At Palo Alto Networks and within Unit 42 threat intelligence, we share our findings about threat actor activity regularly with the Cyber Threat Alliance (CTA) – an intelligence sharing organization founded in 2014 by Palo Alto Networks alongside several of our competitors. In the nearly 10 years since, the CTA has grown to include many more cybersecurity vendors. The practice may seem counterintuitive – in the early days of cybersecurity, part of the edge that set companies apart was having detections others didn’t. However, sharing threat intelligence is a vital practice that ultimately makes everyone safer – and it leaves plenty of room for maintaining a competitive edge. I’m proud to share that I’ve recently joined the board of directors of the CTA, and a key part of what I see as my mission is fostering more sharing of actionable threat intelligence: from within Unit 42, from across the CTA and from new organizations that have yet to join the CTA.
Cybersecurity is different from many industries in that we’re not simply competing with each other. We’re actually trying to stop evil. Threat actors are damaging national security, halting hospital operations, threatening people’s livelihoods and more. All of us in the cybersecurity industry share a mission to stop the attacker, and so the days of not collaborating with each other are long gone.
The ongoing commitment of Palo Alto Networks to the CTA stems from this knowledge. While public policy changes matter, government alone can’t form all the relationships needed to defend against threat actors. The private sector must recognize this need and set aside concerns about how any one company looks individually, focusing instead on overall detection across the industry. There’s no joy in seeing a competitor suffer a major zero-day that leads to worldwide exploitation. No one company can truly realize its full potential without collaborative efforts to reduce the prevalence and impact of global cyberattacks. Of course, we can each set ourselves apart with how we use the threat intelligence we share, offering our customers sophisticated product features and services.
Over the past few years, events such as the attacks on SolarWinds and Colonial Pipeline or the Log4j vulnerability inspired a new emphasis on operational collaboration. With attackers taking up and putting down infrastructure very quickly these days, both public and private organizations recognize the need to work together so we can move as quickly as possible to make progress against cyberthreats.
Specific to the CTA, an early win came in response to the WannaCry outbreak, when, within hours, the CTA kicked off an internal collaboration process. This joint effort sped up analysis by 24-48 hours per member, allowing needed protections to be put in place within a critical timeframe.
Currently, we’re seeing a massive benefit of information sharing in Ukraine. I don’t believe organizations have ever shared information to this level in the history of cyber – and the coordination explains why we haven’t seen more harmful impact from cyberattacks, which could have intensified other forms of damage in the region.
Closer to home in the U.S., Unit 42 Senior Vice President Wendi Whitmore’s participation in the Cyber Safety Review Board alongside other leaders from government and industry is one example of public and private collaboration.
I’m thrilled to be joining the CTA’s board because of the organization’s focus on fostering sharing between companies that would otherwise compete. I deeply value its vision – which started as a handshake agreement between two cybersecurity CEOs over a cup of coffee in 2014 – and am proud to be part of a neutral organization that encourages all companies to work together to make people safer.
A big part of what I like about the CTA is the commitment to ensuring that all members participate in sharing. Everyone must share and meet a minimum sharing requirement. The organization doesn’t allow free riders or pay-to-play – you give information in order to receive it. What we do share needs to be actionable, and sharing is done in a structured format that includes contextual information – increasing the value of what is shared and the ability of members to build real-life protections based on the information.
CTA members hold each other accountable as well. If we find a vulnerability in each other’s security software, the organization provides a healthy, productive way to coordinate with each other.
The sharing platform has evolved over the past seven years, incorporating industry standards like STIX/TAXII, Kill Chain and MITRE ATT&CK. The CTA typically shares “about 11 million observables per month… with an average of three pieces of context per observable.”
Palo Alto Networks maintains a strong presence across all functions of CTA governance, from the board on down to committees and working groups including Membership, Algorithm and Intelligence, Policy and Standards and others. We continue to walk the walk and spread the word on how an organization like the CTA can be successful and why it matters.
There is still work to be done, and we can’t do it alone. Please feel free to reach out to me, Michael Sikorski, for further information on how Palo Alto Networks has benefited from the CTA and why we continue to advance its mission. If you’d like to join our ranks, the CTA would love to hear from you!
The more we coordinate, the stronger we will become. I envision a future in which we use the force multiplier of thousands of coordinated threat intelligence analysts and cybersecurity professionals to push back the tide of threat actors.