Effective exchange of information about threats among multiple participants works like collective immunity: the more participants are involved in this process, the higher the probability of successfully resisting the attackers. We will tell you in the article about the culture of sharing such data and what are the main pitfalls of this area.
What is data exchange culture, and why is it needed?
It is worth exchanging information about threats for at least three reasons. Firstly, to save money, because it is cheaper to prevent an attack than to eliminate damage from it. Secondly, to be socially responsible: to fight together with other companies against a common enemy. Finally, thirdly, to have a good reputation. A company is trusted not only by customers but also by investors if it is conditionally safe.
To date, it is possible to distinguish several types of data shared by TI exchange participants:
- incidents — detailed information about attempted attacks and their success;
- threats and vulnerabilities — it often happens that attackers manage to take advantage of a vulnerability before it gets into known vulnerability databases;
- methods of vulnerability elimination, localization, or threat blocking;
- information on new adverse events in the information security world.
This data is exchanged in various ways. The first is through open-source feeds generated by the TI community members and some companies, open-source and proprietary platforms. This method’s advantages include free access to feeds, their large selection, and ease of use. However, there are also disadvantages: a large amount of irrelevant data and, consequently, the need to filter it, as well as the lack of context. The second way is to create and participate in specialized organizations. Their list is quite large: CERT, CSIRT, CIRC, CIRT, SIRT, IRT, IRC, SERT, ISAC, ISAO. We will tell you more about what they are below. The third way is to participate in specialized events, for example, FIRST CTI SIG Summit, SANS CTI Summit, Threat Intelligence Summit, Black Hat, Cyber Intelligence Asia.
The maturity degree of the cyber threat data exchange culture is a complex indicator that is directly or indirectly influenced by the specialized events number, the number of TI vendors, the activity, and the potential exchange participants’ involvement: the TI community members, private companies, and the state. The threat landscape, the activity, and attackers’ new methods sophistication also determine the response quality and the defenders’ qualifications.
Let’s figure out how the threat intelligence culture works taking for examples features of USA and Europe.
There are several TI data exchange programs in the USA, developed by the Cybersecurity and Infrastructure Security Agency (CISA).
- ISACs (Information Sharing and Analysis Center) — information exchange and analysis centers that are formed around a specific sector: finance, energy, industry, and so on. They were first created in 1998 by the US President’s decree to exchange information about cyber threats between owners and operators of critical infrastructures. In total, there are 25 such centers in the USA today.
- ISAOs (Information Sharing and Analysis Organization) — organizations focused primarily on protecting shared information. This is the so-called ISAC extension, which is not related to a specific industry: these organizations’ participants can unite on other grounds, for example, territorial.
- AIS (Automated Indicator Sharing) allows exchanging participants’ indicators in real-time. Private and public sector entities participate in AIS. All participants are guaranteed anonymity and the transmitted information confidentiality, and in addition, they are not subject to antitrust law, and federal and state laws.
There are similar organizations in Europe created by the European Union Agency for Cybersecurity (ENISA). European ISACs appeared later than American ones and used their experience, so there are some differences between them.
So, ISACs in the EU are not necessarily associated with any industry. Here are the building ISACs models in Europe that can be distinguished:
- ISACs within a single country are most often managed by the Computer Security Incident Response Team (CSIRT).
- Industry ISACs focus on organizations of a single, usually critical or vital, sector and are mostly supported by the sector itself or the government.
- International ISACs bring together key experts from all over the world, but there is often a trust issue between experts due to cultural differences and different approaches. Examples of international ISACs established in Europe: EU FI-ISAC (financial sector), EE-ISAC (energy sector).
TI data exchange structures are similar in most EU countries. There are ISACs that can be represented by Response Teams (CERT), CSIRT organizations, and others, and there are higher-level organizations to coordinate ISAC interaction.
The ISAC ecosystem development in Europe depends on the overall trust level between public and private entities. Therefore, it may be advisable to first start developing PPP structures (public-private partnership, a less formal organization compared to ISAC) for countries where there is a lack of trust, and then transform them into ISAC.
The initiative to create an ISAC can come from the government or the private sector (the government can play the intermediary role in this case). Regardless of the ISAC structure, interaction rules of the association’s members are necessary for flexible and effective cooperation, which describe the procedures for checking new community members among other things.
Cooperation takes place not only within ISAC but also between various organizations of this type. For example, the X-ISAC platform was created as a result of community collaboration. It is operated and maintained by the Computer Incident Response Center Luxembourg (CIRCL) and the MISP project.
Speaking about the cyber threats information exchange, it is impossible not to mention FIRST (the Forum of Incident Response and Security Teams). Its representatives have been almost continuously engaged in processing thousands of security vulnerabilities since this organization’s establishment in 1990. It would be unfair to relate FIRST to a certain country, because it is a large-scale international community, so we decided to devote a separate section to it.
FIRST names three components as its mission.
- Global Coordination — FIRST provides platforms, means and tools for incident responders.
- Global Language — FIRST supports initiatives to develop common data transfer means.
- Management — FIRST members do not work in isolation but are part of a larger system.
FIRST unites Computer Security Incident Response Teams (CERTs, CSIRTs), Product Security Incident Response Teams (PSIRTs), and independent security researchers.
We will focus on the response group types in more detail. The abbreviation CERT (computer emergency response team) is a registered trademark of Carnegie Mellon University. It was there that the first CERT team was formed by the US government order in 1988 to combat the so-called “Morris worm”. Today, this is how groups of experts are designated who are engaged in constant monitoring of information on the security threats’ emergence, their classification, and neutralization. Such teams can be either national or focused on a specific sector. Their main goal is to respond to new threats in a timely manner and report them to interested parties. CERT groups issue bulletins with aggregated information about threats to do this and recommendations for responding to them.
CSIRT (computer security incident response team) is another term for a computer incident response team. The difference is that it can be used without obtaining special permission. The Danish academic provider SURFnet created the first CSIRT team in Europe in 1992 called SURFnet – CSIRT.
In addition, other abbreviations are used in practice: IRT (Incident Response Team), CIRT (Computer Incident Response Team), SERT (Security Emergency Response Team). The main goal of CERTs, CSIRTs, ISACs, ISAOs, and other similar organizations is the same — to improve the information security landscape, while CERTs and CSIRTs’ main focus is on responding to information security incidents and only then on raising awareness of interested parties.
Trust between this process participants can be considered the foundation for the information exchange about cyber threats: the higher the level of trust, the more effective the interaction and cooperation.
There are several more problematic points in addition to the insufficient trust level:
- Lack of awareness — not all organizations understand the advantages and potential benefits of participating in the information exchange.
- Fear — many organizations believe that if they share information about an attack, it will damage their reputation.
- Insufficient funding — there is plenty of information, specialists are needed to analyze it, who in turn need money, and for this, a budget is needed.
- Lack of qualified specialists — both in the information security field and to support the exchange infrastructure.
It is possible to draw a parallel between the problem of the TI data exchange culture and the environmental problem (what? yes!). Targeted initiatives will not bring results. It is necessary that each link of the exchange is interested and active in achieving the goal, the exchange format should be agreed upon.
And of course, the most important thing is for the state and business to realize the scale of the risks associated with cyber threats and increase the volume of the information security development investments.