Over the last several years we have watched technology evolve while the standard models of defense in Government have remained static. The Government strategy has been to make it costly for threat actors to stay active by chasing them and publishing their indicators as the sources of attacks change. This forces threat actors to change their attack methods and sources often, which makes it harder for them to impact infrastructure and targeted entities. It is the equivalent of swatting flies, and it is very costly for the organizations publishing the data. This cat and mouse game never ends, and it is inefficient, costly and highly ineffective. So what can we do to improve this situation?
Here are some approaches our working group has come up with that may fix this issue:
Instead of swatting flies (IOC tracking), we need to be swatting the tools themselves that are being used. Rendering the tools useless forces threat actors to redevelop whole campaigns instead of just changing where their attacks originate.
Three strikes, you're out model. One of the issues the working group has seen is that the same compromised hosts are used over and over to launch attacks. If hosting providers can't clean their source networks, then their entire networks should be blocked. This is an incentive for network and hosting providers to do their part to stop abuse; today they simply ignore requests and rarely, if ever, take action, even when presented with evidence that their infrastructure was used to carry out harmful attacks. In this model, if a provider fails to respond on three occasions, its network should be blocked until it removes the offenders.
Contribute attack data, not indicators of compromise. Actual data showing what happened, in a form that lets systems (IDS/IPS/firewalls) identify and drop the traffic, is more useful than where the attack originated. These patterns are used to drop malicious traffic instead of merely alerting on the activity.
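To make the difference concrete, here is an added example (not code from the original post or its working group) that runs a source-IP blocklist and a small set of attack-pattern rules over constructed sample requests. The IP addresses, request paths and rule names are all made up for illustration; the point it shows is that once the same tooling is replayed from a fresh host, the IOC-style blocklist allows it through while the pattern rules still drop it.

```python
# Added example: IOC-style source blocking versus attack-pattern blocking.
# All traffic, addresses and rules below are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    path: str


# Constructed sample traffic: the same attack tooling is seen first from one
# host, then replayed from a new host after the first one was reported.
SAMPLE_TRAFFIC = [
    Request("203.0.113.10", "/index.php?id=1' OR '1'='1"),
    Request("203.0.113.10", "/admin/../../etc/passwd"),
    Request("198.51.100.7", "/index.php?id=1' OR '1'='1"),  # same tool, new source
    Request("192.0.2.44", "/about.html"),                     # benign request
]

# IOC-style defense: a blocklist built from the first reported source only.
IOC_BLOCKLIST = {"203.0.113.10"}

# Attack-data defense: rules describing what the tool sends, independent of origin.
# (Hypothetical rule names; the regexes are deliberately simple.)
PATTERN_RULES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def ioc_verdicts(traffic):
    """Drop only requests whose source is on the IOC blocklist."""
    return ["drop" if r.src_ip in IOC_BLOCKLIST else "allow" for r in traffic]


def pattern_verdicts(traffic):
    """Drop any request matching an attack pattern, whatever its source."""
    verdicts = []
    for r in traffic:
        hit = next((name for name, rx in PATTERN_RULES.items() if rx.search(r.path)), None)
        verdicts.append(f"drop:{hit}" if hit else "allow")
    return verdicts


def missed_by_ioc(traffic):
    """Sources of attacks the pattern rules drop but the IOC blocklist allows."""
    return [
        r.src_ip
        for r, ioc, pat in zip(traffic, ioc_verdicts(traffic), pattern_verdicts(traffic))
        if ioc == "allow" and pat != "allow"
    ]


if __name__ == "__main__":
    for r, ioc, pat in zip(SAMPLE_TRAFFIC, ioc_verdicts(SAMPLE_TRAFFIC), pattern_verdicts(SAMPLE_TRAFFIC)):
        print(f"{r.src_ip:15} {r.path:30} ioc={ioc:6} pattern={pat}")
    print("attack sources the IOC blocklist missed:", missed_by_ioc(SAMPLE_TRAFFIC))
```

Running the script prints one verdict pair per request and then the replayed source that only the pattern rules caught. In a real deployment the `PATTERN_RULES` table is what an IDS/IPS signature or firewall rule set would carry, and it keeps working when the attacker moves to a new host, whereas the blocklist has to be republished every time.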
Effective sharing. Today the Government relies on STIX and TAXII to move indicators around. The issue is that this is a publication-type service: simply having the information is not useful, while actually using the information to take action is far more valuable.
We have been trying in earnest to work on solutions that are wholly effective at protecting our Government partners and fellow contractors, but these pushes keep falling on deaf ears. We have launched a working group and will be publishing the results of our research by year's end.