Written by Ryan Olson, VP Threat Intelligence (Unit 42), Palo Alto Networks
When Palo Alto Networks and Fortinet co-founded the Cyber Threat Alliance (CTA) in 2014, which eventually incorporated on January 23, 2017, I would have never guessed years later there would be 30+ members. It’s a significant accomplishment for CTA, as they commemorate their 4th birthday this year.
In the past seven years since the initial idea of CTA, we have seen significant growth in the industry, which is reflected in the diverse membership within CTA. We started out with six members pre-incorporation and have steadily increased membership year-over-year. As of January 2021, CTA now has 31 members from North America, LATAM, EMEA, and APAC. We have traditional cybersecurity vendors and more specialized vendors, including telecommunications, industrial, endpoint, and analytics and data collection.
Our goal when we co-founded CTA was, and remains, simple: promote information sharing within the cybersecurity community for better cross-industry, cross-vendor threat intelligence, better coordination of incident response and better prevention of cyber attacks. From a technical perspective, the evolving platforms that CTA has used over the years have increased our success in automated sharing — through the use of industry standards (e.g., STIX 2.0 and MITRE’s ATT&CK framework) and simply making sharing easier. In 2020 alone, members of CTA shared more than 57,000,000 observables (e.g., IP addresses, URLs, domains, and files/hashes), which other members can incorporate into their own products to protect their customers.
From an individual perspective, human-to-human sharing remains a key component of the value proposition for CTA. For example, having access to a CTA member’s threat research before it’s published gives everyone an opportunity to confirm protections for their customers are in place as quickly as possible. In 2020, CTA members shared threat research in advance of public dissemination almost 200 times. Having an internal network of researchers and analysts readily available for quick discussion, or more focused research efforts, has proven to be an incredible asset to Palo Alto Networks.
Additionally, early sharing has introduced new opportunities for collaboration. CTA provides a built-in mechanism for collaboration for its members with a network that has an existing level of trust established. The Algorithm and Intelligence Committee (A&I) — which engages in information sharing activities and coordinates joint efforts designed to disrupt malicious activity — is the largest committee that the CTA has, and it’s the most active.
Moving forward, for CTA to remain effective against an ever-changing threat landscape, the membership needs different areas of expertise (cloud, IoT, etc.) and different regions represented around the world to bring new perspectives to the table in an effort to keep pace with attackers. For emerging areas that CTA members aren’t as familiar with, it’s important to educate the group to ensure they’re equipped to use the data.
Lastly, it’s important not to be complacent. CTA didn’t happen by accident. Industry leaders like former Palo Alto Networks CEO Mark McLaughin (now Vice Chairman), Fortinet CEO Ken Xie, former Symantec CEO Greg Clark (now CEO of Forescout), and former McAfee CEO Chris Young (now Microsoft EVP of Business Development) put in the time to make it work. We all have to keep pushing to make it successful.
If we assume our efforts are working and we don’t continue to try to improve, we’ll soon find that the attackers have regained their advantage. With continued and improved automated sharing, collaboration, and membership growth, we can build a trusted network of industry experts who work in good faith to mitigate cyber threats around the world.
In 2021 and beyond, I’m hopeful that information sharing within the cybersecurity community will continue to get better. At the end of the day, we’re all on the same team with a common goal: making each day safer and more secure than the one before.