One of the more pernicious and as-yet incurable diseases in security is the resistance to sharing data. Organizations large and small collect all sorts of information on attacks, vulnerabilities and threats and, for the most part, it simply sits in databases and is never of any use to anyone outside of the organization. But there’s an effort underway at the Georgia Tech Research Institute to change that through the use of a new information-gathering and analysis system called Titan.
On its face, the reluctance by enterprises, government agencies and other organizations to share attack and vulnerability data seems to make sense. If your company has just been hacked, the last thing you want to do is let the rest of the world know about it. That can be not only embarrassing but also have potential legal and regulatory ramifications, depending on what industry you’re in and what the company’s situation is. Most security teams prefer to focus on cleaning up the mess, assessing the damage and trying to repair whatever weaknesses led to the compromise. Telling other companies that the attackers got in through a two-year-old bug in your database and that they apparently came from New Zealand is not on the list of priorities.
Executives look at the headlines and see that Company XYZ was hacked, see them being shamed and ridiculed and say, “Not us. No thanks.”
But looking at the problem from a different angle can show how short-sighted that approach can be. For the most part, companies are compromised through a handful of well-known and preventable attack vectors, regardless of the industry or size of the target. Spear phishing, as old as it is, still is highly effective against even well-prepared organizations. Likewise for SQL injection, cross-site scripting and drive-by download attacks against specific, well-chosen employees. But what changes are the tools the attackers use, the net blocks they’re attacking from and the specific phishing emails and lures they’re using. The more information that security teams and IT staffs have about the details of ongoing attacks, the better chance they have of defending against them.
Private data-sharing initiatives have been ongoing for a long time now, both formally and informally. Volunteer groups and industry coalitions such as the Shadowserver Foundation, Honeynet Project and many smaller informal working groups pool data on attackers and attacks. Some of that data is made public via reports on especially bad hosting providers or the most frequently exploited platforms or bugs. But data on how specific attacks went down, what the timeline, tactics, techniques and tools were and what was stolen is much harder to come by. It’s shared over beers or in hallways at conferences, between former colleagues or through a friend of a friend. And that’s the most valuable stuff, the dirt on who stole what from whom and how.
Without that kind of data, it’s difficult for organizations to know what they’re up against and what to look for at any given time. That’s where GTRI’s Titan project will attempt to fill the void. The system is built on a collection of data on malware that is growing by about 100,000 samples a day. Participants in the project will contribute their own data on malicious code and attacks and also will be able to see what others have contributed, to glean information about ongoing attacks. The data will be anonymized so no one will know which company was compromised by which malware. Right now, the system is being used by a handful of Fortune 500 companies and government agencies, but that’s going to grow.
“We hope to provide information about the trends that organizations can expect to see, and help them prioritize what they should do to address the risks,” Andrew Howard, a research scientist at GTRI, said in a case study on the Titan project. “We have a significant system behind the scenes to facilitate the exchange of information.”
What would make the Titan system even more valuable is the publication of some or all of the data that’s collected. This isn’t just a nice-to-have feature. Many companies are drowning in information gathered by their own defensive systems, and trying to find the specific piece that will identify an ongoing attack or point to a recent compromise can be nearly impossible. For organizations that are under attack every day from state-sponsored attackers or highly organized financially motivated crews, data on how attackers are compromising other companies and how those companies are defending themselves would be a lifeline.
Right now, that information is mostly gathering dust in after-action reports and hassock-sized forensic analyses by consultants. Titan has the potential to push more of that intelligence out into the light of day and make it useful to a much wider audience. Here’s hoping they seize the opportunity.