Cybersecurity threat sharing faces challenges, warns MITRE's security officer

November 13, 2013

Fred Donovan

BOSTON--There a number of key areas where cybersecurity threat sharing is not working, Gary Gagnon, chief security officer for The MITRE Corp., told an audience at the Advanced Cyber Security Center's annual conference held Tuesday at the Federal Reserve Bank of Boston.

Gagnon, who is an ACSC board member, explained that, first of all, firms are currently trying to share information about the wrong things--vulnerabilities and compromises.

Second, the "hub and spoke" model for threat information sharing is not working. "I'm a company and I submit information to a third party. At some later date, they are going to tell me what's important to me. I question the timeliness of that information and the third party's ability to understand my needs," Gagnon related.

Third, companies want to get access to classified threat information, yet even when they get access, they can't do anything with that information. "A more robust sharing environment doesn't rely on classified information. That gives companies a lot more freedom to take action," Gagnon explained.

Fourth, firms want to be anonymous with their sharing partners, but that limits collaboration. "When you are anonymous with your sharing partner, you break down the ability to pick up the phone and have a dialog about the contextual information around the threat data you just received. The desire to be anonymous makes it harder for us to raise the bar on security," he opined.

Fifth, lawyers and managers inhibit sharing of threat information. "Our experience with ACSC when we first got started was that [lawyers and managers] slowed down the process because of concern about what we were going to share. As things evolved and we talked about what we wanted to share, we realized a lot of the issues they had would be going away. So the lawyers and the managers slowed things down," he related.

Sixth, sharing cybersecurity events without contextual information does not work, particularly at the national level. "Does it really make sense at the national level to share the fact that server A was compromised. There is no contextual information. What does this mean to the nation?" he asked.

At the same time, Gagnon admitted that there are some things about threat information sharing that are working. One thing that is working is "crowdsourcing--the horizontal pushing of threat indicator information to all of the parties at the same time, allowing them to digest that information and decide what they want to do with that information, adding value to that information, and putting it back into the community," he said.

Another thing that is working is the sharing of unclassified threat indicators, rather than information on vulnerabilities and compromises. "The success or failure of the indicator doesn't have to be shared by an enterprise in order to help the broader community, but the fact that this event happened is value added."

Threat indicators include any artifact that came out of a network intrusion attempt, such as an email header or the "from" address of the attacker. Those indicators can be collected over time to understand the adversary's "playbook."

Using the threat information from the larger community, enterprises can take a threat-based approach that balances mitigation with detection and response as the best way to combat cyberattacks, Gagnon concluded.