Internal opportunities for information sharing might seem obvious, but are easily overlooked.
Information sharing is essential if we want to get ahead of the escalating cyberthreats today’s organizations are facing. We are just beginning to learn that we can no longer afford to build network security solutions based on isolated devices that cannot share threat intelligence or coordinate a response. As networks become more complex and distributed, the ability to consistently secure a workload as it moves across the network from an endpoint device to the cloud is more critical than ever.
The same is true for sharing critical information between related organizations. While there is understandably a natural resistance to sharing sensitive security-related information with another organization, the interconnectedness of our infrastructures, and the critical role they play in both our public and private lives makes this issue too important to ignore or delay. Of course, the problem is as much in the how as in the why.
Until recently, attempts to exchange information between disparate entities have been complicated by the ad-hoc methods being used. Fortunately, a number of reasonably well-defined methods for exchanging information have finally been established. These include STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and more recently, CybOX (a standardized language for representing cyber observables). As more feeds begin to support these standards, the effort required for an organization to consume multiple feeds will be reduced.
Eventually all of this starts looking like a big data analytics problem, given the massive variability inherent in the data. Even IP addresses remain meaningful for ever shorter periods of time, so indicators need an expiry. Technologies like de-duplication and data correlation need to be incorporated into the overall solution to keep the volume of data down to a reasonable amount. Additionally, making data more easily consumable will require new data visualization techniques.
This data volume challenge is being further complicated by the recent increase in the number of platforms being targeted. Smart devices are everywhere, and are powerful, well connected, and frequently under-protected. Even if you are relatively competent at tracking attacks against one or two platforms or operating systems, it is becoming increasingly unlikely that you can track everything that is accessing your network – particularly as the IoT invasion into corporate networks starts to escalate.
One of the most efficient ways to reduce the number of feeds you need to consume is to discover what feeds your security partners and vendors provide. While there will most likely be a charge, if they already consolidate a lot of feeds into a single stream then much of the complicated work has already been completed, thereby actually reducing your implementation costs. And you will have moved the cost for this from a resource-based expense to one that is purely an operating expense.
There are also a few public domain open-source feed consolidations, like hailataxii, that are a starting point towards consolidating feeds, and a good way to start to get an understanding of the complexity involved.
Consuming the data provided by these feeds becomes significantly more complicated as the number of feeds increases. And once you have the data, the bigger challenge is how to take that data and make informed and actionable decisions. Simply making this data another thing to monitor doesn’t provide a lot of value, other than perhaps being able to say you consume external threat information.
While consuming, consolidating, and correlating information provides obvious benefits, always keep in mind how you and your organization can also contribute back to these information feeds. There are tangible benefits to your organization for doing so – particularly with the evolution from broad-based attacks focused on specific platforms to highly complicated, multi-vector targeted attacks. So the wider the scope of visibility (i.e. by sharing threat information) the more able we will be to detect and mitigate these attacks.
A number of information sharing groups have been created, known as ISACs, to assist in this process. There are almost as many as there are industries: financial services (FS-ISAC), power generation (E-ISAC), oil and gas (ONG-ISAC), health (NH-ISAC), industrial control systems (ICS-ISAC), and even information technology (IT-ISAC).
Assuming you choose to share, consider sharing more than just the malicious payload. The most useful information also includes the behavior and activities observed, suspect connection attempts to Command and Control (C2) servers, etc.
Once you decide to collect and consume threat information, how do you prioritize your efforts?
• Evaluate logging and analytics platforms to see if you can incorporate their data with that from external sources. You need to find out if your current system provides actionable information, or if a lot of manual intervention is required.
• Start slow in order to understand the scale of the problem. Focus on consuming data from organizations that already consolidate data from multiple sources.
• Consume feeds from organizations that actually perform their own threat research, particularly in the area of zero day attacks and threats against emerging platforms like IoT.
• Join an applicable ISAC or similar threat information sharing community. You should be able to leverage this community experience back into managing your own operations.
• Consider how you will contribute back to the larger community, and what data you are willing to contribute.
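The de-duplication, expiry and correlation described above, and the first two steps of the list, in miniature: an added example that is not code from the original post. It merges two constructed feed extracts that report overlapping indicators in slightly different shapes, drops anything older than an assumed 30-day validity window, and matches what is left against a few constructed log lines.

```python
"""Consolidate indicators from several feeds, de-duplicate, expire, correlate.
Added illustration; the feeds, log lines and validity window are constructed."""
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample feeds: the same IP and domain appear in both, spelled
# differently (case, trailing dot), plus one stale IP only feedB reports.
FEEDS = {
    "feedA": [
        {"type": "ipv4", "value": "198.51.100.7", "seen": "2016-03-01T10:00:00"},
        {"type": "domain", "value": "Bad.Example.", "seen": "2016-03-02T09:30:00"},
    ],
    "feedB": [
        {"type": "ipv4", "value": "198.51.100.7", "seen": "2016-03-03T08:00:00"},
        {"type": "domain", "value": "bad.example", "seen": "2016-02-20T12:00:00"},
        {"type": "ipv4", "value": "203.0.113.9", "seen": "2016-01-05T00:00:00"},
    ],
}
VALIDITY = timedelta(days=30)  # assumed: IP and domain indicators go stale fast

def normalize(ind):
    """Canonical (type, value) so the same indicator from two feeds collides."""
    value = ind["value"].strip().lower().rstrip(".")
    if ind["type"] == "ipv4":
        value = str(ipaddress.ip_address(value))  # rejects malformed addresses
    return ind["type"], value

def consolidate(feeds, now):
    """One entry per indicator: latest sighting plus the feeds that reported it.
    Entries whose last sighting is older than VALIDITY are dropped."""
    merged = {}
    for name, entries in feeds.items():
        for ind in entries:
            key = normalize(ind)
            seen = datetime.fromisoformat(ind["seen"])
            cur = merged.setdefault(key, {"last_seen": seen, "sources": set()})
            cur["last_seen"] = max(cur["last_seen"], seen)
            cur["sources"].add(name)
    return {k: v for k, v in merged.items() if now - v["last_seen"] <= VALIDITY}

def correlate(indicators, log_lines):
    """Return (line, matched indicator values) for lines that mention a live indicator."""
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s=,]+", line.lower()))  # split key=value fields
        matched = [value for (_, value) in indicators if value in tokens]
        if matched:
            hits.append((line, matched))
    return hits
```

Feeding the merged set into the existing logging platform, rather than treating the feeds as one more console to watch, is what turns the data into something actionable.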