The cyberthreat landscape is becoming increasingly complex. Threats, attacks, zero-days, exploit kits and all the cyberattack whatnot are multiplying and expanding at a worrying rate, and the fact of the matter is that the tech community and security vendors are hard pressed to detect and react to new threats in an organized and timely manner. As a consequence, sophisticated attackers can conduct a breach, hide for months, and silently continue to siphon data from their victims.
What is the secret behind the increasing success of the evil forces? Very simple, they’re sharing among each other. Advanced Persistent Threats (APTs) and cybercriminals are becoming more organized and are cooperating in a cross-country fashion, constantly exchanging new experience, sharing tools and exploit kits and helping each other become more efficient in their attacks.
What about the cybersecurity community? Not enough teamwork there, at least not until lately. Too many industry leaders and government agencies are avoiding team play and information sharing, whether in order to avoid privacy issues or to maintain the competitive edge in their industry. And the general public is incurring the damage as a result.
But that is slowly changing as threat information sharing is slowly gaining traction and is establishing its importance in helping improve cybersecurity in general and in preventing the occurrence of critical security incidents.
In general terms, threat intelligence is “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
This is not a new concept and is practically as old as cybersecurity itself. It has been around in the form of email lists and e-zines for a long time. But it is a discipline riddled with challenges and caveats, and it often leads to more headaches than benefits, especially as the threat landscape shifts and changes at a very fast pace. Thousands, if not millions, of malicious IPs, URLs, domains, files and emails pop up on a daily basis, and sharing them in an efficient and timely manner is a real challenge. In many cases, when a security incident takes place, the gleaned information can immediately be put to use to prevent similar attacks. In other cases, however, threats and attacks are niche-oriented, targeted at specific industries, geographical locations or organizations, and would not benefit the entire community. So how do you manage all these moving parts?
With threat intelligence sharing rising in prominence, recent advances in the field have enabled organizations, security vendors, researchers and practically every person and company that is either a provider or consumer of threat intelligence to cooperate and share information in a more efficient manner.
Last year's Cybersecurity Information Sharing Act (CISA), which was passed as the cybersecurity act of 2015, enabled firms and agencies to become more actively involved in threat intelligence sharing by removing some of the legal barricades that would otherwise have prevented them from sharing their intel, specifically where user privacy was concerned. Government-led efforts, mainly spearheaded by the Department of Homeland Security (DHS), have established fundamental processes and led to the creation of bodies such as Information Sharing and Analysis Centers (ISACs), which facilitate the process of setting up threat intelligence sharing programs.
Also, the development of standards such as the Trusted Automated eXchange of Indicator Information (TAXII) and the Structured Threat Information eXpression (STIX) helped streamline the process of sharing Indicators of Compromise (IoC) data without giving away personally identifiable information (PII). These standards are now widely used by tech firms to join sharing platforms and consolidate threat information.
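To make the "IoCs without PII" point concrete, here is an added example (not from the article or any vendor platform) that converts internal incident records into STIX 2.1 Indicator objects wrapped in a Bundle, the unit a TAXII collection serves, and then checks that none of the record's PII fields leaked into the shared document. The incident records, field names and indicator values are constructed for illustration; only stdlib is used, so no STIX library is assumed.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample incident records (not real indicators). The PII fields
# are what an internal ticket carries but must never reach a sharing feed.
INCIDENT_RECORDS = [
    {"kind": "ipv4", "value": "198.51.100.7",
     "reporter_email": "analyst@example.test", "victim_host": "fin-ws-042.corp.example.test"},
    {"kind": "domain", "value": "update-check.example.invalid",
     "reporter_email": "analyst@example.test", "victim_host": "hr-laptop-17.corp.example.test"},
    {"kind": "sha256", "value": "a" * 64,
     "reporter_email": "ir@example.test", "victim_host": "build-01.corp.example.test"},
]
PII_FIELDS = ("reporter_email", "victim_host")

# STIX 2.1 pattern templates: one Cyber Observable object property per IoC kind.
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def to_stix_indicator(record, now=None):
    """Build a STIX 2.1 Indicator carrying only the observable, never the PII fields."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[record["kind"]].format(v=record["value"]),
        "pattern_type": "stix",
        "valid_from": ts,
    }

def to_stix_bundle(records):
    """Wrap the indicators in a STIX Bundle, which is what a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [to_stix_indicator(r) for r in records]}

def leaked_pii(bundle, records):
    """Return every PII value from the source records that survived into the bundle."""
    blob = json.dumps(bundle)
    return sorted({r[f] for r in records for f in PII_FIELDS if r[f] in blob})

if __name__ == "__main__":
    bundle = to_stix_bundle(INCIDENT_RECORDS)
    print(json.dumps(bundle, indent=2), "\nleaked PII:", leaked_pii(bundle, INCIDENT_RECORDS))
```

Running `leaked_pii` before publishing is the check worth automating: the bundle is safe to push to a TAXII server only when it returns an empty list.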
Other initiatives include the foundation of the Cyber Threat Alliance (CTA), a group of leading cybersecurity solution providers such as Fortinet, Intel (McAfee), Palo Alto Networks and Symantec, which have put aside their rivalries and joined forces to protect their collective customers through threat intelligence sharing. Their joint efforts are enabling members and organizations worldwide to use the latest threat intelligence to improve defenses against advanced adversaries. The CTA is also assisting law enforcement agencies in spotting, blocking and apprehending cybercriminals.
Finally, I would also like to point out platforms developed by individual companies that enable threat intelligence sharing between tech companies and individuals. In the past year, many companies have developed their own threat intelligence sharing platforms, mostly based on STIX and TAXII, to let their customers share information about new attacks as they happen, so that others in the community become aware of new threats in near real time and can react quickly and prevent attacks before they happen.
Some vendors have brought forth entirely new products, while some of the older and more established players have integrated threat intelligence sharing into their existing endpoint and enterprise security solutions. This trend is helping companies transition to the threat intelligence sharing movement smoothly, without breaking their existing IT security systems and processes. It is also helping peers within an industry to connect and form their own specialized threat intelligence sharing platforms, which helps them respond better to targeted attacks.
Threat intelligence sharing is providing the chance to fundamentally change the way we protect ourselves against cyberthreats. Our adversaries are making abundant use of it, and it is perhaps time to learn a lesson from the enemy. As we continue to share information between public and private companies and organizations across the world, our collective efforts will enable us to take considerable strides toward fighting cybercrime and creating a safer world.