The cybersecurity press has lately given a lot of attention to something called threat intelligence exchange. In fact, intelligence sharing has commanded such attention that the White House sponsored a Summit on Cybersecurity and Consumer Protection to talk about it back in February. Many companies have their eyes on threat intelligence sharing, as well. Facebook, for example, announced its own ThreatExchange program around the same time as the White House Summit.
The idea of sharing threat intelligence is not new, even in the cybersecurity industry. President Bill Clinton issued Presidential Decision Directive/NSC-63, “Protecting America’s Critical Infrastructures,” in May 1998. Among other things, this directive established the National Infrastructure Protection Center “to warn of and respond to attacks.” It also sought “the voluntary participation of private industry” through Information Sharing and Analysis Centers (ISACs), which operate to this day. More recently, in 2007, a group of the bigger players in the IT industry formed the Industry Consortium for the Advancement of Security on the Internet (ICASI). In addition, numerous cybersecurity conferences occur each year across many industries. Organizations in the private sector have shown a willingness to come together with each other and their customers to share threat intelligence for their mutual benefit.
Why the sudden renewal of attention? The title of the White House conference says it all: consumer protection. The number and scope of leaks of consumer personally identifiable information (PII) raise grave concerns. They cost businesses a lot of money, both to deal with the problem and to protect consumers. The government spends another pile of money to protect its systems. Security failures often produce consequences for the customers or citizens as well as for the organization.
Each of the last few years set a record for the number and scope of data breaches and the scale of PII leaked. The IBM X-Force Threat Intelligence Quarterly for Q1 2015 estimates that about 1 billion records of PII were leaked in 2014. That total represents an impact on potentially hundreds of millions of individuals, and that’s without a huge trove researchers discovered during 2014 but have not yet vetted.
We all face substantial threats to our systems. Consistent and open sharing of threat information promises to be a way to improve our awareness and hopefully our defenses. It also allows us to spread the costs around more than if each organization provided its own expertise.
Stakeholders and Participants
Active threat intelligence sharing involves three primary groups, with another group setting some of the rules of the road. The active participants are:
- Law enforcement and national security;
- Cybersecurity industry bodies and companies;
- Civilian industry bodies and companies.
Government and industry regulatory bodies represent the fourth group. The rules and regulations those bodies create, such as PCI in the retail industry and HIPAA in health care, can restrict intelligence sharing either through their actual provisions or through how those provisions are perceived. In addition, legislation restricts the types of participation available to law enforcement and national security organizations, and to the private sector.
But the point of the exercise for all parties is to protect end users and consumers, along with their transactions and PII, both directly and indirectly.
Even before the White House Summit, various organizations began efforts to foster threat information sharing. As mentioned above, ICASI and the ISACs have been operational for quite some time. Some industry exchanges lifted off early, too, such as the Health Information Trust (HITRUST) Alliance Cyber Threat XChange (CTX). More broadly based exchanges are also kicking off, including Facebook’s ThreatExchange, with participants such as Twitter, Yahoo, Tumblr, Pinterest, Box and Bitly, among others. The Cyber Threat Alliance exchange focuses on companies in the cybersecurity industry.
In fact, there are quite a few threat intelligence exchanges already up and running and others announced as in progress. Over time, expect more to develop, each founded around some unifying community, as existing exchanges have; some will focus on an industry, others on a nation, region or other geography. Having a link to other exchanges provides views of wider scope and even information fusion capabilities, so you can bet governments around the world will be trying to connect all the exchanges to help their local industries get a more comprehensive view of the threats.
The universe of exchanges will probably always seem somewhat balkanized. This fragmentation occurs in part due to human tendencies regarding trust. People tend to trust others more when they know them better, but they can only maintain a limited number of relationships. As the “trust circles” get larger, the shared trust wanes, and the sharing diminishes in quantity, quality or both.
Before any technology or intelligence can help, you and your organization must be ready. You must already have smoothly functioning infrastructure with appropriate visibility and recording; you must have processes in place to assess, triage and prioritize the intelligence; and you must have the tools necessary to take appropriate action based on the intelligence.
Before trying to automate the processes, there must be ground rules for the conversations. That currently falls to the STIX, TAXII and CybOX specifications, which are under development. For our purposes, simply know that they attempt to standardize the vocabulary, expression and conveyance of threat intelligence. Having the specifications allows automation of the sharing processes, even with disparate tools. These standards are likely to change fairly quickly, however. Over time, experience will show what’s important and what isn’t, and the specifications will adapt.
Software development efforts founded on those standards are likewise fairly young, but previous efforts have led to quite a few solutions on the market. Some efforts integrate threat intelligence sharing operations as an adjunct to systems you may already use, such as security information and event management (SIEM) tools. That means that practical, widespread, automated sharing may be nearer to reality than many people suspect.
In addition to developing specifications and software, though, we must also develop best practices for threat intelligence sharing. As participation in the exchanges grows, we must be able to bring new members up to speed quickly. This burden initially falls on the individual exchanges but should evolve into broader-based sets of practices over time.
Impacts and Implications
The “bad guys” in cyberspace have learned to move quickly to avoid defensive systems. To thwart their goals, our systems need to move just as quickly. The exchanges can improve our response time by making threat intelligence more widely available to more players. Automating the sharing processes can further quicken response times.
As the exchanges, automation and sharing processes progress, they reduce the friction of threat intelligence sharing, which in turn increases the amount of sharing. That creates a set of problems most of us have never previously had to deal with: too many intelligence reports. Hopefully that glut will ebb as the sharing helps improve our defenses.
Early problems include variability in the detail and accuracy of submitted reports. Existing exchanges have experience dealing with these issues, and all exchanges will likely have their share of growing pains. Precision and accuracy are paramount to useful notices. Vague and incorrect reports serve to distract attention, dilute resources and increase the difficulty of isolating the real threats.
What to Do?
As a consumer of threat intelligence, you will sometimes have to make a judgment call on whether a piece of intelligence is worth pursuing for your organization. You will always have to identify whether the threat pertains to assets in your systems, so update your inventories of hardware, software, operating systems, plugins, add-ons and everything else. You will also have to direct deployment of remedies, patches, workarounds and whatever else, and have appropriate policies and processes in place. None of this is new, but without it, threat intelligence won’t help you a bit beyond showing up in security updates to the products you buy.
Growth of threat intelligence sharing will likely increase the number of alerts that your organization will have to digest, triage and action. The growth will drive automation of both the generation and consumption of threat intelligence. Expect new technologies to be developed and old ones to be applied in novel ways to help us productively consume and act on threat intelligence. In addition to assisting with the sheer volume of information, automation will help keep up with the quickly moving targets that the bad guys present. But automation and faster response also increase the need for accuracy in the shared notices.
As an example, in a malware campaign, the domain names used to connect with the command-and-control (C&C) server can change every couple of days or even more frequently. The defenders must identify the threat, isolate the domain name (the indicator), disseminate the indicator and integrate the indicator into their defenses. To be effective, blocking the C&C domain name requires the defense to do all of that as quickly as the attacker makes changes. Every hour of delay means more attacks that get through.
Reducing that cycle time eventually requires automation in almost every phase: threat detection, isolation of indicators, dissemination of indicators and integration of indicators into defenses, not to mention patching and deployment. And all that automation requires accurate and timely intelligence to work effectively.
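As an added example (not code from the article or from any of the exchanges it names), the pipeline below implements the "disseminate and integrate" half of the cycle just described for domain indicators. It ingests a constructed feed in a simplified STIX-like JSON shape (the field names are assumptions, not the real STIX schema), enforces a confidence floor and an expiry window so that short-lived C&C domains age out instead of piling up, merges duplicate submissions from different sources, and then runs the surviving indicators over constructed DNS query log lines.

```python
"""Added example: minimal indicator-ingestion pipeline (not the article's code).
Feed shape, field names and log format are assumptions for illustration."""
import json
from datetime import datetime, timezone

# Constructed sample feed in a simplified STIX-like JSON shape (assumed layout).
FEED_JSON = """
[
 {"type": "domain", "value": "updates-cdn.example", "confidence": 90,
  "first_seen": "2015-05-01T08:00:00Z", "valid_until": "2015-05-03T08:00:00Z",
  "source": "partner-a"},
 {"type": "domain", "value": "mail-relay.example", "confidence": 30,
  "first_seen": "2015-05-01T09:00:00Z", "valid_until": "2015-05-10T00:00:00Z",
  "source": "partner-b"},
 {"type": "domain", "value": "stale-beacon.example", "confidence": 95,
  "first_seen": "2015-04-01T00:00:00Z", "valid_until": "2015-04-03T00:00:00Z",
  "source": "partner-a"},
 {"type": "domain", "value": "UPDATES-CDN.example.", "confidence": 80,
  "first_seen": "2015-05-01T10:00:00Z", "valid_until": "2015-05-02T10:00:00Z",
  "source": "partner-c"},
 {"type": "ipv4", "value": "192.0.2.10", "confidence": 99,
  "first_seen": "2015-05-01T00:00:00Z", "valid_until": "2015-05-09T00:00:00Z",
  "source": "partner-a"}
]
"""

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>" per line.
DNS_LOG = """\
2015-05-02T09:15:01Z 10.1.4.22 updates-cdn.example
2015-05-02T09:15:02Z 10.1.4.22 www.example.org
2015-05-02T09:16:40Z 10.1.7.9 mail-relay.example
2015-05-02T09:17:00Z 10.1.9.3 stale-beacon.example
2015-05-02T09:18:00Z 10.1.4.22 Updates-CDN.example
"""

MIN_CONFIDENCE = 50  # assumed policy threshold: vague, low-confidence reports are dropped


def parse_ts(s):
    """Parse the feed's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_domain(d):
    """Case-fold and strip the trailing dot so variants of one name collide."""
    return d.strip().rstrip(".").lower()


def triage(feed_json, now, min_confidence=MIN_CONFIDENCE):
    """Return {domain: indicator} keeping only domain indicators that are still
    valid at `now` and at or above the confidence floor. Duplicate submissions
    from different sources are merged, keeping the highest confidence, the
    latest expiry and the list of contributing sources."""
    active = {}
    for ind in json.loads(feed_json):
        if ind["type"] != "domain":
            continue                       # this pipeline only integrates domains
        if ind["confidence"] < min_confidence:
            continue                       # too vague to act on
        if parse_ts(ind["valid_until"]) <= now:
            continue                       # expired: the C&C domain has likely moved on
        key = normalize_domain(ind["value"])
        prev = active.get(key)
        if prev is None:
            active[key] = {"value": key, "confidence": ind["confidence"],
                           "valid_until": ind["valid_until"], "sources": [ind["source"]]}
        else:
            prev["confidence"] = max(prev["confidence"], ind["confidence"])
            # ISO-8601 strings of fixed width compare correctly as text.
            prev["valid_until"] = max(prev["valid_until"], ind["valid_until"])
            prev["sources"].append(ind["source"])
    return active


def match_dns_log(log_text, active):
    """Return (timestamp, client, domain, confidence) for each query that hits
    an active indicator; this is the 'integrate into defenses' step."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        key = normalize_domain(qname)
        if key in active:
            hits.append((ts, client, key, active[key]["confidence"]))
    return hits


if __name__ == "__main__":
    now = parse_ts("2015-05-02T09:00:00Z")   # constructed evaluation time
    active = triage(FEED_JSON, now)
    for hit in match_dns_log(DNS_LOG, active):
        print(hit)
```

The expiry check is what keeps the cycle time honest: an indicator that is not re-asserted by a source before its `valid_until` drops out automatically, so the blocklist tracks the attacker's rotation rather than accumulating stale names that only generate false alarms.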
If sharing becomes widespread and egalitarian enough, it has the potential to change the cybersecurity market dynamic. For example, it could level the playing field in terms of what threats the various products can detect and thwart. Threat coverage could end up nearly equal across products, with techniques and services providing differentiation.
Widespread sharing will certainly open new niches — or even entire markets — for services. Higher-level exchanges that participate in many other exchanges and aggregate the shared information, for example, already exist. Their unique view provides opportunities to identify larger-scale trends and offer broader ranges of intelligence. Expect new tools that can “slice, dice and make julienne fries” out of the threat intelligence from the exchanges. Cloud services are also likely to provide analysis on sets of threat intelligence too large for typical companies to process themselves.
IBM’s decision to open the X-Force Vulnerability Database in the form of IBM X-Force Exchange should offer enough evidence to convince you of the change that these sharing efforts can create. The folks at Internet Security Systems and later IBM Security spent untold hours accumulating that data, sussing it out from a huge variety of sources, including original research. That data has historically been considered a competitive advantage.
Target on Your Back
Increased attention to intelligence sharing makes threat intelligence exchanges and their communications targets for attackers. Malicious actors want to modify or delete exchange data, insert disinformation into exchanges and obstruct the communication between participants and the exchange, at the very least. Some even want to insert true information about their rivals to gain an advantage. Others game the system to try to stay below the radar or push their rivals above it. Proper vetting of exchange participants is a crucial consideration, given this environment.
Exchange operators’ credentials and access methods become high-value targets. In a world where a few records of threat intelligence data can thwart a malicious actor, even the individual exchange staff members might be targeted for subversion. The exchanges certainly have need of the threat intelligence they convey.
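One defensive control against the tampering and disinformation risks above is to refuse any indicator bundle whose origin cannot be verified. The following is an added example, not code from the article or from any real exchange: each vetted participant holds a per-participant HMAC-SHA256 key, bundles are signed over a canonical serialization, and the receiving side verifies the MAC and the participant's membership before ingesting anything. The bundle layout and key table are assumptions for illustration; a production exchange would more likely use public-key signatures tied to a vetted membership directory, but the check-before-ingest structure is the same.

```python
"""Added example: authenticity and integrity check on shared indicator bundles
(not the article's code). Bundle layout and key table are assumed."""
import hashlib
import hmac
import json

# Constructed per-participant keys; in practice provisioned out of band during vetting.
PARTICIPANT_KEYS = {
    "partner-a": b"constructed-key-for-partner-a",
    "partner-b": b"constructed-key-for-partner-b",
}


def canonical(payload):
    """Stable serialization so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(participant, payload, keys=PARTICIPANT_KEYS):
    """Sender side: attach an HMAC over the canonical payload."""
    mac = hmac.new(keys[participant], canonical(payload), hashlib.sha256).hexdigest()
    return {"participant": participant, "payload": payload, "mac": mac}


def verify_bundle(bundle, keys=PARTICIPANT_KEYS):
    """Receiver side: return (ok, reason). Bundles from unvetted participants
    and bundles whose payload no longer matches the MAC are rejected."""
    key = keys.get(bundle.get("participant"))
    if key is None:
        return False, "unknown participant"
    expected = hmac.new(key, canonical(bundle["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("mac", "")):
        return False, "mac mismatch"
    return True, "ok"


def ingest(bundles, keys=PARTICIPANT_KEYS):
    """Split incoming bundles into accepted and rejected, with reasons."""
    accepted, rejected = [], []
    for b in bundles:
        ok, reason = verify_bundle(b, keys)
        (accepted if ok else rejected).append((b.get("participant"), reason))
    return accepted, rejected


# Constructed scenario: one genuine bundle, one altered in transit, one from
# a sender who is not a vetted participant but replays a genuine MAC.
PAYLOAD = {"indicators": [{"type": "domain", "value": "updates-cdn.example",
                           "confidence": 90}]}
GOOD = sign_bundle("partner-a", PAYLOAD)
TAMPERED = json.loads(json.dumps(GOOD))          # deep copy
TAMPERED["payload"]["indicators"][0]["value"] = "legit-vendor.example"
UNKNOWN = {"participant": "nobody", "payload": PAYLOAD, "mac": GOOD["mac"]}


def demo():
    """Run the three constructed bundles through ingestion."""
    return ingest([GOOD, TAMPERED, UNKNOWN])


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Rejecting the tampered bundle protects against someone swapping a real indicator for a rival's legitimate domain; rejecting the unknown participant is the automated counterpart of the vetting the article calls crucial. Neither check helps if a vetted member submits bad data under its own key, which is why vetting and reputation tracking of participants remain necessary alongside the cryptographic check.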
Is This a Game?
Some information that ends up in threat intelligence exchange systems pertains to nation-state operations, including both law enforcement and intelligence service operations. As the platforms develop, nations will likely pass legislation and implement regulations that affect exchange operations. For one thing, the current patchwork of legislation covering PII probably requires some clarification. For another, countries may pass legislation requiring that home country agencies can prevent sharing of threat information that would compromise ongoing investigations or national security. One of the trickier bits of policymaking will be dealing effectively with the intersection between security concerns and legitimate systems defense, law enforcement and national intelligence. We will have to find ways to balance privacy with threat detection and remedy, as in any conflict.
These efforts will bring the most gains if the sharing is truly global and uncensored and if they attract wide participation, which has been a problem in the past. In the U.S., the FBI and Secret Service have both committed to participating in the sharing programs. In fact, they have long participated in existing threat intelligence sharing programs, as described above. Other national police forces also participate in existing systems and will also do so in the future. They can probably teach us a thing or two about best practices since they have shared intelligence for years.
Widespread and effective threat intelligence sharing can provide defenders a better chance to detect, divert and avoid threats. Those defensive improvements push attackers to come up with new technologies. As sharing improves defense, it forces the offense to adapt.
And when the sharing participation grows, it also may raise intriguing tensions within the cybersecurity industry. Some of the resulting changes will likely surprise us as the entire scenario plays out.
A few critics say that the sort of threat information covered in these discussions really isn’t threat “intelligence.” Well, maybe it’s not. The indicators usually discussed are often little more than tactical intelligence at this time. But having at least tactical intelligence is better than having no intelligence at all. Customers and consumers don’t really care who protects them; they care about who fails to protect them. And since everyone is in everyone else’s supply chain, we are the customers and the consumers, too.