2016 was a banner year for data breaches, including the high-profile hacks of the Democratic National Committee (DNC), Yahoo, and the National Security Agency (NSA). The following year was no better, with the WannaCry and Petya ransomware outbreaks grabbing headlines and wreaking havoc. Already this year, the U.S. power grid and other infrastructure have reportedly been breached while cyber attacks hobbled the city of Atlanta and sent aircraft giant Boeing Co. scrambling.
With the sheer volume of incidents and the sophistication of threats on the rise, it’s increasingly difficult for any single organization, regardless of size, to defend itself adequately. As a result, a growing number of organizations are adopting an alternative approach to cyber security: collectively sharing intelligence and best practices in order to build a more effective defensive posture.
“No single company or no single enterprise has the whole picture—they’re only seeing a piece of the puzzle,” says Brian Witten, senior director of engineering for Symantec.
Witten points to the Dragonfly series of attacks on the global energy sector as a prime example of how collective threat intelligence can uncover patterns that might fly under the radar screen of individual enterprise efforts. Symantec, collaborating with others, was able to determine that the initial Dragonfly phishing attacks were not aimed at any specific individual target, but rather were part of a collective force to disrupt the entire energy supply chain and ecosystem. “The companies that felt like targets were just stepping stones or staging targets, but not one of those companies individually could have seen that by themselves,” he explains. “Putting the whole picture together—that’s how a community paints a bigger picture.”
A Changing Landscape
The ability to see the forest for the trees is crucial given the nature of today’s threat landscape. According to Michael Daniel, president and CEO of the Cyber Threat Alliance, an independent organization that fosters the sharing of advanced threat data through a platform aimed at cyber security and technology vendors, the dangers have evolved in three ways. First, the landscape is now far broader and more diverse, driven by the rush to connect an explosion of heterogeneous devices to the Internet—by industry estimates, an anticipated 30 billion by 2020.
“It’s the only environment I know of where there is more of it on a daily basis,” Daniel explains. “Cyber space is also becoming more varied—we’ve gone from wired desktops to laptops to mobile devices, and now it’s on to cars, Fitbits, light bulbs, and refrigerators. They are all slightly different and everything is communicating with each other.”
At the same time, Daniel says the threat landscape has become more dangerous. Instead of bad actors looking to be disruptive or steal identity data for profit, recent activity is more nefarious, he says, aimed at disrupting infrastructure like street lights and power grids or taking down key business processes like stock market trading. There’s also an expanding roster of bad guys that have discovered cyber space is a fabulous place to make money, including nation states, which raises the stakes even higher.
“It’s become far more disruptive—things that used to be minor annoyances are now potentially existential for an organization or country,” Daniel says. “The only way to tackle this problem is to take a more collaborative approach.”
Collaboration can happen on multiple levels. Cyber security technology providers, along with cloud and Internet service providers and telecommunications giants, should be actively sharing technical data on threat intelligence—which is where the CTA sharing model comes into play.
Members, which include Symantec, are required to upload threat intelligence daily to a shared platform, where it is scored to keep members in good standing. Daniel says that collective intelligence helped facilitate the response to the WannaCry outbreak, ruling out email as an attack vector early on so companies could shift their focus to exploring alternative sources.
There’s also plenty that organizations can do to foster threat intelligence sharing at the enterprise level. Information Sharing and Analysis Centers (ISACs), non-profit organizations that serve as clearinghouses of information on cyber threats, are an invaluable resource for collective threat intelligence and security best practices, and they are well established for vertical industries from financial services to automotive.
Other global consortia have formed to combat the cyber threat in specific industries, including one recently announced in the financial technology industry that is being led by the World Economic Forum.
Managed security services are another way enterprises can benefit from a global network that curates threat intelligence on hundreds of thousands of adversaries worldwide. When engaging with such a service or a security technology provider, organizations should align with firms that leverage technology like artificial intelligence to provide contextual insights into potential threats and that perform monitoring on a 24x7 basis to address vulnerabilities in real time.
“No single enterprise can have the whole picture by themselves, but they’re not alone,” Symantec’s Witten says. “There are lots of ways companies can partner to get that bigger picture.”