Shared threat intelligence saves the day

A Distributed Denial of Service (DDoS) attack took down a residence hall network switch at the University of Maryland (UMD) over spring break 2018, but it could have been a lot worse without the collaborative threat information sharing partnership of U-M and other universities.

90% of attack traffic blocked

“If we hadn’t been using our shared threat intelligence, we would have likely lost internet access across campus, caused serious disruptions of all UMD IT services, and negatively impacted a disaster recovery plan test that was being conducted at the same time,” said Bertrand Sobesto, IT senior engineer, Division of IT-Security at UMD. Activity logs showed that “90% of the attack traffic had been blocked thanks to the shared intelligence framework we are part of.”

Shared across the Big Ten

The threat intelligence information resides in a repository hosted and facilitated by U-M Information Assurance (IA) and shared across the Big Ten Academic Alliance (BTAA), with seven schools participating in threat intelligence sharing. The repository resulted from collaboration among BTAA chief information security officers.

“Attackers frequently go after more than one university with the same approach,” explained Sol Bermann, U-M privacy officer and interim chief information security officer. “They often try an attack out on a small number of targets, fine tune it, and then go after additional targets. By sharing information across the Big Ten, we can help each other react to threats faster—and even end them before they begin.”

The repository contains Internet Protocol (IP) addresses, domains, email addresses, and more that are known to be malicious. U-M IA staff gather and compile the information from multiple trusted sources, including REN-ISAC, Spamhaus, and others—as well as threats detected at U-M. The BTAA universities contribute their own information and then use the shared intelligence to configure firewalls, network intrusion prevention systems (IPSs), malware filters, and other security services.
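As an added example, not part of the original article and not MITN or CIF code: a Python sketch of the consumption step described above, in which indicator records from several feeds (constructed sample records in a simplified, hypothetical format, not CIF's real schema) are merged, filtered by confidence and freshness, turned into a firewall/IPS deny list, and matched against constructed connection log lines.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample records in a simplified, hypothetical feed format.
# Each record: indicator, type, confidence 0-100, reporting source, last-seen time.
FEEDS = [
    {"indicator": "203.0.113.7", "itype": "ipv4", "confidence": 85, "source": "isac-feed", "lastseen": "2018-03-10T06:00:00Z"},
    {"indicator": "203.0.113.7", "itype": "ipv4", "confidence": 70, "source": "peer-university", "lastseen": "2018-03-10T08:30:00Z"},
    {"indicator": "bad.example.net", "itype": "fqdn", "confidence": 95, "source": "local-sensor", "lastseen": "2018-03-10T09:00:00Z"},
    {"indicator": "198.51.100.0/24", "itype": "ipv4", "confidence": 60, "source": "peer-university", "lastseen": "2018-01-01T00:00:00Z"},
    {"indicator": "phish@example.org", "itype": "email", "confidence": 40, "source": "peer-university", "lastseen": "2018-03-10T09:00:00Z"},
]
# Constructed connection log lines: '<time> <src_ip> -> <dst_ip> <dst_host>'.
LOG_LINES = [
    "2018-03-10T09:15:00Z 10.0.0.5 -> 203.0.113.7 unknown",
    "2018-03-10T09:16:00Z 10.0.0.6 -> 192.0.2.10 bad.example.net",
    "2018-03-10T09:17:00Z 10.0.0.7 -> 198.51.100.9 benign.example.com",
]
NOW = datetime(2018, 3, 10, 10, 0, tzinfo=timezone.utc)  # assumed evaluation time

def merge_indicators(records, now, min_confidence=65, max_age=timedelta(days=30)):
    """Combine records from all sources into one actionable set: confidence is the
    maximum reported, each indicator keeps the set of sources that reported it,
    and entries that are stale or below the confidence threshold are dropped."""
    merged = {}
    for r in records:
        seen = datetime.fromisoformat(r["lastseen"].replace("Z", "+00:00"))
        key = (r["itype"], r["indicator"].lower())
        entry = merged.setdefault(key, {"confidence": 0, "sources": set(), "lastseen": seen})
        entry["confidence"] = max(entry["confidence"], r["confidence"])
        entry["sources"].add(r["source"])
        entry["lastseen"] = max(entry["lastseen"], seen)
    return {k: v for k, v in merged.items()
            if v["confidence"] >= min_confidence and now - v["lastseen"] <= max_age}

def ipv4_blocklist(merged):
    """Networks to push to a firewall or IPS deny list (hosts become /32)."""
    return sorted(ipaddress.ip_network(ind) for (t, ind) in merged if t == "ipv4")

def match_log_lines(lines, merged):
    """Return the log lines whose destination IP or hostname hits an actionable indicator."""
    nets = ipv4_blocklist(merged)
    fqdns = {ind for (t, ind) in merged if t == "fqdn"}
    hits = []
    for line in lines:
        _, _, _, dst_ip, dst_host = line.split()
        ip = ipaddress.ip_address(dst_ip)
        if any(ip in n for n in nets) or dst_host.lower() in fqdns:
            hits.append(line)
    return hits
```

The stale /24 from the peer feed is aged out, so the third log line is not flagged even though its destination falls inside that range; that is the freshness check doing its job rather than a miss.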

U-M is smitten with the MITN

While it began with a shared repository, U-M IA expanded that by developing a framework for collecting, generating, sharing, and using threat intelligence, now known as MITN—Michigan Intelligence for Threat Negation. At the heart of MITN is the “Collective Intelligence Framework” (CIF), a threat intelligence application developed by REN-ISAC. CIF is widely used in the higher education community to share threat data among universities. Some of the BTAA schools have their own CIFs, which they have connected to MITN to synchronize data. Others use the MITN data directly.

“MITN data makes email infrastructure, network IPS, and other services stronger and more effective,” said Matt Coons, senior incident responder and threat analyst. “We now have more than 25 open-source threat feeds, data from our BTAA peers, and threats we’ve identified at U-M. All of that adds up to more than 60,000 actionable indicators updated hourly. We use it to block 300,000–500,000 threats daily on our IPS alone.”

“We are smitten with the MITN,” said Kevin Cheek, university incident response lead, with a grin. “At U-M, we share the data with Michigan Medicine and UM-Dearborn. We are working to extend its protection to additional systems, add more threat intelligence sensors, and make the threat intelligence generation more modular so it is easier for others to use.”

Stay tuned for more as universities throughout Michigan and across the country potentially leverage MITN to protect their systems and data.