Do Threat Exchanges Work?
Sharing intelligence on security threats is an old idea getting new cred, thanks to Facebook's new Threat Exchange. But how well do such exchanges work?
Facebook recently caught the attention of security professionals with the announcement of its new Threat Exchange, a special social networking platform (currently in beta) that allows companies to share information about security threats they have encountered so other companies can be better prepared to face those threats.
There's nothing new about the idea of sharing threat intelligence. National security and intelligence services share information with their counterparts in friendly countries all the time. And in the world of computer security, anti-virus companies have been proactive in turning customers' computers into sensors which collect information about malware they encounter and submit it for analysis so that other customers can be protected from the same malware in the future.
The concept of a more general IT security threat exchange is not new either. Microsoft announced its Interflow exchange in July of 2014, and other threat exchanges include AlienVault's Open Threat Exchange and the Health Information Trust Alliance (HITRUST) Cyber Threat XChange (CTX).
Harnessing the Intelligence
The big question is, do these threat exchanges work? Sharing information about threats is one thing, but does this sharing result in reducing your security risk by preventing your organization falling victim to viruses and other malware infections or more concerted attacks by hackers?
"The main problem with threat intelligence is that it can be difficult to use it effectively," said Ken Weston, senior security analyst at Oregon-based security company Tripwire. Before threat exchanges can be useful, you need a solid infrastructure that provides visibility into your network and log activity picked up by intrusion detection systems, he noted.
"Say you receive information about a particular file hash or malware. To use that, you need to know if you have seen it on your network. So you have to have good visibility on your network," he said. "The same is true with a malicious IP address. If you don't have IDS logs to see if you are under attack now, or have been in the past from that IP address, then the value of the intelligence you may receive is moot."
Information about malicious IP addresses is only useful to you if it is very up-to-date, he added, as an IP that is malicious today may be legitimate tomorrow. That's likely to be the case if a server is hijacked to be used in an attack, but is subsequently disinfected.
A more complex problem comes down to scale. The more members in an exchange contributing threat information, the more potentially useful it will be to you. But contributors are likely to possess differing degrees of sophistication, Weston pointed out.
Members of the exchange are useful to you if, for example, they are in a position to detect and accurately report the threats they encounter, but not if the information they supply is vague. Someone reporting an IP address as "suspicious" may cause more harm than good. "It doesn't seem to give enough info to make an informed decision - it just seems to cause panic," is a comment by a Spiceworks community poster in a discussion about AlienVault's Open Threat Exchange that sums up this problem.
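To make Weston's point about visibility and freshness concrete, and the "suspicious IP" problem above, here is a small added example (not code from the article or from any of the exchanges it names): shared indicators are filtered for age and context, then matched against IDS log lines. The indicator fields, the log format, the seven-day cut-off for IP indicators and all values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed indicators as an exchange might deliver them. "seen" is when the
# contributor last observed the indicator; "context" is why it was reported.
FAKE_HASH = "0123456789abcdef" * 4  # placeholder, not a real sample hash
INDICATORS = [
    {"type": "sha256", "value": FAKE_HASH, "seen": "2015-03-01T10:00:00",
     "context": "dropper attached to phishing mail"},
    {"type": "ip", "value": "203.0.113.7", "seen": "2015-03-02T08:00:00",
     "context": "command-and-control destination"},
    {"type": "ip", "value": "198.51.100.9", "seen": "2015-01-10T08:00:00",
     "context": "SSH scanning"},                      # weeks old
    {"type": "ip", "value": "192.0.2.44", "seen": "2015-03-02T09:00:00",
     "context": ""},                                  # "suspicious", no detail
]

# Constructed IDS / file-scan log lines: timestamp, event type, key=value fields.
LOGS = [
    "2015-03-02T11:02:13 conn src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2015-03-02T11:05:40 conn src=10.0.0.8 dst=198.51.100.9 dport=22",
    "2015-03-02T11:06:01 file host=10.0.0.5 sha256=" + FAKE_HASH,
    "2015-03-02T11:07:22 conn src=10.0.0.9 dst=192.0.2.44 dport=80",
]

def usable_indicators(indicators, now, ip_max_age=timedelta(days=7)):
    """Keep only actionable indicators: drop reports with no context, and drop
    IP indicators older than ip_max_age, since a hijacked host may be clean
    again tomorrow. File hashes do not decay the same way and are kept."""
    keep = []
    for ind in indicators:
        if not ind["context"].strip():
            continue
        age = now - datetime.fromisoformat(ind["seen"])
        if ind["type"] == "ip" and age > ip_max_age:
            continue
        keep.append(ind)
    return keep

def match_logs(indicators, logs):
    """Return (log line, indicator) pairs where a dst/src/sha256 field in a log
    line equals an indicator value. This is the 'have we seen it?' check that
    only works if the logs exist in the first place."""
    by_value = {ind["value"]: ind for ind in indicators}
    hits = []
    for line in logs:
        for field in line.split()[2:]:
            key, _, val = field.partition("=")
            if key in ("src", "dst", "sha256") and val in by_value:
                hits.append((line, by_value[val]))
    return hits
```

Run against the constructed data with a clock of 2015-03-02 12:00, the stale and the context-free IP are discarded before matching, so only the C2 connection and the hash sighting are raised.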
Question of Trust
Despite the potential benefit of having an exchange with many members, there's also the need to restrict membership to trusted organizations. That's because, given the chance, attackers can -- and do -- make use of security tools for their own purposes. A classic example of this is malware writers passing their code through anti-virus scanning services (like VirusTotal) to ensure their code is not detectable by anti-virus products.
In the same way, attackers who have access to threat intelligence services can find out when their attacks have been detected and modify them so they can continue to use them.
Security startup ThreatStream deals with this issue by thoroughly vetting participants in what CEO Hugh Njemanze calls "trust circles." In addition, organizations get to pick the members with whom they want to form circles and collaborate digitally on emerging threats. Members can belong to different circles and set specific levels of sharing for each.
"You might have 10 organizations in a circle. All the members know who the other members are, but the actual contributions are anonymous. This makes it practical for organizations to start sharing useful information," Njemanze said.
The size of such circles can be a problem, noted Dr. Anton Chuvakin, a security expert at Gartner. In a paper on information sharing he pointed out that: "Most sharing happens within trusted circles. In general, the broader that the circles of sharing become, the less trust that exists, and the range of information that is shared and the value that is received diminishes."
Nonetheless, there is evidence that threat exchanges are worthwhile and can help companies repel attackers, Chuvakin wrote. "They are most definitely useful because there are known examples where companies learned of new attack methods from others and then those same methods are used to attack them - and they were ready."
Ready to Respond
But he reiterated Ken Weston's point that the quality of the information they provide is only half the story. It's just as important that you are agile enough to respond quickly to the information you receive. "A threat exchange -- or a subscription with a commercial threat intelligence provider -- is not magic; you may receive good signals, but you still have to act on them," Chuvakin pointed out. "Can you rapidly change your security infrastructure and deploy new detection?"
He also believes that if you join a threat exchange you need to think carefully about the organizational changes you may need to make to derive the maximum benefit from it.
"In some cases, organizations should establish a new functional group to undertake and coordinate sharing efforts," he said in the report. "In other cases, an existing incident response or security operations center team can handle the function. Organizations should expand sharing efforts and relationships to involve supply chain partner organizations, customers and end-users."
Does Size Matter?
An interesting question is whether there is an optimum number of members for an exchange. An exchange of two members could have a high level of trust but might not be exposed to many threats. A huge exchange may just get bogged down in noise and false positives.
There are probably too few exchanges to come to any useful conclusions about size. In any case, Chuvakin believes that concentrating on size may be a red herring. "Frankly, the value of the exchange will be determined by the value and utility of signals - i.e. shared data - you receive and your ability to utilize them. This is the only direct measure -- all others (like size) are merely proxies."
Ultimately what that means is that while threat exchanges can certainly be useful, it's up to you to find one which offers the right combination of size, trust and expertise. In addition, it's a good idea to look for exchanges that allow you to connect with members in a similar geographic region and in an industry similar to yours (so they face threats that you are likely to face in the future).
It's impossible to know in advance which exchange offers the right combination of these traits to be helpful for your organization. All that can be said is that you'll recognize it if and when the threat information you receive starts to help you ward off viruses, malware and hacker attacks.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.