The sharing of cyber threat information can be traced back to the response to the Morris worm in 1988. We will discuss the history of cyber threat information sharing and give an overview of where we stand today. Recognizing a sense of disillusionment with today’s landscape, we will provide a vision of what the future of cyber situational awareness and defense can look like, and how cyber threat information sharing can help us get there.
In November 1988, the Morris worm opened the world's eyes to cyber threats. Shortly after, Carnegie Mellon University started up the Computer Emergency Response Team Coordination Center (CERT/CC), the Department of Energy formed the Computer Incident Advisory Capability (CIAC), and many others did the same. By 1990, it was clear that communication and collaboration across teams would be needed, and the Forum of Incident Response and Security Teams (FIRST) was formed to respond to this need [1]. Fast forward to the early 2000s and the idea of automated sharing of cyber threat information began with such early examples as the Argonne National Laboratory's Cyber Fed Model (a grassroots effort that began in 2004) and the Research and Education Networks Information Sharing and Analysis Center's Security Event System. Fast forward again, to the present, and these platforms have grown, new ones have gained the spotlight, standard representations such as Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Intelligence Information (TAXII™) have gained traction, and cyber threat information sharing has become a hot topic. But, despite the growth and advancement, the World Economic Forum, at their 2018 Annual Meeting in Davos, Switzerland, declared that "Currently, information sharing is not living up to expectations." [2]
This presentation will start with an overview of the cyber threat information sharing landscape. This will include a brief history, an overview of different approaches (e.g. manual vs. automated; indicators vs. intelligence), and a discussion of associated pros, cons, and challenges. These current approaches and associated challenges will be used to illustrate the view that the movement is "not living up to expectations."
Having laid the groundwork, the presentation will focus on the future of cyber threat information sharing; namely, that the current focus on information sharing needs to shift. The focus should not be on information sharing as an end goal, but rather the use of information sharing as a foundational capability that can be leveraged for improved cyber situational awareness and more rapid cyber defense. Automated information sharing involves machine-to-machine connections and trust relationships that can be leveraged for orchestration beyond the simple sharing of atomic pieces of cyber threat information.
By passing queries (i.e., requests for information) over the same infrastructure, information sharing can become a foundational capability used by cyber analysts to simplify the research, disposition, and response processes applied to anomalous events. Combining this distributed query model with automation and orchestration will expand the datasets available and reduce the time needed to collect the context analysts rely on when dispositioning an event or finding. This same infrastructure then becomes the foundational capability to orchestrate the defensive response to a given threat.
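The following is an added illustration of the distributed query model described above, not code from the presentation or any real sharing platform: a request for information is fanned out to several sharing peers, pivoted once on the related infrastructure each peer reports, and the aggregated context feeds a simple disposition rule. All peer names, indicator values, dates and campaign labels are constructed.

```python
"""Constructed model of a 'research' (query) sharing model versus 'publish'.

Instead of each peer pushing atomic indicators, the analyst's tooling asks
every peer what it knows about an indicator and aggregates the answers.
"""
from dataclasses import dataclass, field


@dataclass
class Sighting:
    indicator: str
    first_seen: str          # ISO date, so string comparison orders correctly
    campaign: str            # peer's own campaign label (constructed)
    related: list = field(default_factory=list)  # infrastructure the peer ties to it


# Constructed peer datasets: each partner holds only what it observed locally.
PEERS = {
    "partner-a": [Sighting("203.0.113.10", "2018-02-01", "campaign-x", ["evil.example"])],
    "partner-b": [Sighting("203.0.113.10", "2018-01-20", "campaign-x", ["198.51.100.7"]),
                  Sighting("198.51.100.7", "2018-01-22", "campaign-x", [])],
    "partner-c": [],  # has seen nothing relevant; answers the query with no results
}


def query_peer(peer, indicator):
    """One request for information: what does this peer know about the indicator?"""
    return [s for s in PEERS[peer] if s.indicator == indicator]


def gather_context(indicator, depth=1):
    """Fan the query out to all peers, pivoting `depth` hops on related indicators.

    Returns the context an analyst would otherwise assemble by hand from each
    partner: which peers corroborate, which campaigns they name, the indicators
    touched, and the earliest first-seen date across the sharing community.
    """
    context = {"peers": set(), "campaigns": set(), "indicators": set(), "earliest": None}
    seen, frontier = set(), {indicator}
    for _ in range(depth + 1):
        next_frontier = set()
        for ind in frontier - seen:
            seen.add(ind)
            for peer in PEERS:
                for s in query_peer(peer, ind):
                    context["peers"].add(peer)
                    context["campaigns"].add(s.campaign)
                    context["indicators"].add(ind)
                    next_frontier.update(s.related)
                    if context["earliest"] is None or s.first_seen < context["earliest"]:
                        context["earliest"] = s.first_seen
        frontier = next_frontier
    return context


def disposition(context):
    """Toy rule: independent corroboration on one campaign warrants a campaign-level
    response rather than blocking the single indicator that raised the event."""
    if len(context["peers"]) >= 2 and len(context["campaigns"]) == 1:
        return "escalate-campaign"
    return "block-indicator" if context["peers"] else "no-corroboration"
```

Running `gather_context("203.0.113.10")` returns corroboration from two peers, pivots to a second indicator, and yields an escalate-campaign disposition, whereas an indicator no peer has seen yields no corroboration.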
Moving cyber threat information sharing from a "publish" model to a "research" model may require more revolution than evolution, but it will empower analysts to tackle more complex research. By orchestrating and automating pieces of the single-event analysis process, analysts can be freed up to shift toward a campaign or adversary focus. A single-event response may result in a fast-paced game of whack-a-mole, with an adversary rapidly moving from one piece of their infrastructure to another. A campaign- or adversary-focused response, by contrast, will consider the behaviors and motivations behind the attack and look at the multi-step (and therefore multi-event) processes used. With a more comprehensive understanding of the threat and the availability of automation and orchestration capabilities, analysts will be able to disrupt the adversary in ways that cost significantly more time and effort to work around than today's typical response of blocking an atomic indicator.
This shift of focus does not mean that cyber threat information sharing is no longer important. Nor does the automation and orchestration mean that analysts are removed from the picture. But, by focusing on the end goals of improved situational awareness and orchestrated defense, we can recognize that information sharing needs to be treated not as a solution on its own, but rather as a foundational capability that leads to an improved end state.