Defenders Still Chasing Adequate Threat Intelligence Sharing
November 13, 2013
BOSTON – If you’re looking for tangible information sharing success stories around attack intelligence, some might point to the prompt publishing of indicators of compromise (IOCs) as an example. Security and forensics companies will publish MD5 hashes of malware, IP addresses involved in attacks, malware signatures and other artifacts relevant to a breach or malware outbreak. The problem is that all of these artifacts are made available post-attack, and don’t satisfy the need for real-time data on intrusions, in particular for sensitive industries such as financial services or utilities.
“I want to hear about this stuff as, or before, it impacts me,” said James Caulfield, advanced threat protection program manager for the Federal Reserve Bank in Boston. “[IOCs] just isn’t fast enough.”
Among Caulfield’s responsibilities at the Fed is the coordination of threat information among other regional Federal Reserve banks. He hopes the development of standards for the collection and dissemination of threat intelligence such as CRITs (Collaborative Research Into Threats) and STIX (Structured Threat Information Expression) will eventually pave the way for automated information sharing between machines.
“We need to set standards and fill this stuff out, but in agnostic ways, not in ways that say you need to buy this stuff from Vendor X. That way lies madness,” Caulfield said. “We want this to be as close to open source as feasible. So we’re not tying people to vendors or to products. We’re not looking to sell anything; we’re looking to claw back some of the space we lost.”
Caulfield was speaking about the Advanced Cyber Security Center (ACSC) which hosted its annual conference at the Fed here Tuesday. The ACSC is a cross-sector group of more than 30 public and private sector security officers who meet monthly to facilitate information sharing. Standards such as CRITs and STIX define how attack intelligence is analyzed and transmitted, respectively, and while some industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) have succeeded in collaborating and sharing sanitized information, ACSC hopes to see that kind of sharing not only between the government and private sector, but horizontally across private companies, even competitors.
“Threat sharing gives us that lead time to get in front of threats,” Caulfield said, referring in particular to targeted attacks and APT-style intrusions where well-funded attackers use commodity malware and custom Trojans to access networks and steal data. “When we get indicators like domains or emails to give us some insight into what we’re looking for, we can begin to not only scour through our instrumentation and logs to see how that happened here, but we can also begin to alert toward those types of things and put in a much stronger net to catch this stuff as it comes at us.”
The challenges to success, however, aren’t necessarily a lack of desire to share information, but legal hurdles put in place by lawyers or executives afraid of sharing too much with a competitor in the same industry.
Phyllis Schneck, Deputy Under Secretary for Cybersecurity at the National Protection and Programs Directorate of the U.S. Department of Homeland Security and today’s keynote speaker, pointed out the obvious truth that attackers often do a better job of sharing information than defenders do.
“We face adversaries with no lawyers, no rules, most of them met in prison and they have plenty of money,” Schneck said. “We have to fight that by taking our infrastructure back. When machines talk, there isn’t any reason they can’t tell each other something bad is coming. Global situational awareness is the dream and we plan to live that dream by engaging people to get their trust and incentivize companies to build in something into their networks that talks to these protocols.”
CRITs, for example, is essentially a threat repository developed by MITRE Corp., where indicators of compromise are studied and enumerated. STIX, meanwhile, is the language by which this information can be transmitted to those who need it in a sanitized fashion that is still useful to others.
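To make the sharing loop concrete, the script below (an added example, not code from the article, MITRE, or the ACSC) builds a sanitized indicator in the STIX 2.1 JSON shape from a constructed internal case, and then uses that indicator to scour a few constructed log lines, the workflow Caulfield describes. It assumes the STIX 2.1 object layout, which postdates the 2013 STIX 1 XML format the article refers to, and it deliberately omits the victim host and analyst names so only the observable pattern leaves the organization.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed internal case: the shareable observables plus victim-specific
# context that must NOT be transmitted to peers.
INTERNAL_CASE = {
    "victim_host": "fileserver01.corp.example",  # constructed, stays internal
    "analyst": "j.doe",                          # constructed, stays internal
    "domain": "update-check.example.net",        # constructed C2 domain
    "md5": "d41d8cd98f00b204e9800998ecf8427e",   # MD5 of an empty file, placeholder
}

def make_indicator(case: dict) -> dict:
    """Emit a sanitized STIX 2.1-style Indicator (assumed schema shape).
    Only the observable pattern is included; host and analyst stay out."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    pattern = (f"[domain-name:value = '{case['domain']}'] OR "
               f"[file:hashes.MD5 = '{case['md5']}']")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
    }

# Parses the two observable types this example supports out of a STIX pattern.
_TERM = re.compile(r"\[(domain-name:value|file:hashes\.MD5) = '([^']+)'\]")

def pattern_terms(indicator: dict) -> dict:
    return dict(_TERM.findall(indicator["pattern"]))

def scan_logs(indicator: dict, log_lines: list) -> list:
    """Return log lines containing any observable value from the indicator."""
    wanted = set(pattern_terms(indicator).values())
    return [line for line in log_lines if any(v in line for v in wanted)]

# Constructed DNS and antivirus log lines to scan against the shared indicator.
SAMPLE_LOGS = [
    "2013-11-12T09:14:02Z dns client=10.0.5.21 query=update-check.example.net",
    "2013-11-12T09:14:05Z dns client=10.0.5.21 query=www.example.org",
    "2013-11-12T09:20:11Z av host=ws-44 file=setup.exe md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    ind = make_indicator(INTERNAL_CASE)
    print(json.dumps(ind, indent=2))       # the sanitized object peers receive
    for hit in scan_logs(ind, SAMPLE_LOGS):
        print("ALERT:", hit)
```

Running it prints the indicator JSON followed by the two matching log lines; the victim host name never appears in the shared object.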
MITRE chief security officer Gary Gagnon likened this kind of sharing to crowdsourcing, where threat indicators, rather than vulnerabilities or compromises, are shared. Gagnon believes vulnerabilities and compromise details are the wrong types of information to share, since they don’t help organizations under attack understand their adversaries or their tactics.
“That kind of threat information can drive many things inside the enterprise,” Gagnon said. “Things like patch prioritization, training for staff and employees, and technology investments.”
In the meantime, groups such as ACSC and others continue to chase the elusive answer to information sharing where organizations are comfortable sharing with one another in a competitive environment.
“The challenges are messy. The ACSC is cross-sector, and the way we’ve structured it, we’ve eliminated that and hammered it out,” Caulfield said. “We’ve structured things in such a way through a very carefully crafted NDA that we don’t use this stuff for recrimination on each other and we don’t use this stuff for a competitive advantage either. The type of stuff we’re sharing—and we do sanitize some of it just because we’re protecting the names of the innocent—it’s not a problem to us. That’s a testament to the people involved.”