In the ever-shifting landscape of cyberthreats and attacks, having access to timely information and intelligence is vital and can make a big difference in protecting organizations and firms against data breaches and security incidents.
Malicious actors are getting organized, growing smarter and becoming more sophisticated, which effectively makes traditional defense methods and tools significantly less effective in dealing with new threats constantly appearing on the horizon.
One solution to this seemingly unsolvable problem is the sharing of threat intelligence in order to raise awareness and sound the alarm about new attacks and data breaches as they happen. This way we can avoid major security incidents from recurring and prevent emerging threats from claiming more victims.
Threat intelligence sharing has risen in prominence, giving birth to initiatives such as the Cyber Threat Alliance, a conglomeration of security solution vendors and researchers that have joined forces to collectively share information and protect their customers. We’ve also seen government-led efforts, such as the Cybersecurity Information Sharing Act (CISA), which is meant to ease the way for businesses to join the threat information sharing movement.
The evolution of cyberthreat intelligence sharing is culminating in the development of platforms and standards that help organizations gather, organize, share and identify sources of threat intelligence. Cyberthreat intelligence is also shortening the useful lives of attacks and is putting a heavier burden on attackers who want to stay in business.
There’s still a long way to go, but the inroads made are already showing promising signs.
Dealing with constant changes in the threat landscape
Information gleaned from internal networks and virus definition repositories can serve as sources of threat intelligence, but much more needs to be done to deal with the constant stream of malicious IPs and domains, hacked and hijacked websites, infected files and phishing campaigns that are being spotted on the Internet.
“Today’s cyber threat landscape is polymorphic in nature — constantly changing and making it nearly impossible to detect with traditional security approaches,” says Grayson Milbourne, Security Intelligence Director at cybersecurity firm Webroot. The company’s 2016 Threat Brief has found that 97 percent of 2015’s malware have been seen on a single endpoint, and more than 100,000 new malicious IP addresses are launched every day.
“Given the evolution of malicious code and constantly changing environments, it’s critical that security controls adapt quickly and dependably,” Milbourne says, and he underlines the need to stay ahead of current threats and be able to predict future attacks, which can be achieved through the use of a collective threat intelligence ecosystem.
Many tech firms are now offering security solutions founded on the cyberthreat intelligence sharing concept. Webroot’s own proprietary intelligence sharing platform, BrightCloud, gleans threat intelligence from endpoints and combines it with input from security vendors to provide valuable real-time insights into threats and greater visibility into the behavior of an attack.
Threat intelligence sharing should become an essential aspect of any organization’s security program.
The threat intelligence sharing trend has led other leaders in the tech industry to adopt similar initiatives. Last year, IBM declared its own threat intelligence sharing initiative, X-Force Exchange, a cloud-based platform that extends the tech giant’s decades-old security efforts and allows the clients to share their own intelligence in order to accelerate the formation of the networks and relationships needed to fight hackers.
“This community-based approach enables security teams to associate and uniquely protect one another from threats in real-time,” Milbourne explains. “As soon as a threat is detected on one endpoint, all other endpoints using the platform are immediately protected through this collective approach to threat intelligence.”
Overcoming the challenges of threat intelligence sharing
Threat intelligence sharing comes with its own caveats and presents a few challenges. “In many cases,” says Jens Monrad, Consulting System Engineer at cybersecurity firm FireEye, “organizations end up with a lot of data, sometimes just raw, unevaluated data, which end up adding an extra burden to their security team, increasing the number of events and alerts rather than decreasing it.”
Collaboration between industry peers can help improve the relevance and quality of the shared intelligence, because threats and attacks are often targeted at specific sectors such as finance, banking or retail. This way, industry leaders can better understand the threat landscape and gain insights into practices deployed by others in the industry to better safeguard their own organizations.
Instances of industry-level threat sharing efforts include the recent launch of a portal for ICS/SCADA threat sharing among nations, which took place in the aftermath of the unprecedented cyberattack against Ukraine’s power grid.
FireEye has implemented this model with its Advanced Threat Intelligence Plus platform, which enables clients to develop threat sharing communities with trusted partners. The cybersecurity firm recently partnered with Visa to develop a joint threat intelligence initiative for Visa’s customers, which focuses on cyberthreats toward Visa and its customers.
Business, privacy and legal concerns are also proving to be barricades in efforts to share threat information. As Scott Simkin, Senior Threat Intelligence Manager at Palo Alto Networks points out in an op-ed, security vendors have been previously loath to share information to avoid losing the competitive edge, private companies fear inadvertently sharing sensitive customer information and government agencies have strict controls on the information they share.
Some of these issues can be dealt with through the use of standards, such as STIX, TAXII and CyBox, a set of free, available specifications that have standardized threat information and help with the automated exchange of indicators of compromise (IOC) and other relevant data without leaking personally identifiable information (PII).
The CISA legislation has also helped overcome challenges by lifting some of the liabilities firms and organizations would otherwise be exposed to if they shared data about security incidents.
As for the business side of things, the sheer number of new threats that are being identified on a daily basis is slowly convincing vendors that sharing threat intelligence may prove to be the only way they can protect their interests.
Beyond threat intelligence sharing
The evolution of the cyberthreat landscape has reached a point where it is beyond any individual or organization to defend themselves and their interests against the ever-shifting array of threats. “It is only a matter of when they will become victims of cyber attacks — not if,” says Chris Doggett, SVP of Global Sales at Carbonite.
This issue can only be addressed through a pooling of efforts that expands beyond the disciplines involved in dealing with cyberthreats, Doggett suggests, which should include “sharing cyber threat intelligence, collaborating to minimize vulnerabilities, gaining consensus on global standards for acceptable conduct in cyberspace, and international cooperation to enforce local laws and international standards.”
This is an approach that has been recently put to test in fighting the rising threat of ransomware, which has been growing at an explosive rate and is causing millions of dollars in damage to victims. A collective effort is being led between government agencies, cybersecurity firms and law enforcement to provide effective protection from ransomware, offer recovery solutions and disarm and apprehend the criminals behind the attacks.
On the protection level, tech companies are constantly sharing information about ransomware attacks to better understand how to avoid it and improve the efficacy of security and anti-malware tools. In tandem, efforts are being led to improve data protection and recovery solutions, such as cloud backups and data integrity tools, and security firms are working on solutions to crack the encryption algorithms of specific types of ransomware and disarm them for good.
Security researchers are also collaborating with regional and national law enforcement agencies to track and arrest the cybercriminals involved. An example of such efforts is Kaspersky Lab’s cooperation with the Netherlands Tech Crime Unit to apprehend the individuals behind the CoinVault and BitCryptor campaigns.
Carbonite is working to develop its own proprietary tools to help track malware attacks and respond to them faster and more effectively. “Based on the data we have gleaned, research, and the information sharing with others in this space,” says Doggett “we are now in a position to participate actively from a thought leadership perspective and do our part to arm all users and organizations with knowledge and tools which we believe will allow them to avoid becoming victims of ransomware attacks in the future.”
Sharing is caring
Cybercriminals have been sharing knowledge, tools and experience for a long time, which has lent to their success in staging major data breaches over the past months and years. It’s long past time that the tech community follows suit and teams up to improve general security and mitigate threats to individuals and organizations.
Threat intelligence sharing is already helping detect threats in real time and protect users from malicious encounters. It should become an essential aspect of any organization’s security program if we are to deal with the threats of the future.