Part of my role as the Director of Threat Intelligence for Palo Alto Networks is to share the intelligence we produce with others who can put it to use in defending their networks. We believe wholeheartedly that having better information about the threats you face will help you defend yourself from harm. Knowing what kinds of actors are targeting you, what tools they have available, and what tactics they employ allows you to structure your defenses more effectively than against a generic, non-specific threat.
As a global security vendor, we have insight into attacks occurring across every industry and all around the world. Rather than hold this information close to our chest, we choose to share much of it with the security community. In the last 18 months, we’ve published over 100 entries to our threat intelligence blog, detailing new attacks, revealing attacker infrastructure, and educating our readers on what they can do to defend themselves. Some recent examples include:
- Application Usage and Threat Report: our annual summary of attack and application traffic from over 7,000 networks.
- XcodeGhost: an attack impacting millions of iOS users around the world.
- Operation Lotus Blossom: a multi-year campaign targeting the governments of southeast Asia.
As a founding member of the Cyber Threat Alliance (CTA), we were a key force in the research and publication of an in-depth report on the CryptoWall 3 ransomware, which has plagued businesses for most of 2015.
We recognize that individuals play many different roles in the security community and can therefore benefit from different types of reporting. CSOs need to understand threats at a high level: what is an actor’s goal, and to whom are they a threat? Practitioners need actionable information about how they can stop the threat from harming their networks and systems. Other researchers need deep details on how the threat operates, so they can correlate with their own information and come to more accurate conclusions. Threat intelligence analysts, like the members of my team, need to understand the techniques we use to make connections between attacks, so they can verify our findings and incorporate them into their own processes.
Some in the security community argue that intelligence of this nature should only be shared in closed communities made up of vetted individuals. After all, attackers could read our reports and alter their tactics to evade future detection. This is certainly a risk of publicly exposing attacker tools and tactics, but the global benefits far outweigh the costs. By sharing this information with the entire community, we force attackers either to alter their game plan or lose their strategic advantage.
To continue their operations, attackers must develop new tools, acquire new infrastructure, or develop attack techniques different from the ones we’ve exposed. These changes require time, money and other resources, which increase the cost of conducting the attack. In some cases (e.g., during an active law enforcement operation), exposing an attacker publicly can do more harm than good, but the majority of the time we are safer than if the information were kept under lock and key.
Our world is increasingly reliant on the systems and networks we have all committed to defend. As one of the leaders in this fight, we hope to inspire others to share their knowledge of attacker techniques in the same way we have. The sooner we acknowledge that our community is stronger as a group than we are as individuals, the easier this fight will become.