You know what’s worse than trying to share cybersecurity information? Writing about it.
Everyone has read over and over again about how important information sharing is for cybersecurity. The idea is certainly not new. It’s definitely not cool. It’s also hard. No one has completely nailed it even after talking about it for decades.
Why is information sharing so hard and why are we still working on it? We’ve identified plenty of barriers and worked to address them. In many cases, we’ve addressed them quite well. For example, information sharing is tough from a technical perspective because the volume and speed of data continues to increase. So the community developed standards like STIX (Structured Threat Information eXchange) as a common language to share indicators and context at machine speed, TAXII (Trusted Automated eXchange of Intelligence Information) to provide a protocol for the transfer of information, and MITRE’s ATT&CK framework for analysts to discuss adversary tactics and techniques using the same baseline. From a legal perspective, organizations were worried about sharing potentially embarrassing or sensitive information with the government or each other, so legislation was passed and policy was developed to define acceptable sharing, provide liability protections under certain circumstances, and recognize dedicated sharing organizations and standards in nearly every industry.
Even with all of that hard work, it’s clear that there are still limitations. Private sector entities don’t always share, whether it’s with the government or each other. The government is sharing regularly, but the private sector is rarely impressed by what they get. What’s going on? Is anyone doing it right?
Within the private sector cybersecurity community, the Cyber Threat Alliance (CTA) is an example of an organization where information sharing is working. CTA was first established as an informal community of cybersecurity vendors in 2014 and then as a non-profit in 2017 to regularly share indicators of compromise, context, analysis, and detailed reports through both automated and human-to-human means. CTA members routinely share more than 3.5 million indicators of compromise and their associated context per month, turn this shared information into protections for their customers, and deploy those protections worldwide in a matter of minutes. Protections are often in place before the activity is publicized and before actors realize their activity has been discovered.
This near-simultaneous deployment of security solutions protects a larger part of the ecosystem than what any single cybersecurity vendor could do on its own, leading to an increased effect on the adversary. CTA members also share sensitive finished threat intelligence reports and blogs with each other before they are published publicly. This early sharing gives members a chance to research and track threat actors more effectively, providing a chance to disrupt threat actors more systematically.
CTA’s information sharing isn’t perfect – members don’t share everything with each other, and sharing of some details, such as victim information, is actively discouraged – but it’s moving the ball forward.
What have we learned?
From a technical perspective, CTA takes full advantage of the innovations that automate threat intelligence sharing, such as STIX 2.0. Members are encouraged to provide ATT&CK techniques and other important context with their submissions so that members have the information they need to protect their customers. CTA benefits greatly from the protections of the Cybersecurity Information Sharing Act of 2015 (aka, “The OG CISA”) and other policy that guides information sharing.
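To make the “indicators plus context” idea concrete, here is an added example (not CTA’s code or platform logic) that builds a minimal STIX 2.0 submission in which an indicator is tied to a MITRE ATT&CK technique through an `indicates` relationship, and then checks that every indicator in a bundle carries that context. The sample pattern, the helper names and the check rules are assumptions for illustration; T1566 (Phishing) is a real ATT&CK technique ID.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.0 puts spec_version on the bundle; indicators must carry labels,
# pattern and valid_from. Timestamps use the STIX millisecond UTC format.
def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_submission(pattern, technique_id, technique_name):
    """Constructed sample: indicator -> indicates -> attack-pattern (ATT&CK)."""
    ts = _now()
    ind_id = "indicator--" + str(uuid.uuid4())
    ap_id = "attack-pattern--" + str(uuid.uuid4())
    return {
        "type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
        "spec_version": "2.0",
        "objects": [
            {"type": "indicator", "id": ind_id, "created": ts, "modified": ts,
             "labels": ["malicious-activity"], "pattern": pattern, "valid_from": ts},
            {"type": "attack-pattern", "id": ap_id, "created": ts, "modified": ts,
             "name": technique_name,
             "external_references": [{"source_name": "mitre-attack",
                                      "external_id": technique_id}]},
            {"type": "relationship", "id": "relationship--" + str(uuid.uuid4()),
             "created": ts, "modified": ts, "relationship_type": "indicates",
             "source_ref": ind_id, "target_ref": ap_id},
        ],
    }

def attack_techniques(bundle):
    """Map each indicator id to the set of ATT&CK IDs it is linked to."""
    objs = {o["id"]: o for o in bundle["objects"]}
    linked = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "indicates":
            continue
        for ref in objs.get(o["target_ref"], {}).get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                linked.setdefault(o["source_ref"], set()).add(ref["external_id"])
    return linked

def check_context(bundle):
    """Return a list of problems; an empty list means every indicator has context."""
    problems = []
    if bundle.get("spec_version") != "2.0":
        problems.append("bundle is not STIX 2.0")
    linked = attack_techniques(bundle)
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        for field in ("labels", "pattern", "valid_from"):
            if field not in o:
                problems.append(f"{o['id']} missing required field {field}")
        if o["id"] not in linked:
            problems.append(f"{o['id']} has no ATT&CK technique attached")
    return problems
```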
Additional keys to CTA’s success have been the establishment of business rules and principles to enable a sense of equity and trust among the members. CTA goes a step beyond most information sharing organizations and requires members to share a certain level of threat intelligence on a regular basis to gain access to all of the available information. Submissions are scored according to an algorithm that incentivizes the timely sharing of information and the context necessary to enrich it. Contributions are tagged to the submitter, so members must stand by the information they share. Finally, members know that the information they share will be used by their peers to protect their customers. Members understand that sharing is equitable across the membership and there are no free rides.
In many ways, these rules have led to the most important element of CTA’s success: a community of trust. If people don’t fundamentally trust each other to use information appropriately, they will not share because they don’t believe others will handle the information competently. The fear of legal or reputational risk will inhibit sharing.
CTA provides opportunities for members to build trust. Members meet regularly and get to know one another, engage in friendly debates, and display their capabilities and competence. They know each other on a personal basis and understand their skill levels. As trust among CTA members developed, a process we refer to as our “early sharing program” took off. Under this process, members share pre-publication versions of blogs or research papers, usually 24 to 72 hours in advance. Since May 2018, over 215 reports and blogs have gone through this process. Members trust that everyone will keep the information private until release and will not scoop their reports – in fact, the opposite usually happens as members build on one another’s research and assist in publication. Trust between members provides opportunities to collaborate in various ways, such as the development of joint reports, threat assessments, and planning around events that are likely to be targeted by malicious cyber activity. CTA’s shared information and trust community leads to operational collaboration with the common goal of improving cybersecurity for all.
Information sharing is never as easy as we want it to be. You can’t flip a switch to activate the flow of information through the pipes across various sectors and communities and watch malicious cyber activity go away on its own. While it’s not perfect, CTA has provided a model that can be followed by both the government and the private sector. We have to leverage the already available technologies and frameworks for automated sharing while identifying new areas for innovation. We must continue to establish proper legal and policy frameworks to provide protections and standards for information sharing. Organizations should build the right business rules for their community to ensure equitable sharing of contextual information. Perhaps most importantly, we must actively build trust among the members of the community where information will be shared and acted on appropriately with the right protections. None of this is easy and it requires time and hard work. A good place to start is by coming together to find common ground and collaboration opportunities. So let’s get to it.
Neil Jenkins is the Chief Analytic Officer at the Cyber Threat Alliance. Neil leads the CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.