In an age where information is power, crowdsourcing threat data is a powerful tool to inhibit the attackers’ opportunity. The quicker we uncover and understand attacks and how they work, the faster we can prevent them.
Yet, at present, much broader privacy concerns can be an inhibitor that could keep us behind the pace of the attacker. All too often, I see people start to look at their feet as privacy in the EU overrides thought processes. Ironic that, by not collaborating, potentially we leave ourselves more exposed to attackers, who all too often aim to steal private information. When we get into “the why, the what, and the how” of threat information gathering and collaboration, perceptions typically change. My challenge to each of you is to understand the details and not let broader privacy debates unduly influence your perspective on the value of cyberthreat information collaboration.
To want to share, we need to recognize the value sharing brings, which is to identify new attacks faster and be better enabled to prevent impact to users’ systems and personal information. It’s important to remember that cybersecurity is developed to protect you and your information.
So, what data is required to discover threats? When I started in the industry, customers would send threat samples to us via courier. With the increasing speed and volume of attacks, we have been driven to automate the process. The Internet provided the mechanism to shorten submission times and leverages CPU scale to reduce the time to analyze, thereby increasing the volume of samples that can be processed.
As attacks have become increasingly unique and complex, what’s needed to analyze an attack now is often more than just a singular file; it often requires knowledge of environmental specifics and commonly may need to maintain communication with the attack source to function. What we should recognize is that, typically, attacks are external connections into the business.
Today, good security vendors provide choices as to whether you do the initial threat analysis on your own premises or leverage the CPU capacity of the cloud. Ideally, either way, the intelligence gathered on the attack needs to be passed back to allow other customers to be able to detect the attack as well. How would you feel knowing that a breach could have been stopped, but those who knew about it chose not to share their insight? The more attack intelligence we build, the more we can quickly and accurately detect the next iteration that we know will come down the road.
Now, imagine the insights available if all of the key vendors were to collaborate at a technology level. This is exactly what responsible cyberthreat information sharing does today – between customers and security vendors, among security vendors. Take, for example, the Cyber Threat Alliance (CTA), instigated between key security vendors at a technology level. This group was formed with the aim of sharing threat intelligence for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers. Its goal is to gain broader insight into attacks more rapidly, so prevention controls can be applied faster. Effectively, we can outpower the attackers, making the cost of success much harder. No longer would a quick recompile of the attack binary or new phishing subject line succeed. The entire lifecycle of the attack would need to be genuinely unique for the attributes (Indicators of Compromise) not to be recognized. We would effectively be crowdsourcing at a technology level the ability to discover and, therefore, prevent attacks.
In Europe, data privacy is a contentious topic. We are in danger of becoming nations of skeptics that see it as easier not to share than to trust. Yet the EU Network Information Security directive includes a requirement for national cooperation plans around threat intelligence, so there is a clear recognition at a nation level to collaborate to better prevent cyberattacks. Both are important topics for society, yet we are in danger of the emotional aspects of the privacy debate overshadowing our need to collaborate.
Here are three of the questions I am frequently asked and my perspective on them (and I challenge you to reflect on these and build your own views):
1. Do you understand what threat information your security solutions are capturing in order to understand and qualify if there is a privacy concern?
Take as the example the attack binary – its external code – so there shouldn’t be privacy concerns there. The cynical retort, however, would be that the attacker may embed this in an internal document to increase the likelihood of users opening it. I would challenge that, if the attacker can do this, the data in question is no longer private.
Session information is also extremely valuable for identifying and understanding the attack. Considering the attacker is typically external, this data is typically being passed over the Internet, as the attack communicates with the victim, and, as such, is not private data. The key point here is to challenge your vendor to share exactly what data is passed back to the cloud. Most are increasingly giving very granular policy control on just what you choose to share. In my experience, all are open to disclosing this and have technical documentation to validate it.
2. Where does threat information and the intelligence go?
Typically, many want to ensure cloud data resides in the EU to reduce regulatory complications. As such, security companies are now building on-premises filter points to complete the initial localized analysis and clouds in the EU to help with this requirement. However we should recognize that most attackers do not work within limitations of geographic boundaries, so, to be effective, even though the raw information is gathered and analyzed within the EU, the intelligence from it (the detection capabilities generated from the analysis) must be shared globally to succeed. How frustrated would you be if the response was “we knew about that attack but couldn’t share the data, as we didn’t trust your country”?
3. How can I trust my security company?
It seems people want to be skeptical about security providers. The topic used to be whether vendors write the attacks; now, it’s whether they are spying on their customers. You could ask the same of your postal or courier service – how do you know that they don’t open all of your parcels and letters? The short answer is that we must have some level of trust in their ability to deliver on the services they each provide. The same goes for the security industry. Being transparent with each other on what, how and why threat information is gathered, but also allowing each customer flexibility in how they contribute, is a core component in maintaining that trust.
In a world where new threats appear every second but the rudimentary techniques used change very slowly, attackers succeed by making their attacks chameleon-like. If we simply look for the color of the skin, we fail. Yet, if we can go beneath the skin, the characteristics are more detailed and consistent.
To beat the attacker, we have to get under the skin of the attack, and through crowdsourced cloud collaboration, we have the CPU power to achieve this and outperform them. The UK Cyber Information Sharing Partnership (CISP.org), which I’m proud to be a part of, has shown clear value in sharing threat information between like organizations.
To collaborate, we need to ensure we understand the specific requirements and the value we receive from being part of the security threat intelligence community. We need to be pragmatic and not let the current emotional responses around broader privacy concerns unduly influence our decision to beat the attacker and so assure our information.
[Palo Alto Networks Blog]