Businesses don’t trust the government, at least when it comes to information about cyber attacks. And while the U.S. Defense Department has attempted to create a more open sharing process, most notably through the Defense Industrial Base Cyber Pilot, the results have been mixed, experts said, with companies being less than forthright and the government sharing information only about threats contractors already know.
“They don’t trust DHS [Department of Homeland Security], they don’t trust the federal government, they don’t trust DoD [Department of Defense], they don’t trust the people that are there supposedly to be the honest broker of information,” said Jeff Moulton, a researcher at the Georgia Tech Research Institute (GTRI). “That’s where we come in.”
GTRI is launching a new threat analysis system, Titan, in the hope that open information sharing can be fostered by a third party.
“We’re anonymizing the input and we have nothing to gain by any kind of breach of that trust relationship, because we’re not selling anything,” Moulton said. “We are truly an academic organization.”
A View from Abroad
What sets GTRI’s model apart from most security initiatives, besides its effort to bring companies and the government together at a neutral table, is its effort to make a stand against threats overseas.
Most cybersecurity systems confront threats much like the old county fair game Whac-A-Mole. With little warning, a fully formed threat pops onto a network and defenders scramble to react. The attacks and attackers themselves lie in darkness below, waiting to be mobilized.
But in building a new threat analysis system, Titan, and building an overseas presence, GTRI is looking to get ahead of the game by catching a glimpse of threats as they’re being developed.
The trick, GTRI scientists say, is that many attack tools are tested regionally, and if one can catch the experiment in progress, projecting the fully formed version is a possibility.
“Western Europe may see something today, and they may experience a campaign for a week that the United States won’t see for another couple of days or a couple of weeks,” said Chris Smoak, one of the leads on the project for GTRI.
“We’ve seen cases throughout the history of analysis where there’s evidence of the bad guys writing things and testing things in other areas of the world that, if I’m just looking at one particular scope, I might not ever see,” Smoak said. “If we can use a broader scope, we can produce both trends and forecasts.”
To that end, and coinciding with the organization’s launch of the Titan software, GTRI is plotting the development of a threat center in Europe far from its Atlanta headquarters, likely in Ireland or Sweden. Each country has its advantages, with Sweden offering relative political neutrality and Ireland a beneficial environment for technology.
“It’s truly an information exchange model on an international scale,” Moulton said. “We’re looking at other places in Europe to bed this system down into, but we’re still really pushing Ireland. There’s an amazing move in the Irish government to attract industry.”
The center would serve as a regional clearinghouse, helping to establish lines of communication that would feed into the Titan software.
Titan is designed as a threat analysis tool, allowing users to input data, have that data stripped of identifying information to create anonymity, and compare the data with the larger sets in the system. It can handle all kinds of data, including social media intelligence and even human intelligence.
One potential partner that GTRI has been talking to monitors Internet cafes seen as hotbeds for attacker activity in the hope of overhearing conversations that might provide insight. This data could be fed into the system and compared with other data sets, including information GTRI is getting from a DoD partner, to paint a clearer picture of a potential threat. That research would be accessible to the larger user community, although the sources of the information would be obscured.
The software, which has been running as a prototype for eight months, will be fully launched this summer.
GTRI researchers said they recognize that to create a worthwhile tool, a large pool of users is required, and the overseas center would help attract users in Europe whose participation would beef up the database.
“We need to be communicating before the exploits become exploits, while they’re still in the blueprint stages, and the only way to have a chance of that is to talk to each other, country to country, individual to individual, institution to institution,” Moulton said.
Legislation is being developed in the U.S. House of Representatives and Senate that aims to improve information sharing. But passage of any measure in both houses of Congress faces tremendous challenges and may not fix companies’ underlying trust concerns.
Trying to overcome the tendency of companies to remain quiet about attacks won’t be easy, Smoak said.
“We recognize that when it comes to sharing threat data and analysis, it’s akin to airing your dirty laundry,” he said. “Traditionally, companies and organizations don’t like sharing that type of information, but what we’re trying to do is facilitate a new mindset.”
GTRI, part of the Georgia Institute of Technology, isn’t alone in devising an alternative to a government system, as other academic entities and think tanks are wading into the sharing waters.
Alan Paller, director of research at the SANS Institute, said all of these efforts face a common problem in creating trust, and academic institutions may have a higher hurdle than some.
“There’s probably nothing scarier to a company than giving it to a school, because of the sense of sharing,” he said. “They’re open and they’re sharing and there’s a sense of research.”
Paller said pre-existing trust is likely necessary. “The only place that there’s confidence is when there is already a trust relationship, so the guys who could do this would be the Internet service providers, especially the ones that are already providing managed security services, because there’s already the trust relationship.”
Smoak said he is optimistic that companies and government agencies would share information, pointing to increased public knowledge that is diminishing the taboo of acknowledging an attack.
“At some point, we’re all going to have a problem with a compromise, and it’s how we deal with that information,” he said.