As the toll of successful cyberattacks has spiked, it’s become uncomfortably obvious that IT professionals trying to keep attackers out of critical systems are at a massive disadvantage before they design a single policy or turn on any defensive systems. Attackers have a good idea what sort of technology they’re up against and have plenty of forums to exchange intelligence, sell weaknesses (including zero days) and buy the sort of credentials that can help them burrow inside networks.
The great hope of cybersecurity was for defenders to even the fight with collective threat intelligence. At first, these efforts were modest and vendor-specific, essentially a way of circling the wagons around a subset of customers with a bit of input from national CERTs. More recently, multi-vendor initiatives such as the Cyber Threat Alliance (backed by Symantec, Intel, Palo Alto, Fortinet, Barracuda, Zscaler) boosted the concept by pooling several sources.
They even up the balance, but most defenders are still essentially on their own. Attackers know this, deploying similar attacks against a fragmented mass of organisations, each of which experiences them as a new event. Threat intelligence, then, is a good idea, but its success remains patchy and partial.
Recently, security firm and long-time threat-sharing advocate Carbon Black (formerly Bit9) has fired up something called Detection eXchange, a threat-sharing platform with a slightly different mission. Its creators describe it as being like ‘TripAdvisor on steroids’, which sounds confusing when applied to such a technical subject but contains the germ of an intriguing idea.
In Carbon Black’s view, today’s threat-sharing systems are over-reliant on distributing what in forensics parlance are termed ‘Indicators of Compromise’ (IOCs). These include many familiar artefacts such as known bad IP addresses, web domains, malware files, or the latter’s MD5 hashes packaged as signatures. In a sense, the whole cybersecurity industry has been based on understanding such elements since its earliest days, using them to identify and fingerprint attacks.
The problem is that these are common to different attacks and can easily be changed. Finding one gives defenders at best a small fraction of a story when time is of the essence.
By contrast, Detection eXchange focuses instead on ‘patterns of attack’, best described as a sequence of unusual events that might be detected on a Windows, Linux or Mac host, whether desktop or server.
“A lot of time people talk about sharing threat intelligence they are really talking about sharing data,” says Carbon Black’s chief strategist, Ben Johnson.
“It’s lowest common denominator. Nothing is optimised. But if you can start looking for the ‘story’ of the attack and tie in relationships it’s so much more relevant.”
A pattern is entered into eXchange in a form that can be queried. Screenshots, analyst comments and supporting data can be attached to it.
An example he offers of what one of these patterns would look like is an application such as Outlook spawning Word, which in turn spawns a PowerShell interface: an unusual sequence of processes appearing in short order.
Alternatively, an unsigned binary might load itself before modifying or copying files and opening a network port. On some networks this might be innocent but on many others it would not.
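The two patterns just described can be expressed as queries over host process, file and network events. The following Python is an added illustration written for this article, not Carbon Black’s code or the eXchange query format; the `Event` record, the field names and the sample telemetry are all constructed assumptions. It detects the Outlook → Word → PowerShell process chain by walking parent pids, and the unsigned-binary pattern by checking that a process with an unsigned image touched files and then opened a network port.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One host telemetry record (constructed schema, not a vendor format)."""
    ts: float          # seconds since boot
    kind: str          # "process" (start), "file" (modify/copy), "network" (port opened)
    pid: int
    ppid: int = 0      # parent pid; process events only
    image: str = ""    # executable name; process events only
    signed: bool = True
    detail: str = ""


# Constructed sample telemetry: a malicious-looking Office chain (pids 100/200/300),
# a benign interactive PowerShell (500), an unsigned binary that copies a file and
# listens on a port (600), and a signed backup tool doing the same (700).
SAMPLE_EVENTS: List[Event] = [
    Event(0.0,  "process", 1,   0,   "explorer.exe"),
    Event(5.0,  "process", 100, 1,   "outlook.exe"),
    Event(9.0,  "process", 200, 100, "winword.exe", detail="invoice.docm"),
    Event(11.0, "process", 300, 200, "powershell.exe", detail="script"),
    Event(30.0, "process", 500, 1,   "powershell.exe", detail="interactive"),
    Event(40.0, "process", 600, 1,   "updater.exe", signed=False),
    Event(41.0, "file",    600, detail="copy C:\\Users\\Public\\svc.exe"),
    Event(42.0, "network", 600, detail="listen tcp/41234"),
    Event(50.0, "process", 700, 1,   "backup.exe"),
    Event(51.0, "file",    700, detail="modify C:\\backup\\index.db"),
    Event(52.0, "network", 700, detail="listen tcp/8443"),
]


def _process_index(events: List[Event]) -> Dict[int, Event]:
    return {e.pid: e for e in events if e.kind == "process"}


def ancestry(events: List[Event], pid: int) -> List[Event]:
    """Process start events from pid up to the root, child first."""
    procs = _process_index(events)
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect_office_chain(events: List[Event], window: float = 60.0) -> List[int]:
    """Pids of PowerShell processes whose parent is Word and grandparent is
    Outlook, with the whole chain started within `window` seconds."""
    hits = []
    for p in _process_index(events).values():
        if "powershell" not in p.image.lower():
            continue
        chain = ancestry(events, p.pid)
        if len(chain) < 3:
            continue
        child, parent, grandparent = chain[0], chain[1], chain[2]
        if ("winword" in parent.image.lower()
                and "outlook" in grandparent.image.lower()
                and child.ts - grandparent.ts <= window):
            hits.append(p.pid)
    return hits


def detect_unsigned_file_then_network(events: List[Event]) -> List[int]:
    """Pids of unsigned binaries that modify or copy files and afterwards open
    a network port. Signed images are ignored, which is why pid 700 is not flagged."""
    hits = []
    for p in _process_index(events).values():
        if p.signed:
            continue
        own = [e for e in events if e.pid == p.pid and e.ts > p.ts]
        file_ts = [e.ts for e in own if e.kind == "file"]
        net_ts = [e.ts for e in own if e.kind == "network"]
        # order matters for the pattern: file activity first, then the port
        if file_ts and net_ts and min(file_ts) < max(net_ts):
            hits.append(p.pid)
    return hits


def run_detections(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, List[int]]:
    """Run every pattern over the event stream and report matching pids."""
    return {
        "office_to_powershell": detect_office_chain(events),
        "unsigned_file_then_network": detect_unsigned_file_then_network(events),
    }


if __name__ == "__main__":
    for name, pids in run_detections().items():
        print(f"{name}: {pids or 'no match'}")
```

Both detections deliberately key on relationships (parent/child, ordering in time, signing status) rather than on any hash, domain or IP, which is the point the article makes about patterns outliving IOCs. The signed backup tool in the sample shows why context matters: the same file-then-port behaviour is benign for one process and suspicious for another, so a vetted pattern would carry that qualification with it.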
The key to this type of threat sharing is that a team of Carbon Black analysts, aided by the company’s tier of MSSPs, can vet patterns before turning them into something that can more usefully be consumed.
“With most threat sharing clearinghouses the onus is on the recipient to do the work,” points out Johnson, putting his finger on the known deficiency of threat sharing: data is only useful if the recipient can pick it out from the background noise in the first place.
A key issue is that this sort of information should not overwhelm Carbon Black’s customers who can consume it either by logging into the platform or passively by receiving a feed.
Johnson estimates that the system will only generate a few dozen of these patterns per week at present.
But do these patterns make for better security? Johnson is convinced they do because, while IOCs change constantly, deeper patterns repeat over and over.
“They don’t have the same half-lives IOCs have. Years from now…the patterns remain the same. Instead of millions you might have dozens.”
Significantly, says Johnson, people are involved in this system rather than it being a machine-driven database that receives and pushes out data to other machines. It almost functions as a verified social network for security in which real individuals can openly or anonymously share what they’ve seen.
“It’s like a forum or Wikipedia system. Everyone can communicate and be as open or anonymous as they want. All people know is they have been validated by us. A big aspect is the human-to-human connection.”
Carbon Black is now looking to share the data more widely beyond its own ecosystem, says Johnson. That is still an issue because while the firm’s network is large, taking in MSSPs and government as well as many large Fortune 100 companies and even vendors (Dell Secureworks, EY, Trustwave, Kroll, Rapid7), if threat-sharing systems remain islands of knowledge in a deep sea of ignorance then they will, ultimately, not close the gap with attackers fast enough.
More generally, Carbon Black seems to be working hard on industry support, opening its API sufficiently to attract 44 third-party firms to integrate with its wider security platform. Time will tell whether this benefits Detection eXchange.
The threat intelligence universe is slowly improving and expanding, even if competing interests often get in the way. Carbon Black’s design suggests that it is not size that’s the real issue: customers need usable intelligence, not data.