Cyberthreat intelligence is getting crowded

As threat intelligence communities multiply, it may be time to revisit crowdsourcing security.

When it comes to dealing with zero-day threats, time is of the essence. The quicker an IT security team can respond and repel an attack, the safer the organization.

Many security teams rely on pattern matches and malware databases, but these methods have become less effective as custom viruses, created almost continuously, make algorithms obsolete. Crowdsourcing threat data so that a community can act quickly and repeal potential invasions is delivering results for more enterprises.

Karl Hart, IT security analyst for Ohio National Financial Services in Cincinnati, has used AlienVault's Open Threat Exchange (OTX) for several years. "We have found better than a 90% success rate with finding infected hosts when we receive an alert from the platform," he said. "We know that our antivirus software doesn't catch everything, and this allows us to become more proactive and find malicious actors more readily. The chances of finding these without OTX would be close to zero."

We see malware warnings a few days to a month ahead of what is being caught in the real world by others.

Damon Rouse, IT director, Epsilon Systems Solutions

The idea of having a community share IT resources isn't new: CollabNet has been doing this for the DevOps world since 1999 and has over a million members at last count; Spiceworks has had its own help desk and systems management community since 2006. But the concept has faltered in the security and risk management fields because for competitive reasons many companies do not want to share information security incidents or breach data with a larger threat intelligence community.

Members only

Some collaborative communities are open to any IT operation while others, such as the Information Sharing and Analysis Centers (ISACs) are specialized around geographic or vertical markets, such as healthcare or banking. Financial Services-Information Sharing and Analysis Center (FS-ISAC), launched in 1999, provides physical and cyberthreat alerts to its members in the financial sector. Microsoft Active Protections Program requires potential participants -- security software providers -- to fill out a questionnaire that asks whether they actively sell security products and support more than 10,000 Microsoft customers. Some communities are invitation-only. Others are wide open: Georgia Tech's Apiary, launched in 2010, has added defense contractors, oil and gas companies and other academic institutions to its collection of contributors.

Crowdsourced security community tools

The benefit of crowdsourcing is all about speed. "The fast identification of some attack agents can have a meaningful contribution to all members of the community," according to a 2013 Hacker Intelligence Initiative, Monthy Trend Report by Imperva's Application Defense Center research arm. Imperva offers ThreatRadar Community Defense as part of its reputation services. The trick, according to the research, is "whether the information being shared can be automatically translated into structured actionable intelligence information that can be disseminated back to the community and deployed automatically in a timely fashion."

When evaluating these services, it's imperative to figure out up front which systems can automatically process the incident data logs. Some of the crowdsourced communities are open; some are controlled by a vendor but open to its channel partners; and others, like Imperva, are strictly under the purview of a single vendor. AlienVault's OTX product was initially designed for its own endpoint security products but has been extended to work with a variety of other systems, including Spiceworks' help desk. The integration with Spiceworks took just a few weeks to disseminate to the thousands of OTX members.

Several threat-sharing standards efforts are underway, largely at the urging of various government initiatives -- and they sound like it, too: Mitre's Structured Threat Information eXpressions language for describing cyberthreats data, Cyber Observable eXpressions schema and Malware Attribute Enumeration and Characterization language. All three of these structured languages are payloads that can be carried by the current standard "darling," Trusted Automated eXchange of Indicator Information. TAXII is being implemented by Microsoft and other threat communities. AlienVault and Georgia Tech have published their own APIs so that others can connect with their communities.

Checks and balances

Trust is critical, so it's important to determine how the threat information is posted -- and authenticated. With some communities, members have to authenticate themselves to join, and be vetted by the moderator. Others have automated data verification routines to determine how often a contributor has posted accurate information or if they are scamming the system with false data. Regardless, each community needs some checks and balances so that some rogue or random person can't pollute the data collection.

I am always online, always monitoring what is going on, but then I like doing that and consider it part of my job.

Karl Hart, IT security analyst, Ohio National Financial Services

Information sharing doesn't work unless there is some level of trust. Emerging tools enable users to define how much of their data is shared and with whom. For instance, Internet Identity (IDD) launched an ActiveTrust threat intelligence exchange platform in February that offers a Controlled Exchange component, data governance controls and social network for information sharing among its users.

Sometimes it helps to already have been hacked. Damon Rouse is the information technology director at San Diego-based defense contractor Epsilon Systems Solutions Inc., and a user of Cyber Squared's ThreatConnect community. "We were hit late in 2012 with attacks and looking for ways to streamline our threat intelligence. We had a lot of log data of potential exploit information but didn't know how to keep it or share it with peers."

Rouse bought into the collective concept and "liked the vetting process and validation of what I was doing and what our company was doing" before the defense contractor was accepted into the ThreatConnect community.

And it has paid off: "We see malware warnings a few days to a month ahead of what is being caught in the real world by others," Rouse said. ThreatConnect now has 1,800 registered users, including dozens of Fortune 500 and Fortune 1000 companies, and many small- to medium-sized businesses.

Community workflow

It's important to understand how threat information is shared in the community and the typical "threat" workflow among participating organizations because this may affect IT staffing requirements. (See figure.) 

A community workflow showing how threat information one member collected helps others in the community

The downside to these communities is that they are only as good as the time that you have to invest in them. Ohio National's Hart spends several hours each day updating information on various discussion forums, both for other local Ohio financial services businesses as well as general security discussions. "I am always online, always monitoring what is going on, but then I like doing that and consider it part of my job," he said.

When an organization is evaluating membership in a threat intelligence community or investing in associated platforms and tools, it's important to consider the following:

  • How many members are actively participating?
  • How do you post information?
  • Are standards important?
  • How is that threat information shared?
  • What systems can automatically process the incident data logs?
  • What is the typical "threat" workflow among the organizations in the community?
  • Are you willing to put in the time to participate on the discussion forums?

These communities aren't for everyone. Some IT departments are so stretched that it is all they can do to keep up with updates to the OSes and critical applications: "At this point, our known security holes are so large that our efforts are more on patching them first," said one chief information officer of a nonprofit. "These types of products are of more use when you feel like you've already got good locks on your doors and windows."

"A lot of these communities are starting to pick up steam lately," said Russ Spitler, AlienVault's vice president of product management. "IT managers are waking up and realizing that organization is essential to defeating the automated malware creation kits that are proliferating around the Internet." 

Think about joining multiple communities. "There is no silver bullet, and I like to overlap these tools," said Epsilon's Rouse, who uses both OTX and ThreatConnect. "And sometimes I get some false positives from OTX, so it is nice to have another source."

About the author
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of, Network Computing magazine and Read more from Strom at

Send comments on this article to [email protected].

Next Steps

Learn whether CFOs should care about the rise in mobile payment systems

This was last published in June 2014

Dig Deeper on Security industry market trends, predictions and forecasts