Secretive industry groups share best cyberthreat intel, experts say

Some of the most valuable threat intelligence — containing the detailed activities of specific hackers, early indicators of compromise and the understood impact of cyberattacks — is closely held and shared amongst a series of exclusive private sector groups, explained Marcus Sachs, senior vice president and chief security officer of the North American Electric Reliability Corporation. 

“We have these kind of private trust groups, sort of like fight clubs; you know, the kind that you know you’re in but you don’t tell anybody you’re in. Where you need to be vetted by two or three other fighters before you’re allowed into the club. And if you screw up, then those that vetted you are also out of the club,” Sachs said Tuesday during a panel discussion at a cybersecurity conference in Washington, D.C., hosted by cybersecurity firm Cognitio.

Simply put, the single greatest barrier to sharing cyberthreat intel — either with the government or another private entity — is trust, according to experts including Defense Intelligence Officer for Cyber at the Defense Intelligence Agency Ron Carback and George Washington University Associate Professor and Director of the Cybersecurity Program Scott White.

Raw cyberthreat intelligence reports tend to be sensitive because they may contain infected customer files or information gathered via proprietary intel feeds.

At a basic level, in the private sector, a sort of classification rubric known as the traffic light protocol, or TLP, helps characterize the sensitivity of data shared between partners in the private sphere. TLP determines to what extent cyber-intelligence can be shared and how confidential it must remain within any given group. TLP also makes it clear that whoever shares the original intel must designate its classification level of for the larger group. 

In these private intel sharing environments — beyond the scope of more mainstream, corporate information sharing and analysis centers, or ISACs — trust can take years to build but disappear in a matter of minutes if confidence waivers, Aaron Staryak, an associate director of security intelligence at K&L Gates LLP.

“We often seek threat intelligence reports from the federal government but by the time we have received it, and because the indicators of compromise change so quickly, it is not as effective as we want it to be,” said Staryak, “Usually by the time I get it from the FBI, I have already gotten it from another source.”

Though some may assume that the U.S. government’s intelligence, defense and law enforcement communities boast the high quality cyberthreat intel available, it is the private sector that typically discover, disseminates and leverages this intel fastest, cybersecurity experts on the conference panel said.

“Often the federal government is limited [to share such data] due to classifications or law enforcement sensitivities. And so we have this gap where often times the private sector wants to share very quickly, while the governments wants to but can’t … that’s the gap we have to address,” said Sachs.

In the past, FBI Director James Comey has repeatedly noted that a vast majority of the Bureau’s private sector partners avoid law enforcement when they face an intrusion. Similarly, trust is a key element in establishing any positive, working relationship in these scenarios, Comey described during a keynote speech at Symantec’s Government Symposium conference in August.

It appears, at least perhaps for the moment, that a sense of trust may be greatest in cyberspace among small, select groups of American technology companies, who actively share intel based on personal relationships, insiders said.