Why is Cyber Threat Intelligence Sharing Important?

The ever-accelerating flood of software vulnerabilities and innovative attack techniques leaves increasingly few organizations capable of defending themselves and safeguarding sensitive data in their care.

Information-sharing is a critical tool for network defenders because it allows them to avoid the missteps of their peers within the infosecurity community and to deploy proven defensive measures. Proactive information-sharing about attacks and defensive mitigations builds resilience across organizations participating within a given trust community, evolving herd immunity against attacks that others have seen within their own networks.

How we got here
Data breaches on the current scale are an emergent menace which organizations are still figuring out how to cope with. Breached organizations are constantly enhancing their cybersecurity posture, and alongside that, their Cyber Threat Intelligence (CTI) capabilities. Within this context, information-sharing forms one of the main pillars that will allow those organizations to better respond to the general cyber threat.

Over the last ten years, information-sharing has changed in a number of ways. For years, an incident response team, having detected an attack from, for example, a particular IP address, would share that information with other teams, allowing them to take the necessary actions to limit their own exposure. This sharing was done in an ad-hoc fashion, involving significant manual human intervention.

Over time it became obvious that such manual, error-prone processes were unsustainable. This awareness lead to the development of new tools for consuming CTI in the form of open standards such as STIX/TAXII 2 and automating threat mitigation workflows to facilitate greater resilience.

Current challenges for the community
In spite of the significant benefits of information-sharing, challenges remain. Legally, for instance, information-sharing is a problematic topic. Lawyers balk at the notion of their organization actively communicating that they have witnessed an attack or (even more problematic to general counsel) that they have been successfully breached.

The primary debates at present pertain to what is being shared, how, and with whom. The “what” question arises out of concerns around striking the right balance between effective network defense (including facilitating law enforcement actions against attackers), and respecting the confidentiality of dual-use PII that might be abused in certain contexts, but which is invaluable when used benevolently for the purpose of thwarting network attackers.

The “how” question reflects a diverse spectrum of expert opinion. Some in the community argue for a looser approach to defining de facto information exchange formats based on specific software tools. Others contend that more formalized interchange formats based on open standards will result in wider adoption, as well as more interoperability between various commercial and open-source network defense tools.

Finally, the “with whom” question centers on the ephemeral question of human trust. As information-sharing communities grow, we are transitioning from an older trust model based on direct personal relationships to one that is somewhat looser. When it’s no longer possible to have personal relationships with everyone in a sharing community, a certain amount of trust must be devolved to a central authority (for example, an ISAC that performs strong vetting of all new entrants), or to cryptographic trust chains which function similarly to how letters of introduction have traditionally served as a trust proxy.

The path forward
Current practice largely consists of sharing indicators of compromise (IOCs). As we mature as a community, next steps are sharing more context to inform better decision-making along with guidance on defensive courses of action. The end-game is automation of cybersecurity processes wherever feasible, freeing up the limited pool of human infosecurity talent for more creative tasks than, for example, setting firewall blocking rules.

Achieving this goal will require that products and tools be adapted to define standardized interfaces for triggering automated defensive measures based on incoming CTI.

A core part of FIRST’s mission as the global Forum of Incident Response and Security Teams is to provide a trusted community platform for sharing information. Toward this end, we are engaged in numerous standards-development efforts such as the Information Exchange Policy Framework (IEPF), Traffic Light Protocol (TLP), and the ongoing evolution of STIX/TAXII 2 (through our partnership with OASIS). These technical efforts, while necessary, are by themselves insufficient to advance the state of the art in information-sharing.

In order to achieve the promise of CTI, organizations must confront and overcome their hesitancy to share information by expanding and maturing their trust circles. We at FIRST are convinced that through these community efforts we can fundamentally alter the balance of power vis-à-vis malicious attackers and significantly reduce both the frequency and impact of data breaches.