By Tom Gorup
The more information, the better. Right? In most cases, that is the truth. However, the way in which information is shared makes all the difference.
Companies don’t share cybersecurity information because they fear attacker retribution and legal recourse. They don’t want to provoke further retaliation from an attacker, disclose so much that the legal department gets involved, or reveal potential entry points into their network.
In our industry, we are constantly one or two steps behind the hackers. Over the past several years, the prevailing sentiment has been that coming together as a security community to better combat these attacks would make our jobs easier and allow our clients, and us, to sleep better at night. At the same time, this practice would give security teams the breathing room to focus on higher-value activities, like detecting and researching anomalous behavior.
There have been quite a few sharing platforms released in the last few years to fill this need. In fact, the space has become saturated, but all ultimately lack an easy, automated method for data collection, sanitization and distribution. Some intelligence providers have even gone as far as to set up an SFTP server with a spreadsheet that is updated daily, but it is barely maintained: old, irrelevant data is never purged. We can do better than this.
We need to do better than this.
An anonymous sharing platform should be created, because an information-exchange program benefits users and does not expose them to more attacks or legal recourse. Anonymity keeps shared information from being tethered to a company, which prevents their vulnerabilities from being directly traced back to them.
A vetting process is required for this to work. Allowing just anyone to have access puts all participants at risk. Even if users choose to remain anonymous, they need to be vetted so that attackers are not discovering insider information about reported attacks. A coalition or group like InfraGard (a partnership between the FBI and the private sector) would be an ideal vetting resource in this situation.
The industry as a whole should get together and craft an industry standard for sharing information. Companies are cautious about what they share, and rightfully so, but withholding too much information gives the entire community a blind spot. Establishing a standard that, for example, requires the identified TTPs (tactics, techniques and procedures) of the attack, which are often absent from the information-sharing process today, would greatly assist others in early detection or in directly defending against the attack. Diving deeper, we should share what the emails looked like, headers, IP addresses, dropper types, and so on.
Coming together as an industry and providing a better method to share, and consume, cybersecurity information is a no-brainer. We can and must cooperate and be forward-thinking to better combat the attackers targeting us and our clients.
What are your thoughts about industry efforts thus far? What would you do differently?
Tom Gorup is the Security Operations Leader at Rook Security, a global IT security solutions provider.