While there's no vaccine against malware, taking the right preventative measures can have a similar effect. In healthcare, herd immunity means "when a critical portion of a community is immunized against a contagious disease, most members of the community are protected against that disease because there is little opportunity for an outbreak."[1] Herd immunity can also apply in security, often around anti-malware solutions. For example, if the majority of endpoints in your network have anti-malware agents installed, the remainder are still somewhat protected. Odds are, the protected endpoints will detect suspicious activity that's also seen on the unprotected ones.
The same philosophy can apply to threat intelligence. A community working together to share threat intelligence has greater immunity against attackers. How? Because attackers often use the same tactics against multiple targets, especially against targets that are related by industry, location, etc. When an attack is discovered by one member of the community and shared, others are forewarned and can take steps to protect themselves. The 2017 Verizon Data Breach Investigations Report likens threat intelligence sharing to a vaccine, "immunizing systems and organizations from known and suspected ransomware attacks, before they can cause lasting damage."
Operation Payback is a great example of why this is needed. This DDoS attack against banks and payment card companies wasn't done for profit—it was in retaliation for blocking funding for WikiLeaks. It used a botnet made up of volunteers to enact the denial of service attack. DDoS using a botnet was hardly a new concept, but the group of hacktivists working together was unusual. The attackers were working together, but the targeted businesses weren't, which led to the attack being successful over five consecutive days in December 2010.
How could sharing have helped? The botnet wasn't changing much other than the websites targeted each day. If the first bank attacked could have shared details with other organizations in the industry, those attacked further down the line could have put up better defenses, such as blocking the IP addresses used in the attack.
Organizations were sharing then, either through unofficial get-togethers of security personnel or via Information Sharing and Analysis Centers (ISACs), but this data wasn't shared frequently enough or in a way that was easily actionable. For example, it might have come as a very long XML message that wasn't anyone's top priority.
Sharing needs to be both faster and easier, which is why ServiceNow introduces Trusted Security Circles as part of ServiceNow® Security Operations. When a security analyst sees suspicious activity, they can share the associated observables, along with a description that provides context, to one or more circles of other Security Operations customers. Circles can be defined by industry or be a private group of organizations with a common feature. A global circle of all participants is also an option for sharing.
When the shared observables are received by other ServiceNow instances, an automatic sightings search determines how many times the observable exists in each environment, and that number is reported back to the original requestor. This data can help the requestor determine if the observables might be part of an attack.
Figure: The requestor shares observables with other members of Circle A and receives responses in the form of sightings counts.
For other circle participants, this can also serve as an early warning. Set an observable threshold, and if that number is exceeded in an automated sightings search, a security incident containing the observables and context provided by the original requestor will automatically be created.
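The sharing, sightings-count and threshold flow described above, modelled as an added example (this is illustrative code written for this post, not ServiceNow's implementation; member names, log entries and observable values are constructed):

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: each circle member holds its own local event log
# (e.g. firewall or proxy records). Names and addresses are made up.
MEMBER_LOGS = {
    "bank-a": [
        {"src_ip": "203.0.113.10", "dst": "www.bank-a.example"},
        {"src_ip": "203.0.113.10", "dst": "www.bank-a.example"},
        {"src_ip": "198.51.100.7", "dst": "www.bank-a.example"},
    ],
    "bank-b": [
        {"src_ip": "203.0.113.10", "dst": "www.bank-b.example"},
        {"src_ip": "192.0.2.44", "dst": "www.bank-b.example"},
    ],
    "bank-c": [
        {"src_ip": "192.0.2.44", "dst": "www.bank-c.example"},
    ],
}


@dataclass
class SharedObservables:
    """What a requestor posts to a circle: observables plus context."""
    requestor: str
    description: str
    observables: frozenset[str]


def sightings_search(log: list[dict], observables: frozenset[str]) -> int:
    """Count local log entries in which any field matches a shared observable."""
    return sum(1 for entry in log if any(v in observables for v in entry.values()))


def share_to_circle(shared: SharedObservables, members: dict, threshold: int):
    """Fan the shared observables out to every other circle member, collect each
    member's sightings count for the requestor, and create an early-warning
    incident for any member whose count exceeds its threshold."""
    counts, incidents = {}, []
    for name, log in members.items():
        if name == shared.requestor:
            continue  # the requestor already knows its own sightings
        n = sightings_search(log, shared.observables)
        counts[name] = n  # reported back to the original requestor
        if n > threshold:
            incidents.append({"member": name, "sightings": n,
                              "observables": sorted(shared.observables),
                              "context": shared.description})
    return counts, incidents
```

A member with a threshold of 0 gets an incident on the first sighting, while a higher threshold trades early warning for fewer false alarms.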
Sharing threat intelligence in real time helps level the playing field. Attackers are collaborating, sharing tools and botnets, so collaboration for defense is the natural progression. Or, to put it more succinctly, "The bad guys are sharing—why aren't you?"
To learn more about ServiceNow Trusted Security Circles, read the whitepaper or visit www.servicenow.com/sec-ops.
Come see a live demo of Trusted Security Circles at Black Hat in Las Vegas July 26th and 27th. Just follow the signs to Booth 666. Rich Reybok, our Sr. Director of R&D for Security will present "How Threat Intelligence Sharing, Automation & Orchestration Wins the War Against Attackers" on Thursday, July 27th in Oceanside F at the Mandalay Convention Center.
[1] U.S. Department of Health & Human Services