News this week: the Retail Cyber Intelligence Sharing Center (R-CISC) is collaborating with the Financial Services ISAC (FS-ISAC) on its new threat intelligence portal. The R-CISC is working with the FS-ISAC to share threat information, in an attempt to improve security within their industries. The portals will remain independent, yet integrated.
According to a Dark Reading interview with Brian Engle, executive director of the R-CISC:
“[The R-CISC] evaluated a number of different platforms to help enable information-sharing for retailers…and given the stage of [R-CISC’s] maturity, and the amount of interaction with the financial services industry, we selected FS-ISAC’s portal and technology platform. Our portal rides on the same technology as the FS-ISAC’s, but there’s a separate instantiation for retail.”
The R-CISC was created in 2014 after a rash of high-profile retail breaches, including Target and Home Depot. The threat intelligence portal represents a significant upgrade for the retail industry, which had previously been sharing threat intelligence, such as indicators of compromise, through email distribution lists.
The push for threat intelligence sharing is a great initiative for the retail industry. The STIX format developed at MITRE has become a de facto standard for threat sharing between major financial services organizations during the past year. It allows an organization to share key threat data, including the addresses of remote servers used in the attack and the malware fingerprint, among other attributes, in a suitably anonymized form, without breaching confidentiality. STIX and other open threat indicator formats are of great importance because they allow sharing of information between different vendor tool-sets. Contrast this with the proprietary formats of traditional signature feeds from major anti-virus vendors, and you should realize this is a major advance for the industry.
Kudos to the retail industry for its effort in implementing this threat intelligence initiative. Of course, the more cynical among us may believe that these threat intelligence initiatives are putting the cart ahead of the horse. Case in point, this week, MWR Infosecurity published its report, “Threat Intelligence: Collecting, Analyzing, Evaluating,” which contends:
Threat intelligence is at high risk of becoming a buzzword. With so many disparate offerings and so much pressure to be ‘doing’ threat intelligence, organisations risk investing large amounts of time and money with little positive effect on security.
However, the report does take a pragmatic approach:
However, by taking threat intelligence back to its intelligence roots and applying the same strict principles, a far more effective strategy can be devised. As is the case with traditional intelligence, tackling cyber threats demands rigorous planning, execution and evaluation. Only then can an organisation hope to target its defences effectively, increase its awareness of threats, and improve its response to potential attacks.
This is good advice. At the end of the day, threat intelligence is only worth what you can do with it.