Imagine a street market with lots of vendors hawking their wares. Customers wander in and out of the market, some of whom you don’t see every day while you know others as regular visitors. Perhaps you are one of several selling coffee beans[1]. Now imagine that you’ve realized that there’s a thief in the market, and you know more or less what he looks like or perhaps a little about his modes of operation. It’s in your interest to let the other coffee bean sellers (and perhaps even other vendors) know, along with perhaps the local police, because you don’t want that thief robbing you, your suppliers, or your customers – nor your competition.
Some of my recent thinking about sharing and cooperation stems from recent discussions about the CISPA and similar initiatives, while some of it stems from thinking about the fact that, in many areas of business, we frequently compete with organizations whose employees we may consider friends. And of course, competition in business should only go so far. I subscribe to the belief that “there’s no such thing as business ethics” in the most positive sense: we cannot simply limit our ethical behavior to certain areas of life, then turn around and act unethically in other areas.
All of that musing sets the stage for thinking more about sharing threat intelligence. Clearly, we never want to share threat intelligence with the adversaries that may pose a threat to us. This is why many experienced incident responders recommend against submitting malware samples to an antivirus vendor, or to a public multi-scanner service, during an open investigation: attackers routinely check whether their tooling has surfaced in those services, so a premature submission can tell them that the intrusion has been noticed and compromise your operational security. At the same time, we can find benefits in sharing data with our ostensible competition. For example, payment processors have formed a group within the FS-ISAC to share “information about fraud, threats, vulnerabilities and risk mitigation in the payments industry”. Yes, this means that corporations that compete doggedly for merchant accounts and transaction fees will help each other with security intelligence, since that information has more value when aggregated: each processor gets more intel from the group than it puts into it. As a result, the marketplace can function more cleanly, to the benefit of all (honest) participants.
That doesn’t mean that an organization should share all of its security secrets. Generally speaking, the operational security risk from sharing intelligence rises with the specificity of the intelligence. So discussing the (fairly well-known) idea that a lot of fraud originates in Russia and Eastern Europe doesn’t increase the risk to an organization. Sharing information about specific BINs (bank identification numbers, the leading digits of a card number that identify the issuer) with extremely high fraud levels might incur slightly more risk, but not much (and that primarily from an operational or possibly legal perspective, rather than a technical one). When we start sharing indicators of compromise and known attacker addresses, then we have to take greater care to ensure that the information doesn’t leak to the adversary. But again, the adversary here isn’t the company next door trying to expand its market share, possibly at the expense of yours. The adversary wants information from both of you, to the detriment of others in the marketplace like cardholders, merchants, and so on.
I don’t quite know what I think about how this might extend to groups (including vendors) whose business includes collecting and selling threat intelligence, including my own employer[2] and other companies with which I’ve maintained good working relationships. But I do think that there’s value in some level of cooperation even among these groups, and I’m interested to know what others think.
[1]: Despite my surname, I don’t have any affiliation with Maxwell House Coffee, and I don’t even drink their stuff. I just like thinking about coffee. Mmm, coffee.
[2]: To repeat what should be obvious, my opinions here are my own, if anyone’s. Sometimes I end up not even agreeing with myself, so don’t expect that anybody else will!

Great post Kyle! This topic is something that I’ve always considered one of the barriers to the sharing of timely threat intelligence. In some places, I think the barrier is being lowered, but it does become more difficult when you’re talking about vendors making money off of their intel.
However, I think there could be a distinction regarding the type and depth of information shared. In groups such as the Payment-Processors within the FS-ISAC, I would hazard a guess that full details of the defined threat (to the best extent possible) are shared among the members. This includes analysis and correlation that has been completed by each party. In an intel-vendor situation, I think cutting out the analysis and correlation portion of information shared could be a partial compromise. If this occurs, the vendors still get raw data, potential leads, etc., but they can use their analysis and presentation skills to remain competitive amongst each other. A version of this currently occurs with services such as VirusTotal. Each AV Vendor has access to the same intel to do with as they please.
Thoughts?
Thanks, Keith. You confused me at first with the “partial compromise” phrase, because I thought you meant “compromise” like “security incident”. But in the sense of how organizations can share data with vendors without breaking OPSEC, yeah, providing some core indicators is probably as far as most people would go. It’s a trust issue: if I run Bank A and you run Bank B, then I can give you indicators without worrying that you’ll publicize them. But I don’t (necessarily) trust Vendor X to do the same thing, because they have different motivations.
On the other hand, given how many organizations get notified of an intrusion by an external source and pull in external organizations to investigate, that model only goes so far in reflecting reality.
Excellent post, Kyle. Might I suggest that the root cause is innocent in nature? I believe we all understand that cooperative relationships can be established in a way where the water rises and all boats benefit. Even within a single organization though, cooperation and interdepartmental communications are difficult to maintain (see:Tribes, Seth Godin). Attempting to smoothly extend to integrate other organizations with different values, objectives, priorities, and operational procedures is daunting. It takes management support and a core group of dedicated project champions from all parties to come together and make it happen.
Definitely, Lucas. I’m not suggesting that any of the obstacles are malicious in nature, particularly not between vendors. It’s just that I’m still thinking this particular area through, since (as you know) until recently I focused on this almost exclusively from the perspective of the client organizations.