During the opening montage of every Law and Order episode is the statement (by now probably burned into all our collective consciousness): “In the criminal justice systems there are two separate yet equally important groups, the police who investigate crimes and the district attorney who prosecutes the offenders. These are their stories.” What is typically left out of both the TV show and the real life criminal justice system is any discussion of what happens before the crime takes place. In some ways, that is intentional.
Historically, the government has had very little role in crime prevention or even anticipation. Aside from petty crime arrests under the “broken window theory” and a few investigations targeting organized crime, little is done to predict when a crime is to occur. Part of the reason for that is that actively investigating, prosecuting, and penalizing offenders is presumed to deter others and therefore serves a sort of crime prevention. That has partly changed as the terrorist threat has increased because deterrence tends to be less effective, particularly when some are willing to give up their lives for the cause. However, those efforts are understandably focused on potential attacks where loss of lives is likely. By contrast, governments have always spent significant resources on gathering intelligence on potential attacks from other nation states. In fact, that is one of the primary purposes of our intelligence community. However, despite the billions being spent, there are only so many resources available. Despite their offers of assistance, government agencies simply do not have the resources to anticipate every crime, particularly cybercrimes, and they never will.
Consequently, we in the cybersecurity community are left to figure out what kind of data we can collect and what to do with it. For centuries, the first piece of security threat intelligence has always been vulnerabilities as researchers (and those with less than pure motives) demonstrated weaknesses in walls, locks, moats, firewalls, encryption algorithms, and various other controls. Today, the vast majority of what is labeled as threat intelligence are reports from vulnerability researchers and product vendors highlighting weaknesses in hardware and software. However, under typical definitions of risk, there are three components: threats, vulnerabilities, and impacts. Something cannot be both a threat and a vulnerability. Admittedly, evidence that an exploit has been developed based on such a vulnerability would likely be a threat, particularly if the exploit was in the hands of someone with malicious intent. But with the exception of vulnerability reports that note that exploits of the vulnerability have been seen “in the wild,” we rarely get much real threat data.
What little we do get beyond vulnerability data tends to fall in a few different categories. The first category is what the intelligence community would call chatter; which is usually very vague and broadly applicable indicators that someone is about to do harm. It may be as simple as an increase in activity on hacker message boards. At best, it offers warnings to particular industries to heighten their vigilance. As these warnings increase in frequency, their value becomes negligible, as no actual actions are called for. Another category includes reports of actual cybersecurity incidents either through the media or more restricted communication channels. If details of the attack, such as source addresses or malware signature, are provided, organizations can benefit from the information and respond appropriately. Unfortunately, incident investigations are often limited to containing and eradicating the threat and recovering the systems affected. Moreover, any useful threat data collected is usually reported too late to be actionable by others. A third category includes more detailed information from private hacker chat rooms and Internet Relay Chat (IRC) channels as well as data from the so-called “dark web,” which are often sites accessible via Tor and related tools. Law enforcement, intelligence agencies, and various private companies selling threat data routinely troll these resources for actionable information. However, law enforcement and intelligence agencies have limited budgets and other priorities. And companies in the threat collection and dissemination industry have business model problems. As things stand, it’s hard to make much money selling threat data. Much of what is sold are often glorified clippings services that aggregate and then summarize publicly available information. The truly useful, timely, and actionable data requires a lot more effort and expertise to gather. As a result, we’re seeing a proliferation of products labeled as threat analysis platforms being offered as a service or as licensed software. The threat data is often offered as an added bonus, often with dubious value. Unfortunately, many of these companies are struggling to demonstrate value to customers who are still trying to understand why they need these products that sound a lot like the Security Information and Event Management (SIEM) platforms they’ve already spent hundreds of thousands of dollars on.
But, just because the state of cybersecurity threat intelligence remains stuck in neutral, that doesn’t mean it has to stay that way. Despite being insufficient, the development of infrastructures for sharing this threat data, such as the Structured Threat Information Expression (STIX) markup language and the Trusted Automated Exchange of Indicator Information (TAXII) protocols for communicating between threat repositories is a good step forward. Soltra, the joint venture between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust Clearing Corporation (DTCC) dedicated to the free dissemination of its Soltra Edge platform to propagate a STIX/TAXII-based information sharing framework, is also a good first step. Additionally, organizations should consider other actions, such as:
- Implementation of a STIX/TAXII-based threat intelligence repository, such as Soltra Edge, that is synchronized with partners, peers, ISACs, government agencies and other entities
- Deployment of an integrated asset and vulnerability management system that exchanges data with a SIEM, threat analytics platforms, and threat intelligence repositories
- For organizations unable to deploy the above, engage a managed security services provider who can offer these services
- Actively solicit threat data, include incident details, from partners and industry peers on a formal and informal basis with an emphasis on actionable and machine readable data