If your organization operates critical infrastructure, whether in public utilities, finance, healthcare, national defense, technology or a similar field, nation-state attackers have put a large target on your network. Given the sophistication and persistence of the attacks against such networks, securing your infrastructure is not optional.
In 1998, Presidential Decision Directive 63 (PDD-63), issued to protect critical infrastructure, called for the creation of Information Sharing and Analysis Centers (ISACs). For ISACs to be effective, member companies, and specifically their CISOs, must share detailed information about the attacks they experience with other ISAC members, including direct competitors.
The more detail a company can share about an attack or breach, the better. CISOs are known for being extremely protective of this kind of information, so participating in an ISAC might seem counterintuitive. But when all members submit data about attack vectors, new malware variants and new approaches attackers are using to breach companies, the collective intelligence of the whole industry improves.
Because this data is shared with direct rivals, a critical part of any ISAC strategy must be sanitizing it before release: other members should learn everything about the attack but little or nothing about who the specific victim was, or anything else that would disclose proprietary information.
Alex Rifman, Director of Customer Success at Anomali, describes this as herd protection: each member gets an indirect benefit from protecting fellow members of the herd, even when they are competitors. Rifman offers the banking vertical as an example. For banks to convince customers that financial institutions are a safe place to deposit funds, each bank must be able to assure its customers that their accounts will be safe.
When all banks share information about an attack that one of them has experienced, they all benefit by being able to protect themselves against the same attack. The bank "herd" is safer because every member can defend itself without first having to be attacked, according to Rifman.
But sanitization has its own problems. There is a fine line between removing everything that reveals your defenses or your company's identity and stripping so much that the information becomes useless to other ISAC members. Sometimes there is no such line at all: to share anything helpful, the company has to reveal some sensitive operational details. That is where the CISO must make a difficult call.
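As an added illustration of the sanitization step discussed above (example code written for this page, not code from the article or from Anomali), the Python below redacts victim-identifying details from an incident write-up while keeping the attacker-side indicators other members need, and then re-scans its own output for anything it missed. The sample report, the victim organization ("Contoso Bancorp", contoso-bancorp.example), the hostnames, addresses and hash in it are all constructed for this example; the redaction rules (RFC 1918 and other non-routable addresses, the victim's own domain and name) are a minimal starting point, not a complete sharing policy:

```python
"""Sanitize an incident write-up before sharing it with an ISAC.

Added example, not from the article or Anomali. It keeps attacker-side
indicators (external IPs, file hashes, attacker domains, what worked and
what did not) and redacts victim-identifying details (non-routable internal
addresses, the victim's own hostnames and e-mail addresses, the company
name). Every identifier in SAMPLE_REPORT is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[\w-]+\b")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[\w-]+\b")   # dotted names (also matches IPs, handled first)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Constructed sample data: fictional victim, fictional indicators.
VICTIM_DOMAINS = ["contoso-bancorp.example"]
VICTIM_NAMES = ["Contoso Bancorp"]
SAMPLE_REPORT = """\
Incident summary (constructed example data):
On 03 Mar the SOC at Contoso Bancorp observed a phishing wave against
treasury staff. Lure e-mails from invoice@evil-updates.example reached
j.lee@contoso-bancorp.example and tied to 185.220.101.7 (attacker C2).
The dropper loader.exe (sha256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08) beaconed
from workstation WS-4471.corp.contoso-bancorp.example (10.42.7.19) to
185.220.101.7:443 every 60s. Lateral movement toward dc01.corp.contoso-bancorp.example
(10.42.0.5) was blocked by the EDR isolation rule; the proxy deny-list for
evil-updates.example was NOT in place and is the gap we are fixing.
"""


@dataclass
class SanitizedReport:
    text: str
    redactions: dict = field(default_factory=dict)   # counts per redaction type
    retained: dict = field(default_factory=dict)     # attacker indicators left in


def is_internal_ip(token: str) -> bool:
    """True for RFC 1918, loopback, link-local and other non-routable addresses."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def belongs_to_victim(host: str, victim_domains: list[str]) -> bool:
    """True if host is one of the victim's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in victim_domains)


def sanitize(report: str, victim_domains: list[str], victim_names: list[str]) -> SanitizedReport:
    counts = {"ip": 0, "email": 0, "host": 0, "name": 0}
    text = report

    def redact_ip(m):                  # internal addresses go, external (attacker) ones stay
        if is_internal_ip(m.group(0)):
            counts["ip"] += 1
            return "[INTERNAL-IP]"
        return m.group(0)

    def redact_email(m):               # victim mailboxes go, attacker sender addresses stay
        if belongs_to_victim(m.group(0).split("@", 1)[1], victim_domains):
            counts["email"] += 1
            return "[INTERNAL-EMAIL]"
        return m.group(0)

    def redact_host(m):                # victim hostnames go, attacker domains stay
        if belongs_to_victim(m.group(0), victim_domains):
            counts["host"] += 1
            return "[INTERNAL-HOST]"
        return m.group(0)

    text = IPV4_RE.sub(redact_ip, text)        # IPs first so HOST_RE never sees them
    text = EMAIL_RE.sub(redact_email, text)    # e-mails before bare hostnames
    text = HOST_RE.sub(redact_host, text)
    for name in victim_names:
        text, n = re.subn(re.escape(name), "[VICTIM]", text, flags=re.IGNORECASE)
        counts["name"] += n

    retained = {
        "external_ips": sorted({ip for ip in IPV4_RE.findall(text) if not is_internal_ip(ip)}),
        "sha256": sorted({h.lower() for h in SHA256_RE.findall(text)}),
    }
    return SanitizedReport(text=text, redactions=counts, retained=retained)


def residual_leaks(sanitized: str, victim_domains: list[str], victim_names: list[str]) -> list[str]:
    """Second pass: anything victim-identifying that survived sanitize()."""
    low = sanitized.lower()
    leaks = [d for d in victim_domains if d.lower() in low]
    leaks += [n for n in victim_names if n.lower() in low]
    leaks += [ip for ip in IPV4_RE.findall(sanitized) if is_internal_ip(ip)]
    return leaks


if __name__ == "__main__":
    result = sanitize(SAMPLE_REPORT, VICTIM_DOMAINS, VICTIM_NAMES)
    print(result.text)
    print("redactions:", result.redactions, "retained:", result.retained)
    print("residual leaks:", residual_leaks(result.text, VICTIM_DOMAINS, VICTIM_NAMES))
```

The second pass (residual_leaks) is the part most teams skip: a single regex miss, say a hostname written without the domain suffix or a company name in a screenshot filename, is enough to identify the victim to a competitor, so the output should be checked against the same victim terms before release. The example also shows the trade-off the text describes: replacing both a workstation and the domain controller with the same [INTERNAL-HOST] placeholder hides that the attacker was one hop from domain admin, which is exactly the context other members would want. A reviewer may choose to restore that role ("a domain controller") while still dropping the name.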
Roberto Sanchez, Director of Threat and Sharing Analysis at Anomali, adds that context is crucial when sharing attack data. What the attacker did and tried to do is essential, but it is not the whole story: CISOs should also report what they did to counter the attack and which measures did and did not work. The whole point is to help others defeat, or at least block, the common adversary.
To do this, CISOs and CSOs must be motivated to prioritize feeding the ISAC. "It's a question of value. You need to take care of your own house, first and foremost," says Travis Farral, Director of Security Strategy at Anomali. He adds that technology can let a company protect itself first and then feed intelligence to the ISAC, without asking CISOs to sacrifice the speed of their own defensive actions.
One determining factor in what kind of intelligence sharing a CISO can conduct is as basic as the employer's line of business. Currently there are 20 ISACs covering critical infrastructure industries; the National Council of ISACs publishes a list of its members.