Over the past few decades, the world economy, including institutions and individuals alike, has grown dependent on computerized systems at an increasing rate. The amount of data generated by computer systems and users each day is already large (in 2012, approximately 2.5 exabytes per day) and the dependence of individuals and institutions on computer systems promises to grow even more with the recent proliferation of mobile devices, cloud computing, and the so-called “Internet of things.”
While this increase in computing power has yielded growing benefits in productivity and efficiency, it has also increased the incentives for bad actors (including hackers, cyber criminals, sophisticated organized crime outfits, and terrorists). These bad actors often seek to breach the security of computerized systems for a variety of reasons. For example, such bad actors may seek to misappropriate personal information, obtain trade secrets from a corporation, uncover confidential government and military secrets, or compromise the crucial infrastructure of utilities.
These cyber-threats have increased not only in number, but also in their complexity and impact. An institution that has placed its data in a repository “in the cloud” now faces the prospect of having its information stolen and compromised by a hacker who gains access to that single repository. Firms that allow employees to use their personal mobile devices to access secure computerized systems can be vulnerable to malware introduced onto any one of those individuals' personal smartphones. As the potential damage that can be inflicted by a cyber-attack grows in magnitude, the ways in which a malicious entity can carry out that attack also multiply.
While the cyber-attack threat faced by individuals and institutions can seem dire, an industry's defense against malicious actors can be a simple one: the open sharing of cyber-threat information between targeted individuals and institutions. A system for sharing and distributing cyber-threat information can act as an “immune system” for participating entities—by sharing the source and methods of a cyber-attack detected by one member, the remaining members of the system can be “vaccinated” against that cyber-threat vector, mitigating any future attacks. For example, a detected malicious IP address can be distributed to other users of the information-sharing system, who can then block that IP address from gaining access to their networks. A piece of detected malware's filename can be shared with other firms, who can then warn their employees not to download or install the malicious software on their personal devices. Therefore, even when a cyber-attacker succeeds, the sharing of information about that successful attack will assist in detecting and preventing any future attempts that cyber-attacker makes.
While the concept of threat-sharing seems simple enough, attempts to implement systems and methods to effectively combat cyber-threats through the sharing of threat information have been inadequate. For example, the Department of Homeland Security's Cybersecurity and Information Sharing and Collaboration Program (CISCP) has attempted to combat cyber-threats by publishing documents that share current security threats and system vulnerabilities, ways to combat and fix threats to systems, and best practices for the general public. CISCP's suggestions and notifications are helpful, but an entity must manually process the threats contained in each document and manually implement the remedies it identifies—a time-consuming and costly process. It is estimated that it takes an average of seven hours to process a single CISCP intelligence document, and that processing the entire CISCP document corpus would cost tens of millions of dollars per institution. As a result, participating entities only process and protect against a fraction of the cyber-threats published by CISCP.
Another example of an existing cyber-threat sharing network is the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), an international community of research and higher education institutions. Unfortunately, like CISCP, REN-ISAC's member colleges and universities have not automated the sharing and processing of threat information, because REN-ISAC does not share threat information in a standardized format. A member school can share threat information in whatever proprietary format it wishes, forcing other member institutions to undergo the time-consuming process of manually processing and acting on each piece of threat information.
Because of the increasing costs (both in time and financial resources) of manually processing the growing number of cyber-threats faced by organizations, what is needed is a way to automate the sharing and processing of cyber-threat information, as well as the implementation of defensive measures against identified cyber-threats. By automating the threat information sharing system, the power of these computing systems can be brought to bear against the malicious entities that threaten them. At the same time, however, because of the sensitive nature of cyber-attacks, it is desirable that institutions and individuals have the ability to control which detected cyber-threats they share, how they share them, and which other entities they share them with, in order to protect against sensitive and sometimes embarrassing disclosures that can damage their privacy, security, and reputation.
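The two requirements stated above (a standardized, automatically processable feed of indicators such as malicious IP addresses and malware filenames, and originator control over which detections are shared and with whom) can be illustrated with a small producer/consumer model. The code below is an added example written for this page; it is not code from the patent or from CISCP or REN-ISAC. The indicator schema, the three sharing labels (`private`, `trusted-group`, `public`), and the sample detections from an institution called `uni-a` are all constructed assumptions; the IP addresses are from documentation ranges and are not real indicators.

```python
"""Added example: minimal automated threat-indicator exchange with sharing control."""
import ipaddress
import json
from dataclasses import dataclass, asdict

# Sharing labels the originating institution attaches to each detection.
# These names are constructed for this example, not a published standard.
PRIVATE = "private"        # never leaves the originating institution
TRUSTED = "trusted-group"  # shared only with named partner institutions
PUBLIC = "public"          # shared with every participant


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4" or "filename" (hypothetical schema)
    value: str
    source: str  # institution that detected it
    label: str   # PRIVATE, TRUSTED or PUBLIC


def validate(ind: Indicator) -> None:
    """Reject malformed indicators before they are shared or acted on."""
    if ind.label not in (PRIVATE, TRUSTED, PUBLIC):
        raise ValueError(f"unknown sharing label {ind.label!r}")
    if ind.kind == "ipv4":
        ipaddress.IPv4Address(ind.value)  # raises ValueError on garbage
    elif ind.kind == "filename":
        if not ind.value or "/" in ind.value or "\\" in ind.value:
            raise ValueError("filename indicator must be a bare file name")
    else:
        raise ValueError(f"unsupported indicator kind {ind.kind!r}")


def select_for_recipient(indicators, recipient, trusted_partners):
    """Producer side: apply the originator's sharing policy for one recipient.

    PRIVATE detections never leave; TRUSTED ones go only to named partners;
    PUBLIC ones go to everyone. This is the 'what, how and with whom' control.
    """
    shared = []
    for ind in indicators:
        validate(ind)
        if ind.label == PUBLIC or (ind.label == TRUSTED and recipient in trusted_partners):
            shared.append(ind)
    return shared


def to_feed(indicators) -> str:
    """Serialize to one standardized JSON document so recipients need no manual parsing."""
    return json.dumps({"indicators": [asdict(i) for i in indicators]}, sort_keys=True)


def from_feed(text: str):
    """Consumer side: parse a feed and re-validate every indicator (never trust input blindly)."""
    feed = json.loads(text)
    indicators = [Indicator(**d) for d in feed["indicators"]]
    for ind in indicators:
        validate(ind)
    return indicators


def build_defenses(indicators):
    """Turn received indicators into an IP block list and a filename watch list."""
    blocked_ips = {i.value for i in indicators if i.kind == "ipv4"}
    watched_files = {i.value.lower() for i in indicators if i.kind == "filename"}
    return blocked_ips, watched_files


def is_blocked(ip: str, blocked_ips) -> bool:
    """Check a connecting address against the block list (normalizes the textual form)."""
    return str(ipaddress.IPv4Address(ip)) in blocked_ips


# Constructed sample detections from one institution; documentation-range IPs, not real IoCs.
SAMPLE = [
    Indicator("ipv4", "203.0.113.7", "uni-a", PUBLIC),
    Indicator("ipv4", "198.51.100.23", "uni-a", TRUSTED),
    Indicator("filename", "invoice_q3.pdf.exe", "uni-a", TRUSTED),
    Indicator("ipv4", "192.0.2.99", "uni-a", PRIVATE),
]


def demo(recipient):
    """Full round trip: policy filter -> standardized feed -> automatic defenses."""
    shared = select_for_recipient(SAMPLE, recipient, trusted_partners={"uni-b"})
    received = from_feed(to_feed(shared))
    return build_defenses(received)


if __name__ == "__main__":
    print("partner uni-b receives:", demo("uni-b"))
    print("outsider corp-c receives:", demo("corp-c"))
```

Running `demo("uni-b")` yields both IPs and the filename, while `demo("corp-c")` yields only the public IP; the `private` detection reaches nobody. Re-validating on the consumer side matters because a shared feed is itself an input from another party, and a malformed or overly broad indicator could otherwise be turned directly into a block rule.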