The announcement by the Cyber Threat Alliance (CTA) at the RSA Conference is an important moment in the security industry. It truly marks a new era of industry collaboration for the greater good through the sharing of threat intelligence to drive better protection for all member customers.
What is the CTA?
The Cyber Threat Alliance (CTA) is an intelligence sharing marketplace where leading security vendors have joined together in good faith to equitably share campaign-based cyber threat intelligence to improve our products and boost the security posture of our customers. The CTA’s Guiding Principles are:
- For the greater good: Share intelligence to strengthen critical infrastructure and protect our customers.
- Time is of the essence: Prevent and circumvent attacks by sharing timely, actionable intelligence.
- Context is king: Prioritize the sharing of contextual, accurate intelligence tied to specific campaigns.
- Radical transparency: All intelligence is attributed and policies will always be published and clear.
- No pay to play: All members must share intelligence to extract intelligence from the CTA.
The enduring value is that CTA members improve their products by gaining verifiable, actionable, near-real-time indicators of compromise from the CTA’s intelligence marketplace. This in turn makes customers more secure, which is the overarching goal.
Why did Check Point join the CTA?
While the Check Point Research team and many others around the world are doing great threat research work, the reality is that no single entity can know and understand every single threat globally. Joining the CTA to share Check Point’s leading research with the excellent research from other leading vendors creates a more comprehensive and richer threat feed that drives better protection for our customers and for all CTA member customers.
Our primary mission at Check Point is and always has been to provide our customers with the best security possible. Joining the CTA is a natural extension of our mission. We are proud to be a Founding Member of the CTA, and as leaders in the industry, we believe it is our responsibility to drive such initiatives to improve security for all. This alliance could be a good foundation to improve market cooperation beyond the current and very important model for sharing threat intelligence. Of course, without question, all vendors will continue to fiercely compete in the marketplace on product excellence and innovation, but the time has come to formally and openly share threat intelligence for the betterment of all member customers.
But the CTA has existed for a couple of years now. What’s new?
Up till now, the CTA was nascent and did not bring enough value. The members shared only a few thousand indicators a day, which is truly a drop in the ocean compared with the many millions of permutations of malware that occur daily.
Launched today with six founding members, CTA Inc. is formally established as a not-for-profit entity with a formal operating structure, member obligations and product. Specifically:
- Incorporated – The CTA incorporated as a not-for-profit in January with dedicated funding from its founding members. The CTA held its inaugural Board of Directors meeting on January 23, 2017.
- Membership – The CTA’s inaugural Board includes the CEOs and senior leadership of six major cybersecurity vendors: Check Point, Cisco, Fortinet, Intel Security, Palo Alto Networks and Symantec.
- Platform – The CTA developed a new intelligence sharing platform that automates intelligence sharing in near-real time.
- Vision – The CTA’s corporate purpose is threefold:
  1. To share threat information in order to improve defenses against advanced cyber adversaries across member organizations and their customers
  2. To advance the cybersecurity of critical information technology infrastructures
  3. To increase the security, availability, integrity, and efficiency of information systems
While the CTA’s core mission is information sharing, the CTA will also be the first industry trade association designed by and exclusively for cybersecurity practitioners. In this capacity, the CTA’s inaugural Board is committed to expanding the CTA’s scope over time to further items 2 and 3 above by undertaking initiatives such as developing industry best practices.
Is the threat intelligence good?
The CTA’s new threat sharing platform is highly sophisticated. The platform analyzes and validates the shared input to ensure that the output is excellent, useful intelligence. All members must remain in “good standing” to receive threat intelligence from the CTA. To maintain good standing, members must submit a minimum value of cybersecurity information each business day and will be assigned an ongoing “value rating” based on the information shared. Further, members must maintain the technical capabilities to share and receive information via the CTA platform. The minimum value of threat intelligence that members must share daily consists of:
- Indicators of Compromise such as
  - Observables like file text
  - Kill Chain Stage
  - Context such as malware name
- Contextual information such as campaign or threat actor
All submitted intelligence is evaluated by a value-based algorithm. The algorithm assigns points for every vendor submission and correlates it with other intelligence for mutual validation; points are added or subtracted based on correlation or contradiction by other members. The value of the data submitted by a vendor determines how much data the vendor can receive in return. A governing body oversees and manages the algorithm. This body will review and periodically update the algorithm to incentivize sharing and minimize gaming in the marketplace.
As output, participating members can choose what data they receive in return. The key options are:
- Which member submitted the data
- Affiliation with a threat actor
- Date of data submission or detection
- Verification/validation by other members
- Data type such as malware, domain
Clearly the algorithm is central to the platform in ensuring members “give to get” as well as ensuring the shared output is valuable. It is a living algorithm that the CTA members oversee and manage for the benefit of all and to drive better security for all of our customers.
Check Point is pleased to be a Founding Member of the formalized and legitimized CTA. We look forward to helping lead this alliance to drive more comprehensive and timelier threat intelligence for all members and ultimately provide better protection for our customers and all member customers.