Indicators of Attack: it’s worth the investment

June 3, 2015 Sam Curry


We’re told from a very young age to share, and you can see it in the faces of children who are exposed to it from day one: they don’t want to.  The value of sharing is non-intuitive to a child, and it’s the same with many organizations.  Sharing is an expensive proposition that demands a longer-term view, whether it’s the child who capitulates because they realize it isn’t worth the punishment or parental scorn, or the more advanced child who sees it as a strategy to get more in the long term and to enter a new type of relationship with peers.

The same is true in security: not only is there healthy skepticism over the peers you might share with, there’s also concern about whether you can trust peers with what you see and find in your environment, and whether the literal OpEx and CapEx investment to make it work is worth it at all.

The truth is that it is worth it, but not if you do it willy-nilly with all comers in all ways.  That will be expensive and won’t produce much value except by accident and at scale.  Two things are needed to make any information sharing project work: critical mass and the ability to process the inputs.  ESG’s Jon Oltsik does an admirable job of outlining this in his most recent research.

Let’s deal with these one by one, starting with critical mass.  For years, I was puzzled by the fact that when some breeds of bees sting, they die.  It seems an incredibly silly trait to evolve a defensive capability that winds up killing the creature.  I realized, of course, that I was looking at the wrong scale: in the animal kingdom all that matters is the selfish gene.  The bee has a better chance of propagating its DNA through the hive by stinging, even at the cost of its own life, than it does by not stinging, especially if the bees in question are of neutral gender anyway.  We hope not to be bees and have to die or pay such a high price for belonging to any community, but once an information sharing community crosses a certain critical mass it becomes something one must be part of to survive; until that point, the value isn’t yet there.

For example, look at the ISACs and the FS-ISAC in particular.  In the early days, none of the ISACs produced much value, but they grew and grew in spite of that.  Today, the FS-ISAC is so successful that even non-US institutions are joining, duplicating the model and sharing with the rest of the “hive.”

Of course, the condition of being careful what you share and with whom is still present.  One of the things the bad guys look for is telemetry on how their attacks are running, who is in the know and who is still ignorant of their activity; so it becomes critical to vet members and participants, to monitor the behavior of participants entrusted with certain information, and to come up with the right protocols and schemas for mutual disclosure and communities of trust, which isn’t trivial to do.

The second problem is knowing what to pay attention to.  I prefer to say that we need “Indicators of Attack” rather than “Indicators of Compromise.”  The problem with tuning into a threat feed is that it’s like tuning into a very loud and promiscuous radio network.  You can turn it on, turn it off and come back, and it’s exceptionally difficult to tell which signal in the noise is relevant to you.  What’s needed isn’t just an ability to share indicators of attack but rather to have specific “channels” to those who have a higher need to know, to apply data mining techniques to what’s shared, and to rapidly diagnose the overlaps of “what I care about” with “what you know” from the contributors to a particular feed.

Jon is onto something here: we need to get the STIX and TAXII work done, and some of it is a leap of faith since the value will build slowly and over time until we hit that critical mass.  But as always, the real work is to be done in the human protocols for sharing, the softer networks, the building of trust and figuring out, ultimately, how to find the Indicator of Attack against me that I care about in the sea of Indicators of Compromise that I should share and know about but might not care that much about.
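As an added illustration (not code from the post or from Arbor), here is the “what I care about” versus “what you know” overlap worked through in Python: a constructed STIX-style bundle of shared indicators is triaged against constructed lines from our own DNS and EDR logs, so that indicators actually observed here surface as attacks against me, indicators aimed at our sector but not yet seen go on a watch list, and the rest is filed as noise. Using each indicator’s `labels` to carry the sectors a contributor saw targeted, and the `min_confidence` threshold, are assumptions of this example.

```python
import re

# Simple single-comparison STIX 2.1 patterns, e.g. [domain-name:value = 'x'].
STIX_PATTERN = re.compile(r"\[([^\s=]+)\s*=\s*'([^']+)'\]")
# Constructed feed (a parsed STIX-style bundle); using 'labels' for targeted sectors is an assumption.
FEED = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--1", "confidence": 80, "labels": ["financial-services"],
     "pattern": "[domain-name:value = 'update.example-bad.test']"},
    {"type": "indicator", "id": "indicator--2", "confidence": 70, "labels": ["financial-services"],
     "pattern": "[domain-name:value = 'portal.example-bad.test']"},
    {"type": "indicator", "id": "indicator--3", "confidence": 90, "labels": ["healthcare"],
     "pattern": "[file:hashes.'SHA-256' = '" + "b" * 64 + "']"},
    {"type": "indicator", "id": "indicator--4", "confidence": 20, "labels": ["healthcare"],
     "pattern": "[file:hashes.'SHA-256' = '" + "c" * 64 + "']"},
]}

# Constructed local telemetry: one DNS line and one EDR line from our own logs.
LOCAL_LOGS = [
    "2015-06-02T09:14:05Z dns client=10.1.2.3 query=update.example-bad.test",
    "2015-06-02T09:20:41Z edr host=fin-ws07 file=invoice.exe sha256=" + "c" * 64,
]

def parse_pattern(pattern):
    """Return (object path, lowercased value) from a one-comparison pattern."""
    m = STIX_PATTERN.fullmatch(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group(1), m.group(2).lower()

def local_observations(log_lines):
    """Map each domain or SHA-256 seen in our logs to the lines that carried it."""
    seen = {}
    for line in log_lines:
        for m in re.finditer(r"\b(?:query|sha256)=(\S+)", line):
            seen.setdefault(m.group(1).lower(), []).append(line)
    return seen

def triage(bundle, our_sectors, log_lines, min_confidence=50):
    """Sort shared indicators into attack (seen here), watch (aimed at us) or noise."""
    seen = local_observations(log_lines)
    result = {"attack": [], "watch": [], "noise": []}
    for obj in bundle["objects"]:
        _path, value = parse_pattern(obj["pattern"])
        if value in seen:  # observed locally: an attack against me, whatever the feed's confidence says
            result["attack"].append((obj["id"], value, seen[value]))
        elif set(obj.get("labels", [])) & set(our_sectors) and obj.get("confidence", 0) >= min_confidence:
            result["watch"].append((obj["id"], value))
        else:
            result["noise"].append(obj["id"])
    return result
```

Running `triage(FEED, {"financial-services"}, LOCAL_LOGS)` puts indicators 1 and 4 in the attack tier, 2 on the watch list and 3 in the noise; note that the low-confidence healthcare hash still outranks the high-confidence one because it was seen on our own host.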

The post Indicators of Attack: it’s worth the investment appeared first on Arbor Insights - Our People, Products and Perspective.

