Written by Derek Manky, Chief of Security Insights & Global Threat Alliances, Fortinet’s FortiGuard Labs
With the 4th anniversary of the Cyber Threat Alliance (CTA) having just occurred, I got to thinking about how the CTA started. Not with the incorporation of the organization in 2017, but with the actual founding of CTA back in 2014. Looking back, I think it’s fair to say that this was a seismic shift in the Defender/Attacker paradigm. In 2014, individual organizations fought their own individual battles with cyber adversaries. Most defensive measures consisted of purchasing security technologies from different vendors aimed at protecting them from the latest threats. The vendors positioned their internal threat intelligence organizations as the “secret sauce” for keeping their customers safe.
That paradigm started to change with the forming of the Cyber Threat Alliance. Our cyber adversaries were forming their own cyber ecosystems, infrastructures and supply chains to increase their effectiveness, so we as defenders needed to organize in some way so as to keep up. Focused threat groups had started to form to address an industry’s particular cyber threats, but the formation of the CTA aimed to go beyond that.
The CTA wanted to be global in scope, not dominated by a single country, and to have a diverse membership in which pure-play security vendors, research organizations, technology sectors (e.g., telecommunication carriers, OT) and other viewpoints were represented. Its goal was to enable the sharing of information, context and intelligence amongst members so as to increase our effectiveness. It was asking members to share information with competitors.
Think about how strange that organizational model was. Competitors never share – almost by definition! How could that possibly work?
It worked because each founding member trusted that the other members shared the same commitment to defeating our cyber adversaries as they did. It worked because we set up back-end systems they could trust so that members could securely share information with each other. It worked because each new CTA member has expanded both our global and technology coverage, resulting in the CTA showing record numbers of member-shared observables (~50 million) and early shares (150+) in 2020. And now we see it working because of CTA’s efforts to work with contributing allies across the world. It’s working because we are now taking the fight beyond just analyzing and blocking their attacks to taking down their organizations and infrastructure.
CTA’s participation in the World Economic Forum’s Centre for Cybersecurity initiative is a logical next step for CTA and a logical next step in the fight against cybercrime. As a co-founder of the Centre for Cybersecurity, Fortinet trusts in their commitment to fighting cyber adversaries, so we will do everything we can to help them meet their goals.
Fortinet has always been proud to have been one of the original founders of CTA. With the launch of the Magellan platform to automate information sharing earlier this year, we’ve seen many different members provide a diverse set of observables and contextual viewpoints. This year, more members came to the table with early shares than ever before, which shows the growth of the CTA mission. Although we still have work to do, seeing what the CTA has become, and the real-world impact that it is having on the fight against threat actors today, we’re prouder than ever. Happy Anniversary, CTA.