Stronger Together: How Sharing Orchestration Models Makes for Better Cyber Defense
Security collaboration has, and still is, generating lots of attention: How can we join forces and use crowd intelligence to employ better security defense strategies against growing cyber-attack threats?
From virus databases through reputation sources and others – many security collaboration projects are receiving support and backing from both commercial and governmental entities. Here’s a partial list, and I apologize in advance for omitting other initiatives and projects.
Application and OS vulnerabilities, such as CVE, “the ultimate security vulnerability datasource.”
Open attack pattern databases such as Snort, which includes patterns of attack intrusion, i.e., network patterns of exploitation attempts. Snort also includes an open regex language to represents attack patterns.
Open malware databases, such as Virus total, which enable searching and sharing malware samples to facilitate the detection of viruses, Trojans and other types of malware.
Malware research data, such as Yara – a tool aimed at helping malware researchers to identify and classify malware types. This is similar to the snort tool and language, but with a focus on malware classification rather than on intrusion network patterns (traffic patterns).
Reputation sources – open information about bad reputation sites (URLs, domain and IP addresses) that are associated with malware infection, phishing campaigns and C&C activities. Some examples include OTX, Virus Total, and Zeus Tracker.
STIX/TAXII – An initiative or more recent years for describing and classifying cyber-attack campaigns in a standardized manner and share data about techniques used in a campaign (i.e., with a wider context) rather than individual attack vectors.
Is Sharing and Classifying Attack Data Good Enough?
What do the majority of collaboration projects have in common? Almost all are focused on attack-side information – classification and sharing of vulnerabilities and attack techniques, or identifying single vector attacks such as an individual malware or specific intrusion pattern.
STIX/TAXII takes a more relevant (up to date) approach since it focuses on advanced attack campaigns, which are the most difficult challenge that large organization are facing today.
Advanced attack campaigns include multiple attack phases (kill-chains) and exploit multiple vulnerabilities including exploitation of human weaknesses in order for the attack to succeed. They are typically prolonged and adapt to the defenses they encounter – so in that sense, the STIX structured language is able to characterize the course of attack behavior.
However, what’s still missing is how to share security solutions (rather than the analysis of attacks) – or shared methods to detect, investigate and mitigate advanced attacks. Put differently, a shared security orchestration model. While STIX/TAXII analyzes and classifies attack campaigns, it does not teach the best way to defend against them.
Sharing Security Orchestration Models
Protecting against advanced attack campaigns involves multiple security technologies such as network security (network IDS and IPS, Anti-malware (e.g., sandbox), Network and user behavior analysis, DLP, WAF, Mail security, Firewalls), endpoint security (client firewalls, AV, anti-malware), threat intelligence (URL and IP reputation, malware databases), and others. All security solutions must work in synch to be effective.
Each of the security technologies must be provisioned with the right policy in order to ensure it complements the neighboring solution, and must also be activated in the right sequence. So essentially what’s needed is the ability to share a security orchestration model(s) that can manage the above tasks.
This immediately raises several issues, the first of which is that collaboration or sharing of orchestration models doesn’t really exist yet.
Next, to be shared, an orchestration model must be vendor agnostic. Organizations deploy different security tools from a wide range of vendors – so that an orchestration model should work transparently without any change, each time using different security products. It should essentially be able to “translate” the same model into a language understood by security tools from different vendors as well as analyze and correlate the logs of vendor-specific functions. A few early bird companies are addressing this issue in different ways and should be under the radar of any large network organization.
Attackers share their ideas including attack tools, attack techniques etc. and thus can innovate rapidly. Similarly, defenders should be able to accelerate the pace of innovation of security solutions – and have the ability to share security orchestration models.