Written by Ryan Olson, Vice President Threat Intelligence (Unit 42), Palo Alto Networks
Through this new series of guest blogs, we hope to shine a light on the day-to-day role that our members play in shaping and supporting the work of CTA. We have invited our member companies to share blog posts exploring how they see CTA and what value a CTA membership conveys. We look forward to sharing more of these posts in the coming weeks.
In the six years I’ve spent leading the Palo Alto Networks Threat Intelligence team, Unit 42, collaboration has been at the core of our daily work. Collaboration with our customers, other researchers, governments, and law enforcement have all been crucial to pursuing our goal to make the world a safer place. Our participation in the founding of the Cyber Threat Alliance (CTA) and continued engagement with this group is the clearest example of our commitment to that goal through collaboration.
I was involved with CTA before there was a CTA, back in 2014. We started talking about creating an organization, similar to an ISAC, that would facilitate sharing intelligence about the latest threats. This wasn’t the first initiative of its kind, but with the combined experience of the founding members we set some guidelines to help get us started off on the right path.
1. Everyone Must Share
Many ISACs and other types of sharing groups suffer from a “free rider” problem. Where the majority of incoming information is shared by a subset (often small) of the overall membership. In the design of CTA, we knew that the members would be security vendors who had valuable data to share so we could require them to do so if they wanted to join. We developed a simple scoring system to ensure they shared valuable information and “enough” of it.
2. You Don’t Have to Share Everything, but What You Share Must Be Unencumbered
In information security, not everything is appropriate to share with people outside your organization. However, if someone shares information but labels it in a way that excludes taking action (building protection mechanisms in our products) it becomes much less valuable. When someone shares with CTA, the understanding is that everyone can and will use it to make their products better for their customers.
3. Share in a Structured Format That Includes Enough Context to Enable Action
Much of the threat intelligence shared today comes in two forms, neither of which are especially effective.
- Lists of indicators (like domain names, or file hashes) without any context other than that they are bad. These function as “blacklists” that are easy for machines to consume, but hard for people to use. Not knowing “why” an indicator is bad, or how one would see it in their network means many organizations can’t trust or verify the data and do something useful with it.
- Long form reports that require a person to read before they can take action. These reports have lots of context, but dealing with these quickly and at scale is impractical.
We wanted CTA members to share richer data, with context, but in a machine-readable form that could be automatically actioned. This led us to combining the STIX interchange format, with MITRE’s ATT&CK framework so we could share indicators (or observables) with enough context to enable action at machine speed.
Although these three principles are still core to CTA’s function, the relationships I and my team have built with the people in other member’s intelligence teams was an unexpected benefit. CTA has enabled us to collaborate in the trusted environment and build independent relationships that make that collaboration even more effective.