CTA’s GIANT-SIZED ANNIVERSARY ISSUE – Early Share #500

When you read superhero comics, you know something exciting is going to happen when you get an issue with a milestone number, like 100, 250, or 500. Those anniversary issues are always giant-sized and start or end a huge storyline (like Amazing Spider-Man #300, when Venom first appears and Spidey gets the blue and red suit back), introduce a whole new team (like any number of Avengers or Justice League milestones), or feature a collection of anniversary stories that remind you why these characters are special in the first place.

Well, I’m happy to note that the Cyber Threat Alliance has reached our own GIANT-SIZED ANNIVERSARY issue: our members recently shared their 500th early report with each other.

Of course, every successful comic book series starts with a good origin story…

Way back in May 2018, Cisco’s Talos Intelligence Group took a leap of faith and shared research on a global threat they were tracking called VPNFilter with their fellow members of the Cyber Threat Alliance. CTA was established formally in 2017 to bring cybersecurity vendors together to share information and work together for the greater good. Members share indicators of compromise with context through our automated platform. They also conduct their own independent analysis of the shared information and incorporate it into their security products.

As CTA matured, we began hosting regular engagements with threat researchers to talk about what they were seeing and working on. Members briefed recent research and had the opportunity to ask each other questions in a trusted space. They began to build a rapport and trust one another through these regular engagements. We began to supplement our machine-speed sharing with human-speed sharing.

Cisco saw an opportunity with VPNFilter to leverage the trust that CTA members had built. They shared their research on VPNFilter in advance of public release and encouraged members to look for indicators of VPNFilter activity in their own telemetry. Most importantly, Cisco encouraged CTA members to organize a defensive response timed with law enforcement action to dismantle the infrastructure that the malicious actors had built. This coordinated action between industry and government led to the actor completely abandoning the VPNFilter infrastructure.

More members began to feel comfortable sharing their finished analysis and reports with CTA members in advance of publication as time went on. Members immediately saw the value in the sharing and receiving of early reports. They were better prepared to respond to their customers’ needs. They adjusted their protections appropriately. They provided additional information to the original sharer to improve their analysis. They identified opportunities to work together on analysis around the same topic. Sometimes members shared reports and analysis that have never been made public because of the sensitivities around the topics.

Fast forward to today. Several members have built early sharing with CTA into their own business processes, ensuring CTA members see nearly everything they release in advance. Members regularly share 3-4 reports with each other on a weekly basis, culminating recently in our 500th early share!* CTA members new and old routinely tell us about the value they get from our early sharing program, which is now an invaluable addition to our regular, automated sharing.

I always enjoy it when someone likens CTA to the Avengers or the Justice League (your analogy of choice depends on your comics allegiances). On their own, each individual hero is strong and capable of dealing with a threat. However, every so often, CyberThanos** shows up and it’s best to have the team ready to assemble.

CTA’s members assemble every day to be ready for our worst days. We hope you’ll join us and be a part of the team!

* CTA’s public early sharing database does not show 500 early shares as of the publication of this blog because it does not include early shares that were never released to the public.

**Thanks, New York Times style guide!

Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.