When credit card processor Heartland Payment Systems suddenly saw an uptick in fraud coming from outside the United States last year, the company didn’t just quietly handle it internally.
In the past, the company would have referred the issue to its internal security team to analyze and recommend an action. This time, John South, the company's chief security officer, had other options: He contacted members of the Payments Processing Information Sharing Council (PPISC), a group formed in 2009 that brought together Heartland and its competitors in the industry to share information on threats attacking their systems. He described what the company was seeing and how the attackers were operating.
“We were able to validate that other processors were seeing the same pattern and then take that pattern information directly to the U.S. Secret Service to help them and educate them in regards to the mechanism the attackers were using,” South says.
Because the incidents are still under investigation by law enforcement, South declined to describe any details of the event. However, Heartland’s response highlights a fundamental shift in information sharing.
Following post-mortem analyses of how barriers to information sharing stymied the U.S. government’s investigation of the terrorist groups that went on to destroy the Twin Towers on 9-11, federal agencies and industry have pushed strongly for better sharing of information. For nearly a decade, however, progress has been slow, especially in sharing cyberthreat information. Most industry sectors do not readily share information with the government or competitors, and barriers to sharing classified information block many government organizations from warning companies about possible attacks.
Companies like Heartland continue to take part in larger information sharing initiatives -- such as, in Heartland’s case, the Financial Services Information Sharing and Analysis Center (FS-ISAC) -- but they have also pushed out on their own. The major information sharing initiatives, such as industry information sharing and analysis centers (ISACs), tend to work for the largest participants, and while government-sanctioned information sharing channels are working hard to be more nimble, smaller grassroots efforts have become the nexus for groups worried about cybersecurity.
“Through the PPISC, we were able to take security out of the competitive landscape and allow members to benefit from each others’ experiences,” South says.
Other industries and even government agencies that have felt their needs were not being met have created their own groups to better share cyberthreat information. State and local governments have teamed up with law enforcement and created the Cyber Threat Intelligence Coordinating Group. In April, the health care industry announced that its own grassroots security information group, the Health Information Trust Alliance (HITRUST), had created a center to act as a hub for sharing information on attacks.
A tangled web
Such efforts are a break from the large information sharing channels set up by the U.S. government.
At the center of government efforts to share cyberthreat information with industry are the U.S. Department of Homeland Security’s National Cybersecurity Center (NCSC) and U.S. Computer Emergency Readiness Team (US-CERT). The Federal Bureau of Investigation’s InfraGard program works to inform and educate companies in more than 80 locales and, in return, gathers intelligence on particular threats.
Yet those three groups hide a bewildering array of information sharing initiatives and programs in the government that most companies never see.
The U.S. military collects and disseminates information through the National Security Agency’s Threat Operations Center (NTOC), the Department of Defense Cyber Crime Center (DC3), and the U.S. Cyber Command. Threat intelligence is also provided by the Intelligence Community Incident Response Center (IC-IRC). Information gleaned by law enforcement from criminal, counter intelligence and terrorism investigations is collected, acted upon and disseminated by the National Criminal Investigative Joint Task Force (NCI-JTF).
On the industry side, information necessary for critical infrastructure protection is processed through ISACs, as well as a number of regional, sector and governmental coordinating councils. State and local governments, for example, share threat intelligence and best practice information through the Multi-State ISAC and a network of fusion centers that help bring intelligence and law enforcement together. In addition, government agencies and critical infrastructure owners sit in a massive operations center, the National Cybersecurity and Communications Integration Center (NCCIC or “N-Kick”), which monitors for threats.
When it works, the large web of information sharing channels works well. Attacks get reported up through channels such as the US-CERT and the NCI-JTF, and information on the threats -- such as indicators of compromise (IOCs) -- gets transmitted back down to members.
“If a company sees something new they want others to know about, my first phone call is to the NCI-JTF, because I knew from there it would get to all the government parts,” says Phyllis Schneck, chief technology officer of McAfee’s global public sector group, who served for eight years as chairman of InfraGard’s national board of directors. “From there it gets to all the private industry pieces and even the intelligence community.”
However, these groups have their own mandates and, in many cases, hurdles to overcome before sharing information. Law enforcement agencies, for example, will not share information and warn a victim of a possible attack, if it might threaten the eventual prosecution of a suspect.
“It’s a challenge on the operational side to advise the victim that they may be a victim, even though an attack has not taken place,” Pete Cordero, assistant section chief with the FBI’s Cyber Criminals Section, told attendees at the RSA Conference 2012 earlier this year. “Especially when going to the victim may cause a problem in our ongoing operation to collect enough evidence to prosecute these individuals, beyond a reasonable doubt.”
While InfraGard, a sharing program run with the FBI, is a good place for any business to cut its teeth in the cyberthreat arena, it continues to be criticized for being a one-way street. Companies will report incidents to law enforcement, but actionable intelligence about those incidents rarely comes back down through InfraGard to its approximately 48,000 members.
"InfraGard ends up being, not so much an information sharing organization, as a relationship-building organization," says McAfee's Schneck.
Breaking down barriers
In some ways, the Heartland breach demonstrates the failings of early information sharing efforts, says South. Starting in late 2007, hacker Albert Gonzalez breached the company’s network using an SQL injection attack and, using that access, stole information on more than 130 million credit card accounts the following year. Other payment card processors had seen the techniques that criminals like Gonzalez used to breach Heartland’s system, he says.
“The indicators of the malware and attacks were available in the community, because other people had seen them, but they had no mechanism and no arena to share that information,” South says.
Such problems are being repaired, albeit slowly.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a key success. Established in 2003, the association now includes all 50 states, three U.S. territories and 144 major local governments, including every state’s capital. The MS-ISAC now has a person sitting on the floor of NCCIC. While the group originally focused on disseminating terrorism threat data and infrastructure protection information, cyberthreat sharing has become a major focus of the group as well.
“If there is a credible threat to a bridge, you need to do your analysis as to the risk consequences of that bridge being destroyed,” says William Pelgrin, founder and chairman of the MS-ISAC. “You look at the human consequences, the financial consequences. It is very important to know what the cyber consequences would be. The light bulb goes on when you realize how much telecommunications are running under those bridges.”
The destruction of the Twin Towers on 9-11 also led to the disruption of telecommunications, he says.
It took a long time for the MS-ISAC to break through companies’ barriers to sharing sensitive information, says Pelgrin. When he started the group, he had trouble getting companies to volunteer attack information. Initially, very few people shared information.
“A lot of times people didn’t share, not because they didn’t want to share, but for fear of blame or fear of impact on their intellectual property, which are real problems,” says Pelgrin.
Members develop trust over time. Another key to success, however, is forming smaller groups that help unserved portions of the membership get their intelligence out and better information back.
The Payments Processing Information Sharing Council (PPISC) is one example of such a group. Another example: After helping to establish the MS-ISAC, Pelgrin brought a variety of law enforcement groups together to cooperate in criminal investigations. The new organization, the Cyber Threat Intelligence Coordinating Group (CTICG), identifies potential investigations on which different law enforcement agencies can collaborate.
In a recent case spearheaded by the CTICG, a single report of stolen information from a local college led to a massive investigation that discovered a group of hackers using the Qakbot attack tool to steal data and store it on four FTP servers, including one outside the U.S. Organizations in more than 17 states were found to be victims, Pelgrin says.
“We would not have been able to figure this out without the information sharing,” Pelgrin says.
The case underscores that the point of information sharing is to be able to take action, he adds.
“Information sharing as a goal does not work, information sharing needs to lead to an action,” he says. “If we all sit around the table and say, ‘The train is coming down the track, but you can’t tell anyone about it,’ I don’t want to know.”
The U.S. government has seen that focused groups can be more effective and wants to support companies that self-organize as suits their needs. During a panel discussion on information sharing at the RSA Conference 2012, Lee Rock, acting director of DHS's US-CERT, assured such groups that the government would not interfere.
“We want to make sure the entities that have self-organized in the private sector … that we are collaborating and talking with them and not trying to dictate to them how to do their jobs,” Rock told attendees. “It is critically important, as there is no single entity that has the solution.”
In late April, health care firms banded together to find their own solution. While there is an information sharing and analysis center (ISAC) for the government's health care agencies, it does not represent the health care industry.
Moreover, the ISAC model would not work well in the health care industry, says Dan Nutkis, CEO of HITRUST, which was formed five years ago to share information about security and compliance requirements in the industry. With some 400,000 organizations, including many single-doctor practices, health care companies range from the very small to very large.
"What we learned was that only a small percentage was capable of consuming the type of information we were disseminating," Nutkis says. "You can't have an ISAC if you are only supporting five percent of your industry."
In April, HITRUST announced it would create its own initiative for getting threat information to its entire membership. Known as the Cybersecurity Incident Response and Coordination Center, the group will communicate threat data to health care companies and up to the U.S. Department of Health and Human Services.
"Before it was like drinking through a fire hose," says Roy Mellinger, chief information security officer for health care provider WellPoint. "Now, we can get information that is very tailored to our needs."
With the small groups cropping up to fill the voids in information sharing, companies have more choices than ever before for gaining intelligence on what threats may come knocking on their firewall. And if firms find that attending InfraGard and joining an ISAC do not fit their needs, they can work with their own industry to create a group.
“On all fronts there are improvements that are occurring,” says the MS-ISAC’s Pelgrin. “It is easy to say that things aren’t working, but I think we have an obligation to make them work.”
At 8:30 every morning, a who’s who of the U.S. government cyberworld meet on a conference call to take stock of the online threats of the last 24 hours.
The so-called “8:30 Sync Meeting” brings together representatives from the top six agencies focusing on cyberoperations for the U.S. government: The National Security Agency’s Threat Operations Center (NTOC), the Department of Defense’s Cyber Command (USCYBERCOM) and Cyber Crime Center (DC3), the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), the Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force (NCI-JTF) and the Intelligence Community’s Incident Response Center (IC-IRC), part of the Office of the Director of National Intelligence (ODNI).
Sharing top-secret information is against the cultural grain of many of the groups but they are working to overcome those barriers.
“We operate at the top-secret level," said Mary Robidoux, chief of technology, development and support for NTOC. "It is a big push for us to identify actionable information that we can push into the [lower] secret level and to allow the other centers to use the information."
In a panel presentation at the RSA Conference 2012 earlier this year, the NSA's Robidoux and representatives from the three other major agencies discussed the difficulties in sharing information, but also shared recent successes.
The focus is to create an operational picture of what is going on in cyberspace, says Major General David Lacquement, J-3 director of operations at the USCYBERCOM. "Ideally, we are able to identify a threat, develop a mitigation scheme and put it in place before the enemy employs the threat against our network," he says.
A major focus of the military's sharing efforts is helping to protect the companies that provide services and goods to the military. Called the Defense Industrial Base (DIB), the group of companies shares information through the Defense Industrial Base Collaborative Information Sharing Environment (DCISE), a program run by the DOD’s Cyber Crime Center (DC3). Getting information to the companies on attacks without compromising the identity of the victim, the source of signals intelligence (sigint) or an ongoing law enforcement investigation is difficult, says Lacquement.
"At the federal government level, I have been pleasantly surprised with both the sigint and LECI (law enforcement confidential informant) data," he says. "The level of sharing in cyber threats has increased significantly over the last two years as has the increased understanding of the value of that sharing."
In addition, the U.S. Department of Homeland Security has created the Joint Cybersecurity Services Pilot to protect those same companies by getting threat information and indicators of compromise to the Internet service providers on which defense companies rely.
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues.