Sharing Threat Data - What’s Worth Sharing and What are the Benefits?
Network defense is a challenging undertaking. In today’s environment, where the landscape is so open to global cyber threats, it is difficult for any firm, company, or organization to rely solely on itself for protection. But that hasn’t stopped most from trying. Point-source security solutions have flooded the marketplace for almost a decade, and recent proactive advances in cyber security are still in their infancy. The cost of securing information continues to grow, and many organizations are spending upwards of 10% of their overall IT budgets on security. Yet they are still very limited, at the mercy of the technology they implement and the skill set of their security staff.
What’s Driving the Need to Share Threat Data?
From organization to organization, the menu of data sources collected and security tool sets implemented differs. These variances exist because of the specific mission each organization carries out, the experience and expertise of those weighing in on the procurement process, and/or the environment in which it operates. As a result, each organization’s security profile and capabilities have both strengths and weaknesses. And while everyone has security intelligence to offer, no one has the complete picture. Wouldn’t it be nice to leverage each other’s strengths and pool resources, since everyone faces similar challenges?
Global cyber threats are more persistent and penetrate deeper the longer they go unnoticed. The reason for this is two-fold: (1) in some cases there are new and unique attacks that go undetected; and (2) in other cases known threats fly under the radar due to limited awareness. Similar threats, and often the same actors, impact multiple organizations. In fact, the majority of malicious actors or bad IPs are repeat offenders and have already been detected and flagged as such. But like the Terrorist Screening Center’s “No-Fly List”, this data is not effective unless shared with the appropriate agencies and authorities.
Most financial organizations have done a respectable job identifying and documenting IP addresses involved in fraud attempts, identity theft, and phishing schemes. They maintain these lists and often program the IPs to be blocked by their perimeter security devices. The next step is to share this information so others can benefit from their analysis. The financial industry is certainly a competitive environment; however, its members have expressed an interest in banding together to work towards information sharing to secure their business environment. This will allow them to compete on a level playing field where their services and offerings distinguish their brand, rather than having their position driven by a loss of confidence from being the victim of the latest cyber attack.
What’s Worth Sharing?
Bits and pieces of attack data and malicious activity exist throughout the Internet. There is NO one data source that serves all. Pooling assets to amass a comprehensive view is a logical way forward. Details characterizing specific threats would serve as the basis for cyber security information sharing. Elements worth collecting and sharing include:
• Threat Type – phish, DNS or BGP hijack, malware, etc.
• Threat Source – URL, nameserver, DNS server, hostname, IP address, etc.
• Assets Targeted – websites, systems (DNS, mail, etc.), infrastructure, etc.
• Impact and/or Severity of Threat – scenarios, likely effects, things to look for
• Recovery/Remediation Steps – procedures, patches, call lists, etc.
• Prevention Tips – buying/configuration guides, recommendations, etc.
How to Enable Sharing and Notifications/Alerts?
Sharing works best when a broad spectrum of participants is involved in a win-win engagement. Industry partners, Information Sharing and Analysis Centers (ISACs), and the federal government are all major players with a lot to offer. Cross-sector sharing is a concept requiring the complete support and participation of the federal government, the various industry ISACs, and the affected community. In an ideal situation, the government would alert the various sectors not via email but through a common web-based sharing platform. In turn, commercial industry players would provide input to the platform to be shared with industry partners, the federal government, and the community at large. Obviously, to achieve optimal efficiency for ALL involved, this has to be a two-way street!
A cyber situational awareness platform is at the core of threat sharing. To ensure we are not left with the ineffective report and alert systems that exist today, a platform providing context to each notification should be employed: one that accepts and fuses data from global, sector, and private data sources; provides adequate visualization and analysis capabilities; and delivers actionable information in a timely fashion through existing and well-adopted wired and wireless devices. While automation is critical, the human element must also be introduced to develop and deliver course-of-action information and to evaluate the severity of the attack.
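As an added illustration, not from the original article, the following Python sketches a shareable record carrying the elements listed under “What’s Worth Sharing?” together with the fusion step such a platform would run over submissions from several contributors, surfacing indicators that more than one organization has already flagged (the repeat offenders mentioned earlier). All field names, vocabularies and sample records are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Vocabulary drawn from the elements listed in the article (field names are assumed)
THREAT_TYPES = {"phish", "dns-hijack", "bgp-hijack", "malware"}
SOURCE_KINDS = {"url", "nameserver", "dns-server", "hostname", "ip"}
REQUIRED = ("contributor", "threat_type", "source_kind", "source",
            "assets", "severity", "remediation")

def validate_record(rec):
    """Return the list of problems with a shared record (empty list = shareable)."""
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("threat_type") not in THREAT_TYPES:
        problems.append("unknown threat_type")
    kind, value = rec.get("source_kind"), rec.get("source", "")
    if kind not in SOURCE_KINDS:
        problems.append("unknown source_kind")
    elif kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append("source is not a valid IP address")
    elif kind == "url" and not urlparse(value).scheme:
        problems.append("source URL lacks a scheme")
    return problems

def fuse(records, min_reports=2):
    """Pool valid records; return indicators reported by >= min_reports contributors."""
    seen = defaultdict(set)
    for rec in records:
        if validate_record(rec):
            continue  # malformed submissions are dropped, never merged into the pool
        seen[(rec["source_kind"], rec["source"])].add(rec["contributor"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_reports}

# Constructed sample submissions from hypothetical contributors
SAMPLE = [
    {"contributor": "bank-a", "threat_type": "phish", "source_kind": "ip",
     "source": "192.0.2.10", "assets": ["web"], "severity": "high",
     "remediation": "block at perimeter; reset affected credentials"},
    {"contributor": "bank-b", "threat_type": "phish", "source_kind": "ip",
     "source": "192.0.2.10", "assets": ["web"], "severity": "high",
     "remediation": "block at perimeter"},
    {"contributor": "isac", "threat_type": "malware", "source_kind": "url",
     "source": "http://example.invalid/drop", "assets": ["mail"],
     "severity": "medium", "remediation": "quarantine attachments"},
    {"contributor": "bank-c", "threat_type": "phish", "source_kind": "ip",
     "source": "not-an-ip", "assets": ["web"], "severity": "low", "remediation": "n/a"},
]
```

Running `fuse(SAMPLE)` yields only the IP reported independently by two banks; lowering `min_reports` to 1 also returns the ISAC’s URL, while the malformed bank-c entry is rejected either way.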
Realizing the Benefit
Response time, data access, coverage, flexibility, participation, and accuracy are the criteria that will determine the success or failure of a solution supporting threat sharing. But if effective, the following benefits may be realized:
• Reduced Incidents
• Reduced Costs – leveraging cross-industry assets, resources, tools, and data
• Extended Awareness
• Community Trust
• Successful Prosecution of Bad Actors
Just as firefighters, police officers, and federal authorities have had to learn to communicate and work better together, so too do cyber first responders in order to provide a safe environment to conduct business over the Internet.