Threat actors share intelligence in underground forums all the time, yet many security professionals remain tight-lipped.
Why are the bad guys so much more willing to collaborate than the good guys? There seems to be a double standard when it comes to reporting breaches and sharing information.
According to a 2018 report from security company Thycotic, 84 percent of respondents wanted to be notified immediately if a company they worked with had experienced a breach. But only 37 percent said they would satisfy that expectation if their own organization’s data were compromised.
Five Ways to Improve Collaboration Among Security Professionals
What is part of the reason security practitioners withhold information about a breach? This is often due to legal obligation — either because of limits defined by their incident response plan or because it’s too closely tied to proprietary data. However, threat intelligence is a broad category of information, much of which can be shared to benefit the larger security community.
“Historically [the transfer of threat intelligence] has been only from ethical hacker to industry,” said Joseph Carson, chief security scientist at Thycotic, to SecurityIntelligence. “Security professionals should not be victimized for finding security flaws, and defenders should have the ability to share successes and not always failures.”
Many experts in the industry have offered some insight to help the larger community understand how to improve information-sharing for collective benefit.
Here are five tips to promote collaboration and continuous learning:
1. Develop Trusted Working Groups
Partners and suppliers will often have a more mature cyber defense organization and tools in place that can be leveraged to help secure their own business.
According to Scott Sanders, CEO at software company 5nine Software, partners and suppliers who have login credentials to access corporate networks can compromise an enterprise network even without attacking directly.
“Security leaders who dialogue collaboratively with their partner networks will have relatively greater success combating these threats,” Sanders said to SecurityIntelligence.
Before engaging in these working groups, it’s essential that people understand the terms and conditions associated with the communities with which they are sharing information and intelligence.
“This is true for the sharing of IoCs [indicators of compromise], IoAs [indicators of attack], artifacts — hashes, binaries, .exes, .dlls — and zero-days,” said Will Gragido, director of advanced threat protection at software company Digital Guardian, to SecurityIntelligence.
It’s likely that the most effective way to collaborate is by developing trusted working groups.
“Working groups consisting of ‘trusted’ individuals are key to analyzing a current threat. Many times, these groups consist of competitors, government or law enforcement and service providers,” said Brian Bartholomew, principal security researcher at security company Kaspersky Lab, to SecurityIntelligence.
Bartholomew used the analogy of a pie, suggesting that each member of the working group has a unique slice of visibility when looking at a specific problem. When combined with other “slices,” the larger picture becomes more evident.
2. Build Community Threat Exchanges
Threat exchanges have become a popular and valuable way for multiple people to share and collaborate on treating a threat. The difference here, said Bartholomew, is mostly quantity of information shared, as well as a level of anonymity. Those who have suffered a breach often have some reluctance when it comes to sharing, but lessons learned don’t have to be rich with detail or proprietary information.
“What about lessons regarding controls that worked and the threat actions they defeated? Or where there was a successful intrusion, but consequences were mitigated through backup [and] recovery technology and procedures, a data-loss prevention solution, strong analysis or alternate business processes?” wrote Matt Shabat, U.S. strategy manager at security company Glasswall, and Dan Medina, director of strategic and technical engagements at Glasswall, to SecurityIntelligence.
Defenders need to establish a way to broadly and quickly distribute information on what defensive tactics, techniques and procedures (TTPs) are working, again mapping to threat actor TTPs, according to Shabat and Medina.
“Collectively, we often focus on incidents that had significant consequences — where security controls failed or were never in place,” Shabat and Medina wrote.
3. Treat Threats Together
By focusing on sharing non-proprietary information, the community can come together and orchestrate improved security solutions.
“Industry collaboration is critical in cybersecurity. From a cybersecurity researcher’s perspective, I believe sharing information leads to winning, as rapid sharing of threat intelligence can help stop dangerous cyberthreats from causing significant damage,” said Yury Namestnikov, security researcher on the global research and analysis team at Kaspersky Lab, to SecurityIntelligence.
To better aid the cybersecurity community in its ability to detect cyberthreats, the sharing of information should be as precise as possible. Namestnikov used the example of last year’s ExPetr/NotPetya malware outbreak, which had the cybersecurity community on its toes. Researchers initially believed it was ransomware like WannaCry. However, further analysis revealed that it was actually a wiper. Pieces of the puzzle came together for the community when researchers shared more information.
Collaboration can also improve within the cybersecurity community as more professionals contribute to industry events by sharing their best practices and case studies in public blogs or by speaking at conferences and other events.
“Events such as the Security Analyst Summit, RSA [Conference], Black Hat and Virus Bulletin allow information security professionals to gather together and discuss the latest topics,” Namestnikov said. “During these days, we learn from each other, providing feedback and support along the way. Don’t be hesitant to submit best practices or case studies because it can aid in the greater purpose of collaboration.”
4. Establish Cybersecurity Costs
So much of the success of the security industry relies on the ability to be proactive in preparing for attacks, as well as the ability to detect and respond to threats. Security professionals need to be able to share a better understanding of the range of cybersecurity costs within the organization as well as with executives and their boards.
Shabat and Medina said the establishment of a common cost would allow better risk avoidance, acceptance, mitigation and transfer-investment decisions economy-wide and among individual organizations.
“The establishment of these common costing data will give organizations — and, importantly, their information security professionals — the ability to clearly and quantitatively articulate risk to decision makers and executives,” Shabat and Medina wrote.
5. Join the Revolution
The industry needs to come together and recognize that cyber risk is no different from any other form of risk that businesses already quantify. They must embrace a standard for how they approach the risk discussion.
“Three thousand, one hundred leading thinkers in risk and security are already leading this charge — they’ve adopted FAIR [Factor Analysis of Information Risk] as the standard for quantifying cyber risk, translating it into business terms,” said Nick Sanna, CEO at software company RiskLens, to SecurityIntelligence. “With 30 percent of the Fortune 100, hundreds of leading CISOs [chief information security officers] and thousands of security and risk practitioners moving in this direction — we would be well served to join the revolution.”
Much like the way a distributed vaccine can secure the health of a population, sharing threat intelligence and defense strategies can help to establish a safer digital future for everyone.