It’s no surprise to anyone practicing security today that the threat landscape has grown increasingly complex. Modern attacks weave together exploits, malware, applications and evasions into long, ongoing attacks that can last days, months or even years. To respond, security teams have begun to take a more integrated overall approach to threat prevention in which multiple technologies work together and are evaluated in context of the user and application.
For example, a modern IPS looking for exploits needs to know the application and protocols of the traffic it analyzes in order to see and stop the appropriate threats. Similarly, malware and advanced attacks are often found by correlating anomalous behaviors in the network such as the presence of unknown or customized traffic, unusual download behavior, and the use of common evasive tactics, such as using dynamic DNS. This intuitively makes sense because if we are combating a more coordinated, multi-vectored attack, then it stands to reason that we will need coordinated, multi-disciplined defenses.
Collaboration Through Sharing of Threat Data
However, even this perspective is limited to the information that we can observe on our own individual networks. As the threat landscape continues to grow more daunting, it will become increasingly important that security teams find a safe way to share data concerning threats across organizational boundaries. In much the same way that we benefit from correlating information across our own security silos, we can also benefit from what other security teams are seeing in the wild. Of course, a certain level of this sharing already happens in the industry in specific areas, such as the sharing of virus information at services like VirusTotal.
This is a good step in the right direction, but it provides insight into just a single piece of an attack. We gain a different perspective entirely if we can begin to understand the process of the attack. For example, was there a phishing component? How was the user targeted and over what applications? What systems or applications were targeted or exploited? What sorts of malware were used and where had they been seen before? How was the attack ultimately detected? Of course, not all of this information is always known, but even when examined in incomplete form, it can provide a much more realistic view into the real attack strategies that we all will likely face.
Challenges, Not Road Blocks
Of course there are challenges to be addressed. Anonymity will be required to ensure that organizations can share information safely. A trusted third party will likely need to be established where information can be safely shared and normalized. This will likely need to include both government and industry resources, which will not be without its challenges. However, even with these obstacles the long-term value to all industries is hard to overlook.
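As an added illustration, not part of the original post, of the anonymity and normalization step described above: a reporting organization keeps the attack-process fields (phishing component, applications, malware hash, detection method), pseudonymizes host identifiers with a per-organization keyed hash so the clearing house can link one organization's reports without reversing them, drops user identifiers, and refuses to emit a record that still carries an internal address. The field names, the record and the key are constructed assumptions, not any real sharing format.

```python
import hashlib
import hmac
import ipaddress
import re

# Fields describing the attack process itself: safe to share as-is (assumed schema).
SHAREABLE = {"first_seen", "phishing_component", "delivery_application",
             "targeted_application", "malware_sha256", "detection_method"}
# Fields identifying the reporting organization's assets: pseudonymized per org.
PSEUDONYMIZE = {"victim_host", "victim_ip"}
# Fields identifying people: never leave the organization.
DROP = {"victim_user", "reporter_email"}

_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def pseudonymize(value: str, org_key: bytes) -> str:
    """Keyed hash: stable within one org (same key), unrecoverable without it."""
    return hmac.new(org_key, value.encode(), hashlib.sha256).hexdigest()[:16]


def leaks_private_ip(record: dict) -> bool:
    """True if any free-text value still contains a private (RFC 1918 etc.) IPv4 address."""
    for value in record.values():
        if not isinstance(value, str):
            continue
        for candidate in _IPV4.findall(value):
            try:
                if ipaddress.ip_address(candidate).is_private:
                    return True
            except ValueError:
                pass  # not a syntactically valid address, ignore
    return False


def sanitize_record(record: dict, org_key: bytes) -> dict:
    """Build the shareable record; fail closed on unclassified fields or leaked addresses."""
    out = {}
    for key, value in record.items():
        if key in SHAREABLE:
            out[key] = value
        elif key in PSEUDONYMIZE:
            out[key] = pseudonymize(value, org_key)
        elif key not in DROP:
            raise ValueError(f"unclassified field {key!r}: refusing to share")
    if leaks_private_ip(out):
        raise ValueError("sanitized record still contains an internal address")
    return out


RAW_INCIDENT = {  # constructed sample incident, not real data
    "first_seen": "2013-05-02", "phishing_component": True,
    "delivery_application": "webmail", "targeted_application": "pdf-reader",
    "malware_sha256": "ab" * 32,  # constructed placeholder hash
    "detection_method": "proxy flagged executable download from a dynamic-DNS host",
    "victim_host": "fin-ws-042.corp.example", "victim_ip": "10.20.30.42",
    "victim_user": "jdoe",
}
```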
Collaboration as a Competitive Advantage
I would also argue that collaboration is one of the fundamental advantages that white hats enjoy over black hats. It’s important to remember that attackers are largely competitive with one another. While attackers obviously learn techniques by observing what works in successful attacks, sharing and collaboration among them are very rare, and typically limited to hacktivist groups. Organized crime and nation-state attackers, on the other hand, are heavily incentivized to keep their techniques secret. Almost by definition, these criminal “for profit” organizations are prevented from sharing information in order to maintain their advantage. As enterprise security teams, we are obviously in a much better position to collaborate. Even where two companies compete with one another, their security teams share the same goal and face the same threat landscape.
If security teams, in both industry and government, can commit to improved collaboration, it will give them the ability to better track emerging infections and stay ahead of new malware techniques.