on

Collaborative Information Exchange Models to Fight Cyber Threats

The fight against cybercrime should take on a new direction. It should utilize the collaborative models of social media also referred to as Web 2.0 technologies that allow for the socialization of the fight against cyber threats through a community or group. This is how we can overcome the current lack of fresh, global and qualified threat intelligence. This article aims to explain which collaborative models will help us undertake this new approach against the malicious actors on the Internet

The socialization of the fight against cyber threats 

The number of cyber intelligence or threat intelligence suppliers is currently growing. This illustrates that the market place is expanding rapidly and different vendors are positioning their solutions to offer their different visions and solutions.

Although there is an interesting range of vendors and MSSPs offering these services, no single entity can be sure that it is collecting and processing all of the intelligence that relates to cyber threats that is circulating out there on the Internet be it openly hidden in dark web. This is the reason why they are joining together, to gain more value by gathering pieces of information about the malicious actors and threats that exist in the Internet.

In addition, cybercriminals are becoming more organized and emerging threats grow exponentially. Systems cannot adapt their information gathering and detection to this speed.

How can we solve this problem?

The answer is simple: we can use information exchange collaborative models. But beyond collaboration between organizations and associations, which are essential, we must be able to collaborate with users that are subject to potential attacks. They can be the eyes of a common target: the fight against cybercrime.

Now, more than ever, it is time to socialize the threat intelligence or the fight against cyber threats.

Inefficient exchange systems

Why have other information exchange systems not worked so efficiently? Regrettably, they have not been as pragmatic, effective and even realistic as they should have been in order for them to deliver operational value.

Additionally, on many occasions, leaders in an institution, an organization, a company or even “professionals” have imposed the needs of their department or company instead of working for the benefit of the group and the agents participating in it. The gaps of these systems together with the above mentioned facts have made the project unfeasible and unable to develop. Information exchange systems on cyber threats should not suffer the same shortcomings, which are listed in the following section.

Gaps in the existing systems and how they will be amended

  • Lack of circles of trust: everyone agrees to exchange but nobody trusts anybody. There is a clear lack of confidence, so that future systems should facilitate the exchange of data at different levels of confidence.
  • Multiple and dreadful reporting formats: Until today, reporting formats have been complicated. In addition, each organization has tried to impose its own. This has lead to inefficiency and lack of agility. In fact, this has been so cumbersome that formats have become almost obsolete. As far as cyber threats are concerned, the industry is working on standards and reporting forms like IOCs, STIX, Cybox, etc. that will solve this problem and that focus on indicators or information that is quantitative, not just qualitative. These new standards and “reporting languages”, will help to act in a much more agile, specific and pragmatic way: malware hash, C&Cs IPs, Yara rules, etc. The shared information is readable by machines (MRTI – Machine Readable Threat Intelligence) meaning that security tools like firewalls, IPS, SIEMs or others are able to process the mentioned information.
  • Limitation of information sources: having multiple sources is as critical as knowing where to look for information (underground sites, closed and private sources). It is even more important to know how to analyze it and to correlate it. This is why socialization of cyber threats must facilitate the exchange of information from global and specific sources, especially the crowd sourced, with multiple partners. This is the way to obtain a larger volume of first-class information (freshness), so useful in combating cybercrime.
  • Lack of empowerment in analytical skills: for one sector or technology or for several sectors. The shared information may only and specifically be for a sector (financial, industrial, critical infrastructure…) but it should take into consideration all the agents of different industries and be able to offer analysis to learn from experience. As an example, the monitoring of a malware, which targets one sector should allow us to share conclusions and mitigations in a quick and easily reachable way. This can be achieved through the use of information tags, linked to indicators or IOCs.

Socialization of the fight against threats 2.0.

The socialization of the fight against cyber threats should provide first-hand information and should fill the gaps mentioned above. But keeping in mind we are dealing with a social need or 2.0, it is even more important to link it to a nonprofit cause with a clear social model. This will enable us to involve experts, manufacturers, organizations and users. It should be a way to generate information for the benefit of all organizations with a vested interest in cyber security.

There are some initiatives that already exist such as in Twitter, like #malwaremustdie!, where the reversing or malware experts community have launched a crusade to remove this problem from the Internet. The initiative is welcome, but a hashtag on twitter and a blog cannot be considered, indeed, a completed information sharing system. There are also “non-profits organization” or sectorial working groups that have different powerful initiatives. However, they are mostly just limited to the financial sector and they end up being controlled by a single company related to this organization. Consequently, participants become upset, as they share their information in a collaborative way. One must keep in mind that anything that belongs to the community is done for the community. If we forget this, then we can say goodbye to the socialization of the fight against cyber threats.

Definition of the socialization system

The system should be very agile and should facilitate collaboration amongst all participants. It should also be visually interesting and should be linked to a community, making it easy to interact and generate comprehensible information on cyber threats for any user. It should allow for customization depending on different purposes:

  • Enable a single user in the community to collect information, which is only and specifically interesting for him/her.
  • Sort and look for information easily, through tags.
  • Be able to interact and exchange information directly with other partners or peers belonging to the same field of interest. It should give restricted access to circles of trust created by the user. These circles of trust must have a minimum of three classification levels:

Circles of trust Timeline

Fig 1: Circles of trust and the timeline 

1st level: A professional and restricted area in a business context (either users, business units or countries in the case of multinational groups), facilitating the exchange of a specific threat that affects a business unit or country and that might be reproduced in other geographical areas. For example, a phishing attack perpetrated by a gang located in Europe and that can be reproduced in Latin America.

– 2nd level: Partners (peers) in the same sector in order to exchange identified cyber threats. An example could be Dyre, the banking Trojan that attacks the financial sector.

– 3rd level: Public. Intended for all users in the community. Non confidential or business information that enables active, collaborative and joint fight against threats. For example the organization of a DDoS by Anonymous.

  • Give distinctions and awards to those companies and users, which are more active. It is a way to improve their reputation as security experts and to acknowledge their work in the joint battle.
  • Create a feed, automatically and tailored to the information needs. Obviously it should be readable in STIX, OpenIOC formats, etc. In addition, the feed must contain information generated by users who are followed within the community (like in a social network). It should also include information generated from cyber threat tags that interest us and which can be directly integrated or injected into the traditional security elements (firewalls, SIEMs, IDS, etc.).

Hierarchy and automated exchange of information (TAXII, STIX)

So far, we have explained how this community or social network should be to socialize the cyber threat fight. However, this portal should not be the only element of information exchange. It should feed other systems through TAXII protocol, in a hierarchical system.

Global Information Exchange System through TAXII

Fig 2: Global Information Exchange System through TAXII

And finally, this information exchange would involve several TAXII servers, exchanging information through STIX. This exchange should be done as follows:

  • Public TAXII servers: open and global. Controlled by CERTS or nonprofit organizations. With a hierarchy similar to DNS protocol root servers. Companies would connect to them to share IOCs or other vital information in an automated way, to fight cybercrime collaboratively and, at the same time, the community would produce content that would be automatically transferred to these TAXII servers if this information has been classified as public and suitable for publishing.
  • Private intra-group TAXII servers: to share indicators that should not be public. In fact, we mean indicators that should be shared amongst a multinational company and they have to be fast fed to all the traditional security solutions to prevent a cyber attack from expanding to other geographical areas. These servers would obviously be fed by the public TAXII servers to be up-to-dated regarding new indicators.
  • Public extra-group TAXII servers: a meeting point with peers or organizations from the same sector to exchange specific information of that sector. For example, indicators that affect only one sector or a specific technology and that can contribute to a quick control of a cyber threat.

References

[1] STIX, stix.mitre.org

[2] TAXII, taxii.mitre.org

[3] Blueliv community, https://map.blueliv.com

Demo Free Trial MSSP
Program