Global Cybersecurity Collaboration: Challenges and Where We are Today

The evolution of cyberattacks towards stealthy, targeted, persistent threats that use a cocktail of techniques is well recognized. This new set of attackers, consisting of criminal organizations, political groups and malicious hackers, is launching complex, sophisticated attacks that can wreak significant havoc not only on enterprise networks but also on critical government infrastructure worldwide.


It would seem that in this new world, where attackers take advantage of a global network of resources to carry out their attacks, global cybersecurity cooperation and collaboration are what is needed to provide visibility into attacks and slow these attackers down. If local, state and national governments can share critical information collaboratively among their entities and with the private sector, this can provide actionable intelligence on current and future attacks.

But there continue to be significant challenges with global cybersecurity collaboration:

Absence of common language, terminologies and process for sharing – Each enterprise and government entity uses very disparate sets of languages, technologies and processes, which makes collaboration ineffective today. Most cybersecurity intelligence is handled via traditional data sharing such as emails, PDFs and CD-ROMs: antiquated, manual processes that cannot support the speed at which attacks today penetrate and infect organizations.

Fear and concerns over sharing – Enterprises, organizations and governments struggle over how much information about an attack they can reveal. Concerns range from whether the information shared reveals too much about their business to competitors and nation states, to whether it violates user privacy or could be used by regulators against them. This trust issue is compounded when government agencies are brought into the mix, in particular government agencies such as the FBI that have a long-established history of a closed, secretive culture. The challenge is how to develop a trust framework that can specify who the information should be shared with, and how much to share.

Lack of resources and motivation to share – Many organizations also do not believe in the benefits of sharing details of an attack or breach. There are no incentives or fiduciary responsibility for organizations to disclose a breach unless it impacts a particular compliance requirement. There are more negative implications of sharing the details of a breach such as lost customers, lawsuits and privacy implications. In addition, there is the dilemma that once information about a breach is shared, customers that are impacted must be notified promptly. Notification of breaches must be done in an expedient manner that requires significant resources that may not be available in smaller organizations.

Where are we today?

The good news is that the negative perception of information sharing is waning. The majority of security companies that are attacked are being very open about how they have been breached. For example, companies like RSA and Bit9 provided comprehensive analyses of the attacks on their networks. This contrasts with how Verisign addressed their breach several years ago. Even though they were attacked in 2010, they did not disclose any information until 2011, and only because of a new SEC-mandated filing.

In addition, we have reached a point where many organizations and agencies have begun discussions on cybersecurity cooperation and intelligence sharing. The creation of the “Information Sharing and Analysis Center (ISAC)” for national infrastructure has provided a forum for managing risks to IT infrastructure and a way to share threat intelligence. Governments have implemented executive orders for enhancing cybersecurity, from President Obama’s executive order on cybersecurity to the British government’s focus on cybersecurity. The Department of Homeland Security has even collaborated and signed letters of intent with governments to share threat intelligence. We are also making larger strides among security companies and in the types of threat data that are being shared with the CSIRT (Computer Security Incident Response Team) community.


Until all these mandates, forums and platforms develop into meaningful information sharing programs, what can organizations do? There are several critical best practices. The first is to segment your networks so that any breach, and any eventual data exfiltration, is contained. With a segmented network, an attacker is like an intruder who comes in the front door of your home but is denied access to the other rooms in the house. The second best practice is to ensure you have visibility into what applications and information are in your network, who has access to them, and what they are doing with that access. Without this visibility, organizations cannot proactively identify risks that violate compliance requirements and company policies. This visibility also provides the ability to analyze user data quickly to determine if and when to disclose information in the event of a breach. Finally, it is important to implement a robust threat prevention framework that can analyze both known and unknown threats. These best practices, together with eventual collaborative intelligence sharing, are the right steps toward combating cyberattacks.

Written By

Danelle is a seasoned product and solutions marketing leader with expertise in bringing disruptive security, cloud and AI technologies to market. She has more than 20 years of experience building and scaling GTM teams and positioning companies for growth — from early stage startups to IPO. Prior to Infoblox, Danelle held multiple Chief Marketing Officer roles, including Ordr, Blue Hexagon (acquired by Qualys) and SafeBreach where she helped define and build a new market category. She was also VP strategy and marketing at Adallom (acquired by Microsoft) and played a key role in Palo Alto Networks growth through IPO as a leader in solutions marketing. Earlier in her career, she held senior product management roles at Cisco, overseeing security, networking and VoIP products. She was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. patents. She has an MSEE from UC Berkeley.
