Formation of the Cyber Threat Intelligence Integration Center
Today’s White House Summit on Cybersecurity is the climax of a momentous eight-day span during which we witnessed the largest ever cyber attack on a healthcare company and the creation of a new government agency.
The formation of the Cyber Threat Intelligence Integration Center (CTIIC) certainly legitimizes the urgent need to create modern, more-agile intelligence sharing solutions and best practices to combat cybercrime. More importantly, CTIIC’s creation is an important step forward in promoting the collaboration among Federal agencies that have disparate cyber missions and capabilities; the creation of more comprehensive finished intelligence; and the real time dissemination of actionable indicators of compromise (IOC) as a key defense against today’s threats.
Chief executives of Apple, American Express, Visa and the like gathered for the White House Summit to discuss information sharing. We heard Kenneth Chenault, Chairman and CEO of American Express, talk about information sharing as the most cost-effective way with the greatest impact on reducing cyberthreats. This sentiment was echoed by Bernard Tyson of Kaiser Permanente and ultimately named a guiding principle for meeting the challenge of our digital age by the President in his address.
Information sharing should be on the minds of all CIOs, CISOs and security professionals: what does it mean for those of us who face a constant yet ever changing threat matrix each and every day? And, more importantly, what can we do about it?
Redefine “information sharing”
Information sharing among security professionals is traditionally informal and anecdotal at best. Peers reach out or meet in person for advice on a quarterly, monthly or ad hoc basis and trade information on notable incidents and perceived threats. Unfortunately, this approach is no longer viable, and “information sharing” must be redefined.
Modernized information sharing can be broken into three ongoing actions:
- Collecting real-time indicators of compromise (IOC) from multiple sources in standard machine-readable formats.
- Sharing this intelligence programmatically without the need for human interaction.
- Using these IOCs to hunt and remediate threats in true real time, even in the largest of global networks.
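The three actions above, as an added worked example that is not part of the original post: it pulls indicators from two constructed feeds, merges and deduplicates them, drops indicators older than a configurable age (the "days, weeks or months old" problem the next paragraph raises), and sweeps constructed endpoint telemetry for matches. The feed layout, the telemetry schema, and the field names are assumptions chosen for illustration; real sources use STIX/TAXII, CSV or vendor-specific formats and need a per-source adapter in place of the `json.loads` call.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feeds in a simplified JSON layout (an assumption for
# illustration; real feeds use STIX/TAXII, CSV or vendor-specific formats).
# The two feeds deliberately overlap on one domain with different casing.
FEED_A = json.dumps({
    "source": "feed-a",
    "indicators": [
        {"type": "sha256", "value": "AA" * 32, "first_seen": "2015-02-10T00:00:00Z"},
        {"type": "domain", "value": "Update-Check.Example", "first_seen": "2015-02-12T00:00:00Z"},
        {"type": "ipv4", "value": "203.0.113.7", "first_seen": "2014-11-01T00:00:00Z"},
    ],
})
FEED_B = json.dumps({
    "source": "feed-b",
    "indicators": [
        {"type": "domain", "value": "update-check.example", "first_seen": "2015-02-11T00:00:00Z"},
        {"type": "sha256", "value": "bb" * 32, "first_seen": "2015-02-13T00:00:00Z"},
    ],
})

# Constructed endpoint telemetry, one JSON object per line, as an EDR agent might emit.
TELEMETRY = "\n".join([
    json.dumps({"host": "ws-017", "event": "process", "sha256": "AA" * 32}),
    json.dumps({"host": "ws-017", "event": "dns", "query": "update-check.example."}),
    json.dumps({"host": "srv-02", "event": "net", "dst_ip": "203.0.113.7"}),
    json.dumps({"host": "srv-02", "event": "process", "sha256": "cc" * 32}),
])


def _parse_ts(s):
    """Feed timestamps are UTC ISO-8601 with a trailing Z (assumed format)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(ioc_type, value):
    """Canonical form so the same indicator from two feeds collapses to one key."""
    v = value.strip().lower()
    if ioc_type == "domain":
        v = v.rstrip(".")  # DNS logs often carry a trailing dot
    return (ioc_type, v)


def merge_feeds(feed_texts, now, max_age_days=30):
    """Collect indicators from several feeds, dedupe them, and drop stale ones."""
    cutoff = now - timedelta(days=max_age_days)
    merged = {}
    for text in feed_texts:
        feed = json.loads(text)
        for ind in feed["indicators"]:
            seen = _parse_ts(ind["first_seen"])
            if seen < cutoff:
                continue  # too old to act on; keep the feed current
            key = normalize(ind["type"], ind["value"])
            entry = merged.setdefault(key, {"sources": set(), "first_seen": seen})
            entry["sources"].add(feed["source"])
            entry["first_seen"] = min(entry["first_seen"], seen)
    return merged


# Which telemetry field carries each indicator type (constructed schema).
FIELD_FOR_TYPE = {"sha256": "sha256", "domain": "query", "ipv4": "dst_ip"}


def match_telemetry(merged, telemetry_text):
    """Sweep telemetry lines for any current indicator; return the hits."""
    hits = []
    for line in telemetry_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for ioc_type, field in FIELD_FOR_TYPE.items():
            if field not in event:
                continue
            key = normalize(ioc_type, event[field])
            if key in merged:
                hits.append({"host": event["host"], "type": ioc_type, "value": key[1],
                             "sources": sorted(merged[key]["sources"])})
    return hits


def run(now=None):
    """Merge both constructed feeds as of a fixed date and sweep the telemetry."""
    now = now or datetime(2015, 2, 13, tzinfo=timezone.utc)
    merged = merge_feeds([FEED_A, FEED_B], now)
    return merged, match_telemetry(merged, TELEMETRY)


if __name__ == "__main__":
    merged, hits = run()
    print(f"{len(merged)} current indicators after merge/dedupe")
    for h in hits:
        print(f"{h['host']}: {h['type']} {h['value']} (sources: {', '.join(h['sources'])})")
```

With the fixed date in `run()`, the November 2014 address is discarded as stale, so the `srv-02` connection to it is not reported; the domain seen by both feeds is collapsed to a single indicator that records both sources, which is the signal a responder wants when deciding how much weight to give a hit. In production the `now` argument is the wall clock and the feeds are polled continuously rather than loaded once.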
Although a defense-in-depth strategy should include antivirus technologies, we must abandon the overemphasis on precise threat signatures and network indicators to detect intrusions, given that these signatures are days or, worse yet, weeks or months old. Also, malware can be changed ever so slightly and quite easily to conduct follow-up attacks that will bypass traditional antivirus signatures.
Therefore, an enterprise’s best defense lies in building a strong offense that utilizes threat intelligence about attack methodologies, behaviors and actual IOCs to hunt and remediate threats on endpoints in real time.
Plug in to community and industry data
Your threat intelligence is exponentially stronger when you’re receiving data and insights from multiple sources. An easy first step is to subscribe to numerous IOC sources, such as VirusTotal, IOC Bucket, and iSIGHT Partners. Follow up with some simple outreach to valuable data partners:
- Join the FBI’s InfraGard chapter in your area and receive its insights. FBI Special Agents will routinely share industry- or company-specific threats to help protect you.
- Contact and establish relationships with your local state, or
- Industry-leading Advanced Persistent Threat (APT) vendors can provide cloud-based services or appliances that sit in your network to disseminate IOC threat signatures.
Though information sharing is transforming from the anecdotal to the analytical, your peers remain important partners. Widen your net by attending industry conferences and events, and connect with peers inside and outside of your industry. Facebook announced Wednesday a new platform for organizations to share information called ThreatExchange. In this new climate, our collective success will be defined by the value we extract from lessons learned. The CTIIC aims to transform these lessons into better methodologies to better communicate and collaborate, and I urge you to follow their lead. Nevertheless, all of the data in the world is worthless if you cannot utilize it in real time and at scale — the new approach to information sharing requires tools that transform intelligence into instant action. Are you ready?