Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
3/31/2016
01:12 PM
Vincent Weafer
Vincent Weafer
Partner Perspectives
50%
50%

When It Comes To Cyberthreat Intelligence, Sharing Is Caring

Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats.

On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing (AIS) system, which allows the exchange of cyberthreat intelligence among private and public organizations. Increasing the breadth and speed of information sharing will reduce the number of security compromises, enabling all types of organizations to better defend themselves against emerging threats.

There is almost unanimous agreement among security professionals that cyberthreat information is valuable to their organizations. However, as we dig deeper into the attitudes and implementation barriers to sharing that information, we find myths and significant reticence.

First, let’s define cyberthreat intelligence and dispel a significant myth. Cyberthreat intelligence comprises details and metadata about suspicious and malicious activity, including attack vectors, weaknesses that are being exploited, and mitigation or containment actions. It does not contain any personally identifiable information, even when sharing a file reputation.

Next, let’s look at which threat and reputation data people are willing -- and unwilling -- to share. Intel Security recently surveyed almost 500 security professionals globally and found that about three-quarters of those involved with and knowledgeable about cyberthreat intelligence sharing are willing to pass on information about the behavior of observed malware. Malware details have been shared for a long time, typically with an incumbent vendor or nonaligned security organization. What is surprising is that this figure is not closer to 100%. 

Around half of the security professionals surveyed are also willing to share reputation info on URLs, external IP addresses, and security certificates. This increased reluctance to share is typically attributed to company policy or industry regulations and often comes from concerns about legal repercussions from the entities that are identified as being potentially malicious.

Finally, only about one-third are willing to share file reputations, probably due to concerns about accidentally releasing some sensitive or confidential information in the file. Yet cyberthreat intelligence-sharing systems calculate a unique one-way hash to represent the file that is being convicted -- this is the only data that leaves the corporate system -- and the file cannot be recreated in any way using this value.

Sharing More Valuable Than Secrecy

Increasing support for cyberthreat-intelligence technical standards will help people understand exactly what is and is not included in a threat record and will broaden industry implementations. Although some organizations believe they stand a better chance of identifying and catching bad guys by themselves if they keep the attack details private, more and more realize that the changing nature of attacks makes sharing more valuable than secrecy. Standardization will also make it easier to combine and correlate multiple discrete observations into a larger and more accurate picture of a particular threat.

Catching modern, adaptive attacks is difficult for traditional endpoint and firewall defenses working in isolation because the attacks often mutate every few hours or days, faster than signature updates and scanning tools can keep up. The trend toward targeted attacks is also increasing interest in industry-specific cyberthreat intelligence. Although there are still barriers to overcome before cyberthreat intelligence sharing is widespread, those barriers are falling as successes are publicized and regulations are enacted to provide liability protection. Within a couple of years, shared cyberthreat intelligence will be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats. 

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nathanwburke
50%
50%
nathanwburke,
User Rank: Author
4/12/2016 | 6:08:44 AM
Maybe not WHAT but HOW
In theory, the idea of sharing threat intel makes all the sense in the world. As you touched on, the problem in cybersecurity is that you're talking about anonymous adversaries that are constantly changing. While it is important to know file hashes, IPs and some email addresses to block, that system is based on limited data and not exact. Additionally, threats are constantly morphing and changing, so by the time you've identified one, it has already changed. Furthermore, if the bad guys are getting the same threat feed as everyone else, they'll be able to change their attacks in real-time and will see whether they're getting caught -- it's like giving them a real-time tool to check whether their attacks are able to bypass detection systems.

Perhaps the issue isn't WHAT companies are willing to share, but HOW they're willing to share it. For example:


  • What if threat feeds were only machine-to-machine accessible? For instance, if the threat intel was shared in a machine readable format to a SIEM, then only those companies that have detection systems could use that information. It's unlikely that a scammer is going to buy an expensive system to check their work. And if we're talking about systems instead of people, the question then becomes: how do these systems share the information back?
  • What if we could de-couple the organization from the threat, and there was no way to associate the two? Maybe then companies wouldn't have an issue with a system reporting findings back to the mother ship.
  • What if opt-in isn't the right way to go about information sharing? When companies need to opt in to share data, overabundance of caution may get the best of them. On the other hand, if they're already sharing information (albeit anonymously), would that change their mindset?

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).