Recognizing and Combating Cybercrime: The Benefits of Information Sharing
Scott Goodwin Senior IT Security Analyst
Christopher Barretto Senior IT Auditor
9 July 2018
Cybercrime can come in many forms, from sophisticated attacks against a carefully chosen target to simple crimes of opportunity. It seems as if all networked devices are subject to endless probing and prodding from faceless criminals acting over the internet. Advanced, persistent threats may use highly technical methods for compromising a particular technology or individual, but the majority of cybercriminals are akin to thieves feeling around in the dark for an unlocked door. No matter the techniques used to commit the crime, the cybercriminal will almost always leave behind some form of digital evidence. Elements like IP addresses, domain names, malware signatures, and filenames are often written to log files in the wake of an attack. But what good is this information after the fact?
The problem is that most organizations consider only internal sources of information when investigating an incident. Further, whatever is actually learned about the crime, or the attacker, rarely leaves the organization’s boundaries. However, consider that businesses in a given industry tend to use similar technologies and business structures. This means that information gathered from one incident in a given industry may be truly relevant to other businesses in that same sector. In an attempt to prevent the propagation of cybercrime across vulnerable organizations in a given industry, non-profit Information Sharing and Analysis Centers (ISACs) are being created across many industry verticals. Examples include FS-ISAC (financial services), MS-ISAC (state and local governments), and REN-ISAC (research and education), as well as several others related to critical infrastructure services.
Membership in one of these information sharing programs grants the organization access to real-time alerts regarding current and emerging threats that are relevant to its industry. These alerts contain not only narrative information about vulnerabilities and the types of attacks used to exploit them, but also real data gathered from the underlying security incidents that members can use to mitigate similar attacks in their own environments. For example, a given ISAC alert may contain a list of domain names used by a new class of malware targeting a specific web application that is common across that industry. Those domain names can then be blacklisted at the network perimeter to reject all communication with them, mitigating at least this class of attack before it occurs.
These ISACs are entirely reliant on industry participation to share the information that is used to analyze emerging trends in cybercrime. Multiple mechanisms can be used to share and receive data, based on how involved an organization wants to be in preventing further cybercrime in their industry. Simple email messages can be used to submit threat indicator and incident information to the ISAC, as well as receive alerts from the ISAC. However, to maximize the effectiveness of these programs, ISACs will often publish real-time feeds which are constantly updated with fresh cybercrime information. Organizations can then subscribe to these feeds, organize and ingest the data as they see fit, and act on the relevant indicators. This type of automated sharing is gaining traction since the Department of Homeland Security (DHS) created the Automated Indicator Sharing (AIS) program which seeks to share indicators of cybercrime between the government and private sectors.
Under increasing pressure from the private sector for access to cyber threat information held by the Federal Government, former President Barack Obama signed the Cybersecurity Act of 2015. This was an executive order that “certified the operability of AIS in March 2016 and released guidance to help private sector entities share cyber threat indicators with the Federal Government.” Since then, DHS has worked with private organizations across the United States, including OCD Tech, to share data related to imminent and ongoing cyber threats. Conversely, the program allows participating entities to share their own data, rather than only consuming what DHS provides.
Via machine-to-machine protocols developed specifically for exchanging threat information at machine speed, such as STIX and TAXII, DHS is able to share specific types of information with the private sector. Within this program, DHS applies a tiered approach to the types of data that can be shared with external organizations and ensures that no sensitive organizational information is inadvertently disclosed. The AIS platform is leveraged by the ISACs noted previously in order to provide this threat intelligence to a broader industry base.
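The two paragraphs above describe the end-to-end flow: an ISAC or AIS feed delivers indicators as STIX objects over TAXII, and the receiving organization turns the domain-name indicators into a perimeter blocklist and checks its own logs against them. The following Python is an added example written for this article, not code from the authors, OCD Tech, DHS or any ISAC. It assumes a constructed STIX 2.1 bundle (all ids, domains and timestamps are made up), a constructed DNS query log in a hypothetical `key=value` format, and a DNS Response Policy Zone (RPZ) as the blocking mechanism; the actual TAXII fetch is out of scope.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for what an ISAC/AIS TAXII feed would deliver.
# Every id, domain and date here is made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2018-07-01T00:00:00.000Z", "modified": "2018-07-01T00:00:00.000Z",
            "name": "Constructed C2 domain", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'update-check.example']",
            "valid_from": "2018-07-01T00:00:00Z", "labels": ["malicious-activity"],
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2018-07-02T00:00:00.000Z", "modified": "2018-07-02T00:00:00.000Z",
            "name": "Constructed phishing infrastructure", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'cdn-static.example' OR "
                       "domain-name:value = 'login-portal.example']",
            "valid_from": "2018-07-02T00:00:00Z", "labels": ["malicious-activity"],
        },
        {   # A file-hash indicator: not a domain, so the blocklist builder skips it.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2018-07-03T00:00:00.000Z", "modified": "2018-07-03T00:00:00.000Z",
            "name": "Constructed dropper hash", "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']",
            "valid_from": "2018-07-03T00:00:00Z", "labels": ["malicious-activity"],
        },
        {   # A non-indicator object: also skipped.
            "type": "malware", "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000005",
            "created": "2018-07-03T00:00:00.000Z", "modified": "2018-07-03T00:00:00.000Z",
            "name": "Constructed malware family", "is_family": True,
        },
    ],
})

# Pulls every domain-name comparison out of a STIX pattern string.
DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")


def extract_domains(bundle_json):
    """Return the set of domain names referenced by active indicators in a STIX bundle."""
    bundle = json.loads(bundle_json)
    domains = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only STIX patterns are parsed here
        for name in DOMAIN_RE.findall(obj.get("pattern", "")):
            domains.add(name.lower().rstrip("."))
    return domains


def to_rpz_zone(domains, origin="isac-block.rpz."):
    """Render the domains as RPZ records: CNAME '.' answers NXDOMAIN for the name and subdomains."""
    lines = ["$ORIGIN " + origin]
    for name in sorted(domains):
        lines.append(name + " CNAME .")
        lines.append("*." + name + " CNAME .")
    return "\n".join(lines) + "\n"


# Constructed DNS query log in a hypothetical key=value format.
SAMPLE_DNS_LOG = """\
2018-07-09T10:01:02Z client=10.0.0.15 query=www.intranet.example type=A
2018-07-09T10:01:05Z client=10.0.0.23 query=update-check.example type=A
2018-07-09T10:01:09Z client=10.0.0.23 query=files.login-portal.example type=AAAA
2018-07-09T10:01:11Z client=10.0.0.40 query=mail.example type=MX
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=")


def match_blocklist(qname, domains):
    """Return the blocklisted domain that qname equals or falls under, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # walk from the full name up to its parents
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log_text, domains):
    """Retrospective check: (client, queried name, matched indicator) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (matched := match_blocklist(m["qname"], domains)):
            hits.append((m["client"], m["qname"], matched))
    return hits


if __name__ == "__main__":
    blocked = extract_domains(SAMPLE_BUNDLE)
    print(to_rpz_zone(blocked))
    for client, qname, matched in scan_dns_log(SAMPLE_DNS_LOG, blocked):
        print("hit: client=%s query=%s indicator=%s" % (client, qname, matched))
```

The retrospective scan is the part that is easy to forget: a freshly received indicator is also a question about what already happened, so the same blocklist that feeds the resolver should be run over the last few days of DNS or proxy logs to surface hosts that talked to those domains before the block was in place. Real feeds will also carry revoked or expired indicators, so a production version should honor `revoked` and `valid_until` when rebuilding the zone.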
In closing, ISACs allow organizations to focus on closing known attack vectors, rather than waiting to respond to the next incident. Don’t let the valuable information gained during attacks across an entire industry go to waste.
Enroll in an ISAC that is relevant to your organization and begin receiving actionable information from your industry peers. Consider engaging in active information sharing, in order to maximize the effectiveness of these programs. Otherwise, cyberattacks that may be preventable can affect the entire industry, rather than just a single organization.