

06:00 PM
Efforts To Team Up And Fight Off Hackers Intensify

New intelligence-sharing groups/ISACs emerge, software tools arrive and the White House adds a coordinating agency -- but not all of the necessary intel-sharing 'plumbing' is in place just yet.

First in a series on ISACs and threat intelligence-sharing.

Call it safety in numbers. Over the past year, major industries in the hacker's bullseye -- retail and oil & gas -- have formed official cyberattack intelligence-sharing mechanisms, while the automobile industry and legal sector are currently mulling a similar road to defending themselves against attackers.

The White House, meanwhile, is creating a central coordinating agency to analyze and share information generated from the government and various information-sharing and analysis centers (ISACs) and intelligence-sharing organizations cropping up across various industries. Overall, there are some 18 ISACs under the National Council of ISACs umbrella, including the Defense Industrial Base (DIB) ISAC and the financial services (FS) ISAC, both considered the gold standards for industry intel-sharing groups.

It's all in the name of companies and government agencies gathering and sharing as much relevant and timely intelligence about new or ongoing cyberattacks as quickly as possible, to avoid major breaches, or to at least minimize the damage.

ISACs provide an official mechanism for sharing information about the latest cyberattacks and threats spotted targeting a specific industry. They maintain databases of threats and vulnerabilities for their members and run conferences and other forums where members can share their experiences and team up against cybercrime and cyber-espionage actors. Among the industries with ISACs are aviation, emergency services, IT, maritime, nuclear energy, real estate, public transportation, and water utilities.

"2014 was the year of pipes for information-sharing," says Chris Blask, chair of the ICS-ISAC, the industrial control system/SCADA industry group. "We know what the pipes look like now, but a lot of the plumbing needs to still be done."

The emerging standards for automating intel-sharing from ingestion to action are Structured Threat Information eXpression (STIX), a machine-readable language for describing threats and indicators, and Trusted Automated eXchange of Indicator Information (TAXII), the protocol for transporting STIX content between parties. Both were rolled into Soltra Edge, a software platform used by many ISACs that launched in December. Soltra Edge gathers threat intelligence from various sources and presents it in a standard language and format that companies can use to act on the latest reported threat.

But even with this explosion in sharing of attack intelligence and a platform to ultimately automate the process of gathering intel, most companies today still swap stories and information the old-fashioned way, via email or face-to-face.

"The process isn't automated yet," says William Nelson, president and CEO of the FS-ISAC. "A lot of dialog in information-sharing is going back and forth, did anybody see this, and they raise their hand. We're trying to get more automated" versus using mainly email, for example, Nelson says.

More than half of organizations surveyed by the Ponemon Institute last year say they receive their threat intel informally, via email, phone, or in-person meetings, a process fraught with inefficiency and inconsistency. Some 70% of them say intel actually expires within seconds or minutes, yet more than 50% have received it only days, weeks, or months later, rendering much of it useless.

[For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds. Read Intelligence-Sharing Suffers Growing Pains.]

Richard Bejtlich, chief security strategist for FireEye, says most info-sharing indeed is person-to-person. "It's done in meetings or private mailing lists, and that sort of thing. Efforts made to date to facilitate computer-to-computer machine-readable [intel] have not worked very well," he says. So far, there's been no major shift in moving beyond "people congregating in conference rooms and sharing on mailing lists."

The trouble with much of the intel that ISACs share today is that it's often after the fact, notes Mike Davis, CTO at CounterTack, who has worked with the FS-ISAC as well as other ISACs. "They're usually late with their information. Most of the time, it's after something hits the news," he says.

But ISACs like the FS-ISAC are trying to change the game. Nearly 1,000 companies have downloaded Soltra Edge, according to Nelson. Soltra Edge is a joint venture of FS-ISAC and The Depository Trust & Clearing Corporation (DTCC), and supports STIX and TAXII for building interfaces to threat intelligence feeds, security information and event management (SIEM) systems, firewalls, IDS/IPS, anti-malware, and other products. But the automation piece -- the plumbing, as Blask calls it -- is still some way from reality.
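What the "ingestion to action" pipeline described above actually looks like in code, as an added example that is not Soltra Edge, FS-ISAC or any vendor's code: a small Python script takes a STIX bundle, drops indicators whose validity window has passed (the expiry problem the Ponemon figures point to), indexes the simple ones by observable type, and checks them against log lines. Two assumptions: the bundle is in STIX 2.1 JSON, the current form of the standard (the 2015 article refers to STIX 1.x, which was XML), and it is already in hand, so the TAXII transport step is not shown. The bundle, its placeholder identifiers and the log lines are all constructed for this example.

```python
"""Ingest STIX 2.1 indicators and check them against log lines.

Added example for this article; not Soltra Edge or FS-ISAC code.
Handles only single-comparison STIX patterns and drops expired indicators.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle. Ids are placeholder UUIDs; the hash is the
# SHA-256 of the empty string, used only as a stand-in value.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2015-03-01T00:00:00.000Z", "modified": "2015-03-01T00:00:00.000Z",
         "name": "constructed: C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2015-03-01T00:00:00Z", "valid_until": "2015-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2015-03-01T00:00:00.000Z", "modified": "2015-03-01T00:00:00.000Z",
         "name": "constructed: phishing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net']",
         "valid_from": "2015-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2015-01-01T00:00:00.000Z", "modified": "2015-01-01T00:00:00.000Z",
         "name": "constructed: stale dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2015-01-01T00:00:00Z", "valid_until": "2015-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2015-03-01T00:00:00.000Z", "modified": "2015-03-01T00:00:00.000Z",
         "name": "constructed: compound pattern", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9'] AND [network-traffic:dst_port = 4444]",
         "valid_from": "2015-03-01T00:00:00Z"},
    ],
})

# Constructed key=value log lines; not real traffic.
SAMPLE_LOGS = [
    "2015-03-09T14:02:11Z proxy src=10.0.0.12 dst=198.51.100.7 host=cdn.example.org status=200",
    "2015-03-09T14:02:12Z proxy src=10.0.0.13 dst=203.0.113.9 host=update.example.net status=302",
    "2015-03-09T14:02:13Z edr host=ws-44 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Only single-comparison patterns on these three object paths are supported.
SIMPLE_PATTERN = re.compile(
    r"^\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256') = '([^']+)'\]$")
EXTRACTORS = {
    "ipv4-addr:value": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain-name:value": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "file:hashes.'SHA-256'": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def parse_stix_time(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_indicators(bundle_json, now):
    """Return ({path: {value: indicator_id}}, [(indicator_id, reason)]) for the bundle."""
    table = {path: {} for path in EXTRACTORS}
    skipped = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        until = obj.get("valid_until")
        if until and parse_stix_time(until) <= now:
            skipped.append((obj["id"], "expired"))  # stale intel is dropped, not matched
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            skipped.append((obj["id"], "unsupported pattern"))  # needs a full pattern engine
            continue
        table[m.group(1)][m.group(2).lower()] = obj["id"]
    return table, skipped


def match_logs(table, log_lines):
    """Return (line_no, path, value, indicator_id) for every token that hits an indicator."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for path, rx in EXTRACTORS.items():
            for token in rx.findall(line):
                ind = table[path].get(token.lower())
                if ind:
                    hits.append((line_no, path, token, ind))
    return hits


def run(bundle_json=SAMPLE_BUNDLE, log_lines=SAMPLE_LOGS, now=None):
    now = now or datetime.now(timezone.utc)
    table, skipped = load_indicators(bundle_json, now)
    return match_logs(table, log_lines), skipped


def demo():
    """Run the constructed bundle against the constructed logs as of 2015-03-09."""
    return run(now=datetime(2015, 3, 9, tzinfo=timezone.utc))


if __name__ == "__main__":
    hits, skipped = demo()
    for h in hits:
        print("HIT line %d %s=%s -> %s" % h)
    for s in skipped:
        print("SKIP %s (%s)" % s)
```

Run as of 2015-03-09 the script flags the C2 address on line 1 and the phishing domain on line 2, ignores the hash on line 3 because that indicator expired on 2015-02-01, and reports the compound AND pattern as unsupported rather than silently matching only half of it. The two skip reasons are the practical caveats: an expired indicator matched late is the "dated drivel" the article describes, and anything beyond a single comparison needs a real STIX pattern evaluator, not a regex.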

New Additions

In the wake of an unprecedented wave of mega-breaches against big-box retailers, the Retail Industry Leaders Association (RILA) in May officially announced the launch of the Retail Cyber Intelligence Sharing Center (R-CISC), with the backing of Target and other major retailers. The oil and gas industry in June launched the Oil and Natural Gas ISAC (ONG-ISAC), and in July, the automobile industry announced plans to form an intelligence-sharing mechanism, possibly via an Auto-ISAC.

While retail and oil & natural gas have been hit with a wave of real-world attacks and threats, the auto industry is trying to get ahead of real attacks: over the past two years security researchers have demonstrated security weaknesses and potential attacks against the new generation of cars outfitted with networking capabilities.

Meanwhile, all eyes are on the federal government's new forays here. President Obama last month signed an Executive Order (his second one on this topic) that promotes sharing of cyber threat information within the private sector as well as between the private sector and the government. The EO came on the heels of the unveiling of the new Cyber Threat Intelligence Integration Center (CTIIC), which will fall under the Office of the Director of National Intelligence, and will act as a central repository for cyber threat information for government agencies and private firms. 

The CTIIC concept has been in discussion by the Obama administration for some time, dating back to when former cyber czar Howard Schmidt suggested the need for a centralized place for coordinating threat intel. The White House says the center will analyze and integrate already collected intel, rather than gathering new information. The EO also includes a shout-out to ISACs as "essential drivers of effective cybersecurity collaboration."

Even so, some ISACs are taking a wait-and-see approach to the feds' new role. "It's going to be interesting to see how that plays out and how DHS fits in with this new agency that's being stood up. It's going to be interesting to see how information and intel flows," says Deborah Kobza, executive director of the healthcare industry's NH-ISAC. "I'm not sure if another added layer of bureaucracy is needed."

Private industry traditionally has been skeptical of sharing intelligence with federal agencies and law enforcement, having seen mainly a one-way relationship in which the feds or law enforcement agencies gladly take any intel from companies but don't reciprocate. But the FS-ISAC's Nelson says he's seen a marked improvement, with financial services getting more information out of the feds: "The government has been really good lately at getting things unclassified" and therefore accessible, he says. "We've seen a huge improvement in the last two- to three years in the amount of information shared in government, in quality and relevance … Three years ago, it was dated drivel. Now it's useful and relevant."

Whether the growth in intel-sharing groups in turn could backfire with information overload or redundancy of effort is unclear. The key, experts say, is that the various ISACs and groups continue to share outside their circles, which many already do today.

With the threat landscape expanding at a rapid clip, ISACs already face plenty of challenges today. "It has to be more than a couple of like-minded individuals who got together to have a beer and wax philosophical on their problems. [It requires] institutional trust with true sharing and without attribution," says Stu Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners, who was a member of the FS-ISAC in his former role as a Bank of America executive.

"For any ISAC to work, there needs to be a high degree of trust and respect in members, and in the organization," says Solomon, who will speak at Interop next month about intelligence-sharing and gathering.

Knowing the right intel -- indicators of compromise, attack campaigns, and law enforcement activity, for example -- is the big question, he says. "What is the right content to share? That's a constant struggle" for ISACs, he says.

Read part 2 here: ISACs Demystified

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Joe Stanganelli, 3/10/2015 | 2:28:03 AM
Anthem is a great example of this. The signs of the Anthem compromise were there many months before Anthem itself noticed anything. Had there been greater communication, something could have been done a lot sooner.

3/9/2015 | 6:14:40 PM
This is still the road to nowhere
ISACs can't work until the affected industries figure out how to shield themselves from competitive disadvantage as a result of revealing their vulnerabilities and the government gives them a legal get out of jail card that frees them from liability (opening the kimono is great for cyber situational awareness but the tort lawyer's bar will have a field day with this ammunition).

Drew Conry-Murray, 3/9/2015 | 2:33:18 PM
Will they pay attention?
I'm all for more information-sharing across industry sectors, but unless executives go beyond giving lip service about taking security seriously, I don't know how effective these programs will be.

My hope is that if these sharing services can provide some specifics (hey, our PoS systems just got hit, better go check yours), maybe they can reduce the severity of a breach, but a lack of information about threats and risks is not really the problem.