Discover Performance: HP Software's community for IT leaders // October 2013
Improve security through shared intelligence
Hackers and cyber-criminals don’t work alone, and neither should you.
Adversaries today have upped their game. Motivated by criminal, sociopolitical, and financial forces, our enemies have specialized and organized around a marketplace that generates and shares intelligence and malicious capabilities with disturbing effectiveness.
Evolving security technologies can and do help mitigate the damage, but linear improvements alone will not be enough to stay ahead of the enemy. Instead, progressive organizations are taking a lesson from the adversary’s playbook and collaborating to compete more effectively against common enemies. Indeed, for many organizations, the time has come to embrace the adage “The enemy of my enemy is my friend.”
Sounding the alarm
The growing frequency of advanced, multi-target attacks is spurring the need for greater speed and accuracy in identifying, analyzing, and mitigating threats. Sharing threat intelligence is one of the most effective ways to prevent such attacks from spreading rapidly.
“Organized attacks are being executed faster, occurring within minutes rather than days,” says Tomas Sander, a researcher at HP Labs’ Security and Cloud Lab who helped develop the HP ThreatCentral initiative. “They’re attacking not just one target, but many targets at the same time. If several organizations are being hit with a similar attack, it makes a lot of sense to share information to stop the common threat.”
By exchanging security data in a timely manner with others, organizations can thwart attacks in three ways:
- Work collectively to identify and react to in-process attacks more quickly
- Help others avoid falling victim to attacks that they have already experienced
- Increase the pool of security intelligence available to recognize systematic attack patterns
Sharing made simple
While the value of sharing may be straightforward, security data itself is complex. Once an organization has made a strategic decision to join forces with other good guys, the difficulty lies in knowing what data to share and how to share it without introducing risk.
Examples of threat indicator data that organizations should focus on include:
- IP addresses associated with malicious or suspicious activity
- Descriptions of the activity for more context
- Types of attacks (e.g., phishing, DDoS, command and control server, etc.)
- Characteristics of attacks (e.g., the protocols used, packet length) to help distinguish attack traffic from benign traffic
- Known vulnerabilities that have been exploited
- Platforms impacted, where this information is not deemed overly sensitive
- URLs and domain names related to malware distribution
- File hashes of malicious files and attachments
- Descriptions of malware behaviors
- Email samples sent in spear phishing attempts, with confidential information redacted
- Geospatial information related to attacks
- Attacker identities, handles, and associations
Maximizing the benefits of shared intelligence requires more than simply feeding data into a system. Back-end analytics can help find needles in the haystack, and participants can collaborate when they spot anomalous activity.
“The idea is that other people in the community can build on one another’s work,” Sander says.
The necessity of innovation
The benefits of open collaboration are well known, but intelligence sharing to date has mostly taken the form of ad-hoc or manual sharing within small communities. These efforts, while surprisingly effective in some scenarios, suffer from a lack of automation, confidentiality, and control that keeps their overall impact on the threat landscape minimal. In short, here’s what’s been missing:
- Automation. Traditional means of sharing—including manual posts to web forums, email or text advisories, and so on—do not scale. Some security teams report having turned off threat feeds because they provided too much information to digest. To date, enterprises have lacked a practical means of sharing security data without expensive manual intervention.
- Confidentiality. Organizations require confidentiality to prevent damage to reputation that could occur from being identified as an attack target.
- Control. Sharing can be a double-edged sword: the more information that organizations make public, the more they equip adversaries with counter-intelligence to evade detection.
To address concerns around confidentiality, the security research community has relied on industry-specific threat exchange consortia such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and more than a dozen other industry-specific ISACs.
Such groups ultimately ensure that threat intelligence is shared in a secure and confidential manner by limiting participation to invited member organizations or thoroughly vetted applicants. But such efforts do not scale and require substantial resource investment from participants.
The ThreatCentral initiative
The HP ThreatCentral initiative reduces the amount of manual effort involved in sharing. Using automation, this type of exchange not only brings scale to intelligence sharing, but also improves confidentiality and control by enabling organizations to define, enforce, and audit against policies that govern what is shared and with whom.
“We need to be very careful that we distribute information in a policy-driven way among communities of interest,” Sander says. “You might build trust by creating different levels of membership. If financial companies are comfortable sharing some intelligence only with other large banks and not with everybody in the finance industry, we need to provide for that within the exchange environment.”
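As an added example (not part of the original article and not HP ThreatCentral code), the following Python sketch models the policy-driven release Sander describes, applied to an indicator record built from the data types listed under "Sharing made simple". Each field carries a distribution label; a member receives only the fields its sector and trust-group membership qualify it for; unlabelled fields are withheld rather than leaked by default; an email sample is redacted before it leaves the source; and every per-field decision is written to an audit trail. The tier names, member names, indicator values and the redaction rule are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Distribution tiers, broadest first (constructed names, not a standard):
#   community - every member of the exchange
#   sector    - members in the same industry as the source
#   trusted   - only members of the closed group the source names
TIERS = ("community", "sector", "trusted")


@dataclass
class Member:
    name: str
    sector: str
    trust_groups: List[str] = field(default_factory=list)


@dataclass
class Indicator:
    source_sector: str
    trust_group: str               # closed circle the source trusts, e.g. "large-banks"
    fields: Dict[str, object]      # field name -> value
    labels: Dict[str, str]         # field name -> distribution tier


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_email_sample(text: str) -> str:
    """Strip addresses from a phishing sample before it is released."""
    return EMAIL_RE.sub("[redacted-address]", text)


def qualifies(member: Member, indicator: Indicator, tier: str) -> bool:
    """Does this member meet the tier required for a field of this indicator?"""
    if tier == "community":
        return True
    if tier == "sector":
        return member.sector == indicator.source_sector
    if tier == "trusted":
        return indicator.trust_group in member.trust_groups
    raise ValueError(f"unknown tier {tier!r}")


def release(indicator: Indicator, member: Member, audit: List[dict]) -> Dict[str, object]:
    """Return the view of `indicator` that policy permits `member` to receive,
    appending one audit entry per field decision. Unlabelled fields are withheld."""
    shared: Dict[str, object] = {}
    for name, value in indicator.fields.items():
        tier: Optional[str] = indicator.labels.get(name)
        allowed = tier is not None and qualifies(member, indicator, tier)
        audit.append({"member": member.name, "field": name,
                      "tier": tier or "unlabelled", "released": allowed})
        if allowed:
            if name == "email_sample":
                value = redact_email_sample(str(value))
            shared[name] = value
    return shared


# Constructed sample indicator from a fictional bank; the IP is from the
# TEST-NET-3 documentation range and the hash is an obvious placeholder.
SAMPLE = Indicator(
    source_sector="finance",
    trust_group="large-banks",
    fields={
        "ip_address": "203.0.113.45",
        "attack_type": "phishing",
        "protocol": "HTTPS",
        "malware_hash": "sha256:" + "0" * 64,
        "email_sample": "From: payroll@example.com Subject: Action required, confirm your login",
        "platforms_impacted": "internal web portal v1.2",
        "victim_name": "Example Bank",   # deliberately unlabelled -> never released
    },
    labels={
        "ip_address": "community",
        "attack_type": "community",
        "protocol": "community",
        "malware_hash": "community",
        "email_sample": "sector",
        "platforms_impacted": "trusted",
    },
)

MEMBERS = [
    Member("Regional Credit Union", sector="finance"),
    Member("Big Bank", sector="finance", trust_groups=["large-banks"]),
    Member("Utility Co", sector="energy"),
]


def views_for(members: List[Member] = MEMBERS,
              indicator: Indicator = SAMPLE) -> Tuple[Dict[str, Dict[str, object]], List[dict]]:
    """Compute each member's permitted view and the combined audit trail."""
    audit: List[dict] = []
    views = {m.name: release(indicator, m, audit) for m in members}
    return views, audit


if __name__ == "__main__":
    views, audit = views_for()
    for name, view in views.items():
        print(name, "->", sorted(view))
    print(sum(e["released"] for e in audit), "of", len(audit), "field decisions released")
```

Running it shows the energy-sector member receiving only the community-tier indicators (address, attack type, protocol, hash), the credit union additionally receiving the redacted email sample, and only the large-bank member receiving the impacted-platform detail; the victim's name never leaves the source because it carries no label. The audit list is what would let the sharing organization later prove what was released to whom, the control the article says earlier ad-hoc sharing lacked.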
In today’s sophisticated threat landscape, adversaries are working better together. By sharing threat intelligence, the good guys will begin doing the same.
HP’s ThreatCentral will roll out in coming months. To stay current on this and other threat research, visit HP Security Research.