In my last article I discussed how defenders need to borrow a page from bad actors with regard to embracing automation. There’s another lesson we can learn from how cyber criminals operate – sharing information to boost success.
A new report from the U.K.’s National Cyber Security Center describes an extensive, online criminal ecosystem that supports and enables cyberattacks, including allowing the sharing and advertising of similar techniques, tools, and services and collaborating to execute campaigns. Given the nature of their business, there’s no reason not to share. If it helps cybercriminals to profit faster, they’re all in.
Many security professionals have a very different mindset when it comes to sharing. No one ever gets in trouble for “over-classifying” information, so they keep it siloed and heavily protected. This type of thinking leads many to overvalue their information and believe that sharing will put their data at risk. When you’re charged with protecting the keys to the kingdom, it’s hard to justify marking anything public.
For years the security industry and government agencies have been trying to shift this mindset, and a multitude of frameworks and forums for sharing now exist. For example, Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) are two open standards designed to facilitate threat intelligence sharing in an integrated and automated way across security technologies, with the aim of strengthening defenses. Open source reverse engineering frameworks are emerging, using a cloud-based environment to bring the best minds together to accelerate and deepen our understanding of new threat variants. Security vendors are beginning to collaborate, enabling their security researchers to join forces in fighting the bad guys. Forums abound, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and those specific to industries including IT, Retail, Oil and Gas, Healthcare, and others. Each focuses on improving incident response through sharing information and collaborating on critical security threats.
Yet, for all these efforts, unless individuals think there is a reason to share – that the rewards outweigh the risks – they aren’t inclined to participate actively.
However, a recent, highly public demonstration of the benefits of information sharing should help security professionals warm up to the idea. When ‘WannaCry’ – the major ransomware attack that affected organizations around the world and in a variety of sectors – hit last month, some called it the biggest ransomware attack ever. Those affected soon took to Twitter and the blogosphere to share what they knew, with other social media and traditional media outlets spreading the word. In a rush to figure out what was happening, how it was happening, and what to do about it, the barriers to sharing came down. The result? Instead of having another catastrophic worm like Conficker that plagues us for years, WannaCry was basically remediated over a weekend. By most accounts, ransomware attacks will continue to mount and new variants of WannaCry will emerge, but this experience highlights the power of security information sharing.
Shifting mindsets is never easy. It certainly doesn’t happen overnight. But if we want to benefit from the value of sharing – as bad actors have been doing amongst themselves for years – here are three tips to get started.
1. Begin by sharing pure attacker data like an IP address. This limits your risk while offering some upside. Also remember that the majority of attacks are not highly targeted. Some amount of information can be shared without revealing anything sensitive or even specific to your organization.
2. If you don’t feel comfortable sharing in a public forum, find an organization where you can share (the list is long, as I mentioned earlier). Your information is shared among a smaller peer group, and you’ll benefit from the threat intelligence other members provide. Keep in mind, however, that many attacks are cross-industry, or may start in one industry but move quickly to another, so be careful not to put on blinders and focus exclusively on your own sector.
3. If you still aren’t ready for either of these steps, then at a minimum start sharing information within your own organization. Many internal groups are also siloed when it comes to information sharing either because they have competing priorities or out of concern for employee privacy. Again, start by sharing attacker information and you’ll likely open the door to a greater exchange of information as the benefits of accelerated detection, investigation, and remediation spread.
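As an added example (not code from the original article), here is how the first tip can be carried out in the STIX 2.1 format mentioned above: a short Python script that packages an attacker IP as a STIX Indicator inside a Bundle, the unit a TAXII server accepts, and that refuses internal or non-routable addresses so nothing specific to your own network leaks into the share. The field names follow the STIX 2.1 specification; the sample addresses in the usage note are constructed from documentation ranges.

```python
import ipaddress
import uuid
from datetime import datetime, timezone

# Address ranges that describe your own network, or no host at all; these never
# belong in a shared indicator. The list is explicit because Python's is_private
# also flags the documentation ranges used for sample data.
NON_SHAREABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 internal space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_shareable(ip: str) -> bool:
    """True only for a syntactically valid, routable address: pure attacker data."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_SHAREABLE)

def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing 'Z'."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def ip_indicator(ip: str, seen_at=None) -> dict:
    """Build one STIX 2.1 Indicator SDO for an attacker IP; refuses internal ranges."""
    if not is_shareable(ip):
        raise ValueError(f"{ip!r} is not a routable attacker address; refusing to share it")
    addr = ipaddress.ip_address(ip)
    sco = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
    ts = stix_timestamp(seen_at or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # SDO identifiers use a random UUIDv4
        "created": ts,
        "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{sco}:value = '{addr}']",   # STIX patterning language
        "pattern_type": "stix",
        "valid_from": ts,
    }

def attacker_ip_bundle(ips, seen_at=None) -> dict:
    """Wrap the indicators in a STIX Bundle, ready for json.dumps() and a TAXII push."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ip_indicator(ip, seen_at) for ip in ips]}
```

For example, `attacker_ip_bundle(["198.51.100.7", "203.0.113.9"])` (constructed sample addresses) yields a bundle with two indicators, while `attacker_ip_bundle(["192.168.1.20"])` raises rather than disclosing an internal address.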
There’s no reason for security professionals to feel isolated when their organization is attacked, or lost when they hear about a new threat. An ecosystem exists that enables and supports the sharing of information so we can work together to thwart attacks. You just need to tap into it.