First in a series on ISACs and threat intelligence-sharing.
Call it safety in numbers. Over the past year, major industries in the hacker's bullseye -- retail and oil & gas -- have formed official cyberattack intelligence-sharing mechanisms, while the automobile industry and legal sector are currently mulling a similar road to defending themselves against attackers.
The White House, meanwhile, is creating a central coordinating agency to analyze and share information generated from the government and various information-sharing and analysis centers (ISACs) and intelligence-sharing organizations cropping up across various industries. Overall, there are some 18 ISACs under the National Council of ISACs umbrella, including the Defense Industrial Base (DIB) ISAC and the financial services (FS) ISAC, both considered the gold standards for industry intel-sharing groups.
It's all in the name of companies and government agencies gathering and sharing as much relevant and timely intelligence about new or ongoing cyberattacks as quickly as possible, to avoid major breaches, or to at least minimize the damage.
ISACs provide an official mechanism for sharing information about the latest cyberattacks and threats spotted targeting specific industries, for instance, and include databases of the threats and vulnerabilities for their members, as well as provide conferences and other ways for members to interact and share their experiences to better team up against cybercrime and cyber espionage actors. Among the industries with ISACs are aviation, emergency services, IT, maritime, nuclear energy, real estate, public transportation, and water utilities.
"2014 was the year of pipes for information-sharing," says Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA industry group. "We know what the pipes look like now, but a lot of the plumbing needs to still be done."
The emerging protocols for automating the process of intel-sharing from ingestion to action, Structured Threat Information eXpression, or STIX, a machine-readable language, and Trusted Automated eXchange of Indicator Information (TAXII), the protocol for transporting the information, were rolled into a software platform used by many ISACs called Soltra Edge, which was launched in December. The software platform basically gathers threat intelligence from various intelligence sources and presents it in a standard language and format that can be used by companies to take action to thwart the latest reported threat.
But even with this explosion in sharing of attack intelligence and a platform to ultimately automate the process of gathering intel, most companies today still swap stories and information the old-fashioned way, via email or face-to-face.
"The process isn't automated yet," says William Nelson, president and CEO of the FS-ISAC. "A lot of dialog in information-sharing is going back and forth, did anybody see this, and they raise their hand. We're trying to get more automated" versus using mainly email, for example, Nelson says.
More than half of organizations surveyed by the Ponemon Group last year say they receive their threat intel informally, via email, phone, or in-person meetings, a process fraught with inefficiency and inconsistency. Some 70% of them say intel actually expires within seconds or minutes, and more than 50% have gotten this information in days, weeks, or months, rendering much of it useless.
[For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds. Read Intelligence-Sharing Suffers Growing Pains.]
Richard Bejtlich, chief security strategist for FireEye, says most info-sharing indeed is person-to-person. "It's done in meetings or private mailing lists, and that sort of thing. Efforts made to date to facilitate computer-to-computer machine-readable [intel] have not worked very well," he says. So far, there's been no major shift in moving beyond "people congregating in conference rooms and sharing on mailing lists."
The trouble with much of the intel that ISACs share today is that it's often after the fact, notes Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs. "They're usually late with their information. Most of the time, it's after something hits the news," he says.
But ISACs like the FS-ISAC are trying to change the game. Nearly 1,000 companies have downloaded Soltra Edge, according to Nelson. Soltra Edge is a joint venture of FS-ISAC and The Depository Trust & Clearing Corporation (DTCC), and includes STIX and TAXII for building interfaces to threat intelligence feeds, security information and event management (SIEM) systems, firewalls, IDS/IPS, anti-malware, and other products. But the automation piece--the plumbing, as Blask calls it-- is still a way's away from reality.
In the wake of an unprecedented wave of mega-breaches against big-box retailers, The Retail Industry Leaders Association (RILA) in May officially announced the launch of the Retail Cyber Intelligence Sharing Center (R-CISC), with the backing of Target and other major retailers. The oil and gas industry in June launched the Oil and Natural Gas ISAC (OSN-ISAC), and in July, the automobile industry announced plans to form an intelligence-sharing mechanism, possibly via an Auto-ISAC.
While retail and oil & natural gas have been hit with a wave of real-world attacks and threats, the auto industry is actually racing against real attacks, as security researchers over the past two years have demonstrated security weaknesses and potential attacks that could be used against the a new generation of cars outfitted with networking capabilities.
Meanwhile, all eyes are on the federal government's new forays here. President Obama last month signed an Executive Order (his second one on this topic) that promotes sharing of cyber threat information within the private sector as well as between the private sector and the government. The EO came on the heels of the unveiling of the new Cyber Threat Intelligence Integration Center (CTIIC), which will fall under the Office of the Director of National Intelligence, and will act as a central repository for cyber threat information for government agencies and private firms.
The CTIIC concept has been in discussion by the Obama administration for some time, dating back to when former cyber czar Howard Schmidt suggested the need for a centralized place for coordinating threat intel. The White House says the center will analyze and integrate already collected intel, rather than gathering new information. The EO also includes a shout-out to ISACs as "essential drivers of effective cybersecurity collaboration."
Even so, some ISACs are taking a wait-and-see approach to the feds' new role. "It's going to be interesting to see how that plays out and how DHS fits in with this new agency that's being stood up. It's going to be interesting to see how information and intel flows," says Deborah Kobza, executive director of the healthcare industry's NH-ISAC. "I'm not sure if another added layer of bureaucracy is needed."
Private industry traditionally has been skeptical of sharing intelligence with federal agencies and law enforcement. They've seen mainly a one-way relationship, where the feds or law enforcement agencies gladly take any intel from companies but don't reciprocate. But the FS-ISAC's Nelson says he's seen a marked improvement, with financial services getting more information out of the feds: "The government has been really good lately at getting things unclassified" and therefore accessible, he says. "We've seen a huge improvement in the last two- to three years in the amount of information shared in government, in quality and relevance … Three years ago, it was dated drivel. Now it's useful and relevant."
Whether the growth in intel-sharing groups in turn could backfire with information overload or redundancy of effort is unclear. The key, experts say, is that the various ISACs and groups continue to share outside their circles, which many already do today.
With the threat landscape expanding at a rapid clip, ISACs already face plenty of challenges today. "It has to be more than a couple of like-minded individuals who got together to have a beer and wax philosophical on their problems. [It requires] institutional trust with true sharing and without attribution," says Stu Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners, who was a member of the FS-ISAC in his former role as a Bank of America executive.
"For any ISAC to work, there needs to be a high degree of trust and respect in members, and in the organization," says Solomon, who will speak at Interop next month about intelligence-sharing and gathering.
Knowing the right intel -- indicators of compromise, attack campaigns, and law enforcement activity, for example -- is the big question, he says. "What is the right content to share? That's a constant struggle" for ISACs, he says.
Read part 2 here: ISACs Demystified