Imagine a street market with lots of vendors hawking their wares. Customers wander in and out of the market, some of whom you don’t see every day while you know others as regular visitors. Perhaps you are one of several selling coffee beans[1]. Now imagine that you’ve realized that there’s a thief in the market, and you know more or less what he looks like or perhaps a little about his modes of operation. It’s in your interest to let the other coffee bean sellers (and perhaps even other vendors) know, along with perhaps the local police, because you don’t want that thief robbing you, your suppliers, or your customers – nor your competition.
Some of my recent thinking about sharing and cooperation stems from the ongoing discussions about CISPA and similar initiatives, while some of it stems from thinking about the fact that, in many areas of business, we frequently compete with organizations whose employees we may consider friends. And of course, competition in business should only go so far. I subscribe to the belief that “there’s no such thing as business ethics” in the most positive sense: we cannot simply limit our ethical behavior to certain areas of life, then turn around and act unethically in other areas.
All of that musing sets the stage for thinking more about sharing threat intelligence. Clearly, we never want to share threat intelligence with the adversaries that may pose a threat to us. This explains why most experienced incident responders recommend not sending malware samples immediately to an antivirus vendor, particularly during an open investigation: that intelligence can easily leak back to the attacker and compromise your operational security. At the same time, we can find benefits in sharing data with our ostensible competition. For example, payment processors have formed a group within the FS-ISAC to share “information about fraud, threats, vulnerabilities and risk mitigation in the payments industry”. Yes, this means that corporations that compete doggedly for merchant accounts and transaction fees will help each other with security intelligence, since that information has more value when aggregated: each processor gets more intel from the group than they put into it. As a result, the marketplace can function more cleanly, to the benefit of all (honest) participants.
That doesn’t mean that an organization should share all of its security secrets. Generally speaking, the operational security risk of sharing intelligence rises with the specificity of the intelligence: the more specific the information, the more carefully it must be handled. So discussing the (fairly well-known) idea that a lot of fraud originates in Russia and Eastern Europe doesn’t increase the risk to an organization. Sharing information about specific BINs with extremely high fraud levels might incur slightly more risk, but not much (and that primarily from an operational or possibly legal perspective, rather than a technical one). When we start sharing indicators of compromise and known attacker addresses, then we have to take greater care to ensure that the information doesn’t leak to the adversary. But again, the adversary here isn’t the company next door trying to expand their market share, possibly at the expense of yours. The adversary wants information from both of you, to the detriment of others in the marketplace like cardholders, merchants, and so on.
I don’t quite know what I think about how this might extend to groups (including vendors) whose business includes collecting and selling threat intelligence, including my own employer[2] and other companies with which I’ve maintained good working relationships. But I do think that there’s value in some level of cooperation even among these groups, and I’m interested to know what others think.
[1]: Despite my surname, I don’t have any affiliation with Maxwell House Coffee, and I don’t even drink their stuff. I just like thinking about coffee. Mmm, coffee.
[2]: To repeat what should be obvious, my opinions here are my own, if anyone’s. Sometimes I end up not even agreeing with myself, so don’t expect that anybody else will!