How might that effort be helped if individual corporations start contributing to threat intelligence that they gathered?
If everybody is doing this, if vendors do it, white hat researchers do it, corporations do it big and small, just think if we could crowd-source all of that intelligence and stick it into prevention vehicles that we all have deployed. That’s the value of it.
So if you’re really after the indicators of compromise, would every contributor have to analyze things they detect and come up with a list of IOCs or would that be done by somebody else? I’m thinking of a business that might not have huge resources.
Maybe those guys might belong to other kinds of sharing organizations, like [information sharing and analysis centers] and maybe the alliance collects that from those organizations. They would be sort of a gathering point of all that stuff. It’s yet to be seen.
And the growth of the alliance, how has that been over the year? It started with four.
We’ve added four contributing members since then. The contributing members are Reversing Labs, Barracuda, Zscaler and Eleven Paths. We sort of put a cap on it last year while we got our act together. We had to learn how to trust each other and we had to build some infrastructure to allow efficient sharing.
Would you say you’re up to speed?
No. We had to solve a pretty big problem. I go in with my counterpart from the Alliance and brief the CEOs every quarter about the status of the Cyber Threat Alliance. They called us in June and said, 'What are we going to do with this thing? Can you guys just do a proof of concept? Can you do one adversary group? Can you just do one? We’ll give you 90 days to do it.'
We put our best analysts on it and we went after CryptoWall 3 over last summer. At the end of it we published a whitepaper, and when we published the whitepaper, the adversaries behind CryptoWall 3 moved to CryptoWall 4 the next day. Now we didn’t make them move; they were ready to move, but we bumped them, and that’s the whole idea. They probably weren’t ready to go when we did, but they used that as an excuse to go to the next version, and if we can do that in real time every day then we are making [adversaries] spend resources that they probably don’t want to spend.
What other hurdles do you face?
One of the bigger ones is how do you measure the quality of intelligence if the pool of people providing intelligence to everybody else is large? Right now we make everybody share 1,000 pieces of malicious code a day. At Palo Alto Networks we collect 20 million samples of malicious code a week, so sharing 1,000 a day with eight other vendors is not going to move the needle. If we want to share indicators of compromise for every adversary group out there, that takes a significant upgrade in capability.