The Cyber Threat Alliance, a group of 14 top security vendors sharing threat information daily, sounds about as likely as a friendship between a kitten and a shark. Security professionals typically have trust issues. And their companies compete against each other in a lucrative market that is expected to grow to $96.3 billion in 2018.
“We all recognize to a large degree the attackers are collaborating,” said Vincent Weafer, VP of McAfee Labs. “So the question is: why aren’t we doing the same thing?”
“To be honest, there wasn’t a ton of buy-in at first,” said Derek Manky, global security strategist at Fortinet. “It took a ton of conference calls with these founding four. Show me what you have, I’ll show you what I have — that’s a very uncommon thing.”
But they realized they weren’t going to beat the baddies on their own. Plus, their customers typically use several security products from multiple vendors.
“At the end of the day, all of these customers are essentially mutual customers, and it’s our job to protect them,” said Matt Watchinski, the senior director who oversees Cisco Talos. “The better we can share data, the better we can protect our mutual customers.”
The member companies often see threats at different points on the network, Weafer added. “What I see as an endpoint system is very different than a gateway. There’s still a lot of space for us to be unique in this market as a company. But what we see and how we see it and how we risk rate — this is something where we are all better off if we share it.”
Information sharing is central to the CTA, and it is what differentiates the group from traditional Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs), said CTA President Michael Daniel. Prior to joining the CTA, he served as special assistant to President Obama and cybersecurity coordinator on the National Security Council.
Traditional threat sharing groups usually have low participation rates. They also don’t share information on a real-time basis or provide context. The CTA, on the other hand, requires members to submit a daily minimum. It uses a scoring algorithm to reward quantity, quality, and speed of submission.
“We say you have to submit on average 10,000 points worth of intelligence per day,” Daniel said. “We weigh context and timeliness very highly. Don’t just tell me this is a bad binary, tell me what malware family it’s part of, what stage in the kill chain you think this belongs to, do you think this is a criminal or a nation state?”
Watchinski calls the daily threat intelligence requirement the “this is how tall you have to be to ride the ride requirement.” It prevents freeloaders, he said. “It makes sure the members have some unique visibility or something that’s useful to the rest of the members, so they aren’t getting any special benefit without bringing data in.”
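To make the scoring idea concrete, here is an added illustration (not the CTA’s own algorithm, which the article does not describe beyond the 10,000-point daily average and the emphasis on context and timeliness). Every weight, the linear timeliness decay, the context field names and the sample submissions below are assumptions constructed for this example; the point it shows is that a bare indicator earns little, the same indicator with malware family, kill-chain stage and attribution attached earns several times more, and stale submissions are discounted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# All weights below are assumptions made for this illustration; the article gives
# only the 10,000-point daily average and says context and timeliness weigh heavily.
BASE_POINTS = 10            # a bare indicator: "this is a bad binary"
CONTEXT_POINTS = {          # bonus per context field the submitter fills in
    "malware_family": 15,
    "kill_chain_stage": 15,
    "actor_type": 10,       # e.g. "criminal" or "nation-state"
}
DAILY_MINIMUM = 10_000      # figure quoted in the article


@dataclass
class Submission:
    """One shared indicator plus whatever context the submitter attached."""
    indicator: str
    observed_at: datetime
    submitted_at: datetime
    context: dict = field(default_factory=dict)


def timeliness_multiplier(observed_at: datetime, submitted_at: datetime) -> float:
    """Linear decay from 2.0 (shared immediately) to a floor of 0.5 at 48 hours."""
    age_hours = max(0.0, (submitted_at - observed_at).total_seconds() / 3600)
    return max(0.5, 2.0 - 1.5 * age_hours / 48)


def context_points(context: dict) -> int:
    """Award points only for context fields that are present and non-empty."""
    return sum(pts for key, pts in CONTEXT_POINTS.items() if context.get(key))


def score(sub: Submission) -> float:
    """Quality (context) and speed (timeliness) multiply; quantity is the sum over submissions."""
    return (BASE_POINTS + context_points(sub.context)) * timeliness_multiplier(
        sub.observed_at, sub.submitted_at)


def daily_total(subs: list) -> float:
    return sum(score(s) for s in subs)


def meets_daily_minimum(daily_totals: list) -> bool:
    """The requirement is an average over days, not a per-day hard cutoff."""
    return bool(daily_totals) and sum(daily_totals) / len(daily_totals) >= DAILY_MINIMUM


# Constructed sample submissions (the hashes are placeholders, not real IoCs).
T0 = datetime(2017, 11, 1, 8, 0, tzinfo=timezone.utc)
SAMPLES = [
    # bare indicator, one hour old: 10 * 1.96875 = 19.6875 points
    Submission("sha256:PLACEHOLDER_A", T0, T0 + timedelta(hours=1)),
    # fully contextualised and shared immediately: (10+15+15+10) * 2.0 = 100 points
    Submission("sha256:PLACEHOLDER_B", T0, T0,
               context={"malware_family": "CryptoWall",
                        "kill_chain_stage": "delivery",
                        "actor_type": "criminal"}),
    # partial context (empty field earns nothing), three days stale: 25 * 0.5 = 12.5 points
    Submission("sha256:PLACEHOLDER_C", T0, T0 + timedelta(days=3),
               context={"malware_family": "CryptoWall", "kill_chain_stage": ""}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.indicator}: {score(s):.2f} points")
    print("day total:", daily_total(SAMPLES),
          "meets minimum:", meets_daily_minimum([daily_total(SAMPLES)]))
```

The design choice worth noting is that context and timeliness are multiplied rather than added, so a member cannot reach the threshold by flooding the platform with uncontextualised or old indicators; that is the freeloader problem the quotes above describe.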
CTA Team Wins
In 2015, the member companies published a white paper on the CryptoWall ransomware. They found that the attackers had taken in $325 million in revenue, including ransoms paid by victims to decrypt and regain access to their files. They also counted 406,887 attempted CryptoWall infections and 4,046 malware samples.
“We had uncovered so much information about them that the next day after we released the whitepaper, they stopped that CryptoWall version,” Manky said. “It was a good win to team up and make it more expensive for the attackers.”
The white paper also showed the member companies the value in working together. “We learned that everyone had some degree of unique insights,” Weafer said. “Eighty percent was probably overlapping, but that 20 percent was incredibly valuable in filling in the pieces.”
Watchinski points to the group’s response to the May WannaCry ransomware attack as another success story. “We were all on the phone; we essentially got everybody together in a virtual room to discuss what we knew about the incident and what we could do to protect our customers,” he said. “That has never happened before.”
While initial reports pegged WannaCry as an email attack, it took CTA members only a couple of hours to determine that wasn’t the case. “We had 12 of the largest cybersecurity companies on this conference call, all saying nope, we’re not seeing email as a vector, it sure as hell is another vector spreading this thing,” Daniel said.
The companies also provided this information to the U.S. government so that the Homeland Security Department could better investigate the malware attack.
The group relaunched as an independent organization with dedicated staff and a threat-sharing platform in February at RSA.
Today, the CTA has 14 member companies: Check Point Software Technologies, Cisco, Fortinet, McAfee, Palo Alto Networks, Symantec, IntSights, Rapid7, RSA, ReversingLabs, Saint Security, SK Infosec, Sophos, and Telefónica’s ElevenPaths. The group is actively recruiting new members and will likely form partnerships with other organizations in 2018, the partners say.
The CTA is also looking to better protect customers by focusing on the tactics that hackers use, rather than just the hackers themselves. “There’s a finite number of those tactics, so we’re defining what those tactics are, how they work, how we track them, and how we provide protections for each in the products that member companies create,” Watchinski said. “If we can get the attackers to incur development costs on their tools, that will slow down their ability to attack our customers.”
The goal is to shrink the time between threat detection and threat mitigation from days or weeks to just hours.
“This model really does require a lot of investment from companies,” Daniel said. “You do not just passively join CTA. But it’s got tremendous possibility to really move the needle in the cybersecurity industry.”