We’ve all heard about the White House’s executive order on cybersecurity and consumer protection on February 13th, the details of which are not the focus here. CEOs took time out of their busy schedules to come together and declare that collaboration is a key factor of successful security measures. CEO of Amex, Kenneth Chenault, hit the nail on the head for me:
“In the context of collaboration, I really think that information sharing may be the single, highest impact, lowest cost, and fastest way to implement capabilities we have at hand as a nation, to accelerate our overall defense from the many varied and increasing threats that we are facing every second.”
This powerful statement advocates sharing and collaborating on our capabilities and methods, not only on common indicators. While high-level partnerships help defend against cyber attacks, Chenault points out that real collaboration can also dramatically enhance organizations’ and agencies’ capabilities.
It’s no secret that attackers are big on sharing and collaborating on a vast variety of information, ranging from compromised emails and fake IDs to credit card numbers, viruses, exploits, and machines that reproduce different malware signatures (e.g. the Zeus factory).
The highest level of sophisticated sharing is exemplified by the Metasploit project, a sort of Wikipedia for hackers. This impressive piece of work brings skilled individuals together from a variety of fields (e.g. payload, infrastructure, and exploit creation) to share their capabilities. Ultimately, this knowledge hub equips even the least experienced hackers with sophisticated hacking tools. Is it really that complicated for us, the defenders, to achieve the same level of sharing?
What We Don’t Do
Let’s face it, most of us only share four basic components: IP, DNS, MD5 and URL. These are hardly patterns and not even close to capabilities.
If a new hire joined your company eager to become a cyberdefender, what would you do?
Would you explain that IP ‘188.8.131.52’ is bad, or that it is linked to multiple DNS names, making it seem a bit fishy? What about explaining that your whitelist can be extended using the Alexa top 1000 list? These are quite simple examples; however, we don’t even share this kind of information efficiently. Sharing this type of information, as well as many other more comprehensive patterns and capabilities, with others in the right context can be a great way to start moving in the right direction.
Nonetheless, if we are not yet sharing our capabilities, the least we can do is share information about the attackers and their modus operandi. This way, defenders can draw their own conclusions regarding customized security measures. A few standards have already begun attempting to meet this challenge. For example, STIX is a great tool that stores each indicator in a structured way so security appliances can extract the information and use it for automatic prevention. STIX also allows you to share attackers’ modus operandi, though those parts are written in an unstructured manner. For example, fields such as TTP or “Course of Action” are often written in free text, which prevents defenders from quickly digesting thousands of new insights from their colleagues and enriching their own set of capabilities.
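To make the distinction concrete, here is an added example (not code from the original post, and not STIX) of the “IP linked to multiple DNS names” heuristic and the top-sites whitelist from above expressed as one structured, shareable capability and applied to constructed passive-DNS records; the rule format, the record set and the small allowlist are all hypothetical stand-ins.

```python
"""Added example: a detection *capability* (heuristic + the context it needs)
in a machine-readable form, evaluated over constructed passive-DNS records.
The JSON rule format is a toy invented for this example, not a real standard."""
import json
from collections import defaultdict

# Hypothetical shareable capability: what to look for and what to ignore.
CAPABILITY = json.loads("""
{
  "name": "ip-with-many-hostnames",
  "description": "Flag an IP resolved from many distinct hostnames, ignoring hosts on a trusted-domain allowlist.",
  "threshold": 3,
  "allowlist_source": "top-sites list (e.g. Alexa top 1000)"
}
""")

# Constructed sample records (hostname, resolved IP); the IP on the post's
# own example is reused, the other addresses are documentation ranges.
PASSIVE_DNS = [
    ("login-update.example", "188.8.131.52"),
    ("secure-mail.example", "188.8.131.52"),
    ("acct-verify.example", "188.8.131.52"),
    ("cdn.example.com", "203.0.113.9"),
    ("static.example.com", "203.0.113.9"),
    ("promo-site.example", "203.0.113.9"),
    ("www.example.org", "198.51.100.7"),
]

# Constructed stand-in for the top-sites allowlist shared with the capability.
ALLOWLIST = {"example.com", "example.org"}


def registered_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two labels (toy logic)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def evaluate(capability: dict, records, allowlist) -> dict:
    """Apply the shared heuristic: return {ip: [hostnames]} for every IP that
    at least `threshold` distinct non-allowlisted hostnames resolve to."""
    hosts_by_ip = defaultdict(set)
    for hostname, ip in records:
        if registered_domain(hostname) in allowlist:
            continue  # trusted domain, so it does not count toward the threshold
        hosts_by_ip[ip].add(hostname.lower())
    threshold = capability["threshold"]
    return {ip: sorted(hosts) for ip, hosts in hosts_by_ip.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    print(json.dumps(evaluate(CAPABILITY, PASSIVE_DNS, ALLOWLIST), indent=2))
```

Only 188.8.131.52 is flagged: 203.0.113.9 also has three hostnames, but two of them fall under the allowlisted domain, so the rule correctly leaves it alone.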
“I have to be absolutely clear that I state: I am not talking about sharing the actual content that I’m here to protect. It is sharing what I am learning about people trying to get to that content that I’m trying to keep out.” Bernard J. Tyson, Chairman and CEO, Kaiser Permanente
We are facing a growing number of new techniques and tools used in malicious attacks. When a new technique is invented, it spreads like wildfire throughout the hacking community. As a result, new challenges constantly pop up from every angle. As defenders, we should do the same. One defender may discover a new insight on an attack or invent a method of detecting malicious software behavior, then share that capability among fellow defenders at the same speed that attackers are currently sharing. And hey, we might even find it easier to face regulators by sharing agnostic capabilities rather than privacy-related indicators.
Latest posts by Guy Wertheim
- Sharing Capabilities: Amex CEO Sketches the Future of Cybersecurity Collaboration - February 26, 2015