Conspiracy of Silence: Threat of the Week
A poll of some 700 IT security professionals in the private sector and government delivered a head butt of a frightening conclusion: Threat intelligence sharing could have prevented recent cyberattacks.
“The participants overwhelmingly answered that exchanging threat intelligence could have prevented recent cyberattacks, and the traditional ways of sharing threat intelligence are insufficient,” elaborated the Ponemon Institute, a research company in Traverse City, Mich.
Some 71% of respondents said there had to be a better way to share intelligence than what prevails today.
Sixty-nine percent said threat intelligence goes stale in a matter of minutes, but typically, “more than half said they receive information in increments of days, weeks or even months,” Ponemon reported.
The bottom line is that America is under attack by well-organized, highly professional cyber criminals — think of the Target, Michaels and Neiman Marcus breaches. And there is growing recognition that faster, more pervasive sharing of threat intelligence might help prevent, or at least better contain, future attacks.
But a combination of institutional shyness and worries about legal liabilities is constraining the willingness of well-informed organizations to reveal the extent of their knowledge.
The gasoline on this particular fire comes from the apparent fact that the rash of recent credit card data breaches seems, to the limited extent that information has been divulged, to have common elements. That leads to the belief that, just maybe, if information had been divulged quickly enough, some of the breaches might have been avoided or stopped sooner.
Experts contacted by CU Times stressed that in financial services, some useful sharing of threat intelligence already occurs through groups such as FS-ISAC and BITS, the technology arm of the Financial Services Roundtable. However, they also acknowledged that those organizations skew towards the largest financial institutions, and it is unclear what, if any, benefits accrue to the vast majority of credit unions.
One expert indicated that with the sector’s fragmentation — evidenced by some 6,500 credit unions, for example — the sheer numbers present hurdles to fast and accurate information dissemination.
More specifically, Lars Harvey, CEO of IID, an Internet intelligence sharing company based in Tacoma, Wash., and the sponsor of the Ponemon study, said in an interview, “the bad guys share information more readily than we do.”
He pointed to active criminal online underground forums where best practices are routinely shared.
That is much rarer among the white hats, Harvey said.
“The survey revealed two major things that get in the way of sharing,” he said. “The lack of an efficient mechanism, and … the inability to scale trusted relationships. Information exchange tends to be based today on personal relationships.”
“There is significant sharing on a person to person basis,” agreed Ori Eisen, chief innovation officer at Scottsdale, Ariz.-based TrustInsight, which aims to use intelligence to better authenticate devices and thus reduce online fraud.
That is, chief security officers and chief information officers develop friendships, via industry events, and they may share, informally and perhaps swiftly, within that small group.
But when it comes to broadcasting intelligence, not so fast.
That reluctance arises, Eisen said, “because they don’t want to expose themselves to regulators, and they also do not want to violate customer privacy.”
Both, Eisen said, are understandable reasons for staying mum despite growing agreement that sharing intelligence will lead to greater successes in the ongoing wars on cyber criminals.
Dave Jevans, chief technology officer at Marble Security in Sunnyvale, Calif., offered a concrete example of where sharing intel would bump into serious obstacles.
“As an example, many phishing and malware logs include customer data. Sharing that would be a serious violation in today's environment,” he said.
And yet the only real way to illustrate what is happening in a phishing campaign, in useful detail, is precisely to share the log.
Mark Stanislav, security evangelist at Duo Security, an Ann Arbor, Mich.-based multifactor authentication developer, added that it will rarely make your company look better to make public announcements about security lapses.
But those who believe sharing will lead to reduced theft have not given up.
Harvey said there are active pushes inside the Beltway, in Congress and with appropriate regulators, to create safe harbors for organizations that want to share threat intel with peers.
Will the federal government sign on? And will more organizations play?
Nobody really knows. But experts agree today’s cone of silence mainly benefits the crooks.