Security Experts:

Threat Information Sharing - Fighting Fire With Fire

The Security Industry Must Rally Around the Same Sort of Massive Information Sharing Model That the “Bad Guys” Use—Only Better...

I recently saw a TV commercial dramatizing a cybercriminal bazaar of sorts. And what were they selling you ask? Simple: your information and various methods to obtain it. But this was no ad hoc collection of street vendors. This was an organized, calculated sale.

Although many cybercrimes are committed by individuals or small groups, large organized crime networks have emerged. These "professional" criminals find new ways to commit old crimes, treating cybercrime like a business and forming global criminal communities. Criminal communities that share, swap and sell strategies and tools and can combine forces to launch coordinated attacks. They even have an underground marketplace where they can buy and sell stolen information and identities.

Globe Information SharingThe point is, gone are the days of most cybercriminals hiding out in mom’s basement, crouched over a computer trying to break into that large enterprise or government agency. No, today, the bulk of effective cybercrime is conducted over complex, organized information-sharing networks.

And why are these networks of operatives successfully infiltrating some of the world’s largest and supposedly most secure businesses and governments? Simple. Cybercriminals are actually sharing information among each other much more effectively than legitimate businesses and governments. For the most part, the “good guys” are operating in their own silos. Sure they are keeping up on the latest attack methods, but often times the information they are obtaining a) is not actionable b) is not timely enough and c) takes substantial human capital to obtain.

In order to stay ahead of the latest threats, some very limited security information-sharing groups have emerged. But these groups are typically confined to very tight industry and peer circles and/or ad-hoc email communication lists. As a result, the effectiveness of these groups is limited; they are siloed and lack the large-scale structured collaboration needed to combat today’s constantly evolving, highly organized cybercrime networks.

Simply put, cyberthreats are evolving so quickly today that traditional security tools and current information sharing networks can’t keep up.

Sharing By Industry

Today, there are some operational security communities that specialize in information sharing across select industries that are showing some promise. Take for example FS-ISAC for the financial industry. Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.

FS-ISAC’s Critical Infrastructure Notification System (CINS) sends security alerts while providing for user authentication and delivery confirmation. The FS-ISAC also provides an anonymous information sharing capability across the financial services industry. Upon receiving a submission, member experts can verify and analyze the threat and identify any recommended solutions before alerting other FS-ISAC members. This assures that member firms receive the latest tried-and-true procedures and best practices for guarding against known and emerging security threats.

While FS-ISAC is a good place to start, the problem is that this information is predominately only gathered and disseminated to financial industry companies and on a limited basis to their security vendors. It is not shared at all across industry lines. Therefore, financial companies aren’t privy to the latest threats against, say, e-commerce companies, threats that no doubt will hit them next. Furthermore, these are usually just delivered as alerts to an email group. While having the latest information is extremely important, along with some discussions about what the data might mean, it is very difficult to make the information scalable and actionable since it is usually tied up in email attachments sent to individuals, Finally, members within FS-ISAC may be wary to share all of their information as the direct benefit isn’t always clear, and the “competition” is there.

Sharing By Peer Groups

Map With SecurityWhile FS-ISAC is confined to the financial industry, there are a number of one-off forums that drill down into IT security peer groups. One such example is NSP-SEC. According to the NSP-SEC website, it defines the forum thusly: “The nsp-security forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs (Internet Service Providers) and NSPs (Network Service Providers) in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks.” While the emailing of attack vectors was a great initial step when NSP-SEC was created, in today's evolving threat landscape a tool that is not automated and doesn't provide actionable intelligence is not sufficient.

Another shortfall of NSP-SEC and other groups like it: membership in NSP-SEC is restricted to those actively involved in mitigation of NSP Security incidents. As such, it is limited to operators, vendors, researchers, and others working to stop NSP security incidents. That means being a “security guru” or being “from the Government” does not qualify for NSP-SEC membership. Bottom line, you need to be someone who touches a router in a ISP/SP backbone or can tell someone to touch a router. This is very limiting and again contributes to the silo effect.

Moreover, “point to point” collaboration outside of the main NSP-SEC lists does happen and is strongly promoted. So valuable information that could benefit the members as a whole is lost to offshoot discussions. If you are trusted enough to make it into one of the breakout groups, THEN you’ll get the real dirt.

NSP-SEC has and will continue to thwart cyberattacks and is a great resource. Yet the question remains: is it doing it in the most effective and efficient manner possible given how cybercriminals operate today? My answer is a definitive “NO.” This critique shouldn’t be construed as singling out NSP-SEC or anyone else mentioned. Indeed, these limitations at NSP-SEC are not an exception, but rather the norm for security industry information sharing groups. Take DNS-OARC, FIRST as further examples of great organizations that bring people together to solve problems. They and most other such groups operate within their own peer groups, are loose nit and communicate via email without effective collaborative platforms or unified, real-time data sharing.

There are some interesting efforts out there that have progressed in getting past some of these challenges. Of particular note, REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center, is sharing real-time threat indicator data at scale amongst member universities. This allows one university to detect an attack and notify everyone else in the network automatically to protect the entire ecosystem. Beyond data, members collaborate to solve issues. And while this is focused on the higher education system today, the folks at REN-ISAC are looking to collaborate with other groups to expand effective collective intelligence.

Trust and Organization

The problem comes down to two issues: trusting fellow members in a group and a lack of resources to organize a massive, organized information-sharing network. The key word here is organized. If there was an information sharing group that operated in circles where with one type of threat, you could share all of your data with one circle, some of your data with another and a small amount of data with the another, then there would be much more trust with sharing information.

Threat Sharing

While the security industry has taken great strides in information sharing, in order to stay one step ahead of the highly organized bad actors, the industry must rally around the same sort of massive sharing model that the “bad guys” use—only better. As a collective, the “good guys” have vastly more resources than the bad guys do. However, those resources are often not directed towards security, and when they are, everyone is busy building their own organizational or industry-group silos. This is highly inefficient and tips the scales in the miscreants favor.

It is refreshing to see the tone changing on this in both public and private circles. The latest National Strategy for Information Sharing and Safeguarding released in December 2012 by the White House provides a clear roadmap towards these kinds of reforms for the federal government and critical industry members. Work in Europe by the European Network and Information Security Agency or ENISA to normalize information between EU countries, and the EU’s new European Cyber Crime Centre focused on sharing information across the continent are also welcomed developments.

Can these government-led efforts break past the barriers that have hemmed-in prior initiatives, keeping such information tightly-held? Time will tell, but as an industry, we must all work to encourage such efforts to be inclusive of a much broader, yet trusted, community.

Related Reading: Combating Emerging Threats Through Security Collaboration

Subscribe to the SecurityWeek Email Briefing
view counter
Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world and works closely with ICANN. He also is a member of the Online Trust Alliance’s (OTA) Steering Committee and an active member of the Digital PhishNet and is an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.
view counter