Crowdsourced Threat Intelligence
The exponential growth of a global information economy, driven by disruptive business models and new technologies such as artificial intelligence (AI) and machine learning, means that an ever-increasing amount of sensitive data is collected, used, exchanged, analyzed, and retained online. In addition, many people depend on online services delivered over networks, with email, GPS navigation, and the internet of things (IoT) being just a few examples.
Unfortunately, an unintended consequence of this new reality is that hacktivists, cyber criminals, extortionists, and others are also using these technologies and disruptive business models to deny access to online services and/or to compromise, exfiltrate, or destroy collected data. They use the dark web (e.g., the Tor network) to anonymously share information about host, web application, and mobile application security vulnerabilities; discuss ‘best practices’ for managing and evolving attacks; share botnets and vulnerable IP addresses and URLs; and create marketplaces and supply chains.
Why Use Crowdsourced Threat Intelligence
Cyber attackers are increasingly self-organizing to leverage ideas, technologies, and practices that enhance and expand their attacks. They are attacking faster, further, and more deeply than ever before. For example, 75% of attacks can now spread from Victim 0 to other victims within 24 hours, and more than 40% can spread in less than an hour (Verizon DBIR).
Given the attackers’ ever-evolving modus operandi, organizations must be able to quickly:
- Identify and patch security vulnerabilities, before an attack
- Identify and block potentially malicious IP addresses and URLs
- Remediate infiltrations and damage, after an attack
One way of doing that is to crowdsource threat intelligence — to use the wisdom of the crowd to develop defenses (and potentially, offenses) against the attackers. This approach acknowledges that one can no longer be a ‘lone wolf’ fighting these attacks.
Essentials of Crowdsourced Threat Intelligence
Crowdsourcing threat intelligence leverages principles and practices from crowdsourcing, social networking, open source software development, and the creative commons.
At its most basic level, it is the free and transparent sharing of information about suspected security vulnerabilities, actual security incidents, and operational code for mitigating specific attacks such as DDoS, cross-site scripting, phishing, and malware.
Crowdsourcing can occur at one or more of the following levels:
- Organizational, where an organization encourages its customers to share information with its IT department. Facebook, Microsoft, and Tesla are just a few of the many companies crowdsourcing security intelligence.
- Governmental, where a government encourages white-hat hackers to identify and provide remediation for security vulnerabilities in exchange for awards and contracts. The Department of Defense recently implemented such a crowdsourced program.
- Vendor, where a vendor collects, aggregates, and vets security intelligence gathered from its customers, partners, open source/crowdsourced security intelligence platforms, white-hat hackers, and other sources. Some vendors can also provide continuous monitoring at the host, web application, and/or mobile application level to provide:
  - Reputation Service: Filters traffic based on the latest, real-time reputation of the source IP and URL
  - Bot Protection: Detects botnet clients and application DDoS attacks
  - Account Takeover Protection: Protects website user accounts from attack and takeover
  - Fraud Prevention: Simplifies deployment of best-in-class partner fraud prevention solutions
  - Emergency Feed: Delivers the latest signatures and mitigation instructions to protect against zero-day vulnerabilities
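The "collect, aggregate, and vet" step behind a reputation service, as an added example in Python (not code from the original page or from any vendor named here): reports from several crowd sources are grouped per IP or URL, stale and duplicate reports are discarded, and an indicator is only blocked once independent sources agree. The report format, the thresholds, and the sample reports and traffic are all assumptions constructed for this example.

```python
"""Aggregate and vet crowdsourced IP/URL reports, then filter traffic by the result."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports: (indicator, reporting source, confidence 0..1, ISO-8601 time).
REPORTS = [
    ("198.51.100.7", "customer-a", 0.9, "2024-05-01T10:00:00"),
    ("198.51.100.7", "partner-b", 0.8, "2024-05-01T11:30:00"),
    ("198.51.100.7", "whitehat-c", 0.7, "2024-05-02T09:00:00"),
    ("203.0.113.9", "customer-a", 0.95, "2024-05-01T08:00:00"),
    ("203.0.113.9", "customer-a", 0.95, "2024-05-01T08:05:00"),  # same source twice
    ("http://example.net/login", "partner-b", 0.8, "2024-03-01T00:00:00"),  # stale
    ("http://example.net/login", "customer-d", 0.8, "2024-03-02T00:00:00"),  # stale
]
NOW = datetime.fromisoformat("2024-05-02T12:00:00")  # fixed clock so the run is reproducible
MAX_AGE = timedelta(days=14)   # assumed: reports older than this no longer count
MIN_SOURCES = 2                # assumed: independent sources needed before blocking
BLOCK_SCORE = 0.75             # assumed: minimum mean confidence to act on

def vet_reports(reports, now=NOW):
    """Return {indicator: (mean_confidence, independent_source_count)}.
    Stale reports are dropped and each source counts once per indicator, so one
    noisy reporter cannot inflate the crowd's vote by re-submitting."""
    by_indicator = defaultdict(dict)  # indicator -> {source: best confidence}
    for indicator, source, confidence, ts in reports:
        if now - datetime.fromisoformat(ts) > MAX_AGE:
            continue
        seen = by_indicator[indicator]
        seen[source] = max(confidence, seen.get(source, 0.0))
    return {ind: (sum(c.values()) / len(c), len(c)) for ind, c in by_indicator.items()}

def verdict(indicator, reputation):
    """'block' needs corroboration; a lone high-confidence source only earns 'alert'."""
    score, sources = reputation.get(indicator, (0.0, 0))
    if score < BLOCK_SCORE:
        return "allow"
    return "block" if sources >= MIN_SOURCES else "alert"

def filter_traffic(events, reputation):
    """Decide each (client_ip, requested_url) event; the stricter verdict of the two wins."""
    rank = {"allow": 0, "alert": 1, "block": 2}
    return [(ip, url, max(verdict(ip, reputation), verdict(url, reputation), key=rank.get))
            for ip, url in events]

if __name__ == "__main__":
    rep = vet_reports(REPORTS)
    events = [("198.51.100.7", "http://example.org/"), ("203.0.113.9", "http://example.org/"),
              ("192.0.2.1", "http://example.net/login")]  # constructed traffic
    print(filter_traffic(events, rep))
```

The expired URL reports show why the feed must be refreshed continuously: an indicator that nobody has re-confirmed within the age window silently drops back to "allow".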