Information Sharing: Smart Move?

A threat intelligence specialist explains the pros and cons.

Gary Audin

November 27, 2020

If you share cybersecurity information, vulnerabilities, exposures, and solutions, are you creating more threats to your business? And if you don’t share it, will you miss something that you will regret in the future? The growth in work-from-home users has accelerated potential cybersecurity vulnerability issues. Who do you trust to share cybersecurity information with responsibly?

 

A few years ago, I wrote, “Go It Alone or Share Attack Data,” where I explored security information sharing. I wanted an update on the topic, so I turned to Neal Dennis, Threat Intelligence Specialist at Cyware, a provider of threat intelligence and cyber fusion solutions. Here’s an edited version of our conversation.

 

GA: What is an Information Sharing and Analysis Center (ISAC), and what are Information Sharing and Analysis Organizations (ISAO)?

ND: ISACs generally focus on critical industries and typically have more formalized information sharing and support ties with government organizations like the Department of Homeland Security. An ISAO is a more privatized sharing organization, not necessarily connected officially to government support initiatives, but can tie into sharing back to the government and isn’t necessarily industry-specific.

 

ISACs are also an older concept that focuses on specific industry verticals. ISAOs are newer and provide an avenue for any vertical to officially create a mechanism to support information sharing. At the end of the day, the overall goals of both groups are usually the same, and many have started to create pathways to share and work together.

 

GA: Why do we need to share this information?

ND: Being involved in one or more of these organizations provides multiple benefits. First, you get the upfront advantage of not being alone in the cybersecurity battle. You can and should leverage your new peers to discuss security issues impacting your environment and to share and consume observables for inclusion in your own security stack to help develop a more proactive security posture.

 

Members can also leverage one another to develop best practices for their industry or sharing community. They can gain additional support during an incident or bounce ideas and concerns off of a larger community that could help them research incidents more thoroughly. You would have access to a group that provides feedback on a whole host of issues, from risk and compliance to best practices for patch management.

 

Additionally, sharing communities aren’t just for incident responders or, conversely, senior leadership. A solid community can open communication pathways for an entire security organization across cyber and physical domains.

 

GA: Are attackers sharing information?

ND: Most definitely. We've seen threat actors specialize in key capabilities, like the delivery of malware to compromised systems or the creation and maintenance of a particular ransomware infrastructure. They look for assistance in exploiting new systems or selling off compromised information.

 

Many threat actors operate with similar business strategies we often see in any normal product-driven company. They barter, procure services, sell offerings, and, more importantly, look for ways to fill in gaps in their own capabilities. They do all this information sharing and swapping in very efficient manners.

 

GA: What is the value of information sharing? Is there a downside?

ND: If we want to ever move beyond a heavy response-driven security methodology across the board and into a more proactive posture, we need to share more information. We need to continue to drive towards more automation to support it. The true value of information sharing begins when you realize your own organization has a much larger sensor grid to rely on for awareness. By sharing information with your peers, you're working to more proactively support your community and make it more difficult for threat actors to target.

 

Sharing and consuming threat intelligence can help organizations determine trends impacting their industry verticals and as a team develop requirements for new tools and resources based on those trends. Sharing can also help make the community less desirable to threat actors by mitigating malicious campaigns across their sharing communities and their own networks sooner.

 

GA: Will sharing help with privacy concerns such as in a contact center?

ND: In the U.S., there are federal policies in place to help mitigate privacy concerns and what would constitute a breach. If the information shared is deemed needed to help other organizations research or manage their investigations, there should be no privacy concerns.

 

The Cybersecurity Information Sharing Act of 2015 defines what can be shared by private entities with the Government. It’s a good guideline for what could be shared with members of a sharing community.

 

GA: Where does the National Council of Information Sharing and Analysis Center (NCI) fit into the picture?

ND: The NCI is a great resource for anyone in a specific industry vertical looking to get involved and develop cross-sharing partnerships with other ISACs. They also provide insights and standards for new ISACs. The ISAO community is a great supporter of ISAO startups and standards.

 

For those needing more consultative guidance, the Global Resilience Federation (GRF) specializes in building ISACs/ISAOs and CERTs. On top of helping create new sharing communities, members of the GRF are already able to share information across multiple sharing organizations.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.