Threat intelligence is king. The more you have, the better positioned you are to protect your organization from cyber attacks.
But staying on top of threat intelligence to fight these sophisticated attackers requires a new, collaborative approach to security—one that most companies and organizations haven’t embraced as yet. We need to continuously share information on the latest cyber attack techniques, such as malware and email campaigns, beyond our own networks in order to defend against an onslaught of external and internal threats. We need to “talk” to each other to warn against the latest tactics.
Getting beyond “defend” mode
Most companies are still in “defend” mode, using traditional firewalls and other perimeter-based tools to guard their networks and data. While you don’t want to get rid of those old war horses, your company does need to expand its capabilities to defend against and respond to more sophisticated threats. By tapping into what other organizations are seeing in terms of attacker tactics, techniques and procedures (TTPs), you can detect such threats much earlier and minimize damage.
I manage the Critical Incident Response Center (CIRC) at EMC, tasked with defending the company’s revenue stream and future market value from cyber threats. At EMC, we believe we have been able to achieve a uniquely high level of incident response capability using much of our own cutting-edge information security technology.
Some 18 months ago, however, an APT (Advanced Persistent Threat) incident revealed a gap in our Trusted-IT strategy. We realized we needed to develop a program to catalog and categorize threat intelligence to stay ahead of the threat curve and reduce our exposure time.
Since then, EMC’s CIRC has been working with more than a dozen organizations as well as some U.S. agencies to improve our defense against and response to potential attacks by sharing threat intelligence. Among them is the Advanced Cyber Security Center, an intelligence-sharing alliance of a number of private companies and academic organizations in the Northeast. We also work with US-CERT (United States Computer Emergency Readiness Team). At the same time, RSA, EMC’s Security Division, is striving to help develop standards and automation to make such intelligence sharing easier.
Cyber threat intelligence sharing is still in its infancy. For the most part, we now rely on phone calls, forums and emails to spread the word on the latest threats. However, I believe it is the most effective way to take on the growing threat from these highly skilled, well-funded, mission-oriented impersonators, and that such cyber-crime networks will continue to grow and get more sophisticated in their attacks.
Keeping the bad guys on the run
One day soon, perhaps, cyber threat intelligence will look like the AMBER Alert system. AMBER Alert is a voluntary partnership between law-enforcement agencies, broadcasters, transportation agencies, and telecommunications providers, who share urgent reports in the most serious child-abduction cases. If we could broadcast a description of what cyber criminals are doing, we might have a better chance at catching them in the act.
With an effective threat intelligence network, we can keep the criminals on the run; and when they’re on the run, they’re more likely to make mistakes. Our protection mechanisms don’t need to be perfect, but defense and response are things that must be good all the time. By combining our efforts and sharing our intelligence, we dramatically improve our chances of detecting a threat. The bad guys know they are better off pooling their resources. They are regularly sharing their “intelligence,” and so should we.