There’s no shortage of cybersecurity experts urging infosec pros to share more threat information with colleagues, competitors and governments.
But the head of a threat-sharing platform told the annual RSA Conference this week that the right information has to be collected, shared and applied or the effort will be wasted.
“We have made some faulty assumptions about information sharing,” said Michael Daniel, CEO of the Cyber Threat Alliance.
“As a result the foundation for most of our information sharing efforts is flawed. Since the foundation is flawed the resulting activity suffers from some fundamental weaknesses,” he said.
Arguably the biggest assumption is that the information that needs to be shared is technical, such as indicators of compromise and malware hashes. This data is usually shared through the STIX (Structured Threat Information Expression) language. But, Daniel said, cybersecurity relies on more than technical data. For example, the fact that an application needs to be patched isn’t technical information.
A second assumption is that all organizations should share the technical data they collect. But, Daniel said, most IT departments can’t produce or consume technical data. In fact, many organizations – such as not-for-profits – are bad at it.
And third, information sharing isn’t easy. The fact that the Cyber Threat Alliance had to be created is proof, he argued. “If you want to share at speed, at scale and high quality over a period of time, connecting the pipes isn’t sufficient.”
In Canada, one of the most well-known threat sharing platforms is the Canadian Cyber Threat Exchange. Others include national computer incident response centres and for-profit threat centres. Some industries offer them, such as the North American Electricity Information Sharing and Analysis Center, one of a number of ISACs in the U.S.
Daniel, who used to be the White House cybersecurity coordinator on the U.S. National Security Council during the Obama administration, argued there are four types of threat information:
- Technical (malware hashes, IP addresses, etc.).
- Tactical (information about specific instances of malicious activity, such as a threat actor targeting a specific organization or sector. This information is used to make adjustments to a network configuration, or to devices on the network).
- Operational (helps senior personnel make system-wide decisions, such as how often to patch. It would include reports of vulnerabilities and security flaws in software, attribution of an attacker, and defensive measures to take to mitigate exploits).
- Strategic (the rise of ransomware, or the data a nation-state is after. It would also include best practices. This type of information is aimed at the most senior personnel).
Within those categories, Daniel identified 11 types of threat information. But, he stressed, not all organizations can handle all of them.
In fact, he argued, most organizations only need to make a few cybersecurity decisions. As a result, they should ask two questions about the threat information they collect and use: Is it relevant to their business model? And can it be used to create a comparative advantage with competitors?
“If you can’t directly drive the value of the sharing to the business needs of the organization it’s not going to work,” he said.
Creators of threat information also have to think about what they are good at and leave the rest to other suppliers. Governments, for example, are good at leveraging their intelligence-gathering information. They shouldn’t be distributing technical information like indicators of compromise, which can be done better by security vendors.
If the threat information you get now isn’t helping defend your organization it’s probably not the right kind for your needs, Daniel said. Find new sources.
“New sources might make you aware of threats sooner, or might make it easier for you to figure out there’s a threat out there that might affect you,” he explained.
And more isn’t better, he added. Maybe the best move is to reduce the number of threat information sources. That might free up resources and make it easier to connect threat information to business operations more effectively.
Infosec leaders should make a plan that gets the most useful threat information for the least burden, he said.
Cyber threat information (CTI) suppliers need to find ways to include non-technical information like best practices.
“Information sharing is an important and even critical element in effective cybersecurity,” Daniel said, but it has been impaired by bad assumptions.
“However, if we shift our assumptions and operate on the basis that CTI consists of many different types of complex information, that relevance and comparative advantage should drive sharing and that sharing requires long-term investment, then we’ll be able to make sharing live up to its promise.
“Of course we’re not going to solve cybersecurity with information sharing. But improved CTI that lives up to its promise will definitely make life much tougher for the bad guys.”