Threat Intelligence Sharing: A Public Good

Scott Simkin
Senior Threat Intelligence Manager, Palo Alto Networks

Threat intelligence sharing has a complex history within the security industry. The premise is simple: cybercriminals often launch attacks with similar components, use the same tactics, or even re-use the same malware or exploits over and over again. If every organization were sharing intelligence on the attacks being launched against it, we could develop protections that essentially de-fang the adversary, taking away their ability to do harm on a very large scale. Adversaries would then be required to craft custom attack tools for each operation, increasing the time and cost it takes them to breach organizations. This is a shared, common good, which benefits both public and private entities. For instance, we have seen many examples of malware originally developed to compromise nation-state targets trickle down to other adversaries. Their victims could have benefited from advance knowledge of these threats.

The benefits can be immense, but there have been challenges to embracing threat intelligence sharing on a wide scale:

  • Security vendors have been loath to share the intelligence they collect from their customer base in a wide manner, believing that it could harm their business, as it is one of their competitive advantages.
  • Private companies have been wary of sharing data, fearing they will expose sensitive customer information, or give their competitors an advantage.
  • Government agencies have strict controls on the information they can share, and the process for accessing classified information is often arduous.

In the face of increasing cyberattacks, we must remember that we exist as a community. The more we work together, the faster we can identify and prevent threats from causing harm. Threat intelligence sharing does not need to put sensitive information at risk, which is the common thread running through the objections. Instead, we should focus our efforts on sharing Indicators of Compromise (IOCs) and adversary profiles. This means we would be sharing items such as malicious IP addresses used for command-and-control activities and weaponized files used to deliver malware, not business plans or personally identifiable information (PII).

In order to support this goal, the United States government has put more focus than ever on promoting the sharing of threat intelligence within the private sector, and between the private sector and the government. Beginning in early 2015, President Barack Obama signed Executive Order 13691, which directed the Department of Homeland Security (DHS) to help shepherd this process and put sharing into practice. The order establishes a few fundamental processes that will be critical going forward:

  • Creation of Information Sharing and Analysis Organizations (ISAOs), which will allow private companies to more easily join together and share threat information. Currently, the University of Texas at San Antonio is working to define the standards of ISAOs, a critical step in scaling the program.
  • Collaboration between ISAOs and the National Cybersecurity and Communications Integration Center (NCCIC) to centralize and coordinate the sharing of intelligence across the government and private organizations, including classified information.
  • Establishment of strong privacy and civil liberties protections.
  • Setting the stage for liability protection, ensuring information sharing is protected and incentivized.

The final piece of the puzzle is how to turn this intelligence into actionable protections. By itself, information is not valuable, but the positive change it can effect in your security posture is. First, you must receive and process intelligence in an automated way, as no human could manually analyze the volume of information produced by these types of efforts. As part of the ISAOs, members will receive “practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms.” Once you receive the information, the last mile is creating automated protections that can re-program your security infrastructure in real time. Your security solutions must possess the capability to ingest, process, and create new protections based on this type of sharing going forward.
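The two technical points above, sharing only IOCs such as command-and-control IP addresses and file hashes rather than PII, and ingesting a feed automatically to produce protections, can be shown end to end in a small pipeline. The following is an added example, not code from the article, from Palo Alto Networks, or from any ISAO or NCCIC program. It assumes a constructed JSON feed format (`type`, `value`, `context`, plus fields a careless exporter might leak), a constructed proxy log, and a vendor-neutral placeholder rule syntax; every indicator value is a documentation address or a constructed hash.

```python
import ipaddress
import json
import re

# Constructed sample feed (placeholder format, not a real ISAO export).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the hash is made up.
SAMPLE_FEED = json.dumps([
    {"type": "ipv4-addr", "value": "203.0.113.45", "context": "c2",
     "reported_by": "jane.doe@example.org"},            # field that must not be shared
    {"type": "sha256", "value": "a" * 64, "context": "dropper"},
    {"type": "sha256", "value": "not-a-hash", "context": "dropper"},   # malformed
    {"type": "ipv4-addr", "value": "10.0.0.5", "context": "c2"},       # internal address
    {"type": "ipv4-addr", "value": "203.0.113.45", "context": "c2"},   # duplicate
    {"type": "email-addr", "value": "victim@example.org", "context": "target"},  # PII
])

# What the sharing policy permits to leave the organization.
SHAREABLE_TYPES = {"ipv4-addr", "sha256"}
SHAREABLE_FIELDS = {"type", "value", "context"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def sanitize(raw_json):
    """Reduce a raw feed to shareable, well-formed, de-duplicated IOCs.

    Returns (clean_iocs, rejected) where rejected pairs each dropped item
    with the reason, so a reviewer can audit what was withheld.
    """
    clean, rejected = {}, []
    for item in json.loads(raw_json):
        ioc_type = item.get("type")
        value = str(item.get("value", "")).strip().lower()
        if ioc_type not in SHAREABLE_TYPES:
            rejected.append((item, "non-shareable indicator type"))
            continue
        if ioc_type == "ipv4-addr":
            try:
                addr = ipaddress.IPv4Address(value)
            except ValueError:
                rejected.append((item, "malformed ip"))
                continue
            if any(addr in net for net in INTERNAL_NETS):
                rejected.append((item, "internal address"))  # leaks topology, never a C2
                continue
        elif not SHA256_RE.match(value):
            rejected.append((item, "malformed sha256"))
            continue
        key = (ioc_type, value)
        if key not in clean:  # silently collapse duplicates
            clean[key] = {k: item[k] for k in SHAREABLE_FIELDS if k in item}
            clean[key]["value"] = value
    return list(clean.values()), rejected


def build_blocklist(iocs):
    """The 'last mile': turn received IP indicators into a set a control can enforce."""
    return {i["value"] for i in iocs if i["type"] == "ipv4-addr"}


def render_rules(blocklist):
    """Placeholder rule syntax (not any vendor's); one deny line per indicator."""
    return [f"deny ip any host {ip}" for ip in sorted(blocklist)]


# Constructed proxy log with two connections to the shared C2 address.
SAMPLE_PROXY_LOG = """\
2015-03-02T10:15:01Z src=192.168.1.20 dst=203.0.113.45 dport=443 action=allow
2015-03-02T10:15:07Z src=192.168.1.21 dst=198.51.100.9 dport=80 action=allow
2015-03-02T10:16:00Z src=192.168.1.20 dst=203.0.113.45 dport=8080 action=allow
"""
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_log(log_text, blocklist):
    """Retro-hunt: return log lines whose destination is a shared C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if m and m.group(1) in blocklist:
            hits.append(line)
    return hits


if __name__ == "__main__":
    iocs, rejected = sanitize(SAMPLE_FEED)
    print("shareable:", iocs)
    for item, reason in rejected:
        print("withheld:", reason, item)
    rules = render_rules(build_blocklist(iocs))
    print("\n".join(rules))
    for hit in match_log(SAMPLE_PROXY_LOG, build_blocklist(iocs)):
        print("hit:", hit)
```

The same `sanitize` step serves both directions: run it on your own data before publishing to an ISAO so that reporter identities, victim addresses and internal topology never leave, and run it on a received feed so that malformed or internal values never become firewall rules. Keeping the rejected list lets a human review the exceptions without having to read the whole feed.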

Now is the time to consider what your organization’s policy towards intelligence sharing will be. This may not appear to be a groundbreaking innovation, but it has the chance to fundamentally change the way we protect ourselves as a whole. It is also the time when you can influence the path the ISAOs will take, as the standards are still being developed. Get engaged early, in order to ensure they are as valuable as possible. When information is being freely shared between public and private companies, especially as it spreads to a global exchange, we will have taken a large step in protecting the Internet at large from adversaries.

The Author is Scott Simkin

Scott Simkin is a Sr. Threat Intelligence Manager at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility.
