Cyber Threat Intelligence Sharing as a Force Multiplier
Force Multiplication: Past and Present
For millennia, military leaders have looked for new tactical and technological means of magnifying their existing strategic resources. Stronger armor, higher walls, and more reliable means of communication and navigation are all examples of innovation as ‘force multiplication.’ The historic consequences of these technologies have shaped empires, economies, and civilizations through the ages.
Today, the battlefield has moved online and, in cyberspace, traditional distinctions between military, criminal, and civilian arenas have become increasingly blurred. Digital defenders need to leverage every means at their disposal to maximize protections for the networks and infrastructure of businesses, governments, and citizens.
Disrupting malicious cyber activity across a more complex attack surface requires numerous force-multiplying technologies and approaches. Cyber threat intelligence (CTI), as one such tool, has the potential to be truly transformative in this ongoing battle to secure our digital ecosystem.
Getting Ahead of the Curve
Although we tend to think in terms of keeping adversaries “out” — of our networks, systems, or files — cybersecurity is not a binary state. Whereas the “boom” is the goal of a missile attack or a terrorist plot, the hack is rarely the goal of malicious actors. They have some other purpose in mind and the hack is just one step of many towards that end. As a result, network defenders get multiple opportunities to prevent the bad guys from achieving their ultimate objectives both prior (prevention, protection, mitigation) and subsequent (response, recovery) to the hack.
For example, while a malicious actor may get into your network, they could still be prevented from moving laterally. Or they may get into the network and move laterally, but still be prevented from escalating access privileges and reaching their target data. They may even access the information that they’re seeking, and still be prevented from exfiltrating that data.
All these examples are defensive successes. The adversary has failed to achieve their goal, despite successfully ‘hacking’ into the victim’s infrastructure. The question therefore becomes, “How can we shift our thinking about cybersecurity toward this more holistic defensive approach?” Depending on the adversary’s tactics, disruption may be more desirable or viable at different points in the kill chain. Understanding where defensive efforts will be most effective therefore requires us to understand adversaries’ preferred tactics and techniques.
This is where CTI comes into play, enabling defenders to get ahead of the curve:
“Cyber intelligence seeks to understand and characterize things like: what sort of attack actions have occurred and are likely to occur; how can these actions be detected and recognized; how can they be mitigated; who are the relevant threat actors; what are they trying to achieve; what are their capabilities, in the form of tactics, techniques, and procedures (TTP) they have leveraged over time and are likely to leverage in the future; what sort of vulnerabilities, misconfigurations, or weaknesses they are likely to target; what actions have they taken in the past; etc.” — Sean Barnum, Software Assurance Principal, MITRE
Achieving this kind of strategic awareness on a sustained basis requires two criteria to be met:
- Broad intelligence visibility into the cyber threat landscape
- Standardized analytic approaches for that information
CTI via CTA as a Force Multiplier
The first criterion hinges on organizations with partial visibility being willing to pool their threat intelligence data, as modelled by the Cyber Threat Alliance (CTA). No one actor or cybersecurity provider has sufficient spread across industry verticals and geographies to see the full picture of adversarial activity in all its contexts. Corporate siloing of threat intelligence data is counterproductive to the broader security of the global digital ecosystem, while sharing can be a net positive — even for individual companies — over the long-run.
Every vendor has its unique comparative advantage in terms of visibility into industry niches. By combining this visibility through CTA membership, sharing via our automated platform, and distribution of pre-publication analysis and research findings across our membership, we can get closer to an unimpeded vantage point over the threat landscape while ensuring that the benefits of this improved visibility are equitably distributed.
Intelligence sharing at speed and scale is the principal motivation of the second criterion. CTI as expressed through MITRE’s STIX framework with context, including malware analysis, targeted industry sector, and information about adversary tactics, techniques, and procedures organized around the MITRE ATT&CK framework, can deliver on this requirement. This is why CTA mandates that our members make use of these frameworks, which allow data points to be cross-referenced, validated, and interpreted within a consistent frame. Our pooled data is more reliable and, crucially, more readily actionable as a result.
CTA has grown steadily since our founding, with sustained improvements to our technical and organizational infrastructure to meet the needs of our members as they evolve with the threat landscape. Our model of force multiplication through sharing and operational collaboration rests on a combination of individual value for our members and their interest in acting collectively for the common good.
As our membership continues to grow in size and diversity, the threat data shared by our members increases along those same dimensions. Each of our members therefore has access to a larger volume of more nuanced CTI data than they would otherwise have. This empowers them to make smarter decisions in deploying their existing resources, which in turn amplifies the efficacy of their defensive and analytic efforts, meaning stronger and more reliable protections for all.