Hacking The Threat Intelligence-Sharing Model

Published: 22/11/2024   Category: security

A new report shines light on what's holding back more widespread, efficient sharing of attack intelligence among organizations.

Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdles.
Most intel-sharing today occurs one-on-one between companies, using mainly old-school communications. "The bulk of sharing is using 1900s technology, email, and phone," says Lars Harvey, CEO of IID, which today published a new report on the state of intel-sharing. "They share via email lists, server lists, spreadsheets, text files, and PDFs," he says.
"Certain exchanges are going on machine-to-machine sharing at some level -- but very little," Harvey says.
So when a company hit by an attack shares information on malware or other indicators of the attack with another company, it often does so via a phone call or an email. The recipient then has to manually convert the intelligence into a format that can be fed into its computer systems and security tools before any protection against the attack can be automated. It's that gap between the receipt and the application of threat data that can make all the difference in thwarting an attack.
More advanced exchanges, such as that of the financial services FS-ISAC, as well as Microsoft, which recently announced its own threat intel-sharing platform, are adopting emerging industry protocols -- Structured Threat Information eXpression (STIX), a machine-readable language for threat intel, and the Trusted Automated eXchange of Indicator Information (TAXII) protocol for transporting that information -- to automate the exchange and use of that intel.
The manual process remains one of the biggest hurdles to effective intel-sharing today, according to the IID report, as are the trust, legal, and manpower challenges. According to the white paper -- which is based on interviews with Microsoft, Georgetown University, the City of Seattle, the Forum for Incident Response and Security Teams, a major U.S. bank, and others involved in intel-sharing -- many organizations are hesitant to share threat intel with their competitors and government regulators.
One of the most mature intel-sharing exchanges is that of the City of Seattle, now in the sixth year of a program that includes the city, seven surrounding municipalities, universities, the FBI, six maritime ports on Puget Sound, a hospital, and two energy utilities.
The so-called Public Regional Information Security Event Management (PRISEM) serves as a real-time analysis center for intel submitted by the participants, and alerts them to possible attacks or botnet activity. (Of the PRISEM acronym, City of Seattle CISO Michael Hamilton says: "It was an unfortunate branding coincidence. Thank goodness we bought an extra vowel." There are plans to ultimately change the name to avoid any further confusion with the NSA's recently revealed PRISM spying program, he adds.)
PRISEM uses a custom security information and event management (SIEM) system to analyze events and alert its members to attacks and threats; log and event data is gathered from members' local networks and aggregated by PRISEM. The exchange also has an arrangement with the federal government's local Fusion Center, which watches for potential terrorist plots or related concerns.
When Hamilton earlier this year passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion Center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the hits communicating with the APT1 addresses. "It was very interesting that half of the positive hits were maritime ports. I don't know what to make of that, however," Hamilton says.
PRISEM is also about to link up with US-CERT using STIX, he says.
"By virtue of being local governments, we don't have a competition problem, so we can share information like private sector organizations can't," he says. "We are using events that occur on our networks and providing those to the Fusion Center analyst, who searches PRISEM for similar IOCs ... and monitors the jurisdiction and ports and notifies them if they have compromises. So we are integrating ... homeland security into this."
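The two halves of the workflow described above, a machine-readable indicator feed replacing the hand-transcribed email, and an analyst sweeping aggregated logs for devices talking to the shared addresses, can be shown end to end. The following is an added example, not code from the article, IID, or PRISEM. It uses the JSON-based STIX 2.1 indicator format (a later revision than the XML STIX of the article's era); the bundle, its object IDs, the addresses and the log lines are all constructed for the example, and the key=value log layout is an assumption about what a member feed might look like.

```python
"""Added example (not the article's, IID's or PRISEM's code): load a STIX 2.1
indicator bundle into an IOC lookup table and sweep it over constructed
firewall/proxy log lines to find internal hosts that talked to indicator
addresses. All identifiers, addresses and log lines are made up."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle. IDs are hypothetical; addresses are from the
# RFC 5737 documentation ranges and the reserved example.net domain.
STIX_BUNDLE = r'''{
  "type": "bundle", "id": "bundle--6f1c2a0e-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--6f1c2a0e-0000-4000-8000-000000000002",
     "created": "2013-05-01T09:00:00.000Z", "modified": "2013-05-01T09:00:00.000Z",
     "name": "C2 address", "pattern_type": "stix", "valid_from": "2013-05-01T09:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--6f1c2a0e-0000-4000-8000-000000000003",
     "created": "2013-05-01T09:00:00.000Z", "modified": "2013-05-01T09:00:00.000Z",
     "name": "Second-stage hosts", "pattern_type": "stix", "valid_from": "2013-05-01T09:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--6f1c2a0e-0000-4000-8000-000000000004",
     "created": "2013-05-01T09:00:00.000Z", "modified": "2013-05-01T09:00:00.000Z",
     "name": "Beacon domain", "pattern_type": "stix", "valid_from": "2013-05-01T09:00:00Z",
     "pattern": "[domain-name:value = 'update.example.net']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--6f1c2a0e-0000-4000-8000-000000000005",
     "created": "2013-05-01T09:00:00.000Z", "modified": "2013-05-01T09:00:00.000Z",
     "name": "Dropper hash", "pattern_type": "stix", "valid_from": "2013-05-01T09:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "identity", "spec_version": "2.1", "id": "identity--6f1c2a0e-0000-4000-8000-000000000006",
     "created": "2013-05-01T09:00:00.000Z", "modified": "2013-05-01T09:00:00.000Z",
     "name": "Sharing partner", "identity_class": "organization"}
  ]
}'''

# Atoms a network-log sweep can act on: equality on a network observable.
# This is an IOC extractor, not a STIX pattern evaluator: atoms joined by AND
# or FOLLOWEDBY are flagged individually, which over-approximates, so a hit
# means "worth a look", not a confirmed pattern match.
ATOM = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")


def extract_iocs(bundle_json):
    """Return ({ioc_value: [indicator_id, ...]}, [ids this sweep cannot act on])."""
    iocs, unsupported = defaultdict(list), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # identities, relationships, revoked indicators, etc.
        atoms = ATOM.findall(obj["pattern"]) if obj.get("pattern_type") == "stix" else []
        if not atoms:
            unsupported.append(obj["id"])  # e.g. file hashes, YARA or Snort patterns
            continue
        for _kind, value in atoms:
            iocs[value.lower()].append(obj["id"])
    return dict(iocs), unsupported


# Constructed key=value firewall and proxy lines of the kind a regional SIEM
# would aggregate from members; 10.20.30.0/24 stands in for a member network.
LOG_LINES = [
    "2013-05-02T14:03:11Z fw1 src=10.20.30.40 dst=203.0.113.45 dport=443 action=allow",
    "2013-05-02T14:03:15Z fw1 src=10.20.30.40 dst=192.0.2.10 dport=80 action=allow",
    "2013-05-02T14:05:02Z proxy1 src=10.20.30.41 host=UPDATE.example.net url=http://update.example.net/cfg",
    "2013-05-02T14:07:40Z fw1 src=10.20.30.42 dst=198.51.100.8 dport=8080 action=deny",
    "2013-05-02T14:08:00Z fw1 src=10.20.30.40 dst=203.0.113.45 dport=443 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")
CHECKED_FIELDS = ("dst", "host", "url")  # fields where an external indicator can appear


def sweep_logs(lines, iocs):
    """Return {internal_src: {ioc: hit_count}}. Denied connections still count:
    a blocked beacon is evidence of an infected host, not of a clean one."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = dict(KV.findall(line))
        for key in CHECKED_FIELDS:
            value = fields.get(key, "").lower()  # indicators are stored lowercased
            if value in iocs:
                hits[fields.get("src", "unknown")][value] += 1
    return {src: dict(counts) for src, counts in hits.items()}


def compromised_hosts(bundle_json, lines):
    iocs, _ = extract_iocs(bundle_json)
    return sweep_logs(lines, iocs)


if __name__ == "__main__":
    loaded, skipped = extract_iocs(STIX_BUNDLE)
    print(f"{len(loaded)} network IOCs loaded, {len(skipped)} indicator(s) not usable here")
    for src, counts in compromised_hosts(STIX_BUNDLE, LOG_LINES).items():
        print(src, counts)
```

Two things the sweep deliberately keeps visible: the hash indicator is reported as unusable rather than silently dropped, so the recipient knows which part of the shared package still needs a different tool (endpoint or file telemetry), and each hit carries the indicator ID, which is what a partner needs to trace a detection back to whoever shared it.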
[An emerging standard is aimed at eliminating the manual process of converting intelligence into useful defense. See "Attack Intelligence-Sharing Goes Wire-Speed."]
Trust and legal implications are tricky for the private sector, however. The FS-ISAC has been successful in establishing trust among its members, according to the IID report. Said one head of threat intelligence at a major national bank interviewed for the report: "Ultimately, you have to have the trust that what's said or heard will be used for the purposes that it's needed to be used for, and nothing else."
Then there's the legal department. "Lawyers hate the unknown," IID's Harvey says. "There is uncertainty [associated with intel-sharing], and uncertainty scares lawyers. So they clamp down and say, 'You can't share.'"
The education sector, like financial services and the defense industrial base, has been at the forefront of intel-sharing. Eric Burger, professor of computer science at Georgetown University, says even the leading-edge industries are struggling with effective intel-sharing.
"We've been working on this for 10 years and right now it's still kind of abysmal," Burger said in the report. "Most companies don't even know that they could share information. Others know about it but don't want to. The ones that do, they find that it takes a few weeks to figure out who they want to share with and then it takes many, many months to get the lawyers to agree."
Organizations also struggle with how much to share, and worry about sharing the wrong information and thereby exposing too much about the attack they experienced or sensitive company information.
Then there's the increasingly common problem of information overload. "They need to be able to organize it and deliver [to them] only the information they need," Harvey says. "Data that hasn't been analyzed or organized and put into packages can consume and not help me so much. So if I can say, 'I'm part of this community,' and I can pull out parts [of intel] that are useful to me, that's the ideal."
The full whitepaper, "Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What's Stopping Them from Collaborating More Effectively," is available for download.
