I think almost every one of us working in the IR/Threat Intel area has faced this question at least once: shall we share intel information? Although I have my own opinion on this, I will try to state some of the most common arguments I have heard in these years, pro and against sharing publicly, as objectively as possible not to influence the reader. Why not sharing publicly?
Why sharing publicly?
Pasquale [1] – “When Threat Intel met DFIR”, http://archive.hack.lu/2015/When%20threat%20intel%20met%20DFIR.pdf |
Pasquale Stirparo 15 Posts ISC Handler |
Reply Subscribe |
Jul 31st 2016 1 year ago |
Pasquale,
Sharing is definitely caring. I believe there is an dimension of sharing that does not have to get into all the gory details, rather it can be in the form of "trust me, you should look for this in your environment". Russell |
Russell 90 Posts Posts ISC Handler |
Reply Quote |
Jul 31st 2016 1 year ago |
You can add one more "sharing" fan to your pile
To me it comes down to 3.5 core problems: 1/ I want to share but would like to keep my name/organization as anonymous/confidential as possible 2/ I want to consume but need to trust the information submitted by someone else 2a/ I would like to be able to analyze the modus operandi by seeing if and how others are impacted (reconstruct their TTP and see how it changes, compare similarities from the past) 3/ I would like to limit the bad guys' access to what I shared How I see it: Subgroups: satisfy partially (1), (2) and (3) - as these groups are not anonymous, the information gathered are limited even between the trusted parties (e.g. an insurance company might not be willing to disclose all details of an attack which led to breach of several millions of health-related personal sensitive data until it is fully analyzed and vulnerability fixed which might take days/weeks). Also if several big companies are attacked by the same folks, they might not be part of the same subgroup, so even if they share, it might be difficult to see the big picture in this case as already pointed out A community-owned portal for everyone: satisfies (1) and (2a), potentially also (2) in case of registrant verification process is in place which would still allow keeping entity submitting the info confidential. It doesn't satisfy (3) but I would argue that getting the big picture and even seeing the changes in modus operandi will be extremely beneficial, even for the future pattern recognition. Yes, the bad guys will follow it as well, and might adapt, but at the end, this is what they already do, just currently it is with couple days/weeks/months delay when they realize that their existing TTP doesn't work anymore. |
Anonymous Posts |
Reply Quote |
Jul 31st 2016 1 year ago |
Closed communities and paid intelligence services is only means of earning money. We need to understand how our adversaries are working. Sharing intelligence does not mean you have to share your organisations name. Mostly you are sharing Indicators of compromises. If you are putting your organisations name on any open threat intelligence platform you are violating major policies and breach notifications legalities. Organisation will require to analyse and disseminate based on their infrastructure and consumption capabilities.
Example : If "bad guys" are on a open threat intelligence platform, try an evaluate what are the risks. The person can get Indicators of compromises or actual code or malware. That is available for free anyway. If a new malware is designed its freely available on forums and sometimes github. Love being on DFIR and sharing my research via blogs and updating open threat intelligence sources. There are lot of blogs where most of DFIRs and other independent security researchers updates and share. Our adversaries are working as a team and we should too. |
makflwana 17 Posts Posts |
Reply Quote |
Aug 1st 2016 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!