Rethinking Regional Threat Sharing Partnerships

March 31, 2017
Partners with Purpose: Post by David Mann and Suneel Sundar
David Mann and Suneel Sundar

Sharing cyber-threat information is valuable. So why is it so difficult and so prone to failure?

For the past year and a half, we’ve conducted research into difficulties experienced within regional threat sharing groups. We've identified two common mistakes that can be illuminated and corrected by applying two MITRE frameworks and there is good reason to believe these insights can help other information sharing and analysis organizations (ISAOs) as well. The first common mistake is the broad assumption that all organizations should aspire to defend against the advanced persistent threat (APT). And the second is that more automation always improves sharing. Both premises are wrong. Blind implementation on these underlying assumptions hinders effective sharing.

MITRE’s CyberPrep 2.0 asserts that an organization's cyber defenses should be matched to the level of threat it actually faces. Our research shows that failing to respect these differences undercuts sharing efforts. Organizations that face real APT threats need to collaborate with trusted partners to identify specific threat actors, their techniques and campaigns. Maintaining secrecy is paramount because if an APT-level attacker finds out that their techniques have been discovered, they’ll change to become invisible again. Organizations that primarily face non-APT, theft-motivated threats must ensure that their financial and human resources focus on defending against high volumes of largely automated, commoditized attacks. Diverting resources to track specific threat actors, their campaigns, and associated techniques is counter-productive for these organizations and weakens their defensive posture.

Our first recommendation for regional sharing organizations (and other ISAOs) is that they clearly distinguish between member organizations who need to defend against APT threats and those who should focus on defending against non-APT theft. Then structure their sharing efforts to accommodate these different cyber-defense goals.

Counter-intuitivily, automation can sometimes undercut sharing efforts. This typically happens when groups who are too diverse in terms of their work practices try to share too much information. While groups that do the same sort of work in the same, highly routine way are good candidates for automated sharing, groups that do closely related but slightly different work in slightly different ways tend to get mired in intractable "schema wars". Starting slow and agreeing to share less detail is often the more effective way to begin sharing. In other cases, human analysts need to collaborate. In such cases, large amounts detailed data overwhelm the human analyst and instead, collaborative sharing systems should enable easy sharing of prose-based artifacts to help establish context.

Figure 1: Diversity/Detail Trade space

MITRE's Bilateral Analysis of Information Sharing Efforts (BLAISE) methodology provides a structured way to determine the right amount of shared detail and automation based on the work practice diversity of the participants. Applying BLAISE, sharing automated indicators of compromise (IoCs) among theft oriented defenders is a good candidate for automation. Routine, commodity attacks can be defended against using routine, commodity defenses which can be made stronger by automated sharing. Sharing among the threat analysis cells of APT-oriented defenders is another matter. APT-oriented threat analysis is definitively not routine; if defenses could be automated or repeated, the threat would be neither advanced nor persistent. Automation may augment the collaborative human analysis necessary to track APT attackers but, attempting to force all shared analytical information out of prose and into highly detailed structures will lead to disagreement and confusion.

The BLAISE methodology also highlights another form of "information sharing" that has great potential in regional sharing groups in which members are geographically close enough to meet together. BLAISE describes a spectrum of information sharing modalities that ranges from automated sharing of digital data on one extreme to ad hoc, human-to-human collaboration on the other. An effective way to establish these collaborative relationships is through facilitated face-to-face engagement such as seminars and table-top exercises. Then, collaboration can be sustained through the use of automated communication systems such as email or chat.

What we've found to-date indicates that to achieve effective, risk-based threat sharing among partners, regional sharing organizations should carefully consider the way they organize. Instead of a single structure in which all members share cyber information in the same way, we recommend the following approach. First, place member organizations into a cyber preparedness group based on the capabilities they demonstrate (which should reflect the threat they face). Then the ISAO must structure member interactions as follows:

  • Accept members from all preparedness groups and only facilitate non-automated collaborative efforts.
  • Accept members only from either the Theft or APT preparedness groups and structure the sharing efforts to optimally support that group.
  • Accept members from all three groups and concurrently offer separate sharing capabilities for the Theft and APT groups while also providing support for collaboration and mediated translation efforts to the whole membership.

As advocates of sharing, we obviously have offered the first two as distasteful straw men, leading to the third as the inevitable conclusion. We also caution against the common strategy of placing an organization into a preparedness group to help educate them when it does not have the same risk or preparedness of others in that group. Although threat sharing groups do help educate members, such education and awareness is better handled when organizations are matched with others who have similar risks, threats, and operational models.

The full results of our research can be found in our paper "Effective Regional Cyber Threat Information Sharing", which provides an overview of our methodology and detailed analysis.

Achieving and sustaining effective information sharing is an on-going and iterative process. For this reason, we seek feedback on these findings to-date and any stories from those who participate in regional threat sharing groups. Applying and measuring these proposed approaches will further develop recommendations on how best to achieve effective threat sharing practices in regional threat sharing organizations.