
What the Verizon DBIR Says About Threat Intelligence Sharing

Before we get started on Verizon’s 2015 Data Breach Investigations Report (DBIR), let’s address the elephant in the room. I created the DBIR back in 2008 and have led the excellent team that produces it since then (including the new 2015 edition). In a purely coincidental twist of timing, I joined ThreatConnect mere days before the 2015 DBIR released. The nifty thing about this is it allowed me to write the “DBIR is out” blog post for Verizon as well as this one featuring ThreatConnect’s takeaways and contributions to the report. Pretty cool, right?

Center stage, second page

In case you didn’t know, ThreatConnect is one of the 70 organizations that contributed data to the 2015 DBIR (2nd logo page, dead center). I’ll get into what we provided soon, but this is actually the first important takeaway: the DBIR represents a very large, global, public-private info/intel sharing community. It offers a compelling proof point that sensitive data can be shared–even across national and competitive boundaries–to improve security awareness and action. I love this aspect of the DBIR and what it means for our industry. In fact, my desire to leverage a platform to aggregate and analyze intelligence in a more ongoing, operational capacity across an even larger community is what led me to join ThreatConnect.

The scope and structure of the DBIR are quite different this year. Typically, the report focuses on data breaches and the who, what, when, where, why, and how behind them. That’s all still in there, but the 2015 version goes “Before and Beyond the Breach” to examine things like industry threat profiles, financial impact models, vulnerability disclosures/exploits, and intelligence sharing trends. As you may have guessed, the latter formed ThreatConnect’s contribution to the report.

She shares IP snares by the softwares

Using high-level data across 15 intel-sharing communities within ThreatConnect (some comprising distinct verticals, others a combination of regional or threat-focused participants), we aimed to give insight into the types and level of sharing and how these dynamics may differ across groups. The specific numbers in the figure below aren’t as important as their basic message: communities are sharing (and that’s good), but they could be sharing (and benefiting) more.

IP addresses are often the initial ante for intel sharing, but become much more useful when connected to other IPs, context, domains, emails, malware, campaigns, adversaries, etc. I’m keen to learn more about how communities can leverage the ThreatConnect platform to increase the diversity and depth of sharing and analysis.

The rest of the DBIR’s intel section makes a solid case for why this maturation process is so important. Many intel providers boast about having the best indicators of compromise (IOCs), and typically back this up with some claim on exclusivity. The DBIR will surely take the wind out of a few sails (and maybe sink a few RSA Conference presentations too). It compares 50+ IOC feeds over a 6-month period and finds they all exhibit high levels of uniqueness. That exclusivity card is looking less and less like a winner, isn’t it? Instead, the report suggests the winning strategy will aggregate numerous sources of IOCs to build the strongest possible hand. At this point, you might suspect I’m stacking the deck to convince you investing in a threat intelligence platform is a smart move, but I assure you that I’m not. I don’t need to; the data’s doing that for me.

The intel section in the DBIR also studied how quickly IOCs (mostly IPs) need to be shared in order to create a kind of “herd immunity” where we’re all safer together. Three-quarters of attacks (with a common IOC) spread from the first victim to the second victim within a day. The report also shows most IOCs have a relatively short shelf life, often lasting only hours between their first and last observation in the wild. As the report states, “that puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness.” We need to close the gap between sharing speed and attack speed.
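
To make the two measurements above concrete (how much of each feed appears nowhere else, and how long an indicator stays live between first and last sighting), here is an added example; it is not code or data from the DBIR or from ThreatConnect. The feed names, timestamps and addresses are constructed, and the functions are hypothetical helpers, not the report's methodology.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: feed name -> list of (indicator, ISO-8601 observation time).
# Addresses come from the RFC 5737 documentation ranges; none of this is DBIR data.
FEEDS = {
    "feed_a": [("192.0.2.10", "2015-03-01T00:10"), ("192.0.2.11", "2015-03-01T02:00"),
               ("198.51.100.7", "2015-03-01T04:30")],
    "feed_b": [("192.0.2.10", "2015-03-01T06:40"), ("203.0.113.5", "2015-03-02T09:00"),
               ("203.0.113.6", "2015-03-02T09:05")],
    "feed_c": [("203.0.113.99", "2015-03-03T12:00"), ("203.0.113.99", "2015-03-05T12:00")],
}

def aggregate(feeds):
    """Merge feeds into indicator -> {"feeds": set of sources, "seen": sorted timestamps}."""
    merged = defaultdict(lambda: {"feeds": set(), "seen": []})
    for name, rows in feeds.items():
        for indicator, ts in rows:
            merged[indicator]["feeds"].add(name)
            merged[indicator]["seen"].append(datetime.fromisoformat(ts))
    for entry in merged.values():
        entry["seen"].sort()
    return dict(merged)

def uniqueness(feeds, merged):
    """Per feed: share of its distinct indicators that no other feed reports."""
    result = {}
    for name, rows in feeds.items():
        own = {indicator for indicator, _ in rows}
        exclusive = [i for i in own if merged[i]["feeds"] == {name}]
        result[name] = len(exclusive) / len(own) if own else 0.0
    return result

def shelf_life(merged):
    """Per indicator: time between first and last observation across all feeds."""
    return {i: e["seen"][-1] - e["seen"][0] for i, e in merged.items()}

def share_within(lifetimes, limit):
    """Fraction of indicators whose whole observed lifetime fits inside `limit`."""
    return sum(1 for d in lifetimes.values() if d <= limit) / len(lifetimes)

if __name__ == "__main__":
    merged = aggregate(FEEDS)
    for feed, ratio in uniqueness(FEEDS, merged).items():
        print(f"{feed}: {ratio:.0%} of indicators appear in no other feed")
    day = share_within(shelf_life(merged), timedelta(days=1))
    print(f"{day:.0%} of indicators were last seen within a day of first sighting")
```

A high uniqueness ratio for every feed is the argument for aggregating sources, and a short shelf life is the argument for expiring indicators from blocklists instead of letting them accumulate.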

Reading between the lines

Reinforcing the need to close gaps, the infamous “detection deficit” chart introduced in the 2014 DBIR is back this year. It contrasts how often attackers (orange) compromise the victim’s network in days or less with how often defenders (teal) discover the compromise in the same interval. Attackers usually get their job done within days, yet defenders usually don’t. This creates the so-called deficit between attacker timelines and defender timelines. The deficit was less than it ever has been before, but it’s still too wide and too early to declare victory just yet.

What you can’t see from the deficit chart is how defenders discover incidents. The 2015 DBIR doesn’t provide a comparable figure, so I’ve borrowed the one below from last year’s report. Overall, breach discovery isn’t a happy story, but there is a ray of sunshine peeking through the figure. The quickest rising discovery method is third party notification, and while not stated on the label, this is usually due to observations of the victim communicating with known adversary infrastructure. I include it here because it provides another data point on how intelligence helps level the playing field by informing defensive action.

Cousins by chance, friends by choice

Another section in the report, Industry Profiles, isn’t about intelligence per se, but it most certainly has ramifications for how we share and use it. Besides that, I find it incredibly well-written and insightful, and I’m sure whoever wrote it must be wicked smart. ;-b The figure below is the handiwork of a clustering algorithm that places industries with similar threat profiles in proximity to one another. The DBIR explains it well:

Each dot represents an industry “subsector” (we chose to use the three-digit NAICS codes—rather than the first two only—to illustrate more specificity in industry groupings). The size of the dot relates to the number of incidents recorded for that subsector over the last three years (larger = more). The distance between the dots shows how incidents in one subsector compare to that of another. If dots are close together, it means incidents in those subsectors share similar VERIS characteristics such as threat actors, actions, compromised assets, etc. If far away, it means the opposite. In other words, subsectors with similar threat profiles appear closer together.

You should definitely read the report to get the whole story on this one, but my abridged version is that it challenges our notions of industry-based peer groups for things like info/intel sharing, compliance standards, and regulations. Notice how the subsector dots in the Public (92x), Manufacturing (32x and 33x), and Finance (52x) sectors spread out all over the place rather than cozy up close. The critical lesson here is there is no “financial sector threat profile;” consumer banks, investment firms, and insurance carriers have very different business and technology profiles. Thus, it only makes sense that their threat profiles would be different as well. And if that’s true, then we can’t expect all subsectors in a given industry to share the same intelligence requirements. Why, then, is it standard practice to organize info/intel sharing groups along industry lines? If these results are legit, they beg for those lines to be redrawn.

And this leads to my last pivot back to ThreatConnect. The platform lets users draw (and redraw) those lines to create custom intelligence communities around shared intelligence needs and threat profiles. Pretty cool, right? I think so. Being a part of the DBIR was a hugely rewarding experience in so many ways. But after 8 years of studying the problems we face as an industry, I joined ThreatConnect because I’m ready to start fixing them. I look forward to working with our communities, customers, partners, users, and friends to accomplish that goal together.

UPDATE: The Verizon DBIR team released an interactive version of the cluster diagram above. It’s definitely worth checking out.

TL;DR: The 2015 DBIR is out and ThreatConnect contributed. Info/intel sharing works and produces valuable results. But we all have some work to do in order to maximize those benefits. We need to share more, we need to share/analyze quicker, and we need to share/analyze smarter. I’m jazzed about helping to achieve those goals in my new role with ThreatConnect.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.