Critical challenges ahead for threat intelligence sharing

McAfee Inc. today released a threat report, which detailed the challenges facing threat intelligence sharing efforts, probed the architecture and inner workings of Mirai botnets, assessed reported attacks across industries and revealed growth trends in malware, ransomware, mobile malware and other threats in Q4 2016.

“The security industry faces critical challenges in our efforts to share threat intelligence between entities, among vendor solutions, and even within vendor portfolios,” said Vincent Weafer, vice president of McAfee Labs.

“Working together is power. Addressing these challenges will determine the effectiveness of cybersecurity teams to automate detection and orchestrate responses, and ultimately tip the cybersecurity balance in favour of defenders.”

The report reviewed the background and drivers of threat intelligence sharing; the various threat intelligence components, sources and sharing models; how mature security operations can use shared data; and the critical sharing challenges the industry must overcome. Those challenges are many.

A massive signal-to-noise problem continues to plague defenders trying to triage, process and act on the highest-priority security incidents.

Attackers may file false threat reports to mislead or overwhelm threat intelligence systems, and data from legitimate sources can be tampered with if it is poorly handled.

If vendors focus only on gathering and sharing more threat data, there is a risk that much of it will be duplicative, wasting valuable time and effort. Sensors must capture richer data to help identify the key structural elements of persistent attacks.

Intelligence received too late to prevent an attack is still valuable, but only for the clean-up process. Security sensors and systems must share threat intelligence in near real time to match the speed of attacks.

The failure to identify relevant patterns and key data points in threat data makes it impossible to turn data into intelligence, and then into knowledge that can inform and direct security operations teams.

To move threat intelligence sharing to the next level of efficiency and effectiveness, McAfee Labs suggests focusing on three areas.

Simplifying event triage provides a better environment for security practitioners to investigate high-priority threats, while establishing relationships between indicators of compromise allows threat hunters to understand the connections to attack campaigns.

Finally, better sharing models will improve the ways threat intelligence is shared between a business's own products and with other vendors.

“Increasingly sophisticated attackers are evading discrete defense systems, and siloed systems let in threats that have been stopped elsewhere because they do not share information,” Weafer continued.

“Threat intelligence sharing enables us to learn from each other’s experiences, gaining insight based on multiple attributes that build a more complete picture of the context of cyber events.”

Mirai botnet proliferation

Mirai was responsible for the fourth quarter’s highly publicised DDoS attack on Dyn, a major DNS service provider. Mirai is notable because it detects and infects poorly secured IoT devices, transforming them into bots to attack its targets.

The October public release of the Mirai source code led to a proliferation of derivative bots, although most appear to be driven by script kiddies and are relatively limited in their impact.

But the source code release has also led to offerings of “DDoS-as-a-service” based on Mirai, making it simple for unsophisticated yet willing attackers to execute DDoS attacks that leverage other poorly secured IoT devices. Mirai botnet-based DDoS attacks are available as a service in the cybercriminal marketplace for $50 to $7,500 per day.

McAfee Labs estimated in its report that 2.5 million Internet of Things (IoT) devices were infected by Mirai by the end of Q4 2016, with about five IoT device IP addresses added to Mirai botnets each minute at that time.

Q4 2016 threat activity

In the fourth quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable trends in cyber-threat growth and cyber-attack incidents across industries.

There was significant malware growth. The number of new malware samples slowed 17% in Q4, while the overall count grew 24% in 2016 to 638 million samples. Mobile malware also rose dramatically, with the total growing by 99% in 2016.

Ransomware, reported as the greatest threat to businesses this year, inevitably grew in total. The number of new ransomware samples dropped 71% in Q4, mostly because of a drop in generic ransomware detections and a decrease in the activity of the Locky and CryptoWall strains. The total number of ransomware samples grew 88% in 2016.

The public sector experienced the greatest number of incidents out of any ‘sector’ by far, but McAfee believes this may be the result of stricter requirements for reporting incidents, as well as an increase in attacks related to the US election process, mostly voter database incidents and defacing of election websites.

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...