The world’s increasing interconnectivity has given rise to greater efficiency and the easier exchange of data. However, as networks become borderless and institutions freely exchange data with partners, a data breach in one organisation’s network can now provide hackers with an avenue into multiple other companies.
Before any can respond, a chain reaction of breaches has already taken place. Furthermore, the major breaches of the past year including the attacks on the World Anti-Doping Agency and Yahoo! have proven that state-sponsored cyber espionage is no longer just a problem for governments. Today, any organisation that has sensitive information may become a target for a growing number of hacking groups, whether they be state-sponsored, activist or criminal.
Cybersecurity is often viewed as a costly and difficult task typically performed in isolation on an organisation-by-organisation basis. This has changed in recent years, and we are seeing a growing number of organisations collaborating across industry and competitive divides, sharing insight to protect their shared interest in the safety of their sectors.
Sharing is caring – but is it enough?
In recent years government legislation, including the Digital Economy bill currently passing through Parliament, has encouraged data sharing for security purposes between organisations. However, while the practice is growing, the sharing of threat intelligence and insight has been neglected. Few are currently in a position to effectively identify and share threat intelligence, partly as a result of a lack of regulatory standards to act as a guide.
In addition to this, in an environment where the political, reputational, and financial consequences of admitting to a breach can be severe, it is no surprise that most organisations choose to remain quiet about the threats they encounter.
Informal information sharing is already taking place to an extent behind closed doors, with partners exchanging data over email or through personal discussion on an ad-hoc basis. However, confidential, peer-to-peer networks shrink the pool of insight and make it almost impossible to coordinate large-scale responses across even larger user bases. What’s more, data classification legislation including the Data Protection Act and the upcoming European General Data Protection Regulation means that many sectors are limited in what can be shared, even through mandated channels. They are limited to one-way sharing, where one organisation can share intelligence with another but not vice-versa, as opposed to more useful bi-directional models.
Furthermore, both systems suffer from varying quality and usefulness of shared data, often leading to costly and unnecessary ‘circular reporting’, where the same unhelpful information, already known to some, is shared throughout a network without fresh insight being created.
As a result, many current collaborations and insights are of only limited use. This leads to poor response times, general unpreparedness and a lack of coordination once a threat has been detected.
United we stand: crowd-sourcing and community-building through cybersecurity sharing and research
Where ad-hoc and one-way data and intelligence sharing efforts have failed, information sharing within collaborative industry communities to sector-appropriate cybersecurity research will be a game-changer. In this context, intelligence sharing is happening in a community of similarly trained, like-minded and trusted individuals and organisations to tackle and enable defenses against industry-specific threats. Crowdsourcing has seen considerable success in both healthcare and law enforcement, and there is no reason why these advances cannot be repeated in cybersecurity.
For example, in 2013, the UK Government established the Defence Cyber Protection Partnership (DCPP), with the aim of boosting cybersecurity collaboration between the private and public sectors. It is a collaborative effort between the Ministry of Defence, the Department of Culture, Media and Sport, trade associations and the TechUK organisation, and enables officials to coordinate the nation’s response to emerging threats. The same information is available to participants in defence, commerce, innovation, and the civil service, boosting the chance of a successful threat response.
Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organisations (ISAOs) and communities of cybersecurity analysts work in a similar way, built on trust and the common desire for large-scale collaboration. Members agree on the rules and principles that govern community participation, including the level of anonymity and what data should be shared at what time. Shared goals and values as well as clear, agreed boundaries encourage initial collaboration, and as trust grows and working relationships expand, the collaboration occurs organically. It is in these dynamic, responsive relationships between like-minded experts where the value of these communities is demonstrated.
Participating in ISAC, ISAOs, and other sharing collectives ultimately enables a distributed defensive intelligence network that can more quickly identify and disrupt attacks across participants in that network. To that end, intelligence sharing can help organisations identify additional indicators, capabilities, and tactics that their adversaries may employ against their organisation. As an example, our research and reports on DCLeaks and FANCY BEAR activity against US Democratic Party organisations is a success case of shared intelligence. Following our post on DCLeaks as a Russian influence operation, the citizen journalism organisation Bellingcat reached out to us and shared data that indicated Bellingcat had come under sustained targeting by Russian threat actors. This allowed us to identify a 2015-2016 spear phishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures.
But it didn’t stop there. Using the small set of approximately one dozen shared FANCY BEAR indicators, we were able to identify hundreds of related indicators and several tactics associated with other FANCY BEAR operations. In turn, we shared all of this additional intelligence back out to various communities to inform and facilitate other organisations’ defenses that may come under FANCY BEAR attack. This demonstrates how shared intelligence and research can facilitate an organisation’s or sector’s defensive efforts.
Intelligence sharing also has implications for an organisation’s adversaries as well. Denying the adversary any degree of success and punishing them for each intrusion attempt, through information sharing and exposure, presents the adversary with cost/benefit decision point. Within the game of intelligence gain/loss, any time you can force the adversary to step away from the battle, lick their wounds, and ultimately abandon operations against your organisation because it’s no longer worth it, it is a success. Even though the adversary may just step away from an operation to retool their capabilities and infrastructure, the disruption to their operations made their cost of business higher. If done successfully over time, information sharing and research enables an organisation’s day-to-day defenses while also potentially reaching a tipping point with respect to the adversary’s perceived risk.
Safety in numbers
Collaboration enables better threat detection. It is often the case that once they start working together organisations find they have been fighting the same adversaries without even realising it.
Sharing intelligence with like-minded organisations and communities that seek to understand the same adversaries is an essential way to enrich companies’ understanding of common threats, and turning that into actionable insights to help counter the adversary in question.
With visibility over a longer period of time, collaborating organisations can piece together a more comprehensive profile of a given threat and gain a better understanding of enemy tactics without significant added time spend. Alongside the sharing of opensource and historical data, collaboration increases the available insight and intelligence, making known adversaries easier to spot and respond to.
Community collaboration also significantly reduces the costs involved in understanding an evolving threat landscape and helps participants gain insights that may not have been otherwise available to them, leading to faster and more targeted threat response.
There is a world of cybersecurity experts out there, but they are not yet a community. This is a blatant waste of potential. At a time of increasingly advanced threats, sharing relationships and collaborative communities are the best course of action to unite the efforts of security analysts and researchers across sectors.
As public and private industries become more interconnected and as cyber adversaries continue to collaborate, there is a clear need for cybersecurity experts to fight stealing with sharing. It is undeniable that industries are stronger and their data safer when they work together.