email lists, server lists, spreadsheets, text files, and PDFs, he says.

"Certain exchanges are going on machine-to-machine-sharing at some level -- but very little," Harvey says.

So when a company hit by an attack shares information on malware or other indicators of the attack with another company, it often does so via a phone call or an email. The recipient then has to manually convert the intelligence into a format that can be fed into its computer systems and security tools to automate any protections against the attack. But it's that gap between the receipt and the application of threat data that can make all the difference in thwarting an attack.

More advanced exchanges, such as the financial services industry's FS-ISAC and Microsoft's recently announced threat intel-sharing platform, are adopting emerging industry protocols -- Structured Threat Information eXpression (STIX), a machine-readable language for describing threat intel, and the Trusted Automated eXchange of Indicator Information (TAXII), a protocol for transporting it -- to automate the exchange and use of that intel.

The manual process remains one of the biggest hurdles to effective intel-sharing today, according to the IID report, as are the trust, legal, and manpower challenges. According to the white paper -- which is based on interviews with Microsoft, Georgetown University, the City of Seattle, the Forum for Incident Response and Security Teams, a major U.S. bank, and others involved in intel-sharing -- many organizations are hesitant to share threat intel with their competitors and government regulators.

One of the most mature intel-sharing exchanges is that of the City of Seattle, now in the sixth year of a program that includes the city, seven surrounding municipalities, universities, the FBI, six maritime ports on Puget Sound, a hospital, and two energy utilities.

The so-called Public Regional Information Security Event Management (PRISEM) serves as a real-time analysis center of intel submitted by the participants, and alerts them of possible attacks or botnet activity. (Of the PRISEM acronym, City of Seattle CISO Michael Hamilton says: "It was an unfortunate branding coincidence. Thank goodness we bought an extra vowel." There are plans to ultimately change the name to avoid any further confusion with the NSA's recently revealed PRISM spying program, he adds.)

PRISEM uses a custom security information and event management (SIEM) system for analyzing and alerting its members of attacks and threats; log and event information is gathered from members' local networks and aggregated by PRISEM. The exchange has an arrangement with the federal government's local Fusion Center, which keeps a watch on potential terrorist plots or concerns.

When Hamilton earlier this year passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion Center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the "hits" communicating with the APT1 addresses. "It was very interesting that half of the positive hits were maritime ports. I don't know what to make of that," Hamilton says.
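The two steps the article describes, turning a machine-readable indicator feed into something security tools can act on and then searching collected logs for those indicators the way the Fusion Center analyst did, as an added example that is not code from IID, PRISEM, or any exchange named here. It uses STIX 2.1-style JSON, a later revision than the STIX of the article's time; the indicator values, object ids, and log records are constructed, and the pattern handling covers only the simple equality form shown.

```python
import ipaddress
import json
import re
# Constructed STIX 2.1-style bundle (later JSON format than the 2013 article describes; not from IID or PRISEM).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[domain-name:value = 'c2.example.net']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern": "[ipv4-addr:value = '999.1.1.1']"},  # malformed value: must never reach a blocklist
]})

# Constructed proxy/firewall records in key=value form; no real traffic.
LOG_LINES = [
    "2013-06-03T10:15:00Z src=10.1.2.3 dst=203.0.113.10 dport=443 action=allow",
    "2013-06-03T10:15:02Z src=10.1.2.9 dst=192.0.2.44 dport=80 action=allow",
    "2013-06-03T10:15:05Z src=10.1.7.1 dst=198.51.100.200 host=C2.example.net. action=allow",
]
# Handles only the simple equality comparisons used above; a full STIX pattern parser is out of scope.
_TERM = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']*)'")
_KV = re.compile(r"(\w+)=(\S+)")

def extract_indicators(bundle_json):
    """Turn STIX indicator objects into normalised IP and domain sets, dropping invalid values."""
    out = {"ipv4": set(), "domain": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for kind, value in _TERM.findall(obj["pattern"]):
            if kind == "ipv4-addr":
                try:
                    out["ipv4"].add(str(ipaddress.IPv4Address(value)))
                except ipaddress.AddressValueError:
                    continue  # feed quality varies; validate before anything automated acts on it
            else:
                out["domain"].add(value.lower().rstrip("."))
    return out

def find_hits(log_lines, indicators):
    """Return (line number, field, indicator) for every log record that touches a known IoC."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for field, value in _KV.findall(line):
            if field in ("src", "dst") and value in indicators["ipv4"]:
                hits.append((lineno, field, value))
            elif field == "host" and value.lower().rstrip(".") in indicators["domain"]:
                hits.append((lineno, field, value.lower().rstrip(".")))
    return hits
```

Running `find_hits(LOG_LINES, extract_indicators(STIX_BUNDLE))` flags the first and third records and ignores the malformed indicator, which is the part of the pipeline a manual email-and-spreadsheet workflow leaves to whoever retypes the feed.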

PRISEM is also about to link up with the US-CERT, he says, using STIX.

"By virtue of being local governments, we don't have a competition problem, so we can share information like private sector organizations can't," he says. "We are using events that occur on our networks and providing those to the Fusion Center analyst, who searches PRISEM for similar IOCs ... and monitors the jurisdiction and ports and notifies them if they have compromises. So we are integrating ... homeland security into this."

[An emerging standard is aimed at eliminating the manual process of converting intelligence into useful defense. See Attack Intelligence-Sharing Goes 'Wire-Speed'.]

Trust and legal implications are tricky for the private sector, however. The FS-ISAC has been successful in establishing trust among its members, according to the IID report. Said one head of threat intelligence at a major national bank interviewed for the report: Ultimately, "you have to have the trust that what's said or heard will be used for the purposes that it's needed to be used for, and nothing else."

Then there's the legal department. "Lawyers hate the unknown," IID's Harvey says. "There is uncertainty [associated with intel-sharing], and uncertainty scares lawyers. So they clamp down and say, 'You can't share.'"

The education sector, like financial services and the defense industrial base, has been at the forefront of intel-sharing. Eric Burger, professor of computer science at Georgetown University, says even the leading-edge industries are struggling with effective intel-sharing.

"We've been working on this for 10 years and right now it's still kind of abysmal," Burger said in the report. "Most companies don't even know that they could share information. Others know about it but don't want to. The ones that do, they find that it takes a few weeks to figure out who they want to share with and then it takes many, many months to get the lawyers to agree."

Organizations also struggle with how much to share, and worry about sharing the wrong information and thereby exposing too much about the attack they experienced, or sensitive company information.

Then there's the increasingly common problem of information overload. "They need to be able to organize it and deliver [to them] only the information they need," Harvey says. "Data that hasn't been analyzed or organized and put into packages can consume and not help me so much. So if I can say, 'I'm part of this community, and I can pull out parts [of intel] that are useful to me,' that's the ideal."

The full whitepaper, "Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What's Stopping Them from Collaborating More Effectively," is available from IID for download.