The Rise Of Threat Intelligence Sharing

The Target breach prompted retailers to create a formalized process for disseminating threat intelligence information to help incident responders quickly address attacks targeting payment systems and threats to servers containing sensitive customer data.

The National Retail Federation said in April that it would establish a Retail Information Sharing and Analysis Center (ISAC). The information-sharing group, which officially launched in June, includes participants from the Department of Homeland Security and the Secret Service, which investigates large-scale credit and debit card breaches.

Security experts tell CRN that it will take time for the new Retail ISAC to establish trust among its members and be effective at quickly spotting industry-specific threats and disseminating information.

Meanwhile, retailers with established IT teams need to develop more robust incident response plans and regularly test them with people who know how to use threat information, said Amit Yoran, general manager and senior vice president of RSA Security in Bedford, Mass., and a former director of the Department of Homeland Security's National Cyber Security Division.

"For many organizations, their systems might not be tooled accurately to identify what is occurring in their environment and alert on the most important issues that need to be addressed by an incident response team," Yoran said in a recent interview. "There's a realization that even these next-generation technologies are not going to keep you fully protected, and incident response is where the market is heading."

Industry groups designed to provide data about ongoing attacks consist of people in a position to take action by addressing targeted systems, said Paul Vixie, an Internet pioneer, domain name system expert and security industry luminary. ISACs help coordinate the dissemination of information, but they rely on trust and share with individuals who "need to know," Vixie said. "If you can't take action on any systems or infrastructure, you will not be part of these groups," said Vixie, who recently founded Farsight Security, which specializes in a subscription service for specialized threat intelligence data. "If there is a certain risk of adding someone inside the security perimeter, why take the risk if there is no possible benefit?"

Communicating accurate threat information at a rapid pace has been an ongoing priority for incident responders in the public and private sector, said Derek Manky, a global security strategist at Fortinet and spokesperson for the annual Forum of Incident Response and Security Teams (FIRST) Conference held recently in Boston. Progress is being made on the establishment and adoption of global standards for threat intelligence sharing, but legal and regulatory issues pose hurdles that prevent some organizations from participating, Manky said. "It's clear that every industry has unique resources that need to be protected, their own set of threat actors targeting them and similar avenues of attack," Manky said. "Most organizations want to contribute because there's a major benefit in gaining advance notice about attacks."

MSPs with strong security practices are increasingly becoming part of the process. CRN recently reported that the Department of Homeland Security is establishing stronger ties with trusted managed security service providers (MSSPs). The DHS has established a secure connection to share classified intelligence data with AT&T and CenturyLink through its Enhanced Cybersecurity Services program and said it is expanding the program to MSSPs who seek approval.

Threat intelligence sharing is improving significantly within each established ISAC, but communication isn't well established across verticals, said George Johnson, chief security officer at NC4, a public sector IT solution provider that focuses on threat intelligence sharing for risk and information security management. Speaking at the FIRST conference, Johnson said standards for threat sharing are getting better, but technology alone isn't going to solve trust issues among private and public sector representatives. "There are small groups of sharing that are very effective, but we have a long way to go before we solve trust issues that are there today," Johnson said. "Today's problem is that we log onto portals to exchange information and there's often no human interface to it."

The financial industry, which has one of the most mature threat-intelligence-sharing initiatives among banks, brokerage houses and other services, regularly shares information among its members and with the Department of Homeland Security. Security experts see it as a model for other industry sectors, following its role in successfully addressing a long line of extensive attacks against the industry.

But threat sharing needs automation to eliminate sluggish and outdated mechanisms, such as email lists and portals that can hamper the speed at which actionable data can get in the hands of the responders, said Denise Anderson, vice president of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and chair of the National Council of ISACs. Anderson, who spoke to incident responders during a session at the FIRST Conference with Johnson on automating threat intelligence, was optimistic that threat intelligence delivery improvements could bolster incident response. Signs of improvements, according to Anderson, include advancements in research, such as the work of the MITRE Corporation, a nonprofit that has been working on creating a standardized language to represent structured cyberthreat information.

One such standard created by MITRE is Structured Threat Information eXpression (STIX), which helps get to the root of a cyberattack so security incident characteristics can be formally described in a structured manner. Industry sharing groups aid incident responders by turning the threat indicators associated with an attack, and the tactics and techniques used by criminals, into information that creates a course of action for those receiving the data, Anderson said. The model holds promise in establishing robust repositories of trusted information where researchers can identify commonalities that may not have been previously observable, Anderson said.
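The linkage described above, from indicator to technique to course of action, can be shown in code. This is an added example, not taken from the article, MITRE or FS-ISAC. It assumes the later JSON serialization of STIX (2.1); the bundle contents, the shortened ids and the `action_sheet` helper are constructed for illustration.

```python
import json
import re

# Constructed sample bundle (STIX 2.1-style JSON; ids shortened for readability,
# real STIX ids are "<type>--<UUID>"). All values are illustrative.
BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--example", "objects": [
  {"type": "indicator", "id": "indicator--1", "name": "POS malware exfil server",
   "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
  {"type": "indicator", "id": "indicator--2", "name": "Unlinked indicator",
   "pattern_type": "stix", "pattern": "[domain-name:value = 'cards.example.net']"},
  {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Memory scraping of card data"},
  {"type": "course-of-action", "id": "course-of-action--1",
   "name": "Block egress from POS VLAN except to payment processor"},
  {"type": "relationship", "id": "relationship--1", "relationship_type": "indicates",
   "source_ref": "indicator--1", "target_ref": "attack-pattern--1"},
  {"type": "relationship", "id": "relationship--2", "relationship_type": "mitigates",
   "source_ref": "course-of-action--1", "target_ref": "attack-pattern--1"}
]}
""")

# Handles only the simplest pattern form: [object:property = 'value']
SIMPLE = re.compile(r"^\[([a-z0-9-]+):([\w.]+)\s*=\s*'([^']*)'\]$")

def action_sheet(bundle):
    """Join indicator -> technique -> course of action into responder-ready rows."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in objs.values() if o["type"] == "relationship"]
    rows = []
    for ind in (o for o in objs.values() if o["type"] == "indicator"):
        m = SIMPLE.match(ind.get("pattern", ""))
        observable = (m.group(1), m.group(3)) if m else ("unparsed", ind.get("pattern"))
        techniques = [r["target_ref"] for r in rels
                      if r["relationship_type"] == "indicates" and r["source_ref"] == ind["id"]]
        actions = [objs[r["source_ref"]]["name"] for r in rels
                   if r["relationship_type"] == "mitigates" and r["target_ref"] in techniques
                   and r["source_ref"] in objs]
        rows.append({
            "observable": observable,
            "techniques": [objs[t]["name"] for t in techniques if t in objs],
            # An indicator with no linked action is flagged rather than dropped.
            "actions": actions or ["NO COURSE OF ACTION SUPPLIED - triage manually"],
        })
    return rows

if __name__ == "__main__":
    for row in action_sheet(BUNDLE):
        print(row)
```

The second indicator has no relationships, so its row carries the manual-triage flag: the case where shared data arrives without the context a responder needs to act on it.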

"The next phase is building repositories of trust, scoring and analyzing them," Anderson said.