You have to do more than think about it. Intel Security (McAfee) conducted 500 interviews with security professionals across a wide range of industries and regions to understand their views and expectations around cyber threat intelligence (CTI) sharing. The report found that awareness of CTI is very high and that 97% of those who share CTI see value in it. It also found a conflict between users' willingness to receive CTI and their willingness to share it: most (91%) want to receive it, but far fewer (63%) say they are very likely or even somewhat likely to share it. The research also found the following:
- 72% of survey respondents using shared CTI ranked malware behaviour as the data they are most willing to share, followed by URL reputations (58%), external IP address reputations (54%), certificate reputations (43%), and file reputations (37%)
- Respondents see the greatest barriers to CTI sharing as corporate policies (54%), industry regulations (24%), and a lack of information on how the shared data would be used (24%)
CTI is about sharing. McAfee Global Threat Intelligence (GTI) provides insight into the attack volumes its customers experience. In Q4 2015, GTI customers saw the following volumes every day:
- On average 47.5 billion queries per day.
- More than 157 million attempts were made (via emails, browser searches, etc.) to entice customers into connecting to risky URLs.
- More than 353 million infected files were exposed to customers’ networks.
- 71 million potentially unwanted programs attempted installation or launch.
- 55 million attempts were made by customers to connect to risky IP addresses, or those addresses attempted to connect to customers’ networks.
Security professionals have relied primarily on signature-based and behaviour-based detection to block threats. Both methods are effective, but what about particularly complex threats, some of which have yet to be discovered?
How do you stop zero-day attacks that slip under the radar? That is where cyber threat intelligence comes into play. CTI goes much deeper than just a list of IP addresses with poor reputation scores or hashes of suspected bad files.
CTI is evidence-based knowledge of an emerging (or existing) threat that can be used to make informed decisions about how to respond. It provides the context around how the attack takes place, identifies indicators of attack (IoA), indicators of compromise (IoC) and potentially the identity and motivation of the attacker.
Security practitioners and security technology can use CTI to better protect against threats, or to detect the presence of threats already inside the trusted environment. Expectations are high that 'integrated' CTI will significantly improve system and network security.
Intel Security says that for CTI exchange to work effectively, established technical standards for sharing information are critical. There have been multiple efforts to settle on a single format for sharing cyber threat intelligence, but most were focused on a specific area, such as incident response.
In 2010, MITRE, under the direction of and with funding from the US Department of Homeland Security (DHS), began development of a threat information architecture with the goal of producing a representation of an automatable cyber threat indicator. This was the first effort to focus specifically on creating an automatable, structured representation of the cyber-threat lifecycle, a related message format, and an exchange protocol. The effort produced three specifications:
- TAXII, the Trusted Automated eXchange of Indicator Information (the transport protocol).
- STIX, the Structured Threat Information eXpression (the language for describing threats and indicators).
- CybOX, the Cyber Observable eXpression (the representation of observables such as files, addresses and URLs).
DHS worked to transition the development and ownership of specifications to the Organization for the Advancement of Structured Information Standards (OASIS). OASIS has created the OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC).
The CTI TC created subcommittees for each of the specifications, as well as an interoperability subcommittee. OASIS will develop, maintain, and release all future versions of STIX, TAXII, and CybOX. Intel says CTI is gaining traction within the security industry as a way to combat advanced threats.
The use of CTI will become a critical component of organizations’ defences as structured, enriched data will allow organizations to respond more quickly, with a better view of the cyber event landscape.
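What "structured, enriched data" buys you in practice, as an added example that is not code from the report, from MITRE or from OASIS: a constructed STIX bundle carrying two indicators (a dropper hash or download URL, and the C2 address it talks to, each tagged with its kill-chain phase) is matched against objects a sandbox or proxy might report. It uses the JSON STIX 2.1 layout, the successor to the XML STIX 1.x of the report's era, into which CybOX was folded as STIX cyber observable objects. The hash, URL and IP address are placeholders invented for the example, and the parser deliberately handles only flat `[a:b = 'x' OR c:d = 'y']` comparison patterns, rejecting anything else rather than ignoring it. This serves both the point above about CTI being more than a list of hashes or IP reputations and the STIX specification the list introduced.

```python
"""Match STIX 2.1 indicator patterns against observed objects.

Added example with constructed data; only flat [a:b = 'x' OR c:d = 'y'] (or AND)
patterns are supported, anything else is rejected rather than silently ignored.
"""
import re

# Constructed placeholders (TEST-NET-2 address, dummy hash), not real IoCs.
BAD_SHA256 = "a" * 64
STAGE2_URL = "http://198.51.100.7/stage2.bin"
C2_IP = "198.51.100.7"

BUNDLE = {
    "type": "bundle",
    "id": "bundle--6c1f0a2b-3d4e-4f50-8a6b-7c8d9e0f1a2b",
    "objects": [
        {   # The IoC plus its context: what it is and where it sits in the kill chain.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0f1e2d3c-4b5a-4968-8776-655443322110",
            "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z",
            "name": "Phishing attachment dropper (constructed)",
            "description": "Attachment drops a downloader that fetches a second stage from the listed URL.",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '%s' OR url:value = '%s']" % (BAD_SHA256, STAGE2_URL),
            "valid_from": "2016-03-01T00:00:00Z",
            "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                   "phase_name": "delivery"}],
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--9a8b7c6d-5e4f-4a3b-8c1d-0e1f2a3b4c5d",
            "created": "2016-03-01T00:00:00.000Z", "modified": "2016-03-01T00:00:00.000Z",
            "name": "Second-stage C2 server (constructed)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '%s']" % C2_IP,
            "valid_from": "2016-03-01T00:00:00Z",
            "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                   "phase_name": "command-and-control"}],
        },
    ],
}

# One comparison: <object type>:<property path> = '<literal>'
COMPARISON = re.compile(r"([a-z0-9\-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Return (operator, [(object_type, [path parts], value), ...]) for a flat pattern."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern (expected one [...] expression): %r" % pattern)
    body = body[1:-1]
    if " OR " in body and " AND " in body:
        raise ValueError("mixed AND/OR needs parentheses, which this parser does not handle")
    op = "OR" if " OR " in body else "AND"
    comparisons = []
    for term in body.split(" %s " % op):
        m = COMPARISON.fullmatch(term.strip())
        if m is None:
            raise ValueError("unsupported comparison: %r" % term)
        obj_type, path, value = m.groups()
        # hashes.'SHA-256' -> ["hashes", "SHA-256"]; quoted parts may contain dots or dashes.
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|[^.']+", path)]
        comparisons.append((obj_type, parts, value))
    return op, comparisons


def lookup(obj, parts):
    """Walk a dotted property path through a dict-shaped observable; None if absent."""
    cur = obj
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def indicator_matches(indicator, observed):
    """True if the indicator's pattern is satisfied by the list of observed objects."""
    op, comparisons = parse_pattern(indicator["pattern"])
    hits = [any(o.get("type") == obj_type and lookup(o, parts) == value for o in observed)
            for obj_type, parts, value in comparisons]
    return any(hits) if op == "OR" else all(hits)


def sightings(bundle, observed):
    """Return the indicators that fire, with the context an analyst needs to act on them."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # Snort/YARA/SIGMA patterns belong to other engines
        if indicator_matches(obj, observed):
            out.append({"indicator": obj["id"], "name": obj["name"],
                        "phases": [p["phase_name"] for p in obj.get("kill_chain_phases", [])]})
    return out


# Constructed observations, as a sandbox or proxy might report them.
OBSERVED_PHISH = [{"type": "file", "name": "invoice.exe", "hashes": {"SHA-256": BAD_SHA256}},
                  {"type": "ipv4-addr", "value": C2_IP}]
OBSERVED_CLEAN = [{"type": "file", "name": "report.pdf", "hashes": {"SHA-256": "b" * 64}},
                  {"type": "url", "value": "https://example.org/report.pdf"}]

if __name__ == "__main__":
    for hit in sightings(BUNDLE, OBSERVED_PHISH):
        print("%s  [%s]  %s" % (hit["indicator"], ", ".join(hit["phases"]), hit["name"]))
    print("clean sample:", sightings(BUNDLE, OBSERVED_CLEAN))
```

Two design points worth noting. The match returns the indicator's id, name and kill-chain phase rather than a bare boolean, because that context (delivery versus command-and-control) is what lets a responder decide whether they are looking at a blocked phishing attempt or an already-compromised host. And the parser raises on any construct it does not understand, since an indicator whose pattern is silently half-evaluated is worse than one that is visibly unsupported.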
The full report is here. It has some interesting statistics (on page 33 onwards) on malware, mobile malware, the rise of OS X malware, ransomware and more that are too lengthy to reproduce here.