As worldwide cyber threats keep growing, cyber criminals constantly adapt their methods to attack organizations and evade detection. Standing alone against such attackers, most organizations don’t have a chance; they need effective threat communication between the public and private sectors.
To keep ahead of the cyber crooks, we must also understand the challenges facing intelligence sharing to get better at it.
Why talk about threat intelligence sharing now?
According to a recent McAfee Threat Report, organizations face the growing complexity of technology (e.g., apps, devices, cloud) that can be deployed quickly without being securely configured or receiving adequate IT/security review. Attacks can also come from anywhere, at any time, and often rapidly adapt to changing circumstances. In just a week, hackers used the leaked NSA spying tools from the Equation Group to exploit Windows systems with unpatched SMB file-sharing service vulnerabilities.
Attackers are also increasing in sophistication. Some call them “legions of orcs” — an entire industry built to support attackers, subcontractors, malware suppliers, “as-a-service” providers and target list vendors.
Since the volume and frequency of attacks are so high, organizations must quickly share intelligence that can easily be read by machines in order to contain the attacks.
The McAfee report further describes the background on the challenges and drivers for threat intelligence sharing.
Types of Information Sharing Models
Information sharing and analysis centers (ISACs) are nonprofit organizations that function as a “clearing house” for cyber intelligence between federal, state, local and industry verticals and critical infrastructure sectors. For example, there are ISACs in the auto, aviation, electricity, retail, financial services, nuclear and water industries.
Similarly, information sharing and analysis organizations (ISAOs) are defined more broadly than ISACs: they can be private or nonprofit, and they can focus on a specific threat or region.
There are also hundreds of computer emergency response teams (CERTs) and incident response teams (IRTs) around the globe. One of the better known CERTs is the CERT division of Carnegie Mellon University’s Software Engineering Institute (SEI).
The Threat Report further describes five critical challenges pertaining to threat intelligence sharing, along with guidance to overcome them.
5 cyber threat intelligence challenges
1) Volume – Enhanced security sensors feed a high volume of data into threat intelligence tools. Even with threat analytics tools, there is a massive “signal-to-noise” problem. Although systems are getting better at detection, human analysts are still needed to triage and act on the threat intelligence. Further automation and process orchestration will be needed.
2) Validation – Be aware of fake threat reports that could distract you from stealthier threats. Use outside validation to help ensure that threat intelligence is sent by trusted sources and hasn’t been tampered with. Examples include encrypting, hashing and digitally signing content.
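The following is an added example, not code from the article or from McAfee, showing why a plain hash and an authenticated tag answer different questions when validating a shared indicator bundle. It uses HMAC-SHA256 from Python’s standard library as a stand-in for a digital signature: a real exchange would use public-key signatures so that a consumer holding only the public key cannot forge reports. The bundle layout, the producer name, the indicator values and the shared key are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed indicator bundle, roughly what an ISAC might distribute.
# Field names are illustrative and do not follow any particular standard.
SAMPLE_BUNDLE = {
    "producer": "example-isac",
    "published": "2017-05-15T10:00:00Z",
    "indicators": [
        {"type": "sha256",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
         "confidence": 90},
        {"type": "domain", "value": "bad.example", "confidence": 60},
    ],
}

# Constructed shared secret; a real feed would exchange keys out of band.
SHARED_KEY = b"constructed-shared-secret-for-demo-only"


def canonical_bytes(bundle: dict) -> bytes:
    """Serialize deterministically so producer and consumer hash identical bytes.

    Sorted keys and fixed separators matter: two JSON encodings of the same
    object can differ in key order or whitespace, which would make a correct
    tag fail to verify.
    """
    return json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(bundle: dict) -> str:
    """Integrity only: detects corruption, but anyone can recompute it after editing."""
    return hashlib.sha256(canonical_bytes(bundle)).hexdigest()


def sign_bundle(bundle: dict, key: bytes) -> str:
    """Producer side: the HMAC tag binds the content to the shared key."""
    return hmac.new(key, canonical_bytes(bundle), hashlib.sha256).hexdigest()


def verify_bundle(bundle: dict, tag: str, key: bytes) -> bool:
    """Consumer side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign_bundle(bundle, key), tag)


def demo() -> dict:
    """Run the genuine, tampered and untrusted-source cases and report the outcomes."""
    tag = sign_bundle(SAMPLE_BUNDLE, SHARED_KEY)
    genuine_ok = verify_bundle(SAMPLE_BUNDLE, tag, SHARED_KEY)

    # A fake indicator is inserted that would have defenders block a legitimate
    # domain (the "distract you from stealthier threats" case). The tag no longer matches.
    tampered = json.loads(json.dumps(SAMPLE_BUNDLE))
    tampered["indicators"].append({"type": "domain", "value": "update.example", "confidence": 95})
    tampered_ok = verify_bundle(tampered, tag, SHARED_KEY)

    # A report tagged under a different key, i.e. not from a trusted source.
    wrong_key_ok = verify_bundle(SAMPLE_BUNDLE, sign_bundle(SAMPLE_BUNDLE, b"other-key"), SHARED_KEY)

    # The plain hash also changes, but a forger can simply publish the new hash.
    hash_unchanged = content_hash(SAMPLE_BUNDLE) == content_hash(tampered)

    return {
        "genuine": genuine_ok,
        "tampered": tampered_ok,
        "wrong_key": wrong_key_ok,
        "hash_unchanged": hash_unchanged,
    }


if __name__ == "__main__":
    print(demo())
```

The canonicalization step is the part that most often goes wrong in practice: if the producer tags one serialization and the consumer re-serializes before verifying, valid reports will be rejected as tampered.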
3) Quality – Know the difference between definitive indicators of compromise (IoCs) and the entire feed of intelligence data, which may have little or no value. More threat exchanges are coming online, but vendors will need to re-architect security sensors so that data includes more details related to persistent attacks and becomes more actionable. Look for more to come in 2017 from the Cyber Threat Alliance (CTA). Founding members of the CTA include Check Point, Cisco, Fortinet, Intel Security, Palo Alto Networks and Symantec.
4) Speed – The time between threat detection and reception of the intelligence is critical. Information that arrives too late can still be valuable, but it is often only used for cleanup. We need open and standardized communication protocols. Propagation of attacks between compromised systems can happen in minutes, so communications between sensors and systems need to operate in near real time. Advanced persistent threats (APTs) often go after multiple companies in the same vertical, so communication from one to the others (via an intermediary or exchange) has to take place within hours of the first IoC.
5) Correlation – Look for patterns and key data relevant to your organization. Organizations need to validate data in near real time, correlate it across many systems and devices, and use the information to triage and turn it into higher quality events. Prioritize incidents to focus on higher risk events.
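As an added example covering both the Quality and Correlation points above (not code from the article or from any vendor named in it), the script below takes a small constructed indicator feed and constructed log lines from three sources, matches observed values against the feed, and scores each hit by indicator confidence, how many distinct sources and hosts saw it, and whether the indicator is stale relative to the sighting. The feed fields, the log format, the scoring weights and the 30-day staleness window are all assumptions chosen for illustration; a real deployment would tune them to its own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed feed: one definitive IoC, one solid IP, and two low-context entries.
FEED = [
    {"type": "domain", "value": "bad.example", "confidence": 90, "first_seen": "2017-05-15T08:00:00Z"},
    {"type": "ip", "value": "203.0.113.7", "confidence": 85, "first_seen": "2017-05-15T09:30:00Z"},
    {"type": "domain", "value": "cdn.example", "confidence": 20, "first_seen": "2017-04-01T00:00:00Z"},
    {"type": "ip", "value": "198.51.100.9", "confidence": 40, "first_seen": "2017-02-01T00:00:00Z"},
]

# Constructed log lines: "<timestamp> <source> key=value ...".
LOGS = [
    "2017-05-15T10:01:02Z proxy host=ws-17 dst=bad.example action=allow",
    "2017-05-15T10:01:05Z dns host=ws-17 query=bad.example rcode=NOERROR",
    "2017-05-15T10:02:40Z firewall src=10.0.0.17 dst=203.0.113.7 dport=443 action=allow",
    "2017-05-15T10:05:00Z proxy host=ws-42 dst=cdn.example action=allow",
    "2017-05-15T10:06:11Z proxy host=ws-03 dst=cdn.example action=allow",
    "2017-05-15T10:07:30Z dns host=ws-42 query=bad.example rcode=NOERROR",
]


def parse_line(line: str) -> dict:
    """Split a constructed log line into timestamp, source and key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, TS_FMT), "source": source, "fields": fields}


def observed_values(event: dict) -> set:
    """Values in an event that could match a feed indicator (destinations and DNS queries)."""
    return {event["fields"][k] for k in ("dst", "query") if k in event["fields"]}


def priority(score: int) -> str:
    """Bucket a score so analysts can triage the high-risk events first (assumed thresholds)."""
    if score >= 80:
        return "high"
    if score >= 50:
        return "medium"
    return "low"


def correlate(feed: list, logs: list, max_age_days: int = 30) -> list:
    """Match logs against the feed and rank indicators by corroboration across systems."""
    by_value = {ind["value"]: ind for ind in feed}
    hits = defaultdict(lambda: {"sources": set(), "hosts": set(), "count": 0, "first_hit": None})

    for raw in logs:
        ev = parse_line(raw)
        host = ev["fields"].get("host") or ev["fields"].get("src", "unknown")
        for value in observed_values(ev):
            if value not in by_value:
                continue
            h = hits[value]
            h["sources"].add(ev["source"])
            h["hosts"].add(host)
            h["count"] += 1
            if h["first_hit"] is None or ev["ts"] < h["first_hit"]:
                h["first_hit"] = ev["ts"]

    results = []
    for value, h in hits.items():
        ind = by_value[value]
        # Assumed weights: each extra corroborating source and host raises the score;
        # a sighting long after the indicator was first reported is penalised as stale.
        score = ind["confidence"] + 20 * (len(h["sources"]) - 1) + 10 * (len(h["hosts"]) - 1)
        stale = h["first_hit"] - datetime.strptime(ind["first_seen"], TS_FMT) > timedelta(days=max_age_days)
        if stale:
            score -= 25
        results.append({
            "value": value,
            "type": ind["type"],
            "score": score,
            "priority": priority(score),
            "stale": stale,
            "sources": sorted(h["sources"]),
            "hosts": sorted(h["hosts"]),
            "hits": h["count"],
        })

    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in correlate(FEED, LOGS):
        print(r["priority"], r["score"], r["value"], r["sources"], r["hosts"])
```

On the constructed data, bad.example rises to the top because two independent sources (proxy and DNS) and two hosts corroborate a high-confidence indicator, while cdn.example, seen on two hosts but from a weak and six-week-old feed entry, drops to low priority; an indicator with no sightings never reaches the analyst at all.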
It is important to note that just throwing more technology and resources at the problem will not solve it. We need a solid security and data protection strategy: understand where your most critical data is and secure it, rather than taking a “broad brush” approach to protecting everything.
Read more in our previous article “Report: Cybersecurity Sharing More Valuable Say Security Pros.”