It is often said that attackers have an advantage, because the defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.
This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it’s true that it is difficult to defend against an adversary that targets a single victim, this isn’t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets and modify and reuse them.
This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing are part of the solution, but the real key is finding a way to coordinate action. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a common aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.
Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. Yet this same attack unravels against animals who respond by forming a circle and standing their ground as a group. As long as they stick together, the predators are at a disadvantage – unable to separate and run down an individual.
This kind of coordinated defense, and more crucially coordinated action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It’s not enough to share threat indicators such as YARA signatures, IP addresses and malware hashes. What we really want to do is move defenders to take action that defends them and undermines an adversary’s attack. As an industry, we have to come together and decide on a set of standards or principles by which we’re going to not just share information, but use it.
So why hasn’t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol (TLP). TLP tells us how sensitive the information is, and whether we can share it. What it doesn’t say is whether it’s OK to incorporate an IP address into a network defense system, to ping the address, or to try to have the address taken down.
As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.
Part of this transformation is happening today at Microsoft with our Microsoft Active Protections Program (MAPP). While MAPP initially started as an information-sharing effort amongst security vendors, it’s moving to a place where it provides a set of guidance for defenders to protect themselves. To truly evolve to the next level, it will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) has recently talked about the concept and called for a coordinated malware eradication approach at this blog post.
When we get to that point, it won’t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all enterprises of the world pulling together and sharing actionable threat information necessary for defeating the adversaries — consistently and permanently.
This will take a greater degree of trust than just information sharing. But to take that next big leap in enhancing our defense against cyber-attacks, it’s where we must begin.
Microsoft Security Response Center (MSRC)