Q&A: How the Cyber Threat Alliance solved threat intelligence sharing

Threat intelligence sharing has never been an easy task, but the companies behind the Cyber Threat Alliance believe they've finally found the right approach.

The organization, which was founded in 2014 by Palo Alto Networks, Intel Security, Fortinet and Symantec, was designed to collect and share high-level threat intelligence amongst the leading vendors in cybersecurity. Originally, the group's members engaged in collecting and sharing malware code samples. But according to Rick Howard, chief security officer at Palo Alto Networks, the Cyber Threat Alliance evolved and drastically changed its approach for the better.

Howard spoke with SearchSecurity at RSA Conference 2017, where the Cyber Threat Alliance announced its formal incorporation as a nonprofit organization, as well as the addition of Cisco and Check Point Software Technologies as founding members. He talked about his own role with the organization, the challenges of traditional threat intelligence sharing and how the Cyber Threat Alliance ultimately overcame those challenges. Here is part one of the conversation with Howard.

Going back to the beginning, how did the Cyber Threat Alliance come together?

Rick Howard

Rick Howard: It started about two years ago. My boss, [Palo Alto Networks CEO] Mark McLaughlin, started talking to the three other original founding CEOs. There are four of us: Palo Alto, Symantec, Fortinet and Intel Security. They talked about why the security vendor community was only vertical and why it hasn't really learned how to share threat intelligence. All the other industries do it. You have fierce competitors, but they've figured it out; how come we can't?
 
The reason is we don't want to give intelligence -- we want to sell it. They all agreed that that's the wrong way to think about the problem. So, we pretty much all have the same intelligence anyway; we have pockets of niche stuff, but as a gross overstatement, it's all about the same anyway. So, why don't we share it to make sure we have the same and compete on product instead? What an interesting idea that would be.
 
They got together with a handshake and an NDA [nondisclosure agreement]; nobody was dedicating any resources to this. It was all part-time, evening and weekend work. We had to figure out some stuff. We had to figure out how to trust each other like every information-sharing group. And I do know the secret sauce for that.
 
What's the secret sauce?
 
Howard: It's not that great a secret. It's really about getting in a room many times and drinking beer together. That's it. Again, it's not much of a secret. And we did that for a while, and we looked at how the ISACs [information sharing and analysis centers] work. We noticed a couple of things. They do threat intelligence sharing really well, but you have two big problems.
 
The first problem is -- let's just take the financial sector ISAC as an example -- not everybody shares. It's just the big guys that share because they have resources. They have people, money and they spend time on it. The other 500 members, like the two-man credit unions, consume the information. It's all they do. As a rule for the Cyber Threat Alliance, you had to share, and we made it a minimum requirement.

The first requirement was 1,000 pieces of unique malicious code a day. And we measure it; I get a report in my inbox every day that may say, for example, 'Palo Alto Networks today didn't meet the threshold.' Phone calls are made, we yell at each other because we're competitors and we fix it for the next day. We've been doing that for about a year and a half now.
 
The second problem that the ISACs have is something I call crossing the last mile. Even if you do receive the intelligence, somebody in your staff has to read the report, decide that it's important to them, decide what to do about it, and then they have to do it. That takes time. Most organizations never get around to doing all that, and if they do, it takes them days or weeks or months. And so the adversaries hit them 1,000 times before they get around to doing it. They have no way to automatically cross the last mile.

How do you solve that?
 
Howard: Because we're security vendors, we can already automatically update our own products. At Palo Alto Networks, we can take a new indicator of compromise, convert it into multiple prevention controls down the kill chain, and distribute it to 36,000 customers around the world in five minutes. That's an amazing capability.

All the other vendors have something similar and can do similar things. We all can automatically cross the last mile if we pool resources. And, by the way, we brought our four additional members [in 2015]: Zscaler, Barracuda Networks, Telefonica and ReversingLabs. And we had to cap it. We didn't have enough resources to bring in more.
 
The way it was set up, could you only have a certain number of member companies for the Cyber Threat Alliance early on?
 

It sounds impressive that we're sharing 1,000 pieces of malicious code with seven other vendors every day. The problem was, at Palo Alto Networks, we collect 20 million samples a week.

Howard: No, but every new member you brought on brought more work. So, we had to say let's stop until we get our act together. And we've gone on to do this for a while, and we brief the CEOs every quarter about the status. They called us in last summer and they said, 'What are we going to do with this stuff? Is it just going to be a marketing thing, or are we actually going do something important?'

It sounds impressive that we're sharing 1,000 pieces of malicious code with seven other vendors every day. The problem was, at Palo Alto Networks, we collect 20 million samples a week; sharing 1,000 a day is not moving the needle. So, they asked us what we were going to do with this.
 
This is what we told them. We want to share malicious code, but more importantly, we want to share adversary playbooks. What I mean by a playbook is this: Two football teams come together to play. The coaches bring in an offensive playbook and a defensive playbook with plays they have practiced over and over again to run against the other team. In the network defender community, we are familiar with defensive playbooks. A breach happens, you pull the notebook, and it says, 'OK, do this, and this and this.' We know how to do that.

Cyber adversaries have offensive playbooks. We know that they don't reinvent the tool set every time they attack a new victim. They just reuse the same stuff. We know they run the same playbooks over and over again until we figure out how to stop them; then, they have to invent something new. We want to share adversary playbooks with each other in the Cyber Threat Alliance.
 
How many playbooks are there?
 
Howard: These are playbooks, not attacks. There's a gazillion attacks, but when the adversary comes to work in the morning, he pulls his notebook off the shelf and says, 'OK, step one, step two, step three ...' So, how many playbooks are there that are running on the internet on any given day? Want to guess? Do you think it's big or small?
 
I would say it's probably small because they're probably copying one another.
 
Howard: In my job, I get to go around and talk to a lot of different people, and I've been asking this question for two years. Everybody has an opinion. If you talk to governments and cyberintelligence people -- and I've talked to the U.S., U.K., Japan, Singapore and Australia -- they think it's small, less than 100.

If you talk to normal people, like me, they think it's bigger -- like 10,000 or 20,000 playbooks. Here's the point: It's not a million, and it's not even 100,000. It's about 5,000. If we wanted to, we could put all the playbooks in a spreadsheet and pass it around.
 
That's what we told the CEOs; we want to share changes to every known adversary playbook, every day in real time. And if we get enough vendors in the alliance -- and I think that number is also small, maybe less than 50 -- every organization on the planet that connects to the internet will have at least one of us in their networks, and probably multiple members, receiving real-time updates to every known playbook in existence. That's a game changer.

What happened when you pitched this?

Howard: I'm briefing the CEOs. I've got my Superman cape on, and I'm doing the 'I'm going to save the internet' speech. They said, 'Hold on. Why don't you guys see if you can do one playbook and see if we can collectively protect our customers better than we have been doing by ourselves?'

Remember, we're doing this part-time. So, we went after CryptoWall 3.0 ransomware. We put our four best analysts on from the four companies, and we killed this research. We knocked it out of the park. We told all our customers about the playbook, and we told governments, agencies like Interpol, and all those kind of people. And then we published a white paper, because that's what security vendors do [laughs]. We publish white papers all the time.

What do you think the adversaries did the day after we published that white paper? They went to CryptoWall 4. Now, we didn't make them go. They were ready to go, but we bumped them. That's the point. We wanted to make them react to what we were doing, as opposed to the other way around. And truth be told, the adversaries running CryptoWall 4 abandoned the platform two months later because it wasn't ready for prime time. They had to do something else.

We're going take credit for CrypoWall 3 and 4. More importantly, we convinced the CEOs to invest in Cyber Threat Alliance. They all put money in to form a nonprofit, and we convinced two more big companies -- Checkpoint and Cisco -- to come in this year. We hired a president to run it -- Michael Daniel, the former cyber czar for President George W. Bush. We rolled out the new platform for sharing adversary playbooks earlier this year, and all the alliance members that are in it already, we are sharing adversary playbooks right now.