Sharing the pie: Threat collaboration

Titan of industry

There is already an abundance of efforts underway to share information, from email lists among a few trusted parties to nonprofit efforts like the Shadowserver Foundation to industry associations like FS-ISAC to for-profit threat feeds like Microsoft or VeriSign's iDefense Security Intelligence Services. Even the U.S. government is trying to get in on the game through the introduction of a number of bills in Congress, such as the controversial Cyber Intelligence Sharing and Protection Act (CISPA), which would regulate information sharing among the public and private sectors.

The key differentiator with Titan is accessibility and interaction, Smoak says. The portal is billed as a “community-driven” threat intelligence engine, operated by an entity with no cards in the game. It already has support from close to 20 organizations in industry and government, is receiving and processing more than 100,000 malware samples each day, and is scheduled to officially go live by the end of the summer. Smoak admits, though, that the portal will work best for reporting and retrieving information about mass malware, rather than more targeted threats, because that is what organizations are more likely to fess up about.

“Members can search malware samples based on industry, specific network domains and even develop and share their own analysis module,” according to a fact sheet. “Titan users may quickly and easily pass samples of both known and unknown type to the system, which automatically processes them according to file type and user request, and produces dynamic reports within minutes. Unlike traditional malware-analysis platforms, Titan does not define a static set of analysis methods. Instead, the framework allows members to add, remove and modify ‘pluggable’ analysis modules to suit analysis needs over time.”

Titan: What makes it unique 

A trifecta of functionality 

  1. It offers a sandboxing/analysis framework that is constantly being updated/changing. 
  2. It provides a forum to share human-based intelligence on top of automatically derived intelligence from the modules described in the framework.
  3. It enlists an easy method to mold/filter the output intelligence, such as standards or reports, to what an organization needs most at the time. 

Source: GTRI

The researchers believe a big draw will be the portal's versatility. Whether the user is an engineer who wants to create a script or a module that can be fed into a company's intrusion prevention system, or a CISO who wants high-level reports of threat activity across a particular vertical, each can extract value. “We're adaptive,” says GTRI research scientist Andrew Howard. “We're flexible. The advantage of Titan is that as threats change, we can change at the same speed. You don't have to buy a new appliance.”

Heartland's South says systems like Titan provide help to counteract some of the pressures organizations are facing, such as an overworked security staff and small budgets, which have worked to tip the balance very much in favor of the attacker. “It gives us insight into the things we should be looking for,” he says. “For example, by someone making a DLL [dynamic-link library] available to us as an indicator, we could look at our network to see if that DLL exists somewhere.”

John Johnson, the global security program manager at Illinois-based John Deere, the world's leading producer of agricultural machinery, says he sees the value in Titan's drive to cross-pollinate threat information across industries. That's because the manufacturing sector in which John Deere plays traditionally has been slow to embrace the latest security technology and doesn't have the formalized sharing infrastructures that the more heavily regulated verticals do. Instead, Johnson relies on data sharing within a CISO peer circle to which he belongs in the Chicago area. “It's basically a dinner group where we get together and talk in person,” he says.

But he recognizes that malware and the techniques used to spread it often are agnostic of industry. No longer is anyone immune. “We can't rely on obscurity and lying low and waiting for the financial companies to take a lead,” Johnson says. “I think we need solutions that are more intelligent and more proactive. If academia can step up and pull people together and demonstrate it's going to work and these concerns are being addressed, I think it'd be a worthwhile approach.”