Late last year, the text of the Cybersecurity Information Sharing Act (CISA) found its way into a consolidated spending bill and was signed into law by President Barack Obama on December 18, 2015. CISA is designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." The law allows for the sharing of various types of digital information between U.S. government agencies and private sector organizations.
What's so great about threat intelligence sharing? The basic assumption is that federal intelligence agencies (e.g. CIA, NSA, DoD) and law enforcement agencies (e.g. FBI, Secret Service) regularly collect classified, unique threat intelligence about the tactics, techniques, and procedures (TTPs) used by cyber-adversaries. Meanwhile, private organizations face a constant barrage of targeted cyber-attacks that the Feds never see. By regularly sharing threat intelligence, public and private sector organizations can each gain insight the other lacks, which may help them mitigate risk, detect an attack, or remediate ongoing problems.
There are a few examples where threat intelligence sharing actually worked well in the past. One of the most successful efforts came after hackers penetrated a military contractor's network in 2007 and exfiltrated classified data about the next-generation F-22 fighter jet. After this event, the Feds took the unusual step of sharing classified cyber threat intelligence with an array of strategic government suppliers. This ultimately evolved into the Defense Industrial Base Cybersecurity Information Sharing Program (DIB CS). Since its inception, DIB CS has grown bigger, more extensive, and more structured.
While the DIB CS is generally regarded as successful, it is important to note that it is a rather unique program. DIB CS actually began as a Department of Defense (DoD) mandate where defense companies either participated or placed their government contracts in jeopardy. Furthermore, DIB CS was based on a hub-and-spoke model where DoD acted as threat intelligence aggregator, manager, and distributor. In other words, the U.S. military controlled the whole process from end-to-end.
Unfortunately, private sector threat intelligence sharing tends to be far more informal and ad hoc than the highly-structured DIB CS. Lacking a central controlling organization, many private sector organizations run into problems at every stage of the threat intelligence lifecycle: collection, analysis, management, and sharing. What types of problems? In 2015, the Enterprise Strategy Group (ESG) surveyed 304 IT and information security professionals at enterprise-class (1,000 employees or more) organizations in North America to assess the state of their threat intelligence program operations and future strategies. In analyzing the survey data, ESG uncovered a multitude of issues, including:
- Threat intelligence program immaturity. Threat intelligence sharing must be based upon well-established policies, processes, and operations. These tasks are actually a work-in-progress at many organizations, as 40 percent of enterprises have only had a formal threat intelligence program in place for two years or less. As a result of this immaturity, cybersecurity professionals often complain that it is difficult to “operationalize” threat intelligence today. In other words, organizations find it difficult to collect, process, analyze, and act upon threat intelligence in a timely manner. These internal problems certainly impact threat intelligence sharing efficacy and will continue to be a challenge in the foreseeable future.
- Limited threat intelligence skills. Threat intelligence analysis and sharing requires advanced technical expertise and hands-on experience. Unfortunately, many organizations don’t have these in-house skills. For example, 19 percent rate their organizations’ threat intelligence skills as fair or poor with regard to their ability to correlate different types of threat intelligence and/or act upon threat intelligence in a timely manner.
- Today's threat intelligence sharing tends to be informal and personal. While 37 percent of enterprises regularly share internally-derived threat intelligence with other organizations and industry ISACs, they admit to doing so mostly through interpersonal communications like phone calls and emails. These one-to-one conversations are the opposite of what is needed for real-time, machine-to-machine sharing among hundreds or thousands of organizations.
- Threat intelligence sharing is burdened by legal, technical, and operational issues. Threat intelligence sharing must be anchored by business and technical processes to gather all relevant information, anonymize data, and package it in a common format that others can understand and consume. Most enterprises have yet to create best practices in any of these areas.
From a theoretical perspective, threat intelligence sharing is the ultimate crowdsourcing application. If organizations share data about attackers, they can create a network-based neighborhood watch where everyone knows what to look for and thus everyone benefits. In reality, however, threat intelligence sharing depends on each participant's ability to collect, process, normalize, anonymize, and share human- and machine-readable data constantly and in near real-time. Given the market's relative immaturity, it may be years before we can achieve measurable benefits, let alone threat intelligence sharing nirvana.
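The "anonymize data and package it in a common format" step from the list above, and the normalize/anonymize/share pipeline described in the closing paragraph, are where most ad hoc sharing efforts fall down. The following is an added example, not code from the original article or from ESG, showing the minimum a sharing pipeline has to do before an internal sighting can leave the building: refang and canonicalize the indicator so two analysts' copies of the same domain compare equal, drop anything that would reveal internal topology (RFC 1918 addresses, internal hostnames), replace victim hostnames with a keyed pseudonym so distinct victims can still be counted, and emit a STIX 2.1-style pattern in a simple JSON envelope with a TLP marking. The sighting records, the `.corp.example.internal` suffix, the `ORG_SALT` value and the envelope layout are all constructed for the example.

```python
"""Normalize and anonymize internal sightings into a shareable indicator bundle."""
import hmac
import hashlib
import ipaddress
import json
import re
from typing import Dict, List, Optional

# Constructed sample export from an internal SOC; not real data.
RAW_SIGHTINGS = [
    {"host": "ws-0417.corp.example.internal", "src_ip": "10.20.30.41",
     "dst": "MAL[.]example[.]com:443", "type": "domain", "seen": "2016-01-12T09:14:00Z"},
    {"host": "ws-0417.corp.example.internal", "src_ip": "10.20.30.41",
     "dst": "198.51.100.23", "type": "ip", "seen": "2016-01-12T09:15:30Z"},
    # Internal lateral movement: useful to us, must never be shared externally.
    {"host": "srv-mail-01.corp.example.internal", "src_ip": "10.20.30.5",
     "dst": "192.168.7.9", "type": "ip", "seen": "2016-01-12T10:00:00Z"},
    {"host": "ws-0912.corp.example.internal", "src_ip": "10.20.31.77",
     "dst": "mal.example.com", "type": "domain", "seen": "2016-01-13T11:02:00Z"},
]

ORG_SALT = b"example-salt-rotate-per-sharing-period"   # assumption: per-org secret
INTERNAL_DOMAIN_SUFFIXES = (".corp.example.internal",)  # assumption: our own namespace
# Assumption: the org's non-shareable address space. In production use your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]
STIX_OBJECT_PATH = {"domain": "domain-name:value", "ip": "ipv4-addr:value"}


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so indicators from different sources compare equal."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalize(value: str, kind: str) -> Optional[str]:
    """Return the canonical form of an indicator, or None if it is not valid for its kind."""
    value = refang(value).lower()
    if kind == "domain":
        value = re.sub(r"^[a-z]+://", "", value).split("/")[0].split(":")[0].rstrip(".")
        return value if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value) else None
    if kind == "ip":
        value = re.sub(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$", r"\1", value)  # strip IPv4 port
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    return None


def is_shareable(value: str, kind: str) -> bool:
    """Reject indicators that would leak internal topology to other participants."""
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return not any(addr in net for net in INTERNAL_NETS)
    return not value.endswith(INTERNAL_DOMAIN_SUFFIXES)


def pseudonymize(host: str) -> str:
    """Keyed hash of a victim hostname: lets us count distinct victims without retaining names."""
    return hmac.new(ORG_SALT, host.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_bundle(sightings: List[Dict], tlp: str = "amber") -> Dict:
    """Aggregate raw sightings into one shareable entry per indicator, dropping internal ones."""
    indicators: Dict[str, Dict] = {}
    dropped = 0
    for s in sightings:
        kind = s["type"]
        value = normalize(s["dst"], kind)
        if value is None or not is_shareable(value, kind):
            dropped += 1
            continue
        entry = indicators.setdefault(value, {
            "type": kind, "pattern": f"[{STIX_OBJECT_PATH[kind]} = '{value}']",
            "first_seen": s["seen"], "last_seen": s["seen"], "sightings": 0, "victims": set()})
        # ISO-8601 UTC timestamps of equal width compare correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], s["seen"])
        entry["last_seen"] = max(entry["last_seen"], s["seen"])
        entry["sightings"] += 1
        entry["victims"].add(pseudonymize(s["host"]))
    shareable = [{"value": v, "type": e["type"], "pattern": e["pattern"],
                  "first_seen": e["first_seen"], "last_seen": e["last_seen"],
                  "sightings": e["sightings"], "distinct_victims": len(e["victims"])}
                 for v, e in sorted(indicators.items())]  # victim pseudonyms stay internal
    return {"tlp": tlp, "indicators": shareable, "dropped_count": dropped}


def to_json(bundle: Dict) -> str:
    """Serialize the bundle as it would be handed to a sharing platform or ISAC feed."""
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    print(to_json(build_bundle(RAW_SIGHTINGS)))
```

Run as-is, the bundle contains two indicators (the external IP and the domain, the latter with two sightings from two distinct victims) and reports one dropped record, the internal-to-internal connection. The pseudonyms never appear in the output; they exist only so the distinct-victim count survives without the hostnames, and rotating `ORG_SALT` per sharing period prevents recipients from linking victim counts across bundles.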