Implementing Improved SOC Processes I
Facebook Twitter LinkedIn

Implementing Improved SOC Processes I

Combined Session
Wednesday, October 09, 2019 13:00—14:30
Location: Holeman Lounge

The (r)Evolution of Cyber Threat Information Sharing: Past, Present, and Future

The sharing of cyber threat information can be traced back to the response to the Morris worm in 1988. We will discuss the history of cyber threat information sharing and give an overview of where we stand today. Recognizing a sense of disillusionment with today’s landscape, we will provide a vision of what the future of cyber situational awareness and defense can look like, and how cyber threat information sharing can help us get there.

In November 1988, the Morris worm opened the world's eyes to cyber threats. Shortly after, Carnegie Mellon University started up the Computer Emergency Response Team Coordination Center (CERT/CC), the Department of Energy formed the Computer Incident Advisory Capability (CIAC), and many others did the same. By 1990, it was clear that communication and collaboration across teams would be needed and the Forum of Incident Response and Security Teams (FIRST) was formed to respond to this need[1]. Fast forward to the early 2000s and the idea of automated sharing of cyber threat information began with such early examples as: the Argonne National Laboratory's Cyber Fed Model (grassroots effort that began in 2004) and the Research and Education Networks Information Sharing and Analysis Center's Security Event System. Fast forward again, to the present, and these platforms have grown, new ones have gained the spotlight, standard representations such as Structured Threat Information Expression (STIXTM) and Trusted Automated Exchange of Intelligence Information (TAXIITM) have gained traction, and cyber threat information sharing has become a hot topic. But, despite the growth and advancement, the World Economic Forum, at their 2018 Annual Meeting in Davos, Switzerland, declared that "Currently, information sharing is not living up to expectations."[2]

This presentation will start with an overview of the cyber threat information sharing landscape. This will include a brief history, an overview of different approaches (e.g. manual vs. automated; indicators vs. intelligence), and a discussion of associated pros, cons, and challenges. These current approaches and associated challenges will be used to illustrate the view that the movement is "not living up to expectations." 

Having laid the groundwork, the presentation will focus on the future of cyber threat information sharing; namely, that the current focus on information sharing needs to shift. The focus should not be on information sharing as an end goal, but rather the use of information sharing as a foundational capability that can be leveraged for improved cyber situational awareness and more rapid cyber defense. Automated information sharing involves machine-to-machine connections and trust relationships that can be leveraged for orchestration beyond the simple sharing of atomic pieces of cyber threat information.

By passing queries (i.e. requests for information) information sharing can become a foundational capability used by cyber analysts to simplify the processes used in the research, disposition, and response to anomalous events. Combining this distributed query model with automation and orchestration will expand the datasets available and reduce the time to collect context used by analysts in disposition of an event or finding. This same infrastructure then becomes the foundational capability to orchestrate the defensive response to a given threat. 

Moving cyber threat information sharing from a "publish" model to a "research" model may require more revolution than evolution but will empower analysts to tackle more complex research. By orchestrating and automating pieces of the single-event analysis process, analysts can be freed up to start shifting to a campaign- or adversary-focus. A single-event response may result in a fast-paced game of whack-a-mole with an adversary rapidly moving from one piece of their infrastructure to another. But a campaign- or adversary-focused response will consider the behaviors and motivations behind the attack and look at the multi-step (and therefore multi-event) processes used. With a more comprehensive understanding of the threat and the availability of automation and orchestration capabilities, analysts will be able to disrupt the adversary in ways that will cost significantly more time and effort to work around than today's typical response of blocking an atomic indicator. 

This shift of focus does not mean that cyber threat information sharing is no longer important. Nor does the automation and orchestration mean that analysts are removed from the picture. But, by focusing on the end goals of improved situational awareness and orchestrated defense, we can recognize that information sharing needs to be treated not as a solution on its own, but rather as a foundational capability that leads to an improved end state.

The (r)Evolution of Cyber Threat Information Sharing: Past, Present, and Future
Presentation deck
The (r)Evolution of Cyber Threat Information Sharing: Past, Present, and Future
Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.
Dan Harkness
Dan Harkness
Argonne National Laboratory
Dan Harkness leads the Cyber Operations Research & Situational Awareness (CORSA) group at Argonne National Laboratory and is a senior member of the DOE Cyber Fed Model (CFM) program. Dan leads...

Save the Threat Intelligence-based Workflow, Save the Cyber Analyst

Save the Threat Intelligence-based Workflow, Save the Cyber Analyst
Presentation deck
Save the Threat Intelligence-based Workflow, Save the Cyber Analyst
Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.
Katie Kusjanovic
Katie Kusjanovic
EclecticIQ
Katie Kusjanovic is a Senior Solutions Engineer for Eclectic IQ North America. Her primary roles include conducting demonstrations of Threat Intelligence Platform and Intelligence Feed technologies...

What Really Means Actionable Threat Intelligence Today?

What Really Means Actionable Threat Intelligence Today?
Presentation deck
What Really Means Actionable Threat Intelligence Today?
Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.
David Bizeul
David Bizeul
SEKOIA
David has 20 year's experience in the security industry working a variety of positions. He has published different whitepapers on the evolution of security, released several reports on Threat...

Tickets

CyberNext Summit & Borderless Cyber
€700
€1000
 
All days: Oct
Two day ticket
€550
€750
 
Day 1 + Day 2
€550
€750
 
Day 2 + Day 3
€550
€750
 
Day 1 + Day 3
€550
€750
 
One day ticket
€300
€500
 
Day 1
€300
€500
 
Oct
Day 2
€300
€500
 
Oct
Day 3
€300
€500
 
Oct
CyberNext Summit & Borderless Cyber - Gov. rate
€360
 
Government rate, All days: Oct
Two day ticket - Gov. rate
€295
 
Day 1 + Day 2
€295
 
Day 2 + Day 3
€295
 
Day 1 + Day 3
€295
 
One day ticket - Gov. rate
€230
 
Day 1
€230
 
Oct
Day 2
€230
 
Oct
Day 3
€230
 
Oct
Have you participated in our events?
Contact us to get a special discount
Subscribe for updates
Please provide your email address