3/12/2015
08:30 PM

ISACs Demystified

How some intelligence-sharing organizations operate in the face of today's threat landscape.

Second installment in a series on ISACs and threat intelligence-sharing.

The first clue of what was later exposed as the Carbanak international cybercrime ring targeting banks was a piece of intelligence shared within the financial services ISAC (FS-ISAC) in September: backdoor malware that was siphoning credentials from a banking application used in Eastern Europe.

The malware, which a US-based security firm shared with the FS-ISAC, was confirmed last month to be part of the Carbanak campaign out of Eastern Europe that, according to findings published by Kaspersky Lab, stole some $1 billion over two years from 100 banks in nearly 30 countries.

"We did not know the extent of the breach or damage [in September], but that there was malicious activity. So there was no attribution, but there was a way to look for this malware," says Mike Davis, CTO at CounterTack, who is a member of the FS-ISAC.

This single malware alert, ultimately tied to the now-infamous banking campaign, shows how banks and other vertical industries often first learn of the latest threats hitting their sectors: a member of the ISAC community spots a piece of malware or a malicious IP address targeting it or another organization in the industry and shares it with other members, who can then block that IP address, scan for the malware, and tune their other defenses against the threat.

But not all ISACs and related intel-sharing organizations operate the same way, or even share information in the same manner. Some ISACs are more effective in thwarting attacks than others, experts say. Their effectiveness often depends on the maturity and level of participation within those communities.

"One of the biggest criticisms about ISACs I hear across the intel community at large is that you get indicators without context, and that the volume [of information] is so high that … you don't know where to prioritize," says Stuart Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners. "The way ISACs should go is to explain why something deserves more or less attention," and to also validate the information, he says.

So by alerting their members about new threats and attacks, do ISACs actually help prevent the spread of breaches and attack campaigns?

"It depends on the quality and actionability of the information," says Solomon, who is scheduled to speak at Interop next month about intelligence-sharing and gathering.

Another factor: not all members necessarily act on the intel. "You get an email with a bunch of file names and hashes. What do you do with it?" CounterTack's Davis says. Some organizations are able to sift through the data and use it; others are not: "Some organizations get the information, but no one does anything with it," he says.

The key ingredient for a useful ISAC is providing context along with the indicators of compromise that get reported. Members then need the ability to analyze and ingest the intelligence and apply it to their security tools.

Take, for example, a malicious IP address that's reported targeting the financial services industry. To apply that information appropriately, an ISAC member would need accompanying details such as why it's malicious and which campaigns or malware it's associated with, iSIGHT's Solomon says. It also helps to know the timeframe of the malicious activity associated with the IP address. "Has its perishability window closed? All of these items relate to context. Without context, it is just more noise."

Veterans And Rookies

The defense industrial base's intel-sharing organization, the Defense Security Information Exchange (DSIE), and the financial services industry's FS-ISAC are the most mature intel-sharing organizations and considered model mechanisms. The defense group, which began in 2008 as a small group of representatives from some of the largest defense contractors, spun out of the Network Security Information Exchange (NSIE), which was formed in 1991 as a subcommittee of the Network Security Telecommunication Advisory Committee (NSTAC). The FS-ISAC, meanwhile, dates back to 1999. Both groups experienced their share of growing pains in the early days, especially the initial hurdle of trusting your fellow members enough to freely swap intelligence with one another.

In contrast, there's the Industrial Control Systems (ICS) ISAC, formed in 2012 and a relative newbie in the ISAC world. That in part explains why hardly any of the in-the-trenches industrial facility members swap attack information. Chris Blask, chair of the ICS-ISAC, says it's mainly vendors and systems integrator members that share attack information in the ISAC, which offers an information-sharing platform via ThreatStream's service to its membership, along with Soltra Edge.

Blask explains that most industrial sites don't have a lot of information to share at this point, since they may not know they've been attacked, and if they do, many can't share it anyway. "They have the worry that regulators are going to jump down their throat" if they share intel, he says. "Very few anywhere in the industrial space are really actively sharing information about what happens to them."

Even the FS-ISAC took a while to evolve into a true sharing organization. William Nelson, president and CEO of the FS-ISAC, which includes member institutions from across the globe, says banks at first didn't want to share information with their competitors. But all that is changing, especially as attackers continue to target the financial industry. In January, there were 450 instances where members shared information, amounting to tens of thousands of threat indicators, he says.

But the big turning point for the FS-ISAC came during the massive "Operation Ababil" DDoS attacks that hit North American banks in 2012 and 2013. Nelson says the financial services industry stepped up and teamed up: "They realized we needed to form response teams of victims, and share with others what they had gone through," he says. "The ROI was unbelievable," and one member of the community commented that when they were attacked, they were ready because of the FS-ISAC community's response teams and intel-sharing, he says.

A vendor member of the ISAC also provided some key intel to the banks targeted in the DDoS attacks: the command-and-control server instructions used by the DDoS botnet in the first level of the attack against bank networks. That gave the banks an early warning of the attack, says Jim Routh, CISO for Aetna Global Information Security and a member of the FS-ISAC. "Each bank had to determine how to protect themselves from the level 2 and 3 [DDoS] attacks, but knowing when they were coming was a big help to manage resources so that first responders could get some rest and be prepared when the attacks came," Routh says.

The second level of the attack required making configuration changes to impede the attackers, he says. "So knowing when the attacks were coming was helpful for the banks to apply resources effectively to respond and minimize business impact," Routh says. Anti-DDoS service providers also had access to the intel via the ISAC, he says.

The DSIE, meanwhile, now has nearly 70 member companies. Unlike many ISACs, the DSIE doesn't anonymize or scrub the source of attack information. So a defense contractor who gets targeted in an attack campaign first shores up his defenses against the attack, and then posts the attack footprints with other members of the DSIE, and everyone knows who shared it.

"A tenet we often advocate is contacting your largest competitor and engaging with them in information-sharing. Because they are most likely being attacked by the same set of advanced adversaries, there's a wealth of potential intelligence," says Mike Gordon, vice chairman of the DSIE. "We might be fierce competitors outside of DSIE, but within the partnership, we agree that cyber is a team sport," says Gordon, who works for Lockheed Martin.

Analysts at various defense contractors are on a first-name basis. "Our Lockheed Martin analysts need to know Wayne's [Boline, chairman of the DSIE] analysts at Raytheon by name," Gordon says.

"Scrubbed" or anonymized information isn't as useful and is more difficult to use, he says. Analysts need to be able to jump on the phone with one another and get more context than just a malicious IP, he says.

The defense industrial base group prides itself on disseminating attack intel fast, too: "Within minutes of an indicator being found by one company, whether we knew it was successful or not, it's being shared with other companies" in the ISAO, says Jay Weinstein, a member of the DSIE board. "That's what makes us unique. Other less-mature [ISACs] take weeks, days, and some are down to hours" to share intel, says Weinstein, who is responsible for network security at a top 10 defense contractor firm.

Members of the DSIE have discovered multiple zero-day attacks, and have shared those markers accordingly, members say.

Meantime, the healthcare industry's NH-ISAC in the past year has evolved into more intel-sharing activity. "A year ago, it was more of pushing out information" to the membership, says Deborah Kobza, executive director of the healthcare industry's NH-ISAC, whose membership includes private and public-sector health organizations, hospitals, medical device manufacturers, and health departments. But that has shifted dramatically, she says.

Anthem's massive data breach revealed last month put the NH-ISAC's intel-sharing capability into full gear. The NH-ISAC received indicators of compromise from what appeared to be the Anthem breach, which the ISAC confirmed with Anthem, and then pushed to members of the NH-ISAC as well as to other ISACs.

The "I" In ISAC

But in the end, it's not just about the ISAC itself. Members of these communities need to discerningly ingest and apply the intel they get. "The best intel is what you generate yourself," says an expert with experience in ISACs who requested anonymity.

There's also the potential for human error on the sharing end of the equation, notes Colby Derodeff, chief strategy officer at ThreatStream. An ISAC member could accidentally post a legitimate IP address rather than an illegitimate one, for example: "If you just take that data at face value and put it into a correlation engine and monitor all firewall and proxy logs … you're going to generate thousands of" false positives, he says.

"Having the ability to analyze intel prior to putting it into active monitoring mode is really important."
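As an added example that is not code from the article, the FS-ISAC, DSIE, ThreatStream or Soltra: a Python vetting step that applies the context and perishability checks Solomon describes above (why is it malicious, which campaign, has the window closed) and the analyze-before-monitoring step Derodeff recommends (a legitimate address posted by mistake must not reach the correlation engine). The feed schema and field names, the allowlist, the key=value log format and all sample indicators and log lines are constructed assumptions for this example.

```python
"""Vet shared indicators before active monitoring, then match the vetted
set against log lines. Added example; feed fields, allowlist, log format
and sample data are constructed, not any ISAC's real feed or schema."""
import ipaddress
import re
from datetime import date, datetime

# Constructed indicator feed: value, type, campaign context and a
# perishability window. The field names are this example's own.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "campaign": "banking-backdoor-A",
     "first_seen": "2015-02-20", "valid_until": "2015-04-01", "confidence": 80},
    # A public resolver posted by mistake: the error Derodeff describes.
    {"type": "ipv4", "value": "8.8.8.8", "campaign": "banking-backdoor-A",
     "first_seen": "2015-02-20", "valid_until": "2015-04-01", "confidence": 80},
    # RFC 1918 address: meaningless outside the poster's own network.
    {"type": "ipv4", "value": "10.0.0.7", "campaign": "banking-backdoor-A",
     "first_seen": "2015-02-20", "valid_until": "2015-04-01", "confidence": 80},
    # Malformed hash.
    {"type": "sha256", "value": "deadbeef", "campaign": "banking-backdoor-A",
     "first_seen": "2015-02-20", "valid_until": "2015-04-01", "confidence": 90},
    # Perishability window already closed.
    {"type": "sha256", "value": "a" * 64, "campaign": "banking-backdoor-A",
     "first_seen": "2014-09-01", "valid_until": "2014-12-01", "confidence": 90},
    # Well-formed hash with context.
    {"type": "sha256", "value": "b" * 64, "campaign": "banking-backdoor-A",
     "first_seen": "2015-02-20", "valid_until": "2015-04-01", "confidence": 90},
    # Indicator without context: noise until someone explains it.
    {"type": "ipv4", "value": "198.51.100.9", "campaign": "",
     "first_seen": "2015-03-01", "valid_until": "2015-04-01", "confidence": 30},
]

TODAY = date(2015, 3, 12)  # fixed "today" so the example is deterministic

# Assumed organization-maintained list of infrastructure you never block.
KNOWN_BENIGN = {"8.8.8.8", "8.8.4.4"}

# Address space that cannot be an external attacker. The RFC 5737
# documentation ranges used by the sample data are deliberately not listed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MIN_CONFIDENCE = 50


def vet(ind, today=TODAY):
    """Return (status, reason): 'active' goes to monitoring, 'review' needs
    a human first, 'reject' is dropped."""
    kind, value = ind.get("type"), str(ind.get("value", "")).strip().lower()
    if kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return "reject", "malformed IPv4 address"
        if any(addr in net for net in NON_ROUTABLE):
            return "reject", "non-routable address"
        if value in KNOWN_BENIGN:
            return "review", "matches known-benign infrastructure (posting error?)"
    elif kind == "sha256":
        if not SHA256_RE.match(value):
            return "reject", "malformed SHA-256"
    else:
        return "reject", "unsupported indicator type %r" % kind
    try:
        valid_until = datetime.strptime(ind["valid_until"], "%Y-%m-%d").date()
    except (KeyError, ValueError):
        return "review", "no perishability window"
    if today > valid_until:
        return "reject", "perishability window closed on %s" % valid_until
    if not ind.get("campaign"):
        return "review", "no context: unknown campaign or malware family"
    if int(ind.get("confidence", 0)) < MIN_CONFIDENCE:
        return "review", "confidence below threshold"
    return "active", "ok"


def triage(feed, today=TODAY):
    """Split a feed into {status: [(indicator, reason), ...]}."""
    out = {"active": [], "review": [], "reject": []}
    for ind in feed:
        status, reason = vet(ind, today)
        out[status].append((ind, reason))
    return out


# Constructed proxy/endpoint log lines in an assumed key=value format.
LOGS = """\
ts=2015-03-12T09:58:11Z host=ws-17 dst=203.0.113.45 sha256=-
ts=2015-03-12T09:58:40Z host=ws-17 dst=8.8.8.8 sha256=-
ts=2015-03-12T10:02:05Z host=ws-21 dst=- sha256={b}
ts=2015-03-12T10:05:55Z host=ws-03 dst=- sha256={a}
""".format(a="a" * 64, b="b" * 64)

KV_RE = re.compile(r"(\w+)=(\S+)")


def match_logs(active, log_text):
    """Match only vetted indicators against log lines; each hit carries the
    indicator's context so the alert says why it matters."""
    by_value = {ind["value"].lower(): ind for ind, _ in active}
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        for key in ("dst", "sha256"):
            ind = by_value.get(fields.get(key, "-").lower())
            if ind:
                hits.append({"ts": fields["ts"], "host": fields["host"],
                             "indicator": ind["value"], "campaign": ind["campaign"],
                             "confidence": ind["confidence"]})
    return hits


if __name__ == "__main__":
    buckets = triage(FEED)
    for status in ("reject", "review"):
        for ind, reason in buckets[status]:
            print("%-7s %-20.20s %s" % (status, ind["value"], reason))
    for hit in match_logs(buckets["active"], LOGS):
        print("ALERT %(ts)s %(host)s matched %(indicator).20s "
              "(%(campaign)s, confidence %(confidence)d)" % hit)
```

Run as-is, the script rejects the private address, the malformed hash and the expired hash, sends the mistaken resolver and the context-free address to human review, and raises two alerts (the 203.0.113.45 connection and the `b…` hash) without ever matching 8.8.8.8 against the proxy log. The point is the split between `review` and `active`: a posting error costs an analyst a few minutes instead of thousands of false positives in the correlation engine.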

[Read the first installment in this series: Efforts To Team Up And Fight Off Hackers Intensify]

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jamieinmontreal (User Rank: Strategist), 3/26/2015 | 9:30:08 AM
redefining boundaries and walls....
I commented earlier on this thread about the need for some Gov-led action in regards to forcing cyber threat information sharing among private entities and governments. I read on the way in to work this morning that a bill introduced on Tuesday, the "Protecting Cyber Networks Act", will "make it easier for companies to share information about cybersecurity threats with the government, without the fear of being sued."

The proposed bill would create an environment for private to private and private to government sharing of threats where the private organisations are indemnified and held free from harm in regards to the threats they are sharing.

However, there is no onus placed on anyone to actually do anything about the sharing of such information. As such there are a few questions that are raised regarding intent and effect.
  • Is this a precursor to a more heavy-handed approach where info sharing will be mandated in the event of breach?
  • Bad guys share information more readily - there is less concern about loss of IP on the "dark side". Will private corporations actually share info that could expose them, or other organisations, to risk?
  • Will the scrubbing of intel make it less useful?

In the article spawning this comment, DSIE Vice Chairman Mike Gordon states pretty clearly that scrubbed info is less useful than un-scrubbed. The bill seems to propose a sanitised version of what DSIE is already trying to achieve - trying to clean and scrub (a human task which may or may not end up being automated) could result in the creation of a lot more bad data, which exacerbates the initial problem of too much stuff to analyse.

I would still contend that culturally the fear of losing protection of our info is still greater than the fear of that same private data actually being corrupted. Either the balance of fear will need to change or legislative action will need to be taken to enforce sharing of relevant, useful info.

 
Dr.T (User Rank: Ninja), 3/13/2015 | 1:04:37 PM
Re: Seems like we're redefining boundaries and walls?
I like your idea: if a company is breached once, there has to be a mandate to make sure there is a proper team in place and their policies and procedures are under review, and they get a grade out of that, the way we do it for restaurants in the US currently. That would make most of us more secure, I would think.
Dr.T (User Rank: Ninja), 3/13/2015 | 1:01:36 PM
Re: Understanding who to share with
DIB-ISAC (an acronym for Defense Industrial Base-ISAC) was created to address an all-hazards approach to securing the DIB supply chain, according to wikia.com/wiki/DIB-ISAC
Defense Security Information Exchange (DSIE) from whitehouse.gov
Dr.T (User Rank: Ninja), 3/13/2015 | 12:57:11 PM
Re: Understanding who to share with
Obviously it is not easy not to get confused. Thank you for clarifying that, DSIE_Membership :--))
Dr.T (User Rank: Ninja), 3/13/2015 | 12:54:01 PM
Prioritization
Obviously we cannot address everything at the same time; it is a good idea to do prioritization with explanation. That is how it works with all businesses if you want to get things done.
jamieinmontreal (User Rank: Strategist), 3/13/2015 | 11:08:46 AM
Seems like we're redefining boundaries and walls?
Each ISAC needs to operate in an environment of full trust and cooperation with each other; a primary reason hackers were (and are) so successful is that they share their info and techniques. They do so in an environment that has become ever more professional and corporate - while the hacking charter isn't exactly geared towards "good", the ability and willingness for them to network and share info is something that most corporations would give their eye teeth to have internally.

The white hats (in this case each company affiliated to an industry ISAC) have more to lose than the hackers, hence the reason they're being hacked in the first place. Some of the items highlighted here are alarming in their short-sightedness, such as incomplete, non-contextualised information being shared, and inaction on the part of recipients with regard to info provided.

Perhaps the focus of the ISAC is wrong? Instead of trying to share threat identification markers (usually post breach), why aren't they searching for their own vulnerabilities and sharing that info... oh yeah, competitive advantage can't be undermined, right...? In other words, a distinct absence of trust.

I'd suggest that any company that has been breached and has lost protected information should be compelled by federal law to set up a vulnerability analysis team (or hire one) and have their results shared with ISACs in their own and other industries for the following 5 years.

How quickly would companies tighten up on security measures in the face of having to consistently air their dirty laundry for the next 20 quarters?
Kelly Jackson Higgins (User Rank: Strategist), 3/13/2015 | 10:04:32 AM
Re: Understanding who to share with
Thanks, @DSIE_Membership, for noting that the DSIE and the DIB-ISAC are separate organizations.
DSIE_Membership (User Rank: Apprentice), 3/13/2015 | 9:00:10 AM
Understanding who to share with
It's easy to get confused as you look for your company's fit amongst the various information sharing organizations such as ISACs and ISAOs. The reality is that almost anyone can start an information sharing organization, so it's very important that companies and individuals understand the scope of the sharing team. Is the scope Regional / National / Global? Is the scope sector specific or cross industry? How long has this group existed, and how trusted is the group in the cyber community? If you would like more information on DSIE, please feel free to send an email to membership at dsie . net

Please note: While the DIB-ISAO/DSIE are referred to in this article as the Defense industrial base ISAC, we are NOT affiliated with the new startup organization known as the "DIB-ISAC".