The future is no longer on a distant horizon: Mobility has overtaken the desktop as a fundamental part of how business is conducted; cloud adoption is prompting businesses to transform how they roll out applications and services with the promise of a more agile and automated IT infrastructure; IoT is connecting greater numbers of devices; and big data is gathering information on everything from telemetry readings of sensors to how many calories have been burned during an afternoon walk. The security implications among all of these elements are significant.

Cyber Threat AllianceTo address key security issues as they arise, several organizations, including our MTP partner Check Point Software Technologies, have banded together to strengthen and formalize a not-for-profit entity called the Cyber Threat Alliance (CTA). Through cooperative work and intelligence sharing, member organizations hope to enhance their products and, ultimately, their customer service by improving the security posture of those they serve. Check Point provided an in-depth overview of the CTA and why the company looks forward to helping lead the alliance to drive more comprehensive and timelier threat intelligence for all members and remain on the cutting edge of critical security issues. Below is a brief summary of the information. Visit the Check Point blog to view the full post.

What is the CTA?

The Cyber Threat Alliance (CTA) is an intelligence sharing marketplace where leading security vendors have joined together in good faith to equitably share campaign-based cyber threat intelligence to improve our products and boost the security posture of our customers. The CTA’s Guiding Principles are:

  • For the greater good:  Share intelligence to strengthen critical infrastructure and protect our customers.
  • Time is of the essence:  Prevent and circumvent attacks by sharing timely, actionable intelligence.
  • Context is king:  Prioritize the sharing of contextual, accurate intelligence tied to specific campaigns.
  • Radical transparency:  All intelligence is attributed and policies will always be published and clear.
  • No pay to play:  All members must share intelligence to extract intelligence from the CTA.

The enduring value is CTA members improve their products by gaining verifiable, actionable, near-real time indicators of compromise from the CTA’s intelligence marketplace. This in turn – and the overarching goal – makes customers more secure.

Is the threat intelligence good?

The CTA’s new threat sharing platform is highly sophisticated. The platform analyzes and validates the shared input to ensure excellent and useful intelligence is the produced output. All members must remain in “good standing” to receive threat intelligence from the CTA. To maintain good standing, members must submit a minimum-value of cybersecurity information each business day and will be assigned an ongoing “value rating” based on the information shared. Further, members must maintain the technical capabilities to share and receive information via the CTA platform. The minimum value of threat intelligence that members must share daily consists of:

  • Indicators of Compromise such as: Observables like file text; Kill Chain Stage; Context such as malware name
  • Contextual information such as campaign or threat actor

All submitted intelligence is evaluated by a value-based algorithm. The algorithm assigns points for every vendor submission, correlates it with other intelligence for mutual validation and points are added/subtracted based on correlation or contradiction by other members. The value of the data submitted by a vendor determines how much data the vendor can receive in return. A governing body oversees and manages the algorithm. This body will review and periodically update the algorithm to incentivize sharing and minimize gaming in the marketplace.

As output, participating members can choose what data they receive in return.  The key options are:

  • Which member submitted the data
  • Affiliation with a threat actor
  • Date of data submission or detection
  • Verification/validation by other members
  • Data type such as malware, domain

Clearly the algorithm is central to the platform in ensuring members “give to get” as well as ensuring the shared output is valuable. It is living algorithm which the CTA members oversee and manage for the benefit of all and to drive better security for all of our customers.