In some circles it is more blessed to give than to receive. Not among infosec pros, a survey suggests.
Almost 60 per cent of information security pros whose organizations are members of a cyber threat intelligence exchange agree that what they get is very valuable, according to a just-released Intel Security survey. Another 38 per cent said it was at least somewhat valuable.
But the passion cooled when asked if they were willing to give information to the community. Only 24 per cent said their organization would be very likely to pass on indicators of compromise and other intelligence, with another 39 per cent saying it was somewhat likely. Thirty-one per cent were neutral or couldn’t tell what their IT department would say.
The survey results were included in the McAfee Labs Threats Report March 2016, issued Tuesday morning. Just under 500 security professionals from around the world answered questions.
Few doubt that threat intelligence sharing is an important tool in the arsenal of CISOs.
Intelligence sharing groups such as sector-based Information Sharing and Analysis Centres (ISACs) are common in the U.S.
In Canada the government, financial and energy sectors have threat sharing arrangements, with other sectors slowly considering them. Informal CISO-to-CISO sharing is much more common. There are also commercial threat sharing services, some independent and others offered by well-known security suppliers such as Intel, IBM and Cisco Systems.
It is hoped the fledgling Canadian Cyber Threat Exchange (CCTX) will expand formal threat sharing here across industries, but it isn’t expected to be operational until late in the year.
Doug Cooke, director of sales engineering at Intel Security in Canada, noted in an interview that threat sharing exchanges here attract little attention from small and medium-sized companies. Small companies in particular, “where the security guy is also the desktop and email administrator may not have the time to do all the research in the environment to understand what’s going on” in threat sharing, he added.
No matter which type of threat sharing group a CISO signs up for, they have to be careful, says Cooke.
“They need to understand and trust the organization they’re getting (information) from because if you don’t know what you’re getting and where it’s coming from it may be another way of hackers using social engineering to get into your organization.”
By using cyber threat intelligence, security teams look to not only stop each attack as it happens, but to also get a better sense of who is attacking, what methods they are using, and what their targets are, notes the McAfee report.
That doesn’t mean sharing everything. Understandably, organizations are leery of sharing news of a breach: competitors may leak that information. Similarly, for legal reasons they are uneasy about sharing personally identifiable information on a possible threat actor, although in the U.S. recent federal legislation, the Cybersecurity Act of 2015, is meant to give organizations liability protection when they share threat indicators of this kind.
According to the McAfee survey, most respondents said their organizations are willing to share information such as malware behaviour and URL, IP address and certificate reputations. They are least willing (just under 40 per cent) to share file reputations.
The report defines cyber threat intelligence as evidence-based knowledge of an emerging (or existing) threat, including indicators of attack and indicators of compromise, that can be used to make informed decisions about how to respond.
It also provides context around how the attack takes place, and potentially even the identity and motivation of the attacker (although some security pros say it is so easy for attackers to disguise themselves that identity isn’t that important).
Increasingly, threat intelligence sharing is being automated through open standards: STIX (Structured Threat Information eXpression) describes indicators and their context in a machine-readable form, and TAXII (Trusted Automated eXchange of Indicator Information) defines how that content is exchanged between organizations and their security platforms.
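To make the two halves of that sentence concrete, here is an added example (not code from McAfee, the report, or any exchange) that builds a small bundle of indicators in STIX JSON and then consumes it the way a receiving organization would, including Cooke’s “know where it’s coming from” check. It uses the later JSON-based STIX 2.1 layout rather than the XML-based STIX 1.x that was current in 2016, and it relies only on the Python standard library, not the stix2 package. Every identifier, producer name, indicator value and log line is constructed for illustration: 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges and example.com is a reserved name, so none of it is real threat data.

```python
"""Share and consume indicators as STIX 2.1 JSON (added example, standard library only).

Not code from the report or any vendor. Identifiers, indicator values and observations are
constructed; documentation address ranges and example.com stand in for real infrastructure.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed STIX identity ID of the one exchange whose indicators we have agreed to trust.
TRUSTED_PRODUCERS = {"identity--5f4c9c2e-7a8f-4b2c-9d4a-1c2b3a4d5e6f"}
# Constructed ID of a producer nobody vetted; its indicators must not drive blocking decisions.
UNTRUSTED_PRODUCER = "identity--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"


def stix_time(dt=None):
    """STIX timestamps are UTC, millisecond precision, 'Z' suffix (24 characters)."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(name, pattern, created_by_ref, valid_from, valid_until=None):
    """Build a STIX 2.1 Indicator object carrying a pattern such as [ipv4-addr:value = '...']."""
    now = stix_time()
    ind = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "created_by_ref": created_by_ref,
        "name": name, "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from,
    }
    if valid_until:
        ind["valid_until"] = valid_until
    return ind


def make_bundle(objects):
    """A bundle is the unit that actually travels over TAXII: a list of STIX objects."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# One comparison inside a pattern: object path, '=', quoted value. Handles paths such as
# ipv4-addr:value, url:value and file:hashes.'SHA-256'; OR-joined comparisons yield several pairs.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Reduce a simple equality-only STIX pattern to (object_path, value) pairs."""
    return _COMPARISON.findall(pattern)


def usable_indicators(bundle, now, trusted=TRUSTED_PRODUCERS):
    """Keep only indicators we should act on: trusted producer, not revoked, inside validity window."""
    kept = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        if obj.get("created_by_ref") not in trusted:  # the "trust the organization you get it from" check
            continue
        if obj.get("revoked"):
            continue
        if obj["valid_from"] > now or obj.get("valid_until", "9999") <= now:  # ISO strings sort lexically
            continue
        kept.append(obj)
    return kept


def match_observations(bundle, observations, now, trusted=TRUSTED_PRODUCERS):
    """Return (log_source, indicator_name, object_path, value) for each observed value hitting an indicator."""
    hits = []
    for ind in usable_indicators(bundle, now, trusted):
        for path, value in parse_pattern(ind["pattern"]):
            for obs in observations:
                if obs.get(path) == value:
                    hits.append((obs["source"], ind["name"], path, value))
    return hits


def sample_bundle():
    """Constructed bundle mixing indicators we should use with ones we should drop."""
    producer = next(iter(TRUSTED_PRODUCERS))
    identity = {"type": "identity", "spec_version": "2.1", "id": producer,
                "created": "2016-01-15T00:00:00.000Z", "modified": "2016-01-15T00:00:00.000Z",
                "name": "Constructed Sector Exchange", "identity_class": "organization"}
    return make_bundle([
        identity,
        make_indicator("Constructed C2 address", "[ipv4-addr:value = '203.0.113.7']",
                       producer, "2016-03-01T00:00:00.000Z"),
        make_indicator("Constructed JAR delivery site",
                       "[url:value = 'http://dl.example.com/update.jar' OR domain-name:value = 'dl.example.com']",
                       producer, "2016-03-01T00:00:00.000Z"),
        # Well-formed, but from a producer we never vetted: dropped.
        make_indicator("Unvetted scanner IP", "[ipv4-addr:value = '198.51.100.20']",
                       UNTRUSTED_PRODUCER, "2016-03-01T00:00:00.000Z"),
        # Trusted, but its validity window has closed: dropped.
        make_indicator("Stale file hash", "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
                       producer, "2015-06-01T00:00:00.000Z", valid_until="2016-01-01T00:00:00.000Z"),
    ])


# Constructed observations, one dict per log line, keyed by the STIX object path each value maps to.
OBSERVATIONS = [
    {"source": "proxy", "url:value": "http://dl.example.com/update.jar"},
    {"source": "firewall", "ipv4-addr:value": "203.0.113.7"},
    {"source": "firewall", "ipv4-addr:value": "198.51.100.20"},
    {"source": "dns", "domain-name:value": "www.example.com"},
]

if __name__ == "__main__":
    bundle = sample_bundle()
    print(json.dumps(bundle["objects"][1], indent=2))  # what actually goes over the wire
    for hit in match_observations(bundle, OBSERVATIONS, now="2016-03-22T12:00:00.000Z"):
        print("HIT", hit)
```

Run against the constructed observations, only two of the four indicators survive the trust and validity filter, and they produce two hits (the firewall address and the proxy URL); the scanner IP from the unvetted producer is seen in the logs but deliberately ignored. A real deployment would also honour TLP markings on each object and pull the bundle from a TAXII collection rather than a function call, but the filtering logic is the same.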
The McAfee report also includes a section on dealing with the Adwind remote administration tool (RAT), a Java-based backdoor Trojan that runs on any platform with a Java runtime installed. Through 2015 the number of Adwind .jar file submissions to McAfee Labs increased dramatically.
Infection usually begins when a user opens a malicious email attachment, often a Word document; the malware then connects to a remote server for instructions.
Once installed, Adwind can log keystrokes, modify and delete files, download and execute further malware, take screenshots, access the system’s camera, and take control of the mouse and keyboard.
To defend against it McAfee says employee phishing awareness campaigns and software patching are key.
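Awareness and patching are the report’s advice; a mail gateway can add a technical layer. Because Adwind ships as a .jar, a useful check is to recognize Java archives by their content rather than by the file extension, which a sender can rename. The example below is added here and is not McAfee’s code or a description of any specific sample: it treats an attachment as a JAR when it is a ZIP archive carrying a META-INF/MANIFEST.MF entry that names a Main-Class or sits beside .class files (which begin with the 0xCAFEBABE magic), and it distinguishes that from other ZIP-based formats such as .docx. All attachments are constructed in memory.

```python
"""Flag Java archives in mail attachments by content, whatever the extension says (added example).

Not McAfee's code and not based on a real sample. A JAR is a ZIP archive with a
META-INF/MANIFEST.MF entry; executable ones name a Main-Class and carry .class files.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def inspect_attachment(data):
    """Return 'jar' for an executable Java archive, 'zip' for other ZIP-based files
    (.docx, .xlsx, plain .zip), or 'other' for anything that is not a valid ZIP."""
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "META-INF/MANIFEST.MF" not in names:
                return "zip"
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            has_main = any(line.startswith("Main-Class:") for line in manifest.splitlines())
            has_class = any(n.endswith(".class") and zf.read(n).startswith(CLASS_MAGIC) for n in names)
            return "jar" if (has_main or has_class) else "zip"
    except zipfile.BadZipFile:
        return "other"


def triage(attachments):
    """attachments: {filename: bytes}. Returns, sorted, the filenames to quarantine."""
    return sorted(name for name, data in attachments.items() if inspect_attachment(data) == "jar")


def _zip_bytes(entries):
    """Helper to build a ZIP archive in memory from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachments():
    """Constructed inbox: an honest JAR, the same JAR renamed to look like a PDF, a Word file, a text file."""
    jar = _zip_bytes({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n",
        "Loader.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16,  # header only, not real bytecode
    })
    docx = _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
    })
    return {
        "Invoice_2016-03.jar": jar,
        "Statement.pdf": jar,  # same archive renamed: an extension allow-list passes it, the content check does not
        "Contract.docx": docx,
        "README.txt": b"Plain text, nothing to see here.",
    }


if __name__ == "__main__":
    for name, data in sample_attachments().items():
        print(f"{name:22s} -> {inspect_attachment(data)}")
    print("quarantine:", triage(sample_attachments()))
```

The check deliberately reads the manifest and the class-file magic instead of trusting names inside the archive, so a JAR renamed to .pdf is still caught while a legitimate Word document, which is also a ZIP but has no manifest, passes. It says nothing about whether a flagged JAR is malicious; it only ensures that executable Java content reaching the mailbox is a policy decision rather than an accident.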