Making Real-Time Threat Intelligence Sharing a Reality
Cyber attacks range from theft of research, personal information and other valuable assets to disruption of service, and while finance and media have dominated recent headlines, no industry is immune from compromise. To make matters worse, the organizations perpetrating attacks are increasingly well funded, whether through criminal revenues, state sponsorship, or both. Attackers also collaborate more than before, and the tools they use grow steadily more sophisticated.
Since cyber adversaries tend to reuse the same or similar infrastructure across multiple victims, an early warning system that enables threat intelligence sharing between trusted partners could give future victims an opportunity to put preventive countermeasures in place before the same infrastructure is turned on them. Real-time threat intelligence sharing among trusted partners is the concept behind a Catalyst demonstrated at Management World in Nice, France.
According to Brian Rexroad, Principal Security Architect for AT&T’s Chief Security Officer, “Defending against these threats necessitates collaboration among enterprises as well as providers of services on the Internet. No organization can defend against the array of cyber-threats on their own, and there are many ad hoc communities forming to share information, but this means does not scale. To date, there has been only limited effort to standardize and implement means to automate sharing of threat information. I believe this effort represents an interest and intent to improve how we share information about threats.”
The project, which is being championed by AT&T, Bell Canada, Telstra and DSTL (an agency of the UK MOD), has settled on two very different Use Cases for the demonstration and standards development.
The first, Mobile Malware, uses the Spam Soldier malware that was identified in December 2012 as the backdrop for threat intelligence sharing. In this Use Case, there is an opportunity to expand the sharing community to include additional parties, from mobility service providers to OS providers, software and anti-virus (A/V) vendors, and application stores, as the understanding of the threat progresses across the Security Management Lifecycle. TM Forum’s Security Management Lifecycle is an abstract model that defines process flows and operational states. In the case of the Mobile Malware threat, sharing can be accomplished in two phases: (1) as “monitoring” identifies suspicious behavior, and (2) when “detection” confirms the threat with root cause determination and impact. The distinction matters to the receiving partner: a monitoring-phase indicator justifies watching for the same behavior, while a detection-phase indicator, carrying root cause and impact, justifies preventive blocking. Amir Gefen, Director of Industry Relations for cVidya Networks, says, “With the tremendous proliferation of smartphones, fraudsters and hackers are finding these devices to be much more vulnerable than PCs, and shifting their efforts into this area while causing CSPs and their subscribers tremendous financial and reputation damages. This Catalyst is dealing with one of the most burning issues in the industry.”
The project’s second Use Case is focused on a targeted attack from an advanced persistent threat (APT). Again, this case is modeled after a real-world Case Study, “Crimson Ash”, provided by Cyber Squared. Adam Vincent, Cyber Squared’s CEO, explains, “APTs are aggressive in the way they target their victims, and their capabilities are only as advanced as required by the targets they plan to use them against. Our threat intelligence sharing community will share information as the threat advances so that we can establish patterns and identify the threat, hopefully before they’ve accomplished their mission. We are clearly outmatched when acting alone, and we need to work together.” Alex Hamerstone, Compliance Officer for TOA Technologies, adds, “Correlation is essential to identifying and thus mitigating security threats. Being able to correlate threats faced by multiple providers enables better mitigation.”
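The two-phase sharing described in the Mobile Malware use case, and the cross-provider correlation Hamerstone refers to, are illustrated below as an added example; it is not code from the Catalyst, from TM Forum, or from any of the companies named, and it does not reproduce any standard's message format. The record fields, the partner names, the key=value log format and the "watch versus block" policy are all assumptions made for the illustration.

```python
"""Added illustration (not the Catalyst's format or any standard): a
minimal two-phase threat-sharing record plus a consumer that correlates
shared indicators against its own logs before deciding how to act."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MONITORING = "monitoring"   # suspicious behaviour observed, not yet confirmed
DETECTION = "detection"     # threat confirmed with root cause and impact


@dataclass(frozen=True)
class SharedIndicator:
    source: str               # partner that shared it (hypothetical names below)
    kind: str                 # "domain", "ip" or "sha256"
    value: str
    phase: str                # MONITORING or DETECTION
    root_cause: Optional[str] = None
    impact: Optional[str] = None


def validate(ind: SharedIndicator) -> None:
    """A detection-phase record must carry root cause and impact; a
    monitoring-phase record must not claim them, so a consumer cannot
    mistake a hunch for a confirmed finding."""
    if ind.phase not in (MONITORING, DETECTION):
        raise ValueError(f"unknown phase {ind.phase!r}")
    if ind.phase == DETECTION and not (ind.root_cause and ind.impact):
        raise ValueError("detection-phase record lacks root cause or impact")
    if ind.phase == MONITORING and (ind.root_cause or ind.impact):
        raise ValueError("monitoring-phase record must not claim root cause/impact")


def is_valid(ind: SharedIndicator) -> bool:
    try:
        validate(ind)
        return True
    except ValueError:
        return False


def recommended_action(ind: SharedIndicator) -> str:
    """Assumed receiving-partner policy: watch suspicious, block confirmed."""
    return "block" if ind.phase == DETECTION else "watch"


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value key=value' lines; real logs differ."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


FIELD_FOR_KIND = {"domain": "qname", "ip": "dst", "sha256": "sha256"}


def correlate(indicators: List[SharedIndicator], log_lines: List[str]) -> List[dict]:
    """Match shared indicators against local logs. When the same indicator was
    shared at both phases, the confirmed (detection) record takes precedence."""
    best: Dict[Tuple[str, str], SharedIndicator] = {}
    for ind in indicators:
        validate(ind)
        key = (ind.kind, ind.value)
        if key not in best or ind.phase == DETECTION:
            best[key] = ind
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        rec = parse_log_line(line)
        for (kind, value), ind in best.items():
            if rec.get(FIELD_FOR_KIND[kind]) == value:
                hits.append({"line": lineno, "host": rec.get("host"),
                             "indicator": value, "shared_by": ind.source,
                             "phase": ind.phase, "action": recommended_action(ind)})
    return hits


# Constructed sample: partner A first flags a domain as suspicious, later
# confirms it, and also shares an unconfirmed IP. All values are invented.
SHARED = [
    SharedIndicator("partner-a", "domain", "update.example-c2.test", MONITORING),
    SharedIndicator("partner-a", "domain", "update.example-c2.test", DETECTION,
                    root_cause="premium-SMS malware in sideloaded app",
                    impact="subscriber billing fraud"),
    SharedIndicator("partner-a", "ip", "203.0.113.10", MONITORING),
]

# Constructed DNS/flow logs at the receiving partner (partner B).
LOCAL_LOGS = [
    "ts=1 host=handset-17 qname=update.example-c2.test",
    "ts=2 host=handset-42 dst=203.0.113.10 bytes=512",
    "ts=3 host=handset-42 qname=cdn.example.test",
]

if __name__ == "__main__":
    for hit in correlate(SHARED, LOCAL_LOGS):
        print(hit)
```

Run as a script, the consumer reports a block for handset-17 (the domain was confirmed in the detection phase) and only a watch for handset-42 (the IP is still monitoring-phase). The validation step is what keeps the two phases honest across organizational boundaries: a partner cannot ship a "confirmed" record without the root cause and impact that justify a preventive block on someone else's network.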
To view our work, visit: www.tmforum.org/CyberSecurity/13516/home.html#LIST