It is truly maddening to see examples of bad guys sharing data, tricks, methods and good guys having no effective way of doing it. Moreover, it is considered acceptable to sit on the "hard-earned" knowledge of ways you used to detect that proverbial advanced attacker while your peers in other organizations are being owned by the same threat. And the cycle of suffering continues!!!
By the way, despite the recent CISPA regulation noise, sharing security-relevant data with the US government is not the whole story (and not even the main story) here. The principal challenge is sharing data (raw data, information, intelligence, etc.) among the “defenders” in a way that helps them, but does not benefit the attackers (and, hopefully, does not violate too many laws). “Defenders” (to avoid ethical labels and stick with tactical ones) is loosely defined here to cover both organizations facing information threats and vendors providing tools useful for such defensive efforts. The data being shared might range from malicious binaries (well-shared among the relevant vendors today), various entity “blacklists” (and broader reputation lists), IOCs, other incident details and other malicious artifacts, to the methods successfully used for detecting them.
As of today, security data sharing is a painful subject for many organizations. So, how does one share what is potentially sensitive (and, occasionally, regulated) information in the context of conflicting commercial interests, hostile parties (attackers) and a mesh of conflicting international laws? Here is one structured look at the sharing dilemma today.
First, these are trivial choices for sharing:
- Share no security information with anybody beyond one's own organization => attackers do not benefit, defenders do not benefit (and you possibly violate data breach notification laws, as some data must in fact be shared)
- Share all information with the public => attackers benefit; defenders thus do not benefit once attackers adapt (and laws are probably broken in the process – plus you get sued for negligence)
From the above trivial choices, where can we go? These options are also observed today:
- Share only high-level information with the public => attackers do not benefit, defenders benefit slightly (and PR people benefit a lot)
- Share all information with a small trusted circle of “friends” => attackers do not benefit, but only a small number of defenders benefit (FS-ISAC and numerous informal “circles of CSO friends” follow this model… and what about those pesky laws in this case?)
This leads me to believe that a key – at least a theoretical key at this stage – to cracking the sharing nut is somewhere around this:
- Share the right level of information (and, yes, the exact level is itself a big question!) where defenders would benefit, but attackers would need to work too hard to benefit from the same information, or
- Share the information with the right circle of people only and maintain trust forever, and
- Possess a legal “get out of jail free” card for those who share security information to improve the defenses.
Obviously, combinations of the above “atomic” approaches apply and need to be explored further. Maybe somebody can apply game theory to this conundrum?
On an unrelated note, maybe cloud will make us share more? More than a few cloud-based security vendors are working on the analysis of data collected from their customers, with said data ranging from logs to malware binaries.
Finally, we’ll be doing a research project on this in the near future – not just on data sharing but on collaborative approaches to security in general. To see more of our thinking on this tricky subject, please attend “Technical Insights: Improving Collective Defenses through Information Sharing and Threat Intelligence” at an upcoming Gartner Security Summit 2012. Dan Blum has been blogging a lot about this as well (a great example is where Dan says that “enlightened self interest [as a motivation for sharing] is wonderful, but an incentive system that rewards security intelligence sharing would be even better.”)
And, at the risk of sounding too grandiose, maybe this is a big part of the future of information security? I feel that today we are close to the tipping point with regard to security data sharing…