Over the past 18 months, I’ve had the pleasure of working on a platform that gives companies access to threat intelligence in a way they’ve never had before. Instead of using a tool like Soltra Edge just to download intelligence, customers can now use the Perch solution to also detect and triage any alerts that come from their intelligence communities. Intelligence communities appear in many different forms, from the ‘informal’ e-mail or IRC channel groups that you’ll never know about, to the hyper-formal ISACs (Information Sharing and Analysis Centers) that are mandated by the US federal government. I’ve written previously about community threat intelligence.
Yet I haven’t touched on a topic that plagues a lot of companies and industries.
What if their industry doesn’t have a sharing center?
What if the companies don’t know about their industry sharing center?
What if the company doesn’t know how to use the intel?
Worst of all, what if the community doesn’t have any intel!?!?!
To help work through some thoughts here, I wanted to invite my first ever guest writer on my blog, Curtis Davis. I first met Curtis when he was investigating the Perch security solution. Over time, we got to work together, including co-presenting a talk on Security Automation and Detection at the LegalSec2017 conference. I found it fitting to continue our co-creation of (hopefully) thought-provoking content around cybersecurity, with a topic related to this question.
(Logistics: Chris’s paragraphs are on the left; Curtis’s are on the right, in italics.)
Where’s my industry’s threat intel?
When it comes to threat intelligence, no organization is an island. A threat to one financial services provider is a threat to the entire financial industry. Surprisingly, we still find that many industries haven’t established a formal threat intelligence sharing organization or consider their intelligence to be a competitive advantage. Let’s be clear — collectively, every industry produces valuable threat intelligence — but not every company feels comfortable sharing it with their peers.
You cannot buy institutional knowledge. Vendor-driven threat intelligence feeds are hit-or-miss when it comes to identifying an organization’s unique threat landscape (industry-specific attack vectors, threat actors, etc.), and these vendor agreements often prohibit outside distribution. If we can’t (or aren’t willing to) share information, everyone is at a disadvantage. To answer the question — it’s difficult to identify where an industry’s threat intel lives if communication channels have not been established.
You’re absolutely right in describing the mindset of companies that don’t share. They earned their intelligence, probably the hard way. Why would they share it? The problem as I see it is a simple matter of spent effort. It’s obviously way more efficient to share the research load across an industry. If I’m at Company A, and you’re at Company B, I can discover an exploit, and share it with you. The next time you find an exploit, you share it with me. That’s one area. Almost a global bug bounty program within an industry. The prize is a safer industry. The other side of that is a little more touchy. If my company gets exploited, attacked or infiltrated in some cyber way, for me to share indicators of compromise (IOC) or Techniques, Tactics and Procedures (TTP), then that’s “admitting” that I was either vulnerable, infiltrated or at least probed. There’s a very real concern for groups around confidence in the marketplace, for folks that don’t realize it happens to everyone. The average investor doesn’t know the difference between an attack and a breach. You admit to either, and you’ll be strung up! Currently, ISACs get their information from member companies or someone like the FBI. That information can be disseminated throughout other organizations, potentially with a layer of obfuscation to hide the original source.
Sharing IOCs from an attempted or successful breach certainly requires a degree of trust in your community. As you mentioned, ISACs will scrub and anonymize the data to limit the risk to the organization. Now that we’ve covered the “sharing” issues, I’d like to discuss a recent challenge I faced as a senior security practitioner for a global law firm. With the volume of information we were receiving from our vendor-driven feeds and industry ISAO, it was extremely difficult to filter through all of the noise. What’s important, and what can I safely ignore? And why can’t everyone agree on a standardized data format?
Many sharing organizations claim to disseminate information in “real time”, but offer nothing more than a listserv for member organizations to receive indicators via email. The more advanced ISACs are sharing information via open-source formats such as Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX). The combination of STIX and TAXII allows threat information to be standardized and shared (in most cases, automatically) amongst industry peers. Mature organizations are digesting STIX and TAXII feeds to automate and orchestrate their security operation centers (SOCs) — increasing efficiency in response to security threats. If Company A discovers a new exploit and shares IOCs with me via a standardized format, my intrusion detection/prevention systems can automatically digest signatures and protect my organization in real time. Why are some industries slow to adopt a standardized format for sharing, and how can we help them along?
Exactly! STIX and TAXII are the industry standards we have now. There are vendors out there that are building tools that ingest and export data via STIX and TAXII. That’s the start. Having built a product around the standards, I can tell you from experience that one of the biggest challenges is ingesting the data format. Sure, there are libraries and whatnot to help from a coding standpoint, but it’s not a walk in the park. STIX 2 is supposed to make it easier, but there will still be the challenge of noise that you mentioned. Noise is a challenge. There are two sides of it: noise on the intelligence, and then noise on the alerts that may come from sighting the intelligence in the real world. As a technologist, it’s my opinion that fixing that problem will take a pretty standard 3-legged stool approach: Vendors, Practitioners, Technology.
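To make the two previous points concrete (ingesting a STIX 2 feed, then cutting noise on both the intelligence and the sightings), here is an added example that is not from the post or from the Perch product. It reads a constructed STIX 2.1 bundle, keeps only indicators that are not revoked, still inside their validity window and above a confidence floor, and then looks for their values in a few constructed log lines. The bundle, the log lines and the `min_confidence` threshold are all assumptions; the pattern parser only handles the common `path = 'literal'` comparisons joined by OR, not the full STIX pattern grammar.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle: sample indicators only, not data from any real feed.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0d1a1f4e-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--0d1a1f4e-0000-4000-8000-000000000002", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2017-01-01T00:00:00Z", "confidence": 80},
    {"type": "indicator", "id": "indicator--0d1a1f4e-0000-4000-8000-000000000003", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example' OR ipv4-addr:value = '203.0.113.9']",
     "valid_from": "2017-01-01T00:00:00Z", "valid_until": "2017-06-01T00:00:00Z", "confidence": 50},
    {"type": "indicator", "id": "indicator--0d1a1f4e-0000-4000-8000-000000000004", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "valid_from": "2017-01-01T00:00:00Z", "revoked": True, "confidence": 90},
]})

# Constructed log lines standing in for a firewall/DNS feed.
SAMPLE_LOG = [
    "2017-03-01T10:00:01Z fw allow src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2017-03-01T10:00:02Z dns query host=www.example.org",
    "2017-03-01T10:00:03Z dns query host=bad.example",
]

# One comparison inside a STIX pattern: object path (optionally with a quoted
# hash key such as file:hashes.'SHA-256'), '=', then a single-quoted literal.
# AND / FOLLOWEDBY / WITHIN and other operators are deliberately not handled.
COMPARISON = re.compile(r"([\w:.-]+(?:'[^']*')?)\s*=\s*'([^']*)'")

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active_atoms(bundle_json, now, min_confidence=60):
    """Return (indicator_id, path, value) for each comparison of every indicator
    that is not revoked, is inside its validity window and meets the confidence
    floor. These three checks drop most of the noise on the intelligence side."""
    atoms = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        if now < parse_time(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_time(obj["valid_until"]):
            continue
        for path, value in COMPARISON.findall(obj["pattern"]):
            atoms.append((obj["id"], path, value))
    return atoms

def sightings(atoms, log_lines):
    """Report which active indicator values appear in which log lines (the alert side)."""
    return [{"line": n, "indicator": ind_id, "path": path, "value": value}
            for n, line in enumerate(log_lines, 1)
            for ind_id, path, value in atoms if value in line]
```

Raising `min_confidence` or letting `valid_until` pass is what turns three candidate indicators into one alert-worthy sighting, which is the filtering step the listserv-style feeds leave entirely to the analyst.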
I’d like to thank Curtis Davis for joining me in this paper. For now, it’s a blog post that we co-authored, but we will continue to discuss the topic going forward, as it’s a challenge in the security industry that we all need to figure out how to fix.
Curtis Davis is a Senior Security Engineer with data protection startup CryptoMove Inc. Prior to joining, Curtis led security operations for an AmLaw100 global law firm and previously served as a federal contractor for NASA’s security operation center.
Chris Fauerbach is a technologist. He’s served in executive positions at multiple cybersecurity startups. He actively consults and advises security and technology companies.