Can Cyber Threat Information be Shared in a Trusted Manner?

Suppose you work for an Internet service provider and an email just arrived in your in-box from a government agency. The contents of the message include a list of thirty IP addresses with a grave warning that these “security signatures” are suspicious. The email footer includes boilerplate legal disclaimers discounting the validity of the information. You scratch your head.

Now suppose you work for a bank and you just received a text from a number you don’t recognize. The message says it was nice seeing you at such-and-such meeting or conference, and points you to your personal Gmail account for an email that requires urgent review. You check, and sure enough, there is a warning that several UDP ports are experiencing odd behavior. You scratch your head.

I could continue with these familiar scenarios, but you get the idea. These and similar threat sharing challenges have driven most of the discussions I’ve had over the past couple of years with my longtime friend Paul Kurtz, CEO of TruSTAR. Paul has been at the forefront of this topic since his days at the White House, and I think he knows as much about threat sharing as anyone I know.

If I had to boil down what I’ve learned from Paul, it would be this: The quality of your perspective on cyber threats improves dramatically when you expand your horizons. This requires, of course, that you have a trusted means for interacting with other enterprise and cyber security teams. “We think that contextual awareness is essential to determining what to do with threat information finding its way to your desk,” Paul said.

Here’s an example: Let’s say that your SIEM dashboard ingests and processes network metadata from your enterprise, and that your analysts happen to notice that something odd is occurring with Internet Control Message Protocol (ICMP) packets on your network. They are spiking across the entire network and beginning to cause congestion at your gateways and chokepoints. So, what exactly would you do?

I’ve seen exactly this packet scenario result in local managers Googling to see if an ICMP event was occurring on the Internet. I’ve seen them turn on CNN to see if a worm was brewing. I’ve even seen them email a cousin who works in the IT department of some bank to ask if she is seeing anything. None of these cases – obviously – should be viewed as acceptable. All involve poor threat management planning, and all are to be avoided.

Instead, as Paul’s team is happy to explain, you can and should participate in a trusted exchange, and this involves different levels of nesting. For instance, a private enclave can be created within a company so that rapid information sharing can be enabled between different business units and groups. Investigation of the ICMP example above, for example, might start with notification across the corporate private enclave for information.

Users also should extend sharing beyond the corporate walls into trusted exchange enclaves with participants from other organizations. This can be coordinated with industry collectives such as Information Sharing and Analysis Organizations (ISAOs). “We’ve helped groups such as the Cloud Security Alliance’s Cyber Incident Sharing Center and Sports ISAO maintain better situational awareness of cyber threats,” Paul explained.

Implementing shared information infrastructure turned out to be more gear-head than I’d expected. For example, the underlying data structure for TruSTAR involves graph databases. I went off and researched this topic and found some great YouTube videos on the Neo4j graph database that powers TruSTAR. This structure looks like an excellent match for the types of interwoven semantic queries you’d expect in multiple enclaves.

I think it stands to reason that if you are not either a founder or participating member of a trust enclave, then you should act today to rectify that situation. And if you then happen to get a weird email from the government, or see a protocol like ICMP going nuts later today, then you can resist the temptation to search for information on CNN. You won’t find anything there.

Let me know your experiences.