Threat Intelligence Sharing

In the modern threat landscape, enterprises find themselves facing off with well-funded, organized hacking groups. Having the right tools and countermeasures in place is important, but perhaps just as important is what is done with the volumes of threat data these tools collect. After a successful breach, forensics investigators often find indicators that could have forewarned security staff and perhaps thwarted the attack. The problem is that the pieces of the puzzle were looked at individually and dismissed, when together they would have painted the reality of a pending attack. Threat intelligence sharing is all about putting together the pieces of the puzzle before an event can do harm.

There are three strata of threat intelligence sharing going on today in cybersecurity:

1)      Intra-product sharing: integrated security platforms with feedback loops and internal correlation capabilities.

2)      Intra-environment sharing: aggregation of threat intelligence across multiple platforms within the same organization.

3)      External sharing: threat intelligence being shared outside of an organization.

Cloud-based reputation services, file sandboxing functions, automated signature generators and network/endpoint event correlation are all instances of intra-product threat intelligence sharing. Some security vendors are taking steps to aggregate threat intelligence found at their customer sites and distribute derived countermeasures to their install base. This sort of integration can be seen in Palo Alto Networks WildFire, where signatures for new malware ,command and control, malicious domains and DNS requests are automatically aggregated and shared with all customers worldwide.

Integrating security products within an organization, typically using Security Information and Event Management (SIEM) tools, would be an example of intra-environment sharing. Mature security infrastructures typically have a security staff that can perform personal analysis on the data received from their network and endpoint security products. The idea is to prioritize the volume of data down to a manageable amount using SIEM or other analytic tools. For the mid-sized enterprise, where security is a shared function among network and systems teams, there is rarely time, resources or manpower to do personal analysis. These organizations tend to rely on the automated use of threat intelligence embedded in their security products. However, regardless of size, most organizations are in constant struggle to parse significant amounts of data to protect the network.

Outside of these integrations, very little sharing of actual threat intelligence occurs between companies, government agencies and academia. Some point to the legal ramifications of exposing information surrounding a hack and others to the competitive business landscape or lack of trust between peer organizations. Organizations experiencing a data breach not only fear loss of reputation and intellectual property, but also must face regulatory investigations and potential fines. The added complexities of choosing what to share and who to share with, as well as deciding how to package the data and then ultimately delivering it, keeps threat intelligence sharing very low on the priority list of many organizations.

Meaningful conversations have begun in the industry to expand on the concept of threat intelligence sharing as a means to unite against the rising tide of sophisticated custom attacks. Darkreading.com published an article that showcases a few of the most successful efforts in the West. The article cites the City of Seattle’s Public Regional Information Security Event Management system which, over the past seven months, has served as a real-time analysis center for threat intelligence submitted from participating local members.

Information Sharing and Analysis Centers (ISACs) have been forming across various industry groups. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC) are two examples of leading ISACs.  Sharing within specific industries is a good start, but to be effective against centralized governments with nationalized internet resources, respective de-centralized countries must do much more sharing.

The Federal Bureau of Investigation sponsors a national-level program called InfraGard. InfraGard is a public-private partnership between the FBI and members of the private sector who are focused on intrusions and vulnerabilities effecting critical infrastructure. This group brings federal law enforcement, business and academics together in a trust-based information sharing relationship concerning various terrorism, intelligence, criminal and security matters, as they relate to National Critical Infrastructure. 83 local chapters of InfraGard exist across the United States today. The FBI has been attracting over 7,000 new applicants each year.

One of the barriers to threat intelligence sharing has been a lack of standards for communicating threat intelligence across organizations. MITRE has been working on a DHS lead effort to standardize the technical mechanisms required to enable broad sharing of cyber-threat intelligence across industries and organizational types. STIX, Structured Threat Information eXpression, is a community-driven solution to provide an expressive, flexible, extensible and readable language to allow for automation and communication. STIX is being designed to unify a diverse set of threat information from observed behaviors, indicators of compromise and exploit tactics to exploit targets, cyber-attack campaigns, and threat actors. The name STIX has an interesting connotation to it- no, not the musical group Styx. The river Styx, in Greek mythology, forms the boundary between Earth and the underworld, as would the standard STIX form a river of information that would hopefully put more distance between enterprise networks and attackers. TAXII, Trusted, Automated eXchange of Indicator Information, is a related effort that defines mechanisms used to exchange cyber threat information including STIX formatted data.

If standards like STIX and TAXII take hold in the commercial space, it could help enable organizations under attack to inform outside organizations of what new threats they may face next. Hubs would be created to act as clearinghouses for the information and allow operators to determine the operational value and motives for participation. Jon Baker with MITRE commented, “Broad federated information sharing is an essential component to establish a collective situational awareness and allow organizations to focus resources on the most important defensive measures for the current threat.”

What would motivate organizations to join such a federation? The simplest answer is to get a multiplier of threat data back beyond what they contribute. The challenge of what to do with that data once obtained is the next step. “Increasingly organizations are recognizing the need for this sort of federated sharing. There is a broad set of participants including security vendors, government agencies, user organizations, ISACs, and others working closely to define and implement TAXII and STIX as the mechanisms to enable this sort of federated sharing,” says Baker.

Having automated sharing capabilities built into tomorrow’s security products could be one answer to the complexities of sharing, making the strategy feasible for organizations of all sizes. Threat intelligence could be fed into a tree of participating hubs that then share among themselves and their members. Automated response would extend this capability, helping to correlate indicators and preliminary events and enabling individual security teams to best prepare.

With all of this threat intelligence moving faster and farther than ever before, another issue arises: would this effort be just as valuable for attackers? As an attacker, it might be all too easy to gain membership to one of these hubs and monitor the progress and effectiveness of their attack. While the targeted attack is being perpetrated on one screen, a second screen could be watching the threat intelligence feed to determine if the target organization has detected the intrusion. This would be akin to criminals monitoring the police radio band while committing a crime and listening for units being dispatched. To try and deter this from occurring, certain sharing groups, such as the FBI’s InfraGard, require background checks on members wishing to join and non-disclosure agreements to maintain a modicum of control over the potentially sensitive information discussed.

In this day and age where we seem to be losing the war against cybercrime and cyber-espionage, threat intelligence sharing may pave the way for greater security. Like all good ideas it will require pioneers willing to blaze a trail through the complications and missteps to prove the worth and efficacy of threat intelligence sharing.