The Path Forward With Threat Intelligence and Sharing
According to Gartner’s Rob McMillan, threat intelligence is defined as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
While this definition is fairly new, the concept of threat intelligence has been around for as long as security professionals have looked for information to help their investigations detect and prevent incidents such as compromised systems and data exfiltration.
From this perspective, one source of threat intelligence is the company’s internal networks. Another is the vast amount of information that exists outside those networks, such as information collected by honeypots, spam traps, Web crawlers specialized for identifying malware, and the monitoring of hacking forums.
In the past few years, threat intelligence has started to mature from a marketplace and security user perspective in terms of how to best gather, organize, share and identify sources of threat intelligence. Sharing is one of the most exciting aspects of threat intelligence, as companies recognize that collaboration is important, and standards emerge to make it easier and faster to share information. With that, threat intelligence feeds and platforms have emerged as a new market for these products and services.
Threat Intelligence Sharing: The New Normal
Threat sharing isn’t new; cybercriminals have been doing it for decades without legislation. This revelation refers to the recent announcement of a new Cyber Threat Intelligence Integration Center, and unfortunately, it’s true. While this is a significant step for coordinating and sharing cyberthreats in the government space, attackers are quite comfortable sharing and exchanging information, whether on malware techniques or the latest breaches.
Now that the good guys are similarly looking at sharing as an imperative duty, we are faced with the task of identifying the means by which the industry can best enable effective collaboration. People must have access to the right type of threat intelligence for their organization that fits into their existing frameworks for social networking so they can quickly benefit from the exchange of information in ways that help their organization.
The openness in threat intelligence sharing comes from the availability of the information itself and the means by which users can obtain that information.
With threat intelligence, there is both significant breadth and depth of information that is important to users. As an example of the breadth of information, the most common indicators include IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. There is depth of information associated with each of these, such as the historical context, as well as the pivoting between them to allow for the real understanding of how they relate to each other. This can lead to insights on tactics and techniques.
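An added example, not from the original article or from any product it mentions: it sorts some of the indicator types listed above by pattern and pivots between indicators that were reported together. The sample reports, the `classify` and `pivot` names and the matching patterns are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ordered patterns for some indicator types named in the text. File names,
# registry settings and user agents need context to tell apart and are left out.
PATTERNS = [
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("ip", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("file_hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def classify(value):
    """Return the first indicator type whose pattern matches, else 'unknown'."""
    for kind, rx in PATTERNS:
        if rx.match(value.strip()):
            return kind
    return "unknown"

# Constructed sample data: each report lists indicators observed together.
REPORTS = {
    "report-A": ["192.0.2.10", "login-update.example", "0123456789abcdef0123456789abcdef"],
    "report-B": ["login-update.example", "http://login-update.example/a.php", "billing@mail.example"],
    "report-C": ["198.51.100.7", "cdn.example"],
}

def pivot(start, reports, max_hops=2):
    """Return {indicator: (type, hops)} reachable from start via shared reports."""
    index = defaultdict(set)              # indicator -> reports that mention it
    for rid, indicators in reports.items():
        for ind in indicators:
            index[ind].add(rid)
    seen, frontier = {start: 0}, [start]
    for hop in range(1, max_hops + 1):    # breadth-first, one hop per round
        nxt = []
        for ind in frontier:
            for rid in index.get(ind, ()):
                for other in reports[rid]:
                    if other not in seen:
                        seen[other] = hop
                        nxt.append(other)
        frontier = nxt
    return {i: (classify(i), h) for i, h in seen.items() if i != start}

if __name__ == "__main__":
    for ind, (kind, hops) in sorted(pivot("192.0.2.10", REPORTS).items()):
        print(f"{hops} hop(s)  {kind:9}  {ind}")
```

The hop count is a rough measure of how directly two indicators are linked; anything found only at two hops deserves more scrutiny before it is acted on.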
Given the variety of information and its dynamic nature, consumers of threat intelligence need content that is as comprehensive, high-fidelity and up to date as possible. Aside from the information itself, there is also the platform through which users obtain and share that information, enabling collaboration in a social manner.
Social networking first began to appear in 1994, when GeoCities was created. Social media has evolved significantly since then. While that site and some of the others that followed (theGlobe.com and Friendster) were not necessarily commercially successful, they all helped foster a level of comfort when interacting with other users on the Internet. Tools such as forums, user profiles, bookmarking, curation and wikis are now so second nature to us that we’ve forgotten they were once new and innovative.
The sharing of threat intelligence should also build on these tools while still adapting and extending them in ways that provide new capabilities specific to security use cases. For example, the established concept of controlling with whom we share which pieces of information is an essential aspect of any collaborative platform. Building specific constructs for the curation and organization of information for security use cases can further extend an existing capability.
The sharing of threat intelligence should ultimately lead to tactical actions that help organizations further protect their users and infrastructure. To reiterate, because the stakes are much higher with security information, it is important to have a seamlessly flowing process.
For example, providing additional context on an indicator that has been brought to a user’s attention, whether from a security tool or another user, helps the user make a decision on how to further use that information. Extending this to action naturally leads to programmatic access and application programming interface integration, which helps organizations make better and quicker decisions.
Threat intelligence has become an essential aspect of any organization’s security program. The sharing of that threat intelligence to further enhance and gain value from it will increasingly become the norm. Today, X-Force is launching a new cloud-based threat intelligence platform, IBM X-Force Exchange, to help encourage and facilitate the sharing of threat intelligence while addressing the principles of open, social and actionable sharing.