By Michael Daniel, CTA President & CEO
The start of a new year presents a good opportunity to think strategically. In my case, I have been thinking about how threat intelligence sharing works (or doesn’t) and the role it plays in cybersecurity. We talk a lot about sharing as an industry, and we know it is important, probably even critical, but we also struggle with it. As I have reflected on that dichotomy, our experience with CTA indicates that the difficulty lies in the implicit assumptions we have about threat intelligence sharing. It turns out several of those assumptions are wrong.
The most fundamental incorrect assumption is that intelligence sharing should be easy. We make this assumption because in general sharing information via the internet is easy. You can send pictures, files, and data to lots of people with a few clicks. You can work collaboratively on documents and see the text change in real-time. You can find facts and retrieve information much more swiftly than when you physically had to go to a library. However, if we approach threat intelligence sharing that way, it does not generate useful insights. Simply sharing whatever is at hand without thinking about it whenever you have the chance doesn’t work. In fact, it produces the opposite effect, creating noise that makes it more difficult to find the true “signal.”
Thus, effective threat intelligence sharing is not easy. It requires several ingredients: commitment, expertise, and prioritization. Sharing only produces useful results if you sustain it over time (commitment), exchange the right information at the right time with the right context (expertise), and dedicate the resources needed to support the first two ingredients (prioritization). Absent those factors, cyber threat information becomes noise.
A second challenge relates to consistency and scale. It’s relatively easy to share one piece of data with one partner at one time. Yet, such sharing is not overly helpful, or at least rarely has a broad impact – it’s simply too small relative to the problem. To be useful, sharing needs to occur on a regular basis at a significant scale. As in many disciplines, achieving consistency and scale in sharing activities turns out to be a hard problem, and it requires formats, processes, and dedicated technology. We have those things now, but not everyone knows how to use them correctly or follows them consistently.
However, even if we manage to consistently share information at scale using agreed-upon formats, we face a third problem: data formats and standards only get us so far. Even relatively strict formats have flexibility built in, which leads to variation in shared information. Further, there are inherent uncertainties in information about people and organizations that are trying to hide their activities. Finally, the cybersecurity industry itself adds to the confusion, with different naming conventions for collective behaviors (Acme Cybersecurity Company calls the behavior set Grumpy Walrus, while BFG Inc refers to a [probably] similar behavior set as Banana Custard). As a result, even supposedly standardized data takes a lot of cleaning, correlation, and transformation to be usable.
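To make the cleaning, correlation, and transformation step concrete, here is an added example that is not part of the original post and not CTA's own tooling. It takes two constructed vendor feeds that use different field names, different defanging conventions, and the post's fictional actor names (Grumpy Walrus vs. Banana Custard), normalizes the indicators into one schema, maps both vendor names to a single assumed canonical label ("CLUSTER-1"), and then reports which indicators are corroborated by more than one source. All feed records, field names, and the alias table are constructed for illustration.

```python
"""Added example (not from the CTA post): normalize and correlate two
constructed vendor indicator feeds with differing formats and naming."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed alias table: each vendor's name for a behavior set -> one shared
# label. The vendor names are the post's fictional examples; "CLUSTER-1" is an
# assumed canonical label chosen for this example.
ALIASES = {
    ("acme", "grumpy walrus"): "CLUSTER-1",
    ("bfg", "banana custard"): "CLUSTER-1",
}

@dataclass(frozen=True)
class Indicator:
    kind: str      # "ipv4" or "domain"
    value: str     # normalized value
    cluster: str   # canonical behavior-set label, or "UNMAPPED"
    source: str    # vendor that reported it

def refang(value: str) -> str:
    """Undo common defanging: hxxp:// -> (dropped), [.] / (.) / {.} -> ."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxps?://", "", v, flags=re.IGNORECASE)
    return v

def normalize_value(raw: str):
    """Classify and normalize a raw indicator; return (kind, value) or None."""
    v = refang(raw)
    v = v.split("/")[0]            # keep only the host part of a URL
    v = v.lower().rstrip(".")      # case-fold, drop trailing dot
    try:
        ipaddress.IPv4Address(v)
        return ("ipv4", v)
    except ValueError:
        pass
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v):
        return ("domain", v)
    return None                    # free text, not a usable indicator

def normalize_feed(vendor: str, records, value_key: str, actor_key: str):
    """Map one vendor's records (its own field names) onto the shared schema."""
    out = set()
    for rec in records:
        parsed = normalize_value(rec.get(value_key, ""))
        if parsed is None:
            continue
        kind, value = parsed
        actor = rec.get(actor_key, "").strip().lower()
        cluster = ALIASES.get((vendor, actor), "UNMAPPED")
        out.add(Indicator(kind, value, cluster, vendor))
    return out

# Constructed sample feeds (documentation/test address ranges only).
ACME_FEED = [
    {"ioc": "hxxp://Evil-Domain[.]example/login", "actor": "Grumpy Walrus"},
    {"ioc": "198.51.100.7", "actor": "Grumpy Walrus"},
    {"ioc": "not an indicator", "actor": "Grumpy Walrus"},
]
BFG_FEED = [
    {"indicator_value": "evil-domain.example.", "threat_actor": "Banana Custard"},
    {"indicator_value": "203.0.113[.]9", "threat_actor": "Banana Custard"},
    {"indicator_value": "198.51.100.7", "threat_actor": "Unknown"},
]

def correlate(*feeds):
    """Group normalized indicators by (kind, value), collecting sources/clusters."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            entry = merged.setdefault((ind.kind, ind.value),
                                      {"sources": set(), "clusters": set()})
            entry["sources"].add(ind.source)
            entry["clusters"].add(ind.cluster)
    return merged

def corroborated(merged, min_sources: int = 2):
    """Indicators reported independently by at least min_sources vendors."""
    return sorted(k for k, e in merged.items() if len(e["sources"]) >= min_sources)

def build_merged():
    acme = normalize_feed("acme", ACME_FEED, "ioc", "actor")
    bfg = normalize_feed("bfg", BFG_FEED, "indicator_value", "threat_actor")
    return correlate(acme, bfg)

if __name__ == "__main__":
    merged = build_merged()
    for key in corroborated(merged):
        print(key, merged[key])
```

The point the post makes shows up in the output: the same host arrives from one vendor as a defanged URL with mixed case and from the other as a bare domain with a trailing dot, and only after normalization do they correlate. The `198.51.100.7` entry also illustrates the naming problem in reverse: one vendor attributes it to the mapped cluster while the other leaves it unattributed, so the merged record carries both labels rather than silently picking one.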
Finally, we typically talk about information sharing as if only one type of information exists. Yet, that’s an incorrect assumption too. Technical intelligence sharing of indicators of compromise, like what CTA does, is one type of sharing. However, sharing best practices about defensive measures or providing early warning about new threats is also intelligence sharing. Without a rigorous taxonomy for cyber threat intelligence, organizations often end up talking past one another when they discuss threat intelligence sharing.
These four conclusions provide a guide for how to improve the utility of threat intelligence sharing. First, if sharing is not easy, then we have to acknowledge that it has a cost, in both time and money. In turn, that acknowledgement means we need to ensure that sharing is worth it to the participants. Second, we need to invest that time and money to facilitate consistency and scale, so that we can manage the sharing process efficiently over time. Third, we must factor in the need to clean, standardize, and transform shared intelligence, or organizations will not be able to act upon the shared information. Finally, we need greater precision about the kind of threat intelligence sharing in which we want to engage, clearly articulating its purpose and outcomes. This analysis will enable organizations to produce and consume the intelligence that is most useful to them.
If we take these lessons to heart and change our behavior, we can fulfill the vision for what cyber threat intelligence sharing could be — a force multiplier in cyber defense. It can enable defenders to gain the upper hand and reduce the profitability of cybercrime. It can make espionage operations more difficult to maintain. It can help ensure the integrity and resilience of our critical infrastructure. Cyber threat intelligence sharing does matter. We just have to stop pretending that it’s easy.