The ability to identify common patterns in real-world attacks makes crowd-sourcing threat intelligence extremely useful, according to a study from security tools firm Imperva.
The report arrives just as a privacy row rages over the new Cyber Intelligence Sharing and Protection Act (CISPA) law in the US.
But the head of the security firm said the legislation could create several problems, not least of which was the equivalent of sticking a giant 'Hack Me' sign on the government's info stores.
The US cybersecurity bill, which passed through the US House of Representatives last week, would allow the US government to share "cyber threat intelligence" with private-sector entities. Crucially, the proposed law would also allow the firms to share their customers' web traffic information - among other things - with the Feds.
CISPA's critics also argue that the law would create a mechanism for private businesses to share intelligence with government, including private data, without judicial oversight. Privacy activists are concerned that the risks of this massive trawling exercise more than outweigh security benefits. The bill has not yet passed through the Senate.
Amichai Shulman, CTO at Imperva, said that the policy would theoretically create more repositories of data for government to analyse but warned that the gathering of threat data would be accompanied by the potential risk of hacker attacks against the newly established info hubs. Shulman also spoke of the possibility of bureaucratic creep (ie, data on info hubs being used for purposes other than security analysis, Big Data number crunching) and said the info hubs were a potential target for attack.
While Shulman didn't comment on the bill as it stands, he did insist that more information sharing needs to happen in order for defenders to stay abreast of security threats and that government involvement was a "broadly positive" development.
Stopping these assaults shouldn't be rocket science
Imperva's latest Hacker Intelligence Initiative report shows businesses can reduce risk by identifying and blocking attackers targeting multiple sources. The study analysed real-world attack traffic against 60 web applications between January and March 2013 to identify common attack patterns. Businesses can reduce the risk of successful attacks against their organisations by identifying and blocking attack sources, payloads and tools that are prevalent in targeting multiple websites.
The security firm said these attack sources - which can best be identified by analysing crowd-sourced attack data from a broader community - made up a disproportionate amount of the overall traffic against corporates.
Imperva researchers analysed the behaviour of the most common web application attacks (SQL injection, remote and local file inclusion, and comment spam attacks) over time and across targets, cross-referencing this data with the three most prevalent attack characteristics (attack source, payload, and tool), against known attack signatures.
The study - which covered data from the first three months of 2013 - revealed that several attacks are responsible for a disproportionate amount of attack traffic. Attacks targeted SQL injection attacks and RFI attacks were particularly prominent in the treat landscape.
Imperva argues that crowd sourcing and sharing information about attacks improves collective protection against large-scale attacks. Identifying a “noisy” attack source - an attacker, payload or tool that repeatedly attacks – is important.
"Our report shows that businesses can greatly reduce the number of successful attacks against their organisations by identifying and blocking attack sources that are known to target multiple sites or applications," Shulman explained.
The full Imperva report, Get What You Give: The Value of Shared Threat Intelligence, can be found here.
The security tools firm launched the survey at the same time as it announced the addition of ThreatRadar Community Defense, a crowd-sourced threat intelligence service, to its SecureSphere 10.0 Web application firewall (WAF) platform. The service is designed to aggregate and validate attack data from WAFs to protect against hackers, automated clients, and zero-day attacks.
Shulman compared the service to the sharing of anti-malware intelligence between security researchers. He said Imperva's service would create "actionable intelligence" broader than just IP addresses linked to attacks, providing early warnings about a spate of RFI-style attacks, for example. ®