- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Sharing More Cyber Threat Intel Will Make Things Better
Imagine an attacker sending a malicious PDF disguised as a fake invoice to Terry, the CISO at GoodLife Bank. Terry and Terry’s staff are a talented group. After recognizing the potential phishing attempt, they analyze the file and create a signature to block it from the other bank employees. Their company is better protected, but what are the odds that the attacker used this malicious PDF against only one user at only one bank? How might GoodLife share this knowledge with other financial institutions or even everyone on the planet?
Cyber Threat Intelligence (CTI) is “evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can inform decisions regarding the subject’s response to that menace or hazard.”30 There are dozens and dozens of research papers and commercial products focused on sharing CTI. We have services, mailing lists, and organizations to share threat information. The common refrain is that “more sharing is better.” After all, how could more information not help cybersecurity?
CTI is knowledge, and knowing about a threat is different from using that knowledge to prevent or mitigate a threat. CTI has value when it is put into action. Knowing how to speak Greek, play chess, or that bad.exe is malware is not the end goal. Putting that knowledge into practice is how knowledge has value.
More sharing is not the answer. Better sharing is better. Threat intelligence takes many forms. On one end is a list of IP addresses, domains, or email addresses that one entity believes are malicious. This alone is generally unhelpful because the receiver does not know the time frame or any relevant details needed to put the CTI to use. Sometimes there is added context about the associated intrusion set or campaign that can help prioritize whether this threat is relevant to us. Better, more sophisticated CTI describes malicious behavior. For instance, APT29, a known threat group, commonly uses legitimate credentials and PsExec to move around a network. That is specific knowledge that helps a defender know which attacker behavior to look for and the “so what” if it is discovered.
Information sharing is not free. It takes time and people to produce and distribute useful threat information, even if they do not charge money for a subscription to their CTI. CTI also takes human and machine resources to ingest, deploy, and monitor the information. More sharing costs more. A company might be worse off with more CTI if the costs outweigh the benefits. As a result, better security comes from using only high-quality CTI that is timely, accurate, and actionable. Finding the gold is difficult if one has to deal with the overload of lots and lots of garbage. Security teams should start by tracking how CTI contributes today to business and security goals.
Blocklists are an example of CTI. People either sell them or provide them for free, and it’s an easy way to block known-bad IP addresses, domains, or malware hashes. There are dozens of such lists. The problem is that research has shown that these lists are mostly distinct.31 To use blocklists effectively, we need to collect all the lists. Yes, like Pokémon, gotta catch ’em all. That requires time, space, and processing.
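A short Python illustration of the two points above (a bare indicator list carries no time frame, and separate blocklists overlap so little that they must be merged), added here and not taken from the book: the three feeds are constructed samples built from documentation-reserved addresses and example domains, and the 30-day expiry window is an assumed local policy, not a published standard.

```python
import csv
import io
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample feeds (documentation-reserved IPs, .example domains); each row: indicator,first_seen,last_seen
SAMPLE_FEEDS = {
    "A": "indicator,first_seen,last_seen\n"
         "192.0.2.10,2024-03-01,2024-03-20\n"
         "198.51.100.7,2024-01-05,2024-01-09\n"
         "bad-invoice.example,2024-03-18,2024-03-19\n",
    "B": "indicator,first_seen,last_seen\n"
         "203.0.113.44,2024-03-15,2024-03-21\n"
         "192.0.2.10,2024-03-19,2024-03-21\n",
    "C": "indicator,first_seen,last_seen\n"
         "198.51.100.7,2023-12-20,2024-01-02\n"
         "payroll-update.example,2024-03-21,2024-03-21\n",
}

def parse_feed(text):
    """Return {indicator: (first_seen, last_seen)} from one CSV feed."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["indicator"]: (datetime.fromisoformat(r["first_seen"]),
                             datetime.fromisoformat(r["last_seen"])) for r in rows}

def load_sample_feeds():
    return {name: parse_feed(text) for name, text in SAMPLE_FEEDS.items()}

def jaccard(a, b):
    """Share of indicators two feeds have in common (0.0 = fully distinct)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def pairwise_overlap(feeds):
    return {(x, y): jaccard(feeds[x], feeds[y]) for x, y in combinations(sorted(feeds), 2)}

def merge_feeds(feeds, now_iso, max_age_days=30):
    """Union all feeds, keep the widest sighting window and source set per indicator, drop stale ones."""
    merged = {}
    for name, entries in feeds.items():
        for ind, (first, last) in entries.items():
            f, l, sources = merged.get(ind, (first, last, set()))
            merged[ind] = (min(f, first), max(l, last), sources | {name})
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)  # assumed 30-day policy
    return {ind: v for ind, v in merged.items() if v[1] >= cutoff}

if __name__ == "__main__":
    feeds = load_sample_feeds()
    print(pairwise_overlap(feeds))
    print(sorted(merge_feeds(feeds, "2024-03-22")))
```

With these samples, every pair of lists overlaps by at most 25 percent, and the merge drops the indicator last seen in January while recording that two sources independently reported the same address.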
Finally, information sharing requires trust among participants. There is a common refrain that organizations do not share threat information because they fear revealing their system weaknesses and the sources and methods of how they learned the information. One positive and growing avenue for trusted sharing is nonprofit, sector-based Information Sharing and Analysis Centers (ISACs). For example, in the Financial Services ISAC, more than 7,000 members in 70-plus countries collaborate and share confidential threat intelligence.32
Focus on quality CTI that produces effective security outcomes for your environment. In 2022, Mandiant released a CTI Analyst Core Competencies Framework. Among the competencies was that “CTI analysts should be able to understand and evaluate outcomes for threat intelligence in terms of demonstrable value to the business.”33 This skill will help temper the temptation to share for its own sake. If used effectively, CTI can help security teams avoid the pitfall of not defending against known threats. Still, we should be cautious about continually adding threat feeds and CTI tools without a thoughtful strategy. In Chapter 10, “Tool Myths and Misconceptions,” we will discuss the pitfalls of applying too many tools. The volume of sharing should never be the end goal or measure of success. Continue to prioritize quality that leads to better outcomes.