Threat Intelligence Sharing Should Start at the Top

How many vendor phone calls do you dodge every day? One of the most consistent calls that I receive is from vendors selling the latest, greatest “Threat Intelligence” product.  If you are not familiar with threat intelligence, it is the aggregation of suspicious or known malicious information from multiple sources around the world.  This information is then used to warn subscribers of the impending threats.  It is a way for a subscriber of a particular service to achieve “actionable intelligence” about an impending threat.  Sounds neat!

However, I have heard at least one brave webcaster declare that threat intelligence is a steaming pile of dung. This is a bold statement in a world that seems over-run with constant news of cyber-attacks and an even louder tocsin by the public about the urgency to stop it.In a recent meeting with a threat intelligence provider, I too am starting to hold my nose when I am given the pitch about threat intelligence.Most of the threat intelligence vendors will proudly speak of information sharing, that is, when they see a pattern of malicious traffic forming against one of their clients, they will share that information amongst the threat intelligence feed to their other clients.

We are all aware by now of the unprecedented DDoS attack against Brian Krebs In mid- September.  This attack was the largest DDoS ever witnessed on the internet; traffic clocked at 620Gbps was aimed at Brian Krebs’ server. We all felt threatened that such an attack could be so easily carried out by using all of the unsecured IoT devices out there.  We were all equally shocked at Akamai’s initial response to dump Brian, yet we understood the difficult business decision that they had to make to protect their paying customers.

So, why am I all of a sudden holding my nose about threat intelligence?  A vendor was demonstrating their “superior threat intelligence product” and part of their presentation included a boastful commentary about how they saw the attack against Krebs forming before it took place.  Their excellent intelligence gathering capabilities allowed them to see the attack against Akamai in formation.

Allow that to sink in for a moment.

Here are some questions for that vendor: Are you actually boasting that you stood idly by when you witnessed the formation of the greatest attack to date against the entire internet? 

And this model you are selling derives its power from information sharing?

The incongruence of ideology here is somewhat baffling. Sort of like boasting about your superior powers in space defense, yet when an asteroid, capable of an extinction-level event is heading towards the planet, you chose to stand by because it will not impact your country.  What is the logical or ethical sense of that?

I understand business decisions, and how sharing with a competitor is generally considered a poor business decision, but if threat intelligence companies won’t share their information with another intelligence company in the greater interest of the preservation of the internet, why should they expect anyone to subscribe to their sharing and intelligence service? Threat intelligence sharing should start at the top.

Guest Author: Art Logan