
Efforts To Team Up And Fight Off Hackers Intensify

New intelligence-sharing groups/ISACs emerge, software tools arrive and the White House adds a coordinating agency -- but not all of the necessary intel-sharing 'plumbing' is in place just yet.

First in a series on ISACs and threat intelligence-sharing.

Call it safety in numbers. Over the past year, major industries in the hacker's bullseye -- retail and oil & gas -- have formed official cyberattack intelligence-sharing mechanisms, while the automobile industry and legal sector are currently mulling a similar road to defending themselves against attackers.

The White House, meanwhile, is creating a central coordinating agency to analyze and share information generated from the government and various information-sharing and analysis centers (ISACs) and intelligence-sharing organizations cropping up across various industries. Overall, there are some 18 ISACs under the National Council of ISACs umbrella, including the Defense Industrial Base (DIB) ISAC and the financial services (FS) ISAC, both considered the gold standards for industry intel-sharing groups.

It's all in the name of companies and government agencies gathering and sharing as much relevant and timely intelligence about new or ongoing cyberattacks as quickly as possible, to avoid major breaches, or to at least minimize the damage.

ISACs provide an official mechanism for sharing information about the latest cyberattacks and threats spotted targeting specific industries. They maintain databases of threats and vulnerabilities for their members, and provide conferences and other ways for members to interact and share their experiences to better team up against cybercrime and cyber espionage actors. Among the industries with ISACs are aviation, emergency services, IT, maritime, nuclear energy, real estate, public transportation, and water utilities.

"2014 was the year of pipes for information-sharing," says Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA industry group. "We know what the pipes look like now, but a lot of the plumbing needs to still be done."

The emerging protocols for automating the process of intel-sharing from ingestion to action are Structured Threat Information eXpression (STIX), a machine-readable language, and Trusted Automated eXchange of Indicator Information (TAXII), the protocol for transporting the information. Both were rolled into Soltra Edge, a software platform used by many ISACs that was launched in December. The platform gathers threat intelligence from various intelligence sources and presents it in a standard language and format that companies can use to take action to thwart the latest reported threat.

But even with this explosion in sharing of attack intelligence and a platform to ultimately automate the process of gathering intel, most companies today still swap stories and information the old-fashioned way, via email or face-to-face.

"The process isn't automated yet," says William Nelson, president and CEO of the FS-ISAC. "A lot of dialog in information-sharing is going back and forth, did anybody see this, and they raise their hand. We're trying to get more automated" versus using mainly email, for example, Nelson says.

More than half of organizations surveyed by the Ponemon Group last year say they receive their threat intel informally, via email, phone, or in-person meetings, a process fraught with inefficiency and inconsistency. Some 70% of them say intel actually expires within seconds or minutes, and more than 50% have gotten this information in days, weeks, or months, rendering much of it useless.

[For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds. Read Intelligence-Sharing Suffers Growing Pains.]

Richard Bejtlich, chief security strategist for FireEye, says most info-sharing indeed is person-to-person. "It's done in meetings or private mailing lists, and that sort of thing. Efforts made to date to facilitate computer-to-computer machine-readable [intel] have not worked very well," he says. So far, there's been no major shift in moving beyond "people congregating in conference rooms and sharing on mailing lists."

The trouble with much of the intel that ISACs share today is that it's often after the fact, notes Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs. "They're usually late with their information. Most of the time, it's after something hits the news," he says.

But ISACs like the FS-ISAC are trying to change the game. Nearly 1,000 companies have downloaded Soltra Edge, according to Nelson. Soltra Edge is a joint venture of FS-ISAC and The Depository Trust & Clearing Corporation (DTCC), and includes STIX and TAXII for building interfaces to threat intelligence feeds, security information and event management (SIEM) systems, firewalls, IDS/IPS, anti-malware, and other products. But the automation piece -- the plumbing, as Blask calls it -- is still a ways away from reality.

New Additions

In the wake of an unprecedented wave of mega-breaches against big-box retailers, The Retail Industry Leaders Association (RILA) in May officially announced the launch of the Retail Cyber Intelligence Sharing Center (R-CISC), with the backing of Target and other major retailers. The oil and gas industry in June launched the Oil and Natural Gas ISAC (OSN-ISAC), and in July, the automobile industry announced plans to form an intelligence-sharing mechanism, possibly via an Auto-ISAC.

While retail and oil & natural gas have been hit with a wave of real-world attacks and threats, the auto industry is actually racing against real attacks, as security researchers over the past two years have demonstrated security weaknesses and potential attacks that could be used against a new generation of cars outfitted with networking capabilities.

Meanwhile, all eyes are on the federal government's new forays here. President Obama last month signed an Executive Order (his second one on this topic) that promotes sharing of cyber threat information within the private sector as well as between the private sector and the government. The EO came on the heels of the unveiling of the new Cyber Threat Intelligence Integration Center (CTIIC), which will fall under the Office of the Director of National Intelligence, and will act as a central repository for cyber threat information for government agencies and private firms. 

The CTIIC concept has been in discussion by the Obama administration for some time, dating back to when former cyber czar Howard Schmidt suggested the need for a centralized place for coordinating threat intel. The White House says the center will analyze and integrate already collected intel, rather than gathering new information. The EO also includes a shout-out to ISACs as "essential drivers of effective cybersecurity collaboration."

Even so, some ISACs are taking a wait-and-see approach to the feds' new role. "It's going to be interesting to see how that plays out and how DHS fits in with this new agency that's being stood up. It's going to be interesting to see how information and intel flows," says Deborah Kobza, executive director of the healthcare industry's NH-ISAC. "I'm not sure if another added layer of bureaucracy is needed."

Private industry traditionally has been skeptical of sharing intelligence with federal agencies and law enforcement. They've seen mainly a one-way relationship, where the feds or law enforcement agencies gladly take any intel from companies but don't reciprocate. But the FS-ISAC's Nelson says he's seen a marked improvement, with financial services getting more information out of the feds: "The government has been really good lately at getting things unclassified" and therefore accessible, he says. "We've seen a huge improvement in the last two to three years in the amount of information shared in government, in quality and relevance … Three years ago, it was dated drivel. Now it's useful and relevant."

Whether the growth in intel-sharing groups in turn could backfire with information overload or redundancy of effort is unclear. The key, experts say, is that the various ISACs and groups continue to share outside their circles, which many already do today.

With the threat landscape expanding at a rapid clip, ISACs already face plenty of challenges today. "It has to be more than a couple of like-minded individuals who got together to have a beer and wax philosophical on their problems. [It requires] institutional trust with true sharing and without attribution," says Stu Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners, who was a member of the FS-ISAC in his former role as a Bank of America executive.

"For any ISAC to work, there needs to be a high degree of trust and respect in members, and in the organization," says Solomon, who will speak at Interop next month about intelligence-sharing and gathering.

Knowing the right intel -- indicators of compromise, attack campaigns, and law enforcement activity, for example -- is the big question, he says. "What is the right content to share? That's a constant struggle" for ISACs, he says.

Read part 2 here: ISACs Demystified

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Joe Stanganelli,
User Rank: Ninja
3/10/2015 | 2:28:03 AM
Anthem is a great example of this. The signs of the Anthem compromise were there many months before Anthem itself noticed anything. Had there been greater communication, something could have been done a lot sooner.
User Rank: Apprentice
3/9/2015 | 6:14:40 PM
This is still the road to nowhere
ISACs can't work until the affected industries figure out how to shield themselves from competitive disadvantage as a result of revealing their vulnerabilities and the government gives them a legal get out of jail card that frees them from liability (opening the kimono is great for cyber situational awareness but the tort lawyer's bar will have a field day with this ammunition).
Drew Conry-Murray,
User Rank: Ninja
3/9/2015 | 2:33:18 PM
Will they pay attention?
I'm all for more information-sharing across industry sectors, but unless executives go beyond giving lip service about taking security seriously, I don't know how effective these programs will be.

My hope is that if these sharing services can provide some specifics (hey, our PoS systems just got hit, better go check yours), maybe they can reduce the severity of a breach, but a lack of information about threats and risks is not really the problem.