As more and more organizations find themselves facing advanced cyber threats, information sharing becomes more critical, yet it is still not widely practiced. The sophisticated threats facing many organizations today tend to be orchestrated by skilled and motivated threat actors. They use tools and techniques specifically designed to defeat traditional security controls, like firewalls, intrusion prevention systems and anti-virus. These actors are also very dynamic in that they generally do not use the same IP addresses, domains or malware over and over. This creates a significant challenge for the security vendors. By the time malware, malicious domain names or IP addresses are added to their security products, the threat actor has already abandoned those in favor of new ones.
Information about these artifacts (the IP addresses, domains and malware just mentioned) is commonly referred to as an indicator of compromise (IoC). In addition to those examples, an IoC could be the hash of an executable, a unique HTTP user agent string or a specific email subject line. Almost anything that can be used to identify a compromised system, and can be searched for, could be considered an IoC. There are several electronic formats that can be used to store and share IoCs, but none of them is a standard.
“With each cyber intrusion or email phishing campaign comes the possibility to share what you have learned with others.”
– Christopher Harrington, consulting security engineer at EMC
Today, there are pockets of cyber intelligence and IoC sharing. Most of these are industry specific in nature. The U.S. Department of Defense (along with military contractors) has the Defense Industrial Base (DIB), the Defense Industrial Base Collaborative Information Sharing Environment (DCISE), and the Defense Security Information Exchange (DSIE). Industry verticals, like finance, have Information Sharing and Analysis Centers (ISACs). There are commercial providers of this information as well. These are generally not vertical specific, but can be expensive depending on the specific need.
There are, however, several challenges with sharing intelligence and IoCs. Many organizations are quite content to take in IoCs, but do not share anything back. This, unfortunately, is common because these organizations do not want to let anyone know that they have had a cyber incident, no matter how small. Many still regard admitting a breach or attack as a mark of shame.
While there are several electronic formats that can be used to share IoCs, none of them could be considered a standard. Common formats, like OpenIOC, CybOX and IODEF, can be used to describe IoCs. Each one has a slightly different purpose, and they all have very different origins. Which one is best will be determined by how the IoCs are to be shared and, sometimes, with whom they are shared.
Sharing of IoCs and cyber intelligence is still in its infancy. While there are services that sell this information, there are very few products that can process it. Without products to process this data, the work falls on the shoulders of the security analyst. This can be a daunting task depending on the volume of IoCs involved.
But we have an opportunity to turn a negative into a positive. With each cyber intrusion or email phishing campaign comes the possibility to share what you have learned with others. Traditional security technologies – while still a valuable part of the equation – do not provide the level of protection needed to counter this threat. By sharing indicators of compromise in a timely fashion with the rest of our community, we make the threat actor's job that much harder. By forcing them to adjust their tools and techniques more frequently, we create a larger window in which to detect and respond.