I’ve long been a proponent of sharing threat intelligence. The technical level of this sharing is usually at the indicator of compromise (IOC) level. There are several protocols that allow tools to share these IOCs rapidly. IOCs are gathered through detection and various dynamic and static techniques. The analysis level of threat intelligence is a lot more diffuse with focus of various entities run from trolling hacker forums, to elicitation activities, and finally hack back and assumption of roles.
Sharing information creates a situation where the adversary must adapt faster and strategically increases the strain on the adversary resources. Sharing also creates a communal pool where risk is reduced across the various sharing entities. If all entities partake of the known risks pool equally and participate with similar resources this would be all good.
Unfortunately there may be a case for not sharing.
First, the “forced” sharing or legislated requirement to share with government increases shareholder risk through regulatory mechanisms. The violation of corporate rights puts the corporate entity at risk of secondary use of shared information by administrative and criminal courts. Regardless of the legislation for protection and anonymity.
Second, the concept of sharing is fanciful in that all share alike. However, there is a core assumption that sharing data equally or that all data is of equal value is fundamentally flawed. If I only share data that helps me, and don’t share data that helps you I have qualitatively balanced the risk quotient in my favor. Hence, why government will seek to mandate sharing. That mandate increases regulatory risk to the corporate environment.
Third, data and metadata mean something. How, why, and when a corporate entity is attacked will leak adversarial intent and corporate fidelity of business. If corporation X is sharing N data and corporation Y is not sharing N data then outside of the “safe” regime of sharing corporation Y may be sanctioned. In the absence of evidence they are obviously not taking things seriously and should be sanctioned through other than sharing administrative regulations.
Fourth, sharing data means that adversaries will adapt. Already automated tools for instant unique exploit creation exist. So, the concepts of IOCs may already have started to sunset. Other forms of adversary analysis also are becoming overcome by events as professionalization in digital crime rings increase. Sharing of information and the formalization of sharing may result in less useful tools as adversaries adapt. Creating unique capabilities for defense adaption may be a better use of time. Poorly named, “information system hygiene” and better systems of protection/detection are likely better use of budget dollars.
Obviously this is not a politically correct or welcome addition to the discussion. However, this and several other elements of the sharing discussion need to be had as limited dollars are expended and threat intelligence within the digital environs becomes a “thing”. As Kent Sherman the father of the American intelligence apparatus said, “intelligence is a thing, a process, and an entity.” You need to understand those three elements and how each will have secondary and tertiary impacts on your adversary.
1 comment for “In defense of not sharing: What is cyber TMI?”