Executive summary
In recent years, there has been an explosion in the number of information security conferences held around the world. Despite this, the weeks leading up to Black Hat in Las Vegas are still reserved for some of the most significant security announcements, advancements and hacks of the year, all of which generate their fair share of controversy and coverage.
In light of this, we asked attendees of Black Hat 2015 how aspects of threat sharing, vulnerability disclosure and data from leaks should be handled.
Key Findings
- Half of participants will share threat data only with trusted peers.
- Although 22% of participants believe data dumps from hacks are not public data, they support security professionals using such data for research purposes.
- In the case of a vulnerability in a device with life-threatening implications (a car or a plane), 36% of participants believe tests should be conducted in private.
- The majority of participants (54%) rely on their own detection processes for threat intelligence.
Hacks, Vulnerabilities and Disclosures
When it comes to making headlines, Black Hat 2015 was no exception. The security (or lack thereof) of internet connected devices such as self-aiming rifles, cars, and airplanes was brought to light amid differing opinions.
The conference also took place in the midst of the Ashley Madison hack, which resulted in the membership data being dumped online. As a result of events like these, the correct way to disclose vulnerabilities, and how and with whom to share threat intelligence (information about malicious actors, their tools, infrastructure and methods), are currently hotly debated topics amongst security professionals.
Are these debates part of the “growing pains” of the security industry, or do they point to fundamental differences of opinion between security practitioners that are too wide a gulf to bridge?
Standards and Sources of Threat Intelligence
Threat intelligence (information about malicious actors, their tools, infrastructure and methods) can be obtained and collected from a variety of sources. However, not all threat intelligence is created equal – the relevance, origin, freshness, variety, overall confidence, and other factors all play a part in how valuable a threat intelligence source is.
The majority of participants, 53.9%, relied on their own internal detection processes for threat intelligence, with paid feeds and trusted peers coming in at 34.1% and 32.7% respectively.
Only 5.5% of the participants responded that they did not utilize threat intelligence at all.
The long tail of the different types of threat intelligence sources is an interesting one. Crowd-sourced, open source, blogs, online forums and others all rank pretty consistently as sources of information. Whilst the depth of information varies between sources, the biggest challenge some practitioners reported was the manual effort needed to extract relevant information and import it into their workflows.
Reflecting the fact that participants rely on homegrown processes and sources, it is not surprising to find that the same group is unlikely to use open standards, with 59% claiming not to use STIX, TAXII, CyBOX or OpenIoC. Of the open standards, STIX appears to have the edge at 22.1% amongst those that use them.
Using Threat Intelligence
Gathering threat intelligence is only half the job. The real value emerges in how threat intelligence is actually being utilized.
The majority of participants utilize threat intelligence data for either security monitoring or incident response. Monitoring also includes using indicators of compromise (IOCs) to go ‘threat hunting’ and seek out malicious activity that may already be occurring within the environment.
39% use threat intelligence for active controls. That is, they use threat data to automatically configure security devices to block malicious activity. While this approach lessens the manual effort required considerably, many enterprises either struggle to integrate a reliable workflow with security devices or are reluctant to fully automate out of fear of blocking legitimate activity as the result of a false positive.
As a result, we’ve seen many organizations automate for less complex changes where intelligence is reliable and the impact of false positives is low.
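The split described above, between monitoring (match an indicator, raise an alert for an analyst) and active controls (match an indicator, block automatically), comes down to a policy decision per indicator. The script below is an added example, not code from the original report or from any respondent: it applies a small indicator feed to log events and auto-blocks only narrow, high-confidence indicators, sending everything else (a whole /24, a domain, lower-confidence data) to an alert queue. The feed, the log lines, the key=value log format and the confidence threshold are all constructed assumptions for illustration.

```python
"""Added example: applying a small IOC feed to log events with a policy that
separates 'alert' (monitoring / hunting) from 'block' (active control).
The feed, log lines and thresholds below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators: type, value, confidence (0-100), source.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 95, "source": "paid-feed"},
    {"type": "domain", "value": "update-check.example", "confidence": 80, "source": "peer-community"},
    {"type": "cidr", "value": "198.51.100.0/24", "confidence": 90, "source": "internal"},
    {"type": "sha256", "value": "e3b0c442" + "0" * 56, "confidence": 60, "source": "blog"},
]

# Constructed proxy/firewall log lines in a simple key=value format (assumption).
LOGS = [
    "ts=2015-08-05T10:00:01Z src=10.0.0.5 dst=203.0.113.7 host=- action=allow",
    "ts=2015-08-05T10:00:02Z src=10.0.0.9 dst=93.184.216.34 host=update-check.example action=allow",
    "ts=2015-08-05T10:00:03Z src=10.0.0.9 dst=198.51.100.23 host=- action=allow",
    "ts=2015-08-05T10:00:04Z src=10.0.0.2 dst=93.184.216.34 host=www.example.com action=allow",
]

# Policy (assumption): automate only narrow, high-confidence, low-blast-radius
# indicators. A /24 or a domain can cut off legitimate traffic on a false
# positive, so those only ever alert.
AUTO_BLOCK_MIN_CONFIDENCE = 90
AUTO_BLOCK_TYPES = {"ipv4"}


@dataclass
class Hit:
    line: str
    indicator: dict
    action: str  # "block" or "alert"


def parse_kv(line):
    """Split a key=value log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def indicator_matches(ind, fields):
    """Return True if this indicator applies to the parsed log fields."""
    kind, value = ind["type"], ind["value"]
    if kind == "ipv4":
        return fields.get("dst") == value
    if kind == "cidr":
        dst = fields.get("dst")
        try:
            return dst is not None and ipaddress.ip_address(dst) in ipaddress.ip_network(value)
        except ValueError:
            return False
    if kind == "domain":
        host = fields.get("host", "-")
        return host == value or host.endswith("." + value)
    return False  # file hashes do not apply to network logs


def decide_action(ind):
    """Block only if the indicator type and confidence both clear the bar."""
    if ind["type"] in AUTO_BLOCK_TYPES and ind["confidence"] >= AUTO_BLOCK_MIN_CONFIDENCE:
        return "block"
    return "alert"


def scan(logs, feed):
    """Match every log line against every indicator and attach an action."""
    hits = []
    for line in logs:
        fields = parse_kv(line)
        for ind in feed:
            if indicator_matches(ind, fields):
                hits.append(Hit(line, ind, decide_action(ind)))
    return hits


if __name__ == "__main__":
    for h in scan(LOGS, FEED):
        print(f'{h.action.upper():5} {h.indicator["type"]}={h.indicator["value"]} '
              f'({h.indicator["confidence"]}%, {h.indicator["source"]}) <- {h.line}')
```

Run as a script it prints one line per hit: the exact C2 address is blocked, while the /24 and the domain match only produce alerts even though the /24 carries high confidence. Raising `AUTO_BLOCK_MIN_CONFIDENCE` or widening `AUTO_BLOCK_TYPES` is the knob an organisation turns as it gains trust in a feed.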
Sharing Threat Data
One of the key aspects of threat intelligence is that its vitality and robustness increase with the number of contributors. The more varied the sources that contribute towards a feed, the more it can be refined and made useful. Threat intelligence is one of the few markets where providers do not displace one another – each contributor provides different data that adds to the overall feed.
While most people we spoke with agreed that sharing threat intelligence benefits everyone, the results showed that most organisations still keep threat intelligence to themselves. Of those who do share threat intelligence, the vast majority will share only amongst a trusted peer community (49.3%) or only internally (34.3%).
A number of participants indicated that one of the underlying challenges they faced was how to share threat intelligence data amongst multiple peers in a consistent manner. Many professionals stated they had developed their own homegrown solutions to help pull in data, analyze it and make decisions – often by combining several different applications. While this may work well for individuals, it doesn’t scale well and, as a result, most respondents resorted to spreadsheets and plain text emails to share data with peers.
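The spreadsheet-and-email problem above is exactly what the open standards mentioned earlier (STIX in particular) exist to solve: a peer should be able to ingest indicators without re-parsing someone else's ad-hoc text. The script below is an added example, not from the original report or any respondent. It converts a constructed spreadsheet export of indicators into a STIX 2.1 bundle using only the Python standard library, and reads the indicators back the way a consumer would. Note that STIX 2.1 is the current JSON form of the standard and post-dates this survey (in 2015 STIX was XML); the CSV columns, the three supported indicator types and the sample values are assumptions for illustration.

```python
"""Added example: turning a homegrown spreadsheet-style indicator list into a
STIX 2.1 bundle that peers can ingest consistently. Standard library only.
The CSV export and indicator values are constructed for illustration."""
import csv
import io
import json
import uuid

# Constructed export from a shared spreadsheet: one indicator per row.
HOMEGROWN_CSV = """type,value,confidence,first_seen,note
ipv4,203.0.113.7,95,2015-08-05,C2 for dropper seen in phishing wave
domain,update-check.example,80,2015-08-04,stage-2 download host
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,60,2015-08-01,unsigned installer
"""

# STIX pattern templates (assumption: only these three observable types are exported).
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def to_stix_timestamp(date):
    """STIX timestamps are RFC 3339 in UTC with millisecond precision."""
    return f"{date}T00:00:00.000Z"


def row_to_indicator(row, created):
    """Build one STIX 2.1 Indicator object from a spreadsheet row."""
    kind = row["type"]
    if kind not in PATTERNS:
        raise ValueError(f"unsupported indicator type: {kind}")
    value = row["value"].replace("'", "\\'")  # escape quotes inside a STIX string literal
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": row["note"],
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=value),
        "pattern_type": "stix",
        "valid_from": to_stix_timestamp(row["first_seen"]),
        "confidence": int(row["confidence"]),  # STIX 2.1 confidence is an integer 0-100
    }


def csv_to_bundle(text, created="2015-08-05T12:00:00.000Z"):
    """Producer side: wrap every row's indicator in a STIX bundle."""
    rows = csv.DictReader(io.StringIO(text))
    objects = [row_to_indicator(r, created) for r in rows]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_to_json(bundle):
    """Serialize the bundle as it would be sent to a peer or a TAXII server."""
    return json.dumps(bundle, indent=2)


def indicators_from_bundle(bundle_or_json):
    """Consumer side: pull (pattern, confidence) pairs back out of a bundle."""
    bundle = json.loads(bundle_or_json) if isinstance(bundle_or_json, str) else bundle_or_json
    return [(o["pattern"], o.get("confidence"))
            for o in bundle["objects"] if o.get("type") == "indicator"]


if __name__ == "__main__":
    doc = bundle_to_json(csv_to_bundle(HOMEGROWN_CSV))
    print(doc)
    for pattern, confidence in indicators_from_bundle(doc):
        print(confidence, pattern)
```

The point of the round trip is the consumer half: a peer receiving this bundle gets a stable object type, a machine-parseable pattern and a numeric confidence, rather than having to guess which column of a spreadsheet holds the indicator. Anything the spreadsheet cannot express (an unknown type) fails loudly at conversion time instead of silently producing a malformed pattern.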
Spoils of Cyber-War
In light of the Ashley Madison breach, where hackers released the membership database, security professionals were split in their opinions as to whether or not the data should or could be used.
23.2% believed the data should be treated in the same manner as any stolen property and that no-one should have the right to use it. 21.8% of participants were of the opinion that, although the data should not be classified as public, security professionals should have the right to use it for research purposes and to improve defenses. Whilst some would argue this sounds like a case of having your cake and eating it too, supporters of this stance claim that the ‘bad guys’ will be analyzing the data anyway, so not doing so would put security professionals at a disadvantage.
The largest group of participants (28.7%) stated no opinion, indicating that this is a tricky topic that is far from resolved and that will undoubtedly remain at the center of many a debate to come.
The Internet of Vulnerability Disclosures
Rightly or wrongly, there seems to be a race by manufacturers of nearly every kind of device to include the ability to connect to the internet. As history has proven, the security of such devices is more often than not a low priority, which has resulted in these devices being exploitable.
This becomes particularly concerning in cases where the exploitation of an internet connected device can result in life-threatening situations such as an external entity being able to tamper with, for example, auto-targeting functions on sniper rifles, or the operational features of cars and even airplanes.
One of the biggest challenges that security researchers face when such vulnerabilities are discovered is the lack of response they get from manufacturers to fix these issues. As such, many resort to alternative disclosure mechanisms in order to prove that these vulnerabilities exist outside of a lab environment, and pose real dangers to consumers.
The largest group of participants (35.8%) agreed that proving the vulnerability with willing participants in a private space was the best course of action. After that, it was a fairly even split between proving the vulnerability on a live system without live participants, proving it in a public space, disclosing details to the media, or disclosing details in a talk at a conference.
Conclusions
Security vulnerabilities and their exploitation have evolved rapidly and become much more widespread over the last few years. Whilst exploits are having an impact on daily life, or have at least risen in profile amongst the general public, security professionals are at odds as to the best way to collaborate to prevent breaches and how to react in the aftermath of one.
Vulnerability disclosure processes need to be ratified within the industry. There are only so many public demonstrations that will be taken seriously before fatigue sets in and the window of opportunity to influence change is lost.
Threat intelligence is not a new discipline, and while virtually every company claims to utilize it to some degree or another, there is no uniformity yet in how it is gathered, shared or applied. By adopting a collaborative approach to threat intelligence and vulnerability disclosure, companies and professionals can take advantage of the many benefits that a combined security ecosystem can provide.