Since its inception in 2016, the Department of Homeland Security's threat-sharing platform has been plagued by a lack of participation from public and private organizations alike. DHS is now vowing to make improvements, as the security community calls for better quality of data and more tangible payback for opting in.
The Automated Indicator Sharing (AIS) service, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), was designed as a firehose of free threat data, intended to be a fast, unfiltered tap of every threat its participants see. But an inspector general report released this week confirmed underwhelming engagement.
"The limited number of participants that share cyber threat information in AIS is the primary impediment to achieving better quality and more actionable information sharing," wrote the IG. In 2018, only three percent of the customers receiving threats from the AIS service uploaded threat indicators.
The reasons consumers do not share data with AIS are manifold, said Roberto Sanchez, senior director for threat sharing and analysis for Anomali, a company that builds platforms to utilize threat sharing data from government and other sources.
There's a lack of education about what information is worth sharing on the platform, he said. Many chief information security officers worry that sharing information pertinent to threats may inadvertently expose data the company or customers would like to keep private. Also, the system is clunky to use, Sanchez continued, and resources going to sharing a problem can't go to fixing a problem. And without a peer group that is also sharing its most valuable information, it is hard to see a benefit in using a platform to help other companies without receiving help in return.
In other words, nobody wants to be first.
But the big problem preventing users from sharing data, agree Sanchez and other users, is the quality of data they receive back from the system. Consumers who want to share data only want to share where it counts.
"AIS is like being offered a free puppy," said Brian Kime, a senior analyst at Forrester for security and risk and an infosec veteran who worked at electric giant Southern Company. "First it sounds great. Then you have to walk it and clean up after it. AIS took so much time to get any value."
The firehose quality of AIS can work against its intentions. A lot of the indicators that get shared correspond to well-worn threats already stopped by most vendors.
"I honestly don't think we found anything useful using AIS," Kime said. When he shared data with DHS, it wasn't through the automated system.
Then there are problems with the lack of context for the data that comes blasting through the hose. Users complain the data can be as stripped down as a single IP address.
The desire to remain anonymous in front of a huge group of AIS customers can make more complete data sharing difficult, said Wendy Nather, an advisory CISO at Cisco and former research director of the Retail ISAC, via email.
"The type of threat intelligence that lends itself best to automated feeds ends up being aged and sanitized down to a level where it's safe to share across the board without the possibility of detailed, iterative feedback," she said.
Sanchez said most firms move to ISACs, which are more active and sector-specific, for information sharing.
AIS is worth making an effort to improve, he said. "But it needs to be more about curation — more about what they share and what they want to receive."
Such improvements may require defined standards for what data should go on the platform, and making reporting part of the process for dealing with incidents.
Sanchez noted that CISA's public reporting of indicators, signatures and attributions has been more frequent over the past few years. He would like to see some of that rigor and depth applied to the AIS data. Kime noted that including ATT&CK information and other context would be great, but even just adding analytics on indicators would help.
Nather said a more difficult task in improving data quality might be improving trust between consumers to encourage more complete data.
"Unfortunately, trust tends to happen between individuals, not between organizations, and the nature of the AIS platform is that it is an organization," she said.
CISA has already started to address some of these problems, beginning with several initiatives it touted in its formal response to the findings in the inspector general's report.
"CISA is committed to improving the overall quality of information it shares with AIS participants and is working with our government and private sector partners to address the recommendations in the OIG’s report and improve the ability of government and private sector to contribute to and benefit from AIS," a representative from the agency told SC Media via email.
In its response to the report, CISA said it was tackling the issue on a number of fronts, including addressing some of the challenges Sanchez raised.
The agency is exploring, for example, ways to increase the types of information it will share, build more confidence and trust in the system, and increase education. It also plans to develop new guidelines for submissions by the end of the year, a new "roadmap" to improve sharing on AIS by the first quarter of 2021, and a grand information-sharing strategy by September 30, 2021.