It seems to be all threat intelligence all the time in the tech media, so I might as well jump on the bandwagon. My pals Wendy Nather of 451 and Jamie Blasco of AlienVault recently did a webcast on the topic. Dan Raywood has a good overview of the content. Wendy does the analyst thing and categorizes the different types of threat intelligence. She points out that sharing is taking place, but more slowly than it should. Jamie then makes a compelling case for why everyone should share threat intel when possible. Shared intelligence increases the cost of compromise.
…by removing the secretive aspect, (i.e vendors keeping their threat intelligence close to their chests and monetising it – instead of making it freely available) we can force attackers to raise the bar and spend more and more money on their infrastructure, which decreases the return on investment for cyber criminals.
Attackers make crazy money leveraging their tactics. They can buy an inexpensive attack kit (with Bitcoins) and use it a zillion times. If you aren’t talking to your buddy, you don’t know what to look for. If you don’t have a list of C&C nodes or patterns of exfiltration, then when they hit you it won’t immediately raise an alarm. And you will lose.
Cento used this awesome looking sign to announce the bad news: a slight increase in drip coffee price.
(note: you can read the fine print in the original size)
By sharing information we can force attackers to change their attacks more frequently. They will need to turn over botnet nodes faster. Let’s cost them more to do business. Can we make enough difference for them to give up and stop attacking? NFW. They will still make a ton of coin, but over a long enough period this kind of information sharing can get rid of less sophisticated attackers who would make more money doing something legit – you know, like gaming search engine results.
Photo credit: “Cento’s Prices (Awesome sign)” originally uploaded by Dave Fayram
Reader interactions
One Reply to “Increasing the Cost of Compromise”
Yes, what a great idea. Sigh. Everyone should do this. Sigh.
My first thought brought me to the National Vulnerability Database. Once vulnerabilities are discovered, they are shared with the world. “Hey, here is where you are vulnerable, and where you might be attacked. But you could avoid that vulnerability if you download this patch and apply it.”
This practice works well for many organizations. When bad vulnerabilities are identified with fixes available, they race to patch quickly. Others, well, they are not paying attention so well, and leave themselves vulnerable to the attackers. Because, of course, the attackers are paying attention to where their easy wins can be found.
While sharing information is admittedly a great first step, making it a priority to listen and then act appropriately is even more important. While acting on the information is not impossible, it doesn’t happen as often as it should.
Advantage: Attacker (because they are better at listening and acting on the info…at least, for now).