Threat intelligence information sharing efforts have become increasingly important as breaches become more pervasive. Karen Epper Hoffman reports.
Most organizations are loathe to share their secrets. But when it comes to cybersecurity preparedness, more and more private companies and government agencies are realizing that sharing their information is perhaps the only way to staunch the growing tide of threats.
Threat sharing initiatives in both the public and private sectors have been around for a decade or more. It started out as an informal understanding: IT security professionals at different companies might swap notes over beers about common problems or pesky IP addresses that were commonly plaguing their industry. But it has become more formal and more focused in efforts to get out ahead of the slick cybercriminals and even nation-states which are increasingly mounting online attacks at multiple targets across industries. Financial firms, health care companies, retailers and utilities operations alike are working with each other and in concert with federal agencies to share their real-time intelligence on breaches and potential threat as they are happening, to more quickly react, or even proactively stave off such attacks.
Robert M. Lee (left), the CEO of Dragos Security and a certified instructor for the SANS Institute, says that high-profile breaches in recent years in both business and government, like the ones at Target and the Office of Personnel Management, have encouraged more organizations to open up with experiences and become involved in industry and public-private threat intelligence-sharing efforts. “More organizations are realizing they need cybersecurity information real-time,” he says.
The launch of cross-industry initiatives – such as the Cyber Threat Alliance, co-founded by a handful of IT security vendors, including Palo Alto Networks, Symantec and Intel Security – as well as the growing popularity and success of sector-specific Information Sharing and Analysis Centers (ISACs) in financial services, retail and oil and gas, has driven more attention for such efforts. Similarly, the Cybersecurity Information Sharing Act (CISA), passed last December, has made it easier for companies in the private sector to share their threat intelligence with government agencies in efforts to reduce and mitigate threats. In February 2015, President Obama also introduced a new Cyber Threat Intelligence Integration Center to act as a central station for private-public threat-sharing. These efforts, across government and industry, have in turn given rise to the development of new platforms and standards aimed at helping the organizations involved better share their information.
Network defenders unite!
“The network defender community has learned that information-sharing groups benefit from the crowd-sourcing phenomenon just like any other community,” says Rick Howard, CSO at Palo Alto Networks. “In this case, the main benefit is speed.”
Typically, Howard (left) points out, cyberadversaries are “small, nimble and execute a finely tuned playbook in order to accomplish their mission.” Mostly, he says, they do not invent new attacks every time they change victims. “Once they have a campaign that works, they use it until it does not work anymore.” Or, he adds, they may change something in the playbook but not the entire plan.
“Network defenders operating in a vacuum have no chance against these agile adversaries,” he says. That’s because organizations are too small to keep track of every existing adversary playbook, even the well-resourced staffs, he says. By sharing information among themselves, companies and government agencies can turn the tables on the bad actors who are plying their schemes across multiple attack vectors at the same time.
According to a 2015 study by the Enterprise Strategy Group, 37 percent of North American organizations share their threat information regularly, while some 45 percent say they share information occasionally but not regularly. And, until recently, most information-sharing only took place through the ISACs.
John Carlson (left), chief of staff for the Financial Services ISAC and a former IT security executive with Morgan Stanley, says that the threat-sharing environment is changing not only because threats are becoming more constant and pervasive, but harder hitting with the onslaught of adversaries that include major hacktivist groups like Anonymous and even nation-states. “There’s a need for greater context about who is behind these attacks,” Carlson says “as well as more effective and efficient ways to protect systems and customers.”
Carlson admits that while, “ideally, the goal is to be proactive, where we are right now is still reactive, and trying to understand what’s occurring and why… anticipating where the threats are coming from.” In order to become more efficient and to share information more quickly, groups like the FS-ISAC are investing in automation to dig through the pieces of information collected across so many organizations and find the nuggets of gold in all the dirt. Case in point: FS-ISAC and the Depository Trust & Clearing Corp. (DTCC) together in 2014 launched Soltra, a threat-intelligence sharing platform for financial services companies using standard protocols that also acts a model for threat intelligence efforts in other industries now.
In addition, Carlson (left) says the FS-ISAC has a “regular dialog with government partners in the U.S. Department of Treasury and other agencies, as well as regulators.” FS-ISAC and its members conduct regular cybersecurity exercises and play out responses with government agency partners, in order to practice their preparedness and improve their resiliency.
“We connect in different ways, but the main way is through our online portal,” Carlson says. Members of the ISAC can submit anonymous tips directly or through different listserv groups that cover the more than 7,000 financial institutions that belong to the FS-ISAC. Geographically, most of the group’s members are based in North America, but the group does have members in Europe and Asia, which also include clearinghouses and payment processors which serve the financial industry. The group meets for summits four times per year. “We are still very much grassroots-oriented,” Carlson adds.
Information, in context
Information-sharing efforts may be gaining steam, but they are also gaining more complexity. And, in doing so, the need to make sure the information itself is trustworthy and in context is paramount. “Trust is an issue because many sharing groups consist of competitors,” says Howard. “In the marketplace, they are competing to dominate. But they have also recognized that there is a mutual benefit to sharing threat intelligence with each other.”
Nonetheless, Howard claims that trust issues exist. The best way for information sharing organizations to overcome trust issues is to get to know their other partners. “Over time, you realize that they are just trying to protect their organization that same way that you are trying to protect yours,” he explains.
But context and efficiency come into play here as well, since the more organizations involved means more information and more potential threats are being pumped through the pipeline. And determining which pieces of information and which potential threats are worthy of pursuing makes all the difference, especially if an organization is dealing with limited IT security resources and feeling overwhelmed by the plethora of data that is typically blasting them.
“Context is king in this space,” says Mark Clancy (left), CEO of Soltra, and CISO of the DTCC. “It’s about knowing what is useful, for the government and the private sector.” Implicit in this, Clancy says, is having the maturity of experience to differentiate good intel from bad intel, or better intel, and how to use it.