Expert Advice on Cyber Threat Information Sharing

Few safeguards for the protection of infrastructure enjoy as much universal appeal across the cyber security community as threat information sharing. Accurate exploit indicators, attack methods, malware signatures, address sources, and other real-time intelligence data are all generally regarded as essential components of any cyber defensive program. I am not aware of a single cyber security professional who would dispute that fact. And yet, here we are in early 2017, and any expert would also confidently state that most CISO teams are not properly supporting real-time threat sharing to reduce their cyber risk. So many different explanations (excuses) are offered to explain this slow progress: Hard-to-use platforms, uneven federal laws, tepid senior management support, lack of trained staff, and on and on. Because this is such an important protection issue, especially in critical infrastructure settings, I decided to go directly to one of the recognized experts in this area, my longtime friend Paul Kurtz, CEO of TruSTAR. Paul’s time at the White House, his experience with the National Security Council, and his leadership in industry make him uniquely qualified to help us all understand the state-of-the-art, as well as the state-of-the-possible, in threat information sharing for cyber security.

EA: Paul, everyone agrees that information sharing is important. Why do you think it has received such relatively slow adoption?

PK: To answer that question, we need to first remember that the gold standard of information sharing involves active incidents being shared broadly, and including timely details about the context, indicators, logical connections, and discovery origins of a given incident. This type of sharing creates an actionable exchange for security operations teams, which is why there is such agreement that the process is valuable. But over the years, we’ve also noticed an increase in the perceived risk of exposure that comes from threat information sharing. That is, while companies are willing and excited to consume incident data, they are often reticent to share into these communities due to concerns about the market and reputation risk of sharing with the wrong person or group. In addition, security operators need to receive clear, tangible benefits from sharing. Historically, sharing groups and structures have relied on altruism as an incentive, but that is no longer enough. So, improved mechanisms are clearly needed to address these concerns, and that’s something my team and I have been focused on solving.

EA: How important is it that threat information sharing include an option for anonymity?

PK: Anonymity, coupled with a well-vetted community, is critical. Historically, when a CISO faces a problem, they shy away from sharing with anyone beyond their closest friend group because they are wary of exposure. The problem with such limited sharing is that the likelihood that one of their buddies is experiencing something similar and can offer additional insight is slim. There may be a willingness to share some data after-the-fact, but by then it is too late. The company experiencing pain remains in the dark of what others may have experienced, hindering investigation and response. Others remain unaware and become prey to the same attacks. With anonymity, a company can quickly begin collaborating with a much broader set of known good guys, which may include the competition, investors, or suppliers, all without fear of being connected to the incident. Anonymity enables incidents to flow far earlier in the incident response cycle and protects against the market or reputation risk of sharing. However, anonymity is not a panacea. It addresses risk of exposure, but companies participating in an exchange must also receive an immediate benefit, such as correlation, from their participation.

EA: When information is collected by an organization, how easy is it for correlation to occur from different sources? And can this be done centrally by a third-party?

PK: The problem to date has been that we are all trying to correlate sensor-based and open-source data streams with each other to gain actionable insight. While such correlation might be easy, the resulting analysis is often not actionable. That is, it might lack context or explanation of what is happening and what steps to take. When you start with real incident data or an anomalous event, it is easier to bring in context by correlating with similar events at other companies, with threat service feeds like VirusTotal or Farsight, as well as open source reports. Without a doubt this can be done by a third party, and I would argue that it needs to be done by a third party to be effective. Otherwise, you are only working with one part of the puzzle.

EA: True collaboration between security operations teams has been thin the past few years. Do you think the necessary incentives can be provided to improve this situation?

PK: SOC teams are far more likely to collaborate if they gain something from the interaction. Since the likelihood of identifying correlations related to a given incident increases as the contribution-base increases, I see this boiling down to a question of how to establish comfort with sharing at a large scale. At TruSTAR, we believe that protections such as anonymity, vetting, and redaction are enough to establish that comfort, and thus build out an active exchange that brings value to those that contribute. Equally important is the value back to the operators who need to see correlated results immediately and to be notified of relevant changes or new developments immediately. With these capabilities in place, operators also need a means to collaborate. Being able to engage others over common data sets is important. These conversations, which enrich reporting with additional context and expertise, allow operators to later return to a conversation and build narratives around events. Alerting also allows operators to continue to engage with each other as conversations develop without having to have eyes on the screen all the time.

EA: What is the current state of automated ingest of threat information? Are there good standards in the industry?

PK: There are a lot of platforms that provide sensor-based data, however, these often lack the broader context needed for security operations teams to understand and act upon the information. We need to move towards incident data as a primary source and there is not a gold standard yet for automated ingest of incidents. But, there are supporting mechanisms in place, like STIX and TAXII that will help guide this effort going forward.

EA: Do you think global cyber security coordination and cooperation is going to be possible? It seems inconceivable to imagine America, China, and Russia sharing threat information in a friendly, cooperative manner.

PK: We live in a world with multinational companies that support customers around the globe. If we could coordinate more effectively with each other, the risk associated with most cyber attacks would be reduced significantly. But, we need to be realistic. Ensuring that you are coordinating and collaborating with trusted and vetted partners is paramount. An exchange mechanism must have the means of continuously vetting companies, while also being able to discharge those parties that are not trustworthy.