Despite the long-touted benefits of information sharing in security and intelligence, the practice isn’t as widely adopted as it should be. Often citing concerns over trust, many organizations remain largely siloed in how and with whom they share information.
However, a recent use case addresses these concerns and makes what is perhaps the strongest argument to-date in support of information sharing. It also sheds light on how to do so effectively. Indeed, I’m talking about the collaborative takedown of the WireX botnet.
Ever since the news broke in late August that researchers from Akamai, Cloudflare, Flashpoint, RiskIQ, and others teamed up to neutralize the botnet, they’ve received no shortage of well-deserved recognition — and not just for tackling WireX. What’s perhaps most impressive is that their joint effort transcended boundaries that have long hindered the efficacity of information sharing in security and intelligence.
Regardless of the extent to which your organization shares information, there’s a lot we can all learn from the WireX takedown. Here are my key takeaways:
Strive for diversity
Most information sharing in security and intelligence occurs within well-established groups — many of which are segmented by industry or business function. I have witnessed firsthand just how beneficial these groups can be for helping security and intelligence teams detect threats and indicators specific to their function or their organization’s industry.
In some situations, however, the highly-segmented structure of such groups tends to exacerbate a separate issue altogether: the fact that many organizations view information sharing as a “checkbox” item rather than a necessity. Especially for those new to information sharing and/or concerned with trust and privacy, membership in a group comprising familiar, like-minded members can easily seem like a “one and done” solution.
But when it comes to matters of security and intelligence, I’m confident we can all agree that “one and done” doesn’t really exist. While industry- and function-specific groups can and should play a role in our overall security and intelligence strategies, it’s crucial to recognize that the information shared within these groups tends to be limited to that which pertains to its respective industry or function.
In other words, if we want to become better-equipped to address the full spectrum of complex threats facing our organizations, we should do as the WireX researchers did: seek greater diversity in our data, insights, and in the experts with whom we collaborate.
Indeed, the team of researchers that led the WireX takedown spans several industries — not to mention their professional backgrounds, specialties, and functions at their respective organizations are just as varied. In addition to contributing unique perspectives and insights, each researcher also had access to their organization’s tools and data. It wasn’t until the researchers pooled these diverse insights and data that they were able to combat the botnet.
Establish relevant objectives
As I mentioned above, information sharing is considered a “checkbox” item for far too many organizations. In other words, organizations shouldn’t share information to share information, they should share information to protect their customers, to combat fraud, to prevent insider threats, to mature their in-house capabilities, to make the world a safer place — or any other objective(s) they deem relevant, important, and relatively attainable.
And while past events should never serve as indicators of future occurrences, they can and should inform our information sharing strategies and objectives.
“This trust group was formed immediately following the initial massive attacks that originated from Mirai..This group of researchers was also instrumental during the initial triage of WannaCry, NotPetya, and other events since Mirai,” commented Justin Paine, WireX researcher and Cloudflare Head of Trust & Safety.
Not only did the WireX researchers’ collaboration in the aftermath of previous attacks help shape their approach to WireX, it fueled their motivation to neutralize the botnet and halt a series of ongoing DDoS attacks. Regardless of an organization’s objectives, information sharing is most effective when conducted in support of those objectives.
Share information that is timely, contextual, and actionable
My last key takeaway — though it should come as no surprise — is by far the most crucial. The most valuable information sharing initiatives tend to be rooted not in raw data but in information and/or intelligence that is timely, contextual, and actionable. Just as I’ve written previously, raw data in and of itself is useless. For data to be actionable, it requires context. And in order to establish context, we need to have a comprehensive understanding of — as I mentioned above — the specific objective the data will address.
In the case of WireX, the researchers were not simply exchanging raw datasets in hopes that someone, somehow would figure out a way to derive something useful from their activities. Instead, they allowed their observations around a volumetric DDoS attack to establish their objective, direct their research, and add much-needed context to their data. It wasn’t until they pooled this data and the context around it that they were able to unite around their common objective and eventually tackle the botnet.
In the words of Allison Nixon, Flashpoint’s Director of Security Research:
“This was more than just a malware analysis report. The working group was able to connect the dots from the victim to the attacker. The group also used the information to better mitigate the attack and dismantle the botnet — and this was completed very quickly.”
Above all else, it’s important to recognize that information sharing is yet another common practice in security and intelligence that can provide immense value. The challenge is, attaining that value isn’t always simple, fast, or easy. And while there is no “one size fits all” solution, the most effective information sharing initiatives are built on diverse insights, perspectives, and expertise, purposeful objectives and goals, and information that is timely, contextual, and actionable.