With cyber attackers finding a multitude of ways of evading defences, threat intelligence sharing is taking on increasing importance. Whether the sharing is done formally through a commercial service CISOs subscribe to, through industry associations or independent computer emergency response teams (CERTs), quickly passing on indicators of compromise and related information is vital for bolstering defences.
But in a report issued Thursday McAfee Labs says the security industry “still fails at sharing high-level, contextually rich intelligence, such as advanced campaigns, at a meaningful level and with other industry participants.”
To move threat intelligence sharing to the next level of efficiency and effectiveness — including automation — the industry needs to simplify event triage and provide a better environment for security practitioners to investigate high-priority threats, and do a better job establishing relationships between indicators of compromise so infosec pros can understand their connections to attack campaigns, says the report.
In addition, McAfee admits, vendors need to find a better way to share threat intelligence between their own products and with other vendors.
This last point is an interesting admission from a company that is part of the Cyber Threat Alliance, a threat sharing platform for vendors including Check Point Software, Cisco Systems, Fortinet, Palo Alto Networks and Symantec. The Alliance, formed in 2014, had been an informal sharing entity until February, when its founders announced it had become a formal threat intelligence sharing platform.
McAfee identified five problems facing organizations that want to generate and consume threat information:
Volume. A massive signal-to-noise problem continues to plague defenders trying to triage, process, and act on the highest-priority security incidents;
Validation. Attackers may file false threat reports to mislead or overwhelm threat intelligence systems, and data from legitimate sources can be tampered with if poorly handled;
Quality. If vendors focus just on gathering and sharing more threat data, there is a risk that much of it will be duplicative, wasting valuable time and effort. Sensors must capture richer data to help identify key structural elements of persistent attacks;
Speed. Intelligence received too late to prevent an attack is still valuable, but only for the cleanup process. Security sensors and systems must share threat intelligence in near real time to match attack speeds;
Correlation. The failure to identify relevant patterns and key data points in threat data makes it impossible to turn data into intelligence and then into knowledge that can inform and direct security operations teams.
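Taken together, the five problems describe the intake pipeline a defender has to build on the receiving side of any exchange. The following Python sketch is an added illustration, not code from the McAfee report or the article: it runs constructed feed records (fictional source names, RFC 5737 documentation addresses and made-up campaign tags) through validation, de-duplication across sources, corroboration scoring and campaign correlation, and measures how stale each indicator is on arrival. The `TRUSTED_SOURCES` set is an assumption standing in for whatever central source vetting an exchange would perform.

```python
"""Constructed example: validate, de-duplicate, corroborate and correlate
IoC records from several fictional feeds.  Nothing here is real intelligence."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

TRUSTED_SOURCES = {"feed-a", "feed-b", "feed-c"}          # assumed vetting list
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed feed records (RFC 5737 addresses, reserved .example names).
# "seen" is the sighting time in ISO-8601 UTC; tags are the feed's campaign labels.
RAW_FEED = [
    {"source": "feed-a", "type": "domain", "value": "Update-Check.example", "tags": ["campaign-x"], "seen": "2017-03-30T10:00:00"},
    {"source": "feed-b", "type": "domain", "value": "update-check.example", "tags": ["campaign-x"], "seen": "2017-03-30T10:05:00"},
    {"source": "feed-a", "type": "sha256", "value": "ab" * 32,              "tags": ["campaign-x"], "seen": "2017-03-30T10:02:00"},
    {"source": "feed-c", "type": "ip",     "value": "203.0.113.7",          "tags": ["campaign-x"], "seen": "2017-03-30T10:10:00"},
    {"source": "feed-c", "type": "ip",     "value": "203.0.113.7",          "tags": ["campaign-y"], "seen": "2017-03-30T11:00:00"},
    {"source": "feed-b", "type": "domain", "value": "portal-login.example", "tags": ["campaign-y"], "seen": "2017-03-30T11:30:00"},
    {"source": "pastebin-scrape", "type": "ip", "value": "198.51.100.1",    "tags": ["campaign-z"], "seen": "2017-03-30T12:00:00"},
    {"source": "feed-a", "type": "ip",     "value": "300.1.1.1",            "tags": ["campaign-z"], "seen": "2017-03-30T12:01:00"},
]


def normalise(rec):
    """Validation: canonicalise the value and reject malformed or unknown indicators."""
    kind, value = rec["type"], rec["value"].strip().lower()
    if kind == "ip":
        try:
            value = str(ipaddress.ip_address(value))
        except ValueError:
            return None
    elif kind == "sha256":
        if not SHA256_RE.match(value):
            return None
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            return None
    else:
        return None
    return {**rec, "value": value}


def deduplicate(records):
    """Quality: merge the same indicator reported by several feeds into one entry,
    keeping the earliest sighting and the union of sources and campaign tags."""
    merged = {}
    for rec in filter(None, map(normalise, records)):
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                        "sources": set(), "tags": set(),
                                        "first_seen": rec["seen"]})
        entry["sources"].add(rec["source"])
        entry["tags"].update(rec["tags"])
        entry["first_seen"] = min(entry["first_seen"], rec["seen"])  # ISO strings sort chronologically
    return merged


def corroboration(entry):
    """Validation: number of vetted feeds that independently reported the indicator.
    A score of 0 means only unvetted sources saw it; it should not drive blocking."""
    return len(entry["sources"] & TRUSTED_SOURCES)


def age_minutes(entry, now):
    """Speed: minutes between the first sighting and the moment we can act on it."""
    return (now - datetime.fromisoformat(entry["first_seen"])).total_seconds() / 60


def link_campaigns(merged):
    """Correlation: campaigns that share at least one indicator are grouped
    together (union-find over campaign tags)."""
    parent = {}

    def find(tag):
        parent.setdefault(tag, tag)
        while parent[tag] != tag:
            parent[tag] = parent[parent[tag]]
            tag = parent[tag]
        return tag

    for entry in merged.values():
        tags = sorted(entry["tags"])
        root = find(tags[0])
        for tag in tags[1:]:
            parent[find(tag)] = root
    clusters = defaultdict(set)
    for tag in list(parent):
        clusters[find(tag)].add(tag)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    now = datetime(2017, 3, 30, 12, 30)
    merged = deduplicate(RAW_FEED)
    for (kind, value), entry in sorted(merged.items()):
        print(f"{kind:7} {value:22} sources={len(entry['sources'])} "
              f"corroborated={corroboration(entry)} age={age_minutes(entry, now):.0f}m")
    print("linked campaigns:", link_campaigns(merged))
```

Of the eight constructed records, one is rejected as malformed, two pairs collapse into single indicators, and the address shared by campaign-x and campaign-y is what ties those two campaigns together while campaign-z, seen only by an unvetted source, stays isolated with a corroboration score of zero.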
In an earlier report McAfee defined threat intelligence as “evidence-based knowledge of an emerging (or existing) threat that can be used to make informed decisions about how to respond.” It provides more than just the specific bits and bytes of the threat; it also provides context around how the attack takes place. It identifies indicators of attack (IoA) and indicators of compromise (IoC) and potentially even the identity and motivation of the attacker.
However, in addition to some technological problems with threat sharing, such as dissimilar platforms, there are a number of other obstacles, such as corporate policies forbidding the sharing of data that might include personally identifiable information. Some governments may also fear that disclosing certain information would compromise a criminal investigation. Best practices and standards are still being hammered out.
Robert Gordon, executive director of the Canadian Cyber Threat Exchange, agrees with much of the paper, including the argument that threat exchanges should be cross-sector. That’s the CCTX’s mandate, he said. “The critical challenges they identify — volume, validation, speed, quality and correlation — do need to be addressed. Some of that will be done with new automated technology, some comes down to validating sources of information centrally, which is hard for an individual company to do. So there’s a need for some kind of centre to do the validation of where the information is coming from and whether there is similar data from other places.”
He also acknowledged that some Canadian organizations are shy about contributing to a threat exchange out of fear the information may harm their reputation [if it divulges there’s been a breach]. Anonymizing the data will mitigate that, Gordon said. But boards are increasingly asking company officials if threat sharing is useful, he added.
“There will always be something that is so critical to them they may not share a specific piece of information or incident, but by and large the general threat information they see they’re willing to sit down and talk about it … But if you’re willing to share the bulk of it that’s so much better than not sharing anything. It’s worth the effort.”
“It is critical to collect, triage, and validate data from many sources in near real time and use it to prioritize and scope events,” says McAfee. “Sharing threat intelligence significantly reduces attackers’ advantages, making their efforts less profitable and shortening the effective lifecycle of campaigns.”