Written by Samir Mody, Vice President Threat Research, K7 Computing
Through this series of guest blogs, we hope to shine a light on the day-to-day role that our members play in shaping and supporting the work of CTA. We have invited our member companies to share blog posts exploring how they see CTA and what value a CTA membership conveys. We look forward to sharing more of these posts in the coming weeks.
Have you ever felt that you have something valuable to contribute to an important goal, but been unsure of the form in which that value needs to be forged and delivered to achieve its true potential and be recognized as such?
K7 Labs has had backend telemetry systems in place for years, which contain in-the-wild cyber threat data from millions of our customers. We have automated replication systems and tons of other metadata. This data is extremely valuable in understanding the nature of the specific threats to our customers, both enterprise and consumer. It allows us to provide more robust proactive protection at all supported security layers for prevalent malware and to proactively suppress misdetections. However, we knew we could do more. How could we piece together components of an attack to understand adversaries’ modus operandi, thus increasing protection coverage to an even greater extent? How could we gain visibility into incidents in geolocations to which our telemetry is not exposed? The answer to each was threat intelligence.
WHAT IS THREAT INTELLIGENCE?
Threat intelligence (TI) is more than mere IOCs. Context is vital. It must be relevant, it must be actionable, and it must be time-bound. Moreover, in order to be parsable by SIEM and SOC systems, it must be represented and packaged in a standard format, STIX being the primary choice. It is great to read the voluminous documentation and theory surrounding TI, but the proof of the pudding is in the eating. We needed to ensure that our “K7 Ecosystem Threat Intelligence” (K7ETI) data was filtered and packaged to industry standard levels. A key question for us was: “Who would be able to provide us independent validation of our value proposition?”
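To make the three properties above concrete, here is an added example (not K7's or CTA's code) that packages constructed indicators as STIX 2.1 objects with context fields and an explicit validity window, then filters a small feed down to the entries a SIEM should still act on. It uses only the Python standard library; every hash, domain and address is a placeholder.

```python
"""Added example: STIX 2.1 indicators that are contextual and time-bound,
plus a filter that drops expired or context-free entries. Constructed data."""
import json
import uuid
from datetime import datetime, timedelta, timezone

STIX_TIME = "%Y-%m-%dT%H:%M:%S.000Z"  # STIX timestamp layout (UTC)

def make_indicator(pattern, description, labels, created, valid_days):
    """Return a STIX 2.1 Indicator dict. valid_from/valid_until make the
    intelligence time-bound; description and indicator_types carry context."""
    stamp = created.strftime(STIX_TIME)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": description,
        "description": description,
        "indicator_types": labels,
        "pattern_type": "stix",
        "pattern": pattern,
        "valid_from": stamp,
        "valid_until": (created + timedelta(days=valid_days)).strftime(STIX_TIME),
    }

def actionable(indicators, now):
    """Keep indicators that carry context and are inside their validity window."""
    keep = []
    for ind in indicators:
        frm = datetime.strptime(ind["valid_from"], STIX_TIME).replace(tzinfo=timezone.utc)
        until = datetime.strptime(ind["valid_until"], STIX_TIME).replace(tzinfo=timezone.utc)
        if ind.get("description") and ind.get("indicator_types") and frm <= now < until:
            keep.append(ind)
    return keep

def bundle(indicators):
    """Wrap objects in a STIX 2.1 Bundle; this JSON is what a SIEM would ingest."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": indicators}, indent=2)

# Constructed feed: one fresh indicator, one expired, one with no context at all.
T0 = datetime(2020, 6, 1, tzinfo=timezone.utc)
NOW, LATER = T0 + timedelta(days=10), T0 + timedelta(days=40)
FEED = [
    make_indicator("[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
                   "Dropper seen in telemetry (placeholder hash)", ["malicious-activity"], T0, 30),
    make_indicator("[domain-name:value = 'example.invalid']",
                   "Stale C2 domain (placeholder)", ["malicious-activity"], T0 - timedelta(days=90), 30),
    make_indicator("[ipv4-addr:value = '192.0.2.10']", "", [], T0, 30),
]

if __name__ == "__main__":
    print(bundle(actionable(FEED, NOW)))
```

Only the fresh, contextual indicator survives the filter at NOW; by LATER its own window has closed and the feed yields nothing actionable.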
ENTER THE CYBER THREAT ALLIANCE
As if by destiny, there I was listening to Michael Daniel, CEO of the Cyber Threat Alliance (CTA), speak about the organization at the 2018 Virus Bulletin conference. I expressed interest in learning more and we exchanged business cards (yes, these are still relevant in this modern digital world, although perhaps that will change post-COVID-19). I received literature about CTA’s own value proposition and quickly realized that CTA could be a partner in helping us understand what high-quality TI data actually means in practice. CTA was also keen to have us on board; after all, K7 Computing would be the first member from India, providing a new perspective on cyber threats in this important region of the world.
After both sides had done their due legal diligence and completed the necessary administrative tasks via conference calls and email exchanges over multiple time zones, K7 Computing joined over 20 other cybersecurity companies as a member of CTA. We found the CTA staff responsive and accommodating, much to our gratification.
BENEFITS BEYOND STIX
Since joining CTA, in addition to an improved understanding of the current quality of K7ETI data and how it can be augmented, we have realized various other technical and non-technical benefits. CTA members contribute and are privy to contextual early-sharing data, both human and machine-readable, as well as opportunities to share and discuss threat intelligence in a way that expedites protection for our respective customers. In terms of non-technical benefits, CTA provides a forum that facilitates person-to-person interactions between member organizations; between members and government; and between members and law enforcement agencies.
The cybersecurity industry is built on trust, cooperation, collaboration, and sharing, involving multifarious stakeholders. No single entity could possibly have complete visibility across geographies, industry sectors, device platforms, and so on. A collective effort is required, and we see CTA as providing a unique platform to nurture those symbiotic relationships that help fight cybercriminals while we strive for a more cyber-secure world.