CISA won’t do much to turn threat intelligence into action
And deciding what data to share, what threat intelligence feeds to subscribe to and what tools are needed to turn potentially valuable information into action takes sizeable resources, experts say.
“They really have to put some bodies on it,” says Scott Crawford, information security research director for 451 Research, and that can be expensive, putting in-house analysis beyond the reach of many organizations. But some of the sorting and aggregation can be automated with threat intelligence platforms, he says, from vendors such as BrightPoint Security, ThreatConnect and ThreatStream.
They aggregate feeds and provide intelligence about external threats as well as make sense of the in-house threat intelligence an organization’s security infrastructure is already collecting. While less expensive than sifting through intelligence feeds manually, it still carries a significant price tag. “Deals run into the six figures so even automating is costly,” he says.
That’s resulting in a situation where only the businesses with the most resources can take advantage of comprehensive threat intelligence. Crawford calls them the security 1%.
There are plenty of threat feeds out there, both open source and commercial, but not all threat intelligence feeds are created equal. For example, a statistical analysis of open source feeds found wide variance in how well maintained they are, according to researchers Alex Pinto and Alexandre Sieira, both of the open source Machine Learning Security Project (MLSec), who presented their results at Black Hat.
They ran a novelty test to gauge how many new indicators arrive in and disappear from each feed per day, and found that some feeds have new indicators added but none removed once they no longer represent a threat. That leaves end users to figure out what is still useful. “They’re not doing the work for you,” Pinto says. A healthy feed reviews itself to keep up with a changing landscape, he says.
The researchers looked at how often the feeds update themselves, how long an indicator sits on a feed before being removed, and how much their content overlaps with the data end-user organizations gather themselves.
Among the feeds they analyzed, more than 95% of indicators appeared in only one feed. “It’s staggering the amount of uniqueness,” Pinto says, so it is a tough task to acquire enough feeds, sort through all the indicators and act on them.
Yet more feeds is what many security experts recommend. For example, Bit9 + Carbon Black has just joined Facebook’s ThreatExchange, an aggregate of threat feeds supplied by more than 100 contributing firms including Dropbox, Pinterest, PayPal and Microsoft.
That provides more feeds, a good thing, but customers still have to monitor them and evaluate their effectiveness to decide whether they want to keep using them, says Ben Johnson, chief security strategist for Bit9 + Carbon Black, whose Threat Indicator Service uses multiple feeds to identify attacks found in the data gathered from customer endpoints.
Businesses need to ask three things of any feed: how much of it is new every day, how much of it expires every day, and how much of it is created directly by the provider rather than aggregated from other feeds.
Threat information within Facebook’s ThreatExchange is ranked for importance by the entities that submit it, but it is still up to businesses using the exchange to decide whether those rankings are useful, he says. That process can be helped along with automated platforms that analyze the data based on policies. “More is not better if it’s manual, but it’s better with automation,” he says.
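The novelty test and the three questions above can be answered from nothing more than daily snapshots of a feed. The following is an added example, not the MLSec researchers’ code or data: it runs the churn, dwell-time, cross-feed uniqueness and local-overlap measurements over two constructed feeds (one that retires indicators, one that only appends) and a constructed set of locally observed indicators. The third question, who originated an indicator, is not visible in the data and has to be asked of the provider.

```python
"""Feed hygiene metrics in the spirit of the Pinto/Sieira novelty test.

Constructed example: each feed is a list of (day, set-of-indicators)
snapshots. None of this is the researchers' own code or data.
"""
from collections import Counter

# Constructed snapshots. feed_a adds and retires indicators; feed_b is
# append-only, the behaviour Pinto criticises.
FEEDS = {
    "feed_a": [
        ("2015-08-01", {"1.1.1.1", "2.2.2.2", "bad.example"}),
        ("2015-08-02", {"2.2.2.2", "bad.example", "3.3.3.3"}),
        ("2015-08-03", {"3.3.3.3", "4.4.4.4", "evil.example"}),
    ],
    "feed_b": [
        ("2015-08-01", {"5.5.5.5", "bad.example"}),
        ("2015-08-02", {"5.5.5.5", "bad.example", "6.6.6.6"}),
        ("2015-08-03", {"5.5.5.5", "bad.example", "6.6.6.6", "7.7.7.7"}),
    ],
}

# Constructed: indicators this organisation actually saw in its own telemetry.
LOCAL_SIGHTINGS = {"4.4.4.4", "bad.example"}


def churn(snapshots):
    """Question 1 and 2: per day, how many indicators were added and removed.

    Returns [(day, added, removed), ...] for every day after the first.
    """
    out = []
    for (_, prev), (day, cur) in zip(snapshots, snapshots[1:]):
        out.append((day, len(cur - prev), len(prev - cur)))
    return out


def never_expires(snapshots):
    """True when nothing was ever removed: the append-only smell."""
    return all(removed == 0 for _, _, removed in churn(snapshots))


def dwell_days(snapshots):
    """How many snapshots each indicator was present in (dwell time).

    Indicators still listed on the last day are counted up to that day.
    """
    seen = Counter()
    for _, cur in snapshots:
        seen.update(cur)
    return dict(seen)


def uniqueness(feeds):
    """Fraction of all indicators ever seen that occur in exactly one feed."""
    membership = Counter()
    for snaps in feeds.values():
        ever = set().union(*(cur for _, cur in snaps))
        membership.update(ever)
    unique = sum(1 for n in membership.values() if n == 1)
    return unique / len(membership)


def local_overlap(snapshots, local):
    """Fraction of the latest snapshot that matched local observations."""
    latest = snapshots[-1][1]
    return len(latest & local) / len(latest)


def report(feeds, local):
    """One row per feed with the measurable parts of the three questions."""
    rows = {}
    for name, snaps in feeds.items():
        c = churn(snaps)
        rows[name] = {
            "avg_added_per_day": sum(a for _, a, _ in c) / len(c),
            "avg_removed_per_day": sum(r for _, _, r in c) / len(c),
            "append_only": never_expires(snaps),
            "local_overlap": local_overlap(snaps, local),
        }
    return rows


if __name__ == "__main__":
    for name, row in report(FEEDS, LOCAL_SIGHTINGS).items():
        print(name, row)
    print("uniqueness across feeds:", round(uniqueness(FEEDS), 3))
```

On real data the snapshots would come from whatever the platform stores each time it pulls the feed; the append-only flag and a near-zero local overlap are the two signals that most directly tell you a feed is adding cost without adding value.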
Joining industry groups that share threat intelligence among their memberships is also a good strategy, he says, but is not without complications of its own.
Legal considerations come into play, says Charlie Benway, executive director of Advanced Cyber Security Center (ACSC), a consortium that focuses on sharing cyber-threat information, among other things.
Joining the sharing group requires signing a legal agreement stating that participants have C-level approval to join the group and to share information. Typically the members who attend meetings are engineers and security analysts, people in the trenches. They are looking for what tools attackers are using, what they are after and how to remediate attacks. They share the threat indicators they have discovered, which gives others a leg up in finding the needles.
The members are already getting threat intelligence from other sources, but find it overwhelming. “They’re getting the hay stack and finding it difficult to identify the needles relevant to them and a way to work it into their day-to-day operations,” Benway says.
Surveys of the group indicate that nine of 10 members gather information at ACSC that they don’t get anywhere else. It’s not the same quantity of data but it has a specific quality, he says.
They also want technology to support virtual sharing that would be timelier and based on standards such as STIX for formatting the data and TAXII for transmitting it. The goal is to standardize the exchange and make the data easier to use.
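As an added illustration of what that standardization buys, here is a STIX 2.1 Indicator built from a single feed entry, with the consumer-side check that uses its validity window. This is example code written for this page, not ACSC's or anyone else's implementation; the 30-day time-to-live is an assumed policy, and the domain is constructed. The point of `valid_until` is that a consumer can age an indicator out on its own schedule instead of waiting for a producer who, as Pinto noted, may never remove it.

```python
"""Constructed example: a STIX 2.1 Indicator with an explicit validity
window, and the check a consumer runs before acting on it.
Not code from the article, ACSC or any vendor named in it.
"""
import json
import uuid
from datetime import datetime, timedelta, timezone

STIX_TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def stix_ts(dt):
    """Format an aware UTC datetime as a STIX 2.1 timestamp (millisecond precision)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def parse_ts(text):
    """Parse a STIX 2.1 timestamp back into an aware UTC datetime."""
    return datetime.strptime(text, STIX_TS_FMT).replace(tzinfo=timezone.utc)


def make_indicator(domain, first_seen, ttl_days=30, name=None):
    """Build a STIX 2.1 Indicator SDO for a suspicious domain.

    ttl_days is an assumed local policy, not part of the standard: it sets
    valid_until so the indicator expires even if the producer never retires it.
    """
    if "'" in domain or "\\" in domain:
        raise ValueError("domain contains characters not handled by this example")
    now = stix_ts(datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name or f"Suspicious domain {domain}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": stix_ts(first_seen),
        "valid_until": stix_ts(first_seen + timedelta(days=ttl_days)),
    }


def is_active(indicator, now):
    """Consumer-side check: inside [valid_from, valid_until)."""
    valid_from = parse_ts(indicator["valid_from"])
    valid_until = indicator.get("valid_until")
    if now < valid_from:
        return False
    return valid_until is None or now < parse_ts(valid_until)


def bundle(objects):
    """Wrap SDOs in a STIX 2.1 Bundle, the unit TAXII servers exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


if __name__ == "__main__":
    first = datetime(2015, 8, 1, tzinfo=timezone.utc)
    ind = make_indicator("bad.example", first)  # constructed domain
    print(json.dumps(bundle([ind]), indent=2))
    print("active mid-August:", is_active(ind, datetime(2015, 8, 15, tzinfo=timezone.utc)))
    print("active mid-September:", is_active(ind, datetime(2015, 9, 15, tzinfo=timezone.utc)))
```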
The organization meets every other Tuesday to share cyber threat information in “very trusted relationships”. Its Cyber Tuesdays typically gather about 30 people in one room and another dozen or so via videoconference. It includes people outside the region, and all are nuts-and-bolts practitioners, with no CISOs or other executives. The group’s effectiveness is based on trust, and executives would put a damper on that, he says.
Participants range from startups (which tend to be cybersecurity vendors) to major banks, insurance companies and even the Federal Reserve. Other participants include representatives from defense, pharmacy, health care and law firms. Most of them are medium to large enterprises that have the resources to be able to spend the time at the meetings.
Industry groups called Information Sharing and Analysis Centers (ISACs) may charge fees for participating, but there are other costs, says Gavin Reid, director of threat intelligence at Lancope. All the options cost something, either in money or in the time to attend meetings or to evaluate purchased intelligence feeds.
The feeds need to be enriched with other data that takes time and effort to gather. For example, a WHOIS check on a domain flagged as suspicious can help analysts put a threat in context. “That’s not insignificant to do,” he says.
A help is automatic sorting of threat intelligence from the outside and blending it with intelligence gathered by in-house security gear, he says.
Staffing is also a money problem because there are more positions than there are people to fill them, meaning qualified people command high salaries, Benway says. Businesses can train employees for the positions, but that costs money, takes time and results in having to pay higher salaries once they are trained in order to keep them. School curricula need to address the issue, but that will take even more time.
A major concern with sharing is the risk of becoming legally liable if shared data somehow reveals personally identifiable information that was supposed to be kept confidential. Corporate legal offices are also concerned that sharing data about, say, actual breaches could open them up to lawsuits claiming they were negligent.
“People don’t trust each other and fear information will leak publicly,” says Kobi Freedman, CEO of Comilion, which makes a sharing platform that gives users control over how their information is accessed, who can access it and how long it’s available.
He says businesses see sharing as valuable enough that some set up small, informal groups of very trusted colleagues that might also run afoul of data protection and privacy regulations or even anti-trust laws if they don’t share with certain competitors. It’s a fine line to walk. “So you need to keep your job but also do good work,” he says.
Despite the hurdles, businesses need to tap into shared threat intelligence, says 451 Research’s Crawford. “You have to have some insight into how you’re targeted and your vulnerabilities. You need intelligence from external resources about how you’re approached by the adversary.”
What’s needed is more pre-aggregated, automated threat intelligence that’s affordable for more businesses because that kind of information is extremely valuable. “Whether the market will respond to these trends with more affordable offerings of high-quality intelligence remains to be seen,” he says in a written analysis of the situation, “but few other developments in the security market would do more to help the many rather than just the few, for the good of all.”