We have often joked that after 20 years of talking about information sharing, we finally decided to start doing it. And now that we’re actually trying to do it, we realize why we spent 20 years talking about it. It’s much easier to talk about it!
In our first “Smarter Cybersecurity Thinking” blog post, we outlined CTA’s belief that when cybersecurity companies share threat intelligence at speed and scale, they gain an advantage over their competition and provide an added value to their customers. The reason: No single company can combat all the cyber threats that exist today, because no single company can detect, identify and protect against every possible type of malicious activity. Individual companies play different roles in the cybersecurity ecosystem, which is exactly why we need to combine their different insights, perspectives and data to strengthen all of our defensive capabilities.
In turn, this shifts the focus of competition from “who has the most data” to “who makes the best use of the data.” From an ecosystem-wide point of view, information sharing will actually make a company more competitive, as it drives them to focus on improving products and outcomes. However, joining an information sharing organization isn’t enough to get the job done. Companies need to set up a framework that incentivizes participants to share information that is:
- Complete: provides enough detail for a proper response, is in sufficient quantity to permit valid analysis and confidence that conclusions based on it are actionable
- Accurate: high-quality, with a low false positive rate, to ensure that the right actions are taken
- Relevant: addresses threats of importance to organizations and is useful for network defenders in adjusting their behavior
- Timely: produced and delivered quickly to be actionable
From the perspective of CTA, here’s what that looks like:
- You must give to receive: In many other information sharing models, members are not required to share information. However, these individuals likely see something that might be useful to the community, and by withholding it, they are putting others at risk. Unlike these models, CTA members are required to share information so there are no “free-riders.” As the saying goes, “a rising tide lifts all boats.” We just ensure everyone adds their fair share of water.
- Time is of the essence: Fortinet’s CEO Ken Xie noted in a previous blog post, “In today’s digital economy, speed and efficiency are essential. So is the ability to access data from anywhere and from any device.” The faster that cybersecurity companies share information with each other, the faster they can deploy protections to their customers. This type of rapid-fire information sharing is what allows CTA to disrupt malicious activity on a larger – and faster – scale.
- Context rules: While we need to share data in a timely manner, we must also share data that is enriched with context. In many circumstances, a simple observable, such as an IP address with no context, is often useless. When was the IP address used for malicious activity? What sector did the IP address target? Is the IP address the source of the malicious activity, a command and control node, or simply an IP address used by malware to check for connectivity? A lack of context can render data useless, which is why the CTA incentivizes members to share observables with the right information, thereby enabling threat intelligence analysts to make assessments and protect customers.
- Diverse data makes a difference: While CTA has unique insight into the cybersecurity threat, we are always looking for gaps in coverage that can be filled in by new members. We’re committed to working with companies all over the world to gain that unique regional insight. This data diversity comes in many forms, including threats to various information and communications technology systems, such as endpoint devices, network infrastructure, mobile devices, ICS/SCADA systems or threats that vary geographically.
- Maximize shared data’s impact: When possible, we must also share the types of information and context that have a higher probability of disrupting the adversary systemically. As outlined in David Bianco’s “Pyramid of Pain” sharing information higher on the pyramid–such as adversary tactics, techniques, and procedures (TTPs)–is much more disruptive to malicious cyber actors than identifying IP addresses and domain names. These things take more resources to change and rebuild. It’s easy to move your C2 to a new IP address, but it’s much harder to redesign your procedures for exfiltrating data.
CTA’s structure is designed to encourage members to meet these principles. As of today, our members have shared over 18 million STIX packages since CTA’s incorporation in February 2017, and 11 million of these packages have included the context that helps network defenders take action. But CTA is a work in progress. The CTA is constantly looking for new ways to incentivize members to share more quality information and we are constantly looking for ways to improve.
In the fall of 2017, the New York Cyber Task Force released a report titled “Building a Defensible Cyberspace.” The report notes that, while difficult, it is possible to establish a more defensible cyberspace where defenders have the advantage over the attackers. The report identifies multiple innovations in cybersecurity across the areas of technology, operations, and policy and found that the most successful of these innovations were leveraged. They operated on an internet-wide scale and imposed more costs in dollars and effort on the adversary than on the defender.
CTA believes that our information sharing model is one way to provide leverage for network defenders and improve our global cybersecurity. CTA’s ability to share quality, diversified information at speed and scale provides improved protection to all of our end-users, who include critical infrastructure owners and operators across the world, private sector businesses from small to large, and Federal, state, and local governments. CTA’s collaboration and sharing lead to enhanced protection across an enormous percentage of the internet.
CTA is committed to this vision of a more defensible cyberspace through leverage. Our information sharing, even though it’s not as easy, is having an outsized impact in the protection of those that use our products. The conversation around information sharing doesn’t end here. In our next blog post, we dive into our own analytic and operational collaboration that is disrupting today’s malicious cyber actors.