Sharing Threat Intelligence

After the breach of Sony Pictures by North Korea, legislative attention has come back to cybersecurity. Its primary goal has been the sharing of threat information, allowing private companies to integrate their ‘indicators’ — pieces of information that have been associated with malicious activity — with government organizations (namely, DHS). This would give authorities the means to identify threats, issue warnings, and offer guidance for handling threats that span multiple organizations or entire business sectors.

The importance of integrating threat indicators cannot be overstated. Much like a detective collecting evidence from a string of crimes, a cybersecurity analyst first needs to see all of the clues across the numerous incidents before concluding that they are connected. With all the evidence in hand, the analyst can assemble a more complete and accurate picture, connecting two seemingly separate events.

For example, when a business investigates a breach of its network, it may be unaware that some of the attack’s indicators were also observed in the Sony breach. Having a shared list would directly give it the knowledge to attribute the event to known activity, providing additional insight into the breach. More importantly, if the affected organization shares its attack indicators, it gives other organizations a reasonable chance to prevent a similar breach.

Large security vendors demonstrate the value of this integration all of the time. Some antivirus vendors collect data about files and scans from all of their customers. From this central repository, they can identify large-scale trends within industries or attribute activity to a network of malicious actors operating across the globe.

Because these proposals involve sharing information between private organizations and the government, privacy concerns have been cited. Certainly, the language of any acceptable bill needs to ensure that personal information for private citizens doesn’t make its way into the list of malicious indicators. Ultimately, I believe privacy concerns can be navigated and the entire concept of sharing important information should not be completely scrapped.

More alarming concerns come from security researchers. These concerns originate from the fact that, currently, a researcher testing vulnerabilities in good faith can face serious criminal charges. This criminalization causes more harm than good for security, as it is these white-hat researchers who find and eliminate vulnerabilities that could otherwise cause extreme harm if discovered by the wrong entities.

Sharing malicious indicators has immense value — the ability to prevent highly disruptive compromises — and a system is needed to facilitate this process. Once privacy concerns and the potentially damaging side effects of privacy violations are addressed, the bill should be supported by those in the security field.