Can Sharing Threat Intelligence Prevent Cyberattacks?
The Obama administration and some in the private sector believe sharing threat information can help thwart cyberattacks. But not everyone is convinced.
The breach of the Office of Personnel Management that compromised the personnel records of an estimated 22 million people again raised the issue of sharing threat information in an attempt to better thwart cyberattacks.
Government and business hope that sharing of threat intelligence will offer another way to defend against hackers.
Earlier in the year President Obama signed an Executive Order to encourage the sharing of cybersecurity threat information within the private sector and between the private sector and government, arguing that rapid information sharing enables organizations to band together to fight cyberthreats.
While the sharing strategy has strong proponents, others believe sharing threat intelligence does nothing to protect against the next attack because hackers will quickly move on to new cyberthreat strategies, abandoning those about which information is being shared.
Obama's Executive Order and threat sharing collaborations are just getting started.
Early Days for Sharing Threat Intelligence
"We're probably a little behind where we should be because companies don't want to talk about what is happening," said Mark Shelhart, senior manager of the incident response and forensics practice at Sikich, pointing out that even government agencies and the Secret Service don’t always share their information.
The FBI and large metro areas all offer threat intelligence sharing opportunities, but these information sharing capabilities are largely unknown because they are poorly marketed, he said.
Such threat information sharing is necessary just to level the playing field with hackers, said Paul Kurtz, CEO and co-founder of TruSTAR Technology. "The bad guys are working together quite effectively. They have 800 sites exchanging code."
"The cyber criminal element is larger than the drug trade," agreed Chris Pogue, senior vice president of cyber threat analysis for Nuix, citing a Ponemon Institute statistic that cybercrime has become a $3 trillion industry.
Yet companies tend to share information to combat hackers only on an ad hoc basis, Kurtz said.
Threat Sharing Coalition
The most ambitious threat sharing concept is the Coalition for Open Security, a division of the Society for Information Management (SIM), which is still working out details about how it will operate, said Madeline Weiss, director of SIM's advanced practices council.
The coalition already counts CIOs from BP, Pfizer and Allstate among its members.
Weiss emphasized that any coalition needs to be a direct forum operated by the private sector, not the government, and that information has to be shared across the group.
Though the organization needs to be operated by the private sector, it also needs government assurance that information can be shared anonymously without the fear of the government being able to force disclosure of information sources, Weiss said. To that end, group members are encouraging various legislators to pass laws that will ensure that anonymously shared information will remain anonymous.
Beyond the meetings with legislators, the coalition's next steps are to:
- Identify a leadership board to coordinate the efforts of the coalition
- Establish a core team to lead this effort
- Identify and solicit broader participation
- Establish a cadence of regular meetings
Threat Sharing Startups
Beyond the coalition, the need for sharing of threat information is giving birth to private firms dedicated to this purpose.
TruSTAR, for example, provides a global anonymous cyber incident sharing platform for enterprises.
"Even if the government came to me demanding the source of some of the [shared] information, I couldn’t tell them because I literally don't know," Kurtz said.
According to Kurtz, the company's platform enables firms to upload threat information in as little as 15 seconds. A "deja vu" feature enables TruSTAR customers to immediately see if an incident like the one they are reporting has been reported before.
Another threat-sharing start-up, ThreatStream, also automates the sharing of data. The company is focusing its growth efforts on recruiting Fortune 500 companies, said Colby DeRodeff, ThreatStream chief strategy officer.
"The good news is that a lot of organizations are considering sharing threat information for the first time," DeRodeff added. But for threat information sharing to truly take off, there will need to be legal protections for the sharers, he said.
Threat sharing proponents like DeRodeff are hopeful that information sharing will eventually lead to predictive analytics that will help combat future attacks.
'Not a Silver Bullet'
Not all agree that threat sharing is an effective strategy for fighting cyberattacks. Jeff Williams, CTO and co-founder of Contrast Security, thinks the sharing idea is much better in theory than it is in actual practice.
"Most of these attacks are targeted; they are not broad spectrum attacks," he said. "Threat sharing has not been effective in the past and it won’t be in the future. The administration seems to be real focused on that. That's putting a lot of eggs in one basket. It's unlikely that it's going to work. It's not a silver bullet."
Instead of spending time on information sharing, Williams recommends focusing on building better defensive technologies, saying that application infrastructures often have as many as two dozen serious vulnerabilities. "Of course you're going to get breached," he said.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.