alphaspirit - Fotolia
Adam Rice and James Ringold
Published: 17 Apr 2015
On February 13, 2015, U.S. President Barack Obama issued another executive order with the goal of fostering partnerships between business and government agencies to promote the sharing of cybersecurity information on a voluntary basis. The executive order required the U.S. Department of Homeland Security to encourage the development of organizations for the purpose of sharing information and analysis relative to cybersecurity threats.
The mandate was also intended to encourage private sector businesses to collaborate within their respective industries, and with the federal government to enhance the understanding of threats across the United States, and promote real-time response to cybersecurity incidents.
While the executive order did not define the parameters of the cyber-risk and incident information sharing, it did stipulate that any collaboration should preserve the confidentiality of business and personal data as well as the privacy and civil liberties of individuals. What cyber-risk and incident information is critical for you to share among industry peers and the U.S. government? That remains an open question.
The critical intelligence and information necessary to defend against a cyberthreat or attack is a good place to start. This constitutes any risk and incident data relative to the tactics, techniques and procedures, or TTP, of the threat actors, as well as the systems and type of information they are targeting; it does not require the compromised data itself. The details of the targeted assets -- which likely contain confidential business data or personally identifiable information -- are necessary to perform a damage assessment and for notification purposes, but this information is not vital for helping others look for similar attacks on their systems and networks.
Bank on information sharing
This TTP information, also known as indicators of compromise (IOC), can enable other companies protecting similar data within their systems and networks to identify oncoming attacks and decide on a course of action. Threat actors often use similar techniques to attack financial institutions, for example. When incident, campaign and IOC data is received prior to an attack, it allows the targeted institution to mount the appropriate defenses and potentially see the attack as it unfolds.
The artifacts of a compromise are critical to allow peers to identify attacks that are happening across the industry. These artifacts include the file names and hash values of the executable content that comprise the malware dropper, exploitation tool, backdoor and other drivers, as well as the dynamic link libraries associated with the attack, so these artifacts can be input into detective and preventive controls. Registry and system artifacts are also important to enable searching for historical attacks that might not be currently in progress and other more hidden attacks. Any user accounts that are frequently “accessed” by the attackers, or passwords that are used for either encrypted files or user accounts, are also important artifacts to share. Identified threat actors who are targeting specific industries, such as financial services or retail, should be shared with peers and the U.S. Department of Homeland Security -- if the attacks can be attributed properly.
This shared information can help security analysts identify the attack, or prepare to defend against it with enhancement controls at the appropriate places within your network. Without this TTP information prior to an attack, you could be blind to a threat or security incident until it’s too late, and data is already leaving the network.
Catalog attack TTPs
When a new attack presents itself, it’s vital that you have the capability to properly detect it and begin cataloging the TTP information. Other companies can benefit from this type of data, and industries as a whole have more protection. Because many attacks begin with the same reconnaissance and delivery methods, collecting TTP information at the early stages of an event increases the probability that further detection will be successful, thus decreasing the damage that an attacker could cause.
The TTP information can be collected at all stages of a security incident. If your organization has developed a capable intelligence and malware response program, you should be able to determine these TTPs through your investigative processes, and further protect enterprise systems, networks and data if your initial detection capabilities are not successful.
Due to the value of intelligence information, numerous sources of TTPs and IOCs exist. Commercial technology providers, and consulting companies, are clamoring to provide the latest and greatest threat intelligence to mid- to large-size organizations.
Many of these service providers are spending significant development resources in the areas of threat intelligence research and information exchange platforms to try to capture the market and be the first to deliver an effective technology. A commercial marketplace for advanced threat protection based on malware analysis and threat management data collected from the cloud and physical appliances of Check Point Software Technologies, Cisco (Sourcefire), FireEye Inc., Fortinet Inc. and Palo Alto Networks Inc., among others, is starting to mature. Several commercial products -- FireEye Dynamic Threat Intelligence cloud, Palo Alto Networks’ WildFire and others -- attempt to take TTP information from all of their users and then claim that, through the power of the cloud, their research teams can analyze the data and cast a large blanket to protect all of their customers from potential threats in a similar fashion.
The information that these commercial providers are able to gather is limited currently to their customer bases and research capabilities. While this commercial “intel” is useful to deflect general threats and behaviors, much of this information depends on previously visible TTPs. The TTP databases can be used to identify attacks seen by other customers; however, these threat intelligence services still have difficulty in detecting unique attacks.
Defend against APTs
If your security team has the resources to perform its own intelligence and analysis, the resulting information will be much more valuable in detecting and preventing advanced persistent threats (APTs). This organically gathered TTP information is immediately relevant to your defenses. It can also be of great assistance to your industry peers, those in adjacent fields, and your supply chain.
Smaller organizations that do not have access to this type of shared intelligence information may have more difficulties in resolving security incidents and recovering from such attacks. These difficulties come from not knowing the TTPs of the threat actors. A lack of threat information also makes it hard to identify the systems that are within the scope of an attack.
Industry information sharing can assist greatly in the prevention, identification, containment and eradication of intruders. This type of threat and analysis information is usually more relevant and of greater value than attack indicators from other sources.
Industry peers should work together on sharing the proper information for a collective defense of the industry. Collaboration enables an incident response team to better focus tools and systems to detect early threats and increase the success of uncovering each phase of the attack. A company that misses this relevant information will have greater difficulty in identifying an APT. This difficulty identifying the attack in progress can lead to threat actors being persistent within a network for lengthy periods of time -- even years.
Verify information exchange
Information sharing can be performed through numerous methods. The process needs to ensure that the contributed information is authentic. For accuracy, the threat and incident information presented must be verifiable.
Each “member” of an information-sharing community also needs to be verified and to have a legitimate requirement to participate in it. Each community member must be able to trust the others to ensure a free exchange of information.
A number of industries such as financial services, healthcare, retail and IT have created information-sharing forums. All of these industries have already established a non-profit information sharing and analysis center (ISAC) as well as a framework to share threat intelligence information. Potential partners include the ISAC community, the U.S. government, law enforcement, third-party providers and academia. The services offered to members range from immediate access to alerts and machine-readable threat data to information sharing on criminal activities in underground forums and emergency threat analysis.
The main barrier to information sharing is trust among competitors and peers in the industry. Because industry peers sometimes engage in such a competitive environment, it can be difficult for the technology group to get their management and legal teams to agree to share information.
For information sharing to be truly successful, there needs to be a champion or some key sponsor organizations willing to put forth the necessary effort to ensure its success. These champions need to have the resources available to create the basis for the information exchange and allow their employees to help and support their industry peers. Often, larger enterprises already have sophisticated security programs, but they can help other companies that lack the same resources. The retail, financial and defense industries are three examples of industries that have been able to start the process of information sharing:
- Financial Services Information Sharing and Analysis Center
- Retail Cyber Intelligence Sharing Center
- Defense Security Information Exchange
Several industries have implemented a framework to allow for information sharing, and member organizations will benefit from this collective knowledge. Other industries should be looking to the leadership of the financial services, healthcare, retail, IT and defense industries to help them establish their own frameworks. These industries should work with adjacent industries and suppliers to ensure the expansion of information sharing where it is appropriate. The Retail Cyber Intelligence Sharing Center extended the functionality of its Retail ISAC in March to the Financial Services ISAC (FS-ISAC). The new R-CISC Intelligence Sharing Portal enables members to collaborate with law enforcement, government agencies and other industries.
As the U.S. government continues to roll out cybersecurity frameworks, executive orders and other initiatives in an attempt to standardize public-and-private cyber-risk and incident information sharing, security professionals need to act. The data gathered and analyzed from attacks against industry peers, and even against those in other industries, is of great value when it comes to defending your company against threat actors.
About the authors:
Adam Rice is the CISO of Cubic Corp. An InfoSec professional with 17 years of experience, he has served as CISO of Alliant Techsystems; CSO of a global telecommunications company; general manager and vice president of a managed security services business; director in several network consulting companies; and is a retired U.S. Army noncommissioned officer. He is also a regular contributor to several information security publications.
James Ringold is a director of threat and vulnerability management for a Fortune 100 retail company. He has worked in the aerospace and defense, electronic discovery and investigations and health insurance industries, performing technical evaluations and building various stages of information security programs. A former security architect, operations manager and incident responder, Ringold has focused on countermeasures and controls to detect and mitigate cyberintrusions throughout his 17-year career.