In 2015, I published a blog post about the completion of a 90-day proof-of-concept experiment, called Project Redstone. The experiment, conducted by the Cyber Threat Alliance (CTA), tested the theory that, if cybersecurity vendors collaborated in their efforts to combat cyberattacks, they’d be more effective as a group than as individual companies.
In that post, I listed four capability gaps that the CTA needed to address to be successful. They included:
- How do we convert large volumes of indicators of compromise into prevention controls?
- How do we measure alliance member contributions with more granularity?
- What is the common set of success metrics for deployed security controls across Alliance membership?
- What is the right sharing architecture that works at scale?
We knew that, if the CTA were to be successful, these four gaps had to be closed. Frankly, there are numerous threat intelligence sharing platforms, and other cybersecurity groups are actively promoting industry collaboration on cybersecurity issues. What makes the CTA different?
It’s a fair question. The tech landscape is littered with industry groups promoting one standard over another or advocating for industry collaboration, and many cybersecurity veterans are quick to dismiss yet another one as a marketing program that’s long on promises, short on results.
I believe those same veterans will be pleasantly surprised to learn about the fantastic progress the Cyber Threat Alliance has made. While that progress was detailed in a press release the CTA issued yesterday, and a blog post from our CEO Mark McLaughlin, I’d like to spend a moment focusing on three characteristics of the CTA that address the capability gaps mentioned above to demonstrate that the CTA’s approach to threat intelligence sharing works.
1. Everyone Contributes
The ability of a threat intel platform to successfully identify and stop new threats is directly related to the quality and quantity of its intel. This is problematic for many threat intel sharing agreements, as the larger companies end up contributing the majority of the intel, because they have the resources to gather it, while the smaller members consume more intel than they provide. It’s a lopsided arrangement that can lead to resentment between members and a less robust intel sharing platform. The CTA requires all members to actively contribute to the threat intel pool on a daily basis and holds each member accountable. If a company doesn’t contribute, it can’t remain in the CTA. This ensures the CTA will collectively have access to the best intel available at the time.
2. Exchanges Adversary Playbooks, not one-off Indicators of Compromise
The problem with many threat intel exchanges today is context. While these exchanges can push hundreds of thousands of newly discovered cyberthreats out to members every week, if the threats aren’t put in the proper context (Who is attacking? What is their motivation? Are they targeting specific types of organizations? etc.), it’s difficult for security teams to determine which present the most risk to their network. Without that context, they have to assume all threats are a significant risk, and very few teams can scale to address the thousands of cyberthreats to which their threat intel platforms alert them every day.
This is why the CTA focuses on adversary playbooks. Adversary playbooks speed up analysis and enable defenders to focus more easily on the real goal: protecting against attackers and the various tools and tactics they use. Adversary playbooks integrate individual indicators of compromise (IoCs) in the cyberattack lifecycle into discrete, actionable threat intelligence that CTA members use to build detection and prevention controls for each of our own products. The end result: no matter which cyberattackers are trying to get onto the network or which CTA member’s technology is protecting the network, if they’re accessing the target network using methods already identified in the adversary playbooks, they can be stopped at any point in the attack lifecycle.
Let me use a sports analogy to explain. In football, when two teams prepare for a game, the coaches prepare both defensive and offensive playbooks. It is the same in cyberspace. Network defenders prepare the defensive playbook – how to respond to an ongoing incident for example – and the cyber adversaries prepare an offensive playbook – how to navigate through each phase of the cyberattack lifecycle. We know that cyber adversaries do not invent new attack sequences on the fly for every new victim. They reuse attack sequences that have been successful in the past in the attack lifecycle until the network defenders figure out how to defeat them. Those attack sequences are the cyber adversary’s playbook.
The idea behind sharing adversary playbooks with Alliance members then is that the act exponentially increases the odds that a network defender can actually stop an attack. Instead of sharing one-off IoCs with little or no context, as most sharing organizations do, we share the entire adversary playbook. If the cyber adversaries manage to find a way around one of the network defender’s prevention controls, they will immediately run into the next prevention control in-line in the attack lifecycle. The Alliance aims not to simply prevent a piece of the adversary’s attack sequence – it aims to defeat the entire playbook.
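To make the "defeat the entire playbook" idea concrete, here is a small added example (my own illustration, not CTA or Palo Alto Networks code) that models a playbook as indicators keyed to lifecycle phases and matches observed events against it. The adversary name, motivation, target list, indicator values and event lines are all constructed; the phase names follow the generic attack lifecycle the post refers to. The `bypassed_phases` parameter is a hypothetical way to express "the adversary got past this control" so you can see the next in-line control still catch the sequence.

```python
"""Playbook-based matching across the cyberattack lifecycle.

Added illustration, not CTA or any member's code. Playbook content,
adversary name and event lines are constructed for this example.
"""
from dataclasses import dataclass, field

# Ordered phases of the attack lifecycle the playbook is keyed on (assumed names).
PHASES = ["recon", "delivery", "exploitation", "installation", "c2", "actions"]


@dataclass
class Playbook:
    adversary: str          # who is attacking (constructed name)
    motivation: str         # why: the context a bare IoC lacks
    targets: list           # sectors they go after
    # phase -> list of (indicator_type, value) pairs
    indicators: dict = field(default_factory=dict)

    def phase_of(self, ioc_type, value):
        """Return the lifecycle phase in which this indicator appears, or None."""
        for phase in PHASES:
            for t, v in self.indicators.get(phase, []):
                if t == ioc_type and v.lower() == value.lower():
                    return phase
        return None


def match_events(playbook, events, bypassed_phases=frozenset()):
    """Match observed (ioc_type, value) events against a playbook.

    bypassed_phases: phases whose prevention control the adversary evaded
    (for instance by rotating a file hash). Matches there are still reported
    but not counted as a block, so the next in-line control becomes visible.
    Returns (matched_phases_in_lifecycle_order, phase_where_blocked_or_None).
    """
    matched = set()
    for ioc_type, value in events:
        phase = playbook.phase_of(ioc_type, value)
        if phase:
            matched.add(phase)
    ordered = [p for p in PHASES if p in matched]
    blocked_at = next((p for p in ordered if p not in bypassed_phases), None)
    return ordered, blocked_at


# Constructed playbook: values use documentation ranges (.example, 203.0.113.0/24).
CONSTRUCTED_PLAYBOOK = Playbook(
    adversary="Example Group 1",
    motivation="financial",
    targets=["retail", "finance"],
    indicators={
        "delivery": [("sha256", "a" * 64), ("sender-domain", "invoice-mail.example")],
        "exploitation": [("technique", "macro-enabled-document")],
        "installation": [("path", "C:\\Users\\Public\\svchost32.exe")],
        "c2": [("domain", "cdn-sync.example"), ("ip", "203.0.113.10")],
        "actions": [("tool", "example-exfil-archiver")],
    },
)

# Constructed events: the dropper hash was rotated, so the delivery control
# misses, but the install path and C2 domain were reused.
CONSTRUCTED_EVENTS = [
    ("sha256", "b" * 64),
    ("path", "C:\\Users\\Public\\svchost32.exe"),
    ("domain", "cdn-sync.example"),
    ("ip", "198.51.100.7"),  # unrelated traffic
]

if __name__ == "__main__":
    pb = CONSTRUCTED_PLAYBOOK
    print(f"{pb.adversary} ({pb.motivation}; targets {', '.join(pb.targets)})")
    print("all controls in place:", match_events(pb, CONSTRUCTED_EVENTS))
    print("installation control bypassed:",
          match_events(pb, CONSTRUCTED_EVENTS, bypassed_phases={"installation"}))
```

With every control in place the sequence is stopped at installation even though the delivery-phase hash no longer matches; if the installation control is also bypassed, the C2 domain still catches it. A one-off hash IoC would have missed this entirely.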
3. Automates the Last Mile for Threat Intel
Realizing that the volume of threats inundating organizations can be hard to keep up with, the CTA is the only sharing organization that can automate the delivery and configuration of prevention controls to its members’ products and platforms. It’s a tremendous help to the CTA members’ customers as it relieves them of the burden of analyzing every new threat and installing the appropriate fix on the network or endpoint. The CTA threat intel platform does this automatically, freeing security teams from the tedium of doing it themselves and letting them focus on their real purpose: identifying and preventing more advanced threats that are likely to go undetected.
Even in well-run sharing organizations, like many of the ISACs, members still have to receive the intelligence, decide that it applies to their network, decide what to do about it, and then do it. For many organizations, this takes days to weeks to accomplish, if it happens at all. I call that crossing the last mile with intelligence.
Because Alliance members are security vendors and already have automated mechanisms to install new prevention and detection controls to their products deployed in the field, the Alliance is perhaps the only organization that has the ability to automatically cross the last mile for its collective customer base without the network defender having to do anything. Already, we’ve seen the CTA Platform succeed in this. In one example, a single shared sample allowed a member to build protections before its customers were targeted, preventing successful attacks against 29 organizations. In another example, shared data allowed a member to identify a targeted attack against its customer and release additional indicators to defend that organization. Further, many of the members find that 40-50 percent of shared data is brand-new to them, and most of that is directly actionable. These are early successes, but it’s clear that things will only get better as the CTA grows.
Like Mark said in his own post, I also believe that, as we continue to expand the CTA, we are stronger together, and I look forward to updating you in the future on the Alliance’s continued progress and successes in helping to protect customers.
[Palo Alto Networks Research Center]