On September 9th, CTA reached a major milestone for our automated sharing program. Since our founding as an independent non-profit in 2017, CTA member companies have shared over 100 million cyber threat observables. Although it may seem banal in some ways, this simple statistic represents an enormous accomplishment in its own right. It is also a useful heuristic for CTA’s various achievements and advancements over the 1,348 days between the first observable submission and the hundred-millionth.
Overcoming Obstacles to Sharing
While the cybersecurity community talked about threat sharing for years, the reality usually fell short. Although many barriers stymied progress, four stood out for cybersecurity providers. One was the free-rider problem – organizations would join sharing groups only to discover that very few members provided any intelligence. Everyone was happy to receive, but few would give. Second, observables by themselves often lack utility. Without context, defenders cannot use them. Third, the anonymity afforded by most broad sharing groups results in a lot of noisy, unvetted data. For organizations that make money based on cyber threat intelligence, these barriers were show-stoppers. Fourth, when vendor groups did overcome these issues, they usually did so based on personal connections and the sharing would often only last for a short time.
From its founding, CTA was designed to overcome these challenges. We built a requirement for members to share into our bylaws – you can’t be a CTA member without providing a minimal level of threat intelligence. In the early days of CTA, we required all observables to come with at least one piece of context (what kill chain phase the submitter assessed that it belonged in). We now require certain additional context, such as first- and last-seen, and at least one more piece of information (e.g., malware name or attack pattern), and incentivize members to share additional context beyond those requirements. CTA emphasizes transparency rather than anonymity; shared intelligence stays tagged to the submitting organizations. We have created an independent, neutral organization whose entire purpose is to enable and sustain threat intelligence sharing over the long-term.
Now You’ve Seen It, Believe It
While some were skeptical that CTA could work, we have amply demonstrated that competitors can share threat intelligence with context in a standardized format, benefiting the entire ecosystem, and still compete and make money. We have shown that the cybersecurity industry can share automated threat intelligence at speed and scale, sustaining that sharing not just for months but for years. In the process, we have built a trusted community that has enabled CTA to expand our membership and our other sharing activities, including our early sharing of member blogs and reports. In turn, CTA’s sharing activities enable our members to better protect their customers and clients, more effectively disrupt our adversaries, and raise the level of cybersecurity across the digital ecosystem.
I have been in the cybersecurity business long enough to know that celebrating this sort of milestone reflects both that real progress has been made and that much work remains to be done. As is to be expected, for a variety of reasons, no vendor shares everything they know and CTA members only constitute a portion of the industry. What has been shared through CTA represents only a fraction of the malicious activity out there. CTA passing the 100 million mark for shared observables helps to put the scale of the problem in perspective. Luckily, it also shows what is possible when cybersecurity providers take the risk to share with each other, investing time and money into the effort.
So, what does 100 million get you? In this case, the foundation for better defenses and a safer ecosystem. I am confident that when we reach 200 million, CTA will be even larger, more effective, and an integral part of the cybersecurity landscape.