Second installment in a series on ISACs and threat intelligence-sharing.
The first clue of what was later exposed as the Carbanak international cybercrime ring targeting banks was a piece of intelligence shared within the financial services ISAC (FS-ISAC) in September: backdoor malware that was siphoning credentials from a banking application used in Eastern Europe.
The malware, which a US-based security firm shared with the FS-ISAC, last month was confirmed to be part of the Carbanak international attack campaign out of Eastern Europe that stole some $1 billion in two years from 100 different banks it hacked in nearly 30 countries, according to findings published by Kaspersky Lab.
"We did not know the extent of the breach or damage [in September], but that there was malicious activity. So there was no attribution, but there was a way to look for this malware," says Mike Davis, CTO at CounterTack, who is a member of the FS-ISAC.
This single malware alert ultimately tied to the now-infamous banking hack campaign demonstrates how banks and other vertical industries sometimes first learn of the latest threats hitting their sectors: a member of the ISAC community spots a piece of malware or a malicious IP address targeting it or another organization in the industry, and then shares that information with other members who then can block that IP address, scan for the malware, and apply other parameters to shore up their defenses against the threats.
But not all ISACs and related intel-sharing organizations operate the same way, or even share information in the same manner. Some ISACs are more effective in thwarting attacks than others, experts say. Their effectiveness often depends on the maturity and level of participation within those communities.
"One of the biggest criticisms about ISACs I hear across the intel community at large is that you get indicators without context, and that the volume [of information] is so high that … you don't know where to prioritize," says Stuart Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners. "The way ISACs should go is to explain why something deserves more or less attention," and to also validate the information, he says.
So by alerting their members about new threats and attacks, do ISACs actually help prevent the spread of breaches and attack campaigns?
Another factor: not all members necessarily act on the intel. "You get an email with a bunch of file names and hashes. What do you do with it?" CounterTack's Davis says. Some organizations are able to sift through and use it, but others are not: "Some organizations get the information, but no one does anything with it," he says.
The key ingredient for a useful ISAC is providing context along with the indicators of compromise that get reported. Then members need the ability to analyze and ingest the intelligence, and apply it to their security tools.
Take, for example, a malicious IP address that's reported targeting the financial services industry. In order to appropriately apply that information internally, an ISAC member would need accompanying details such as why it's malicious and which campaigns or malware it's associated with, iSIGHT's Solomon says. It helps to know the timeframe of malicious activity associated with the IP address. "Has its perishability window closed? All of these items relate to context. Without context, it is just more noise."
Veterans And Rookies
The defense industrial base's intel-sharing organization, the Defense Security Information Exchange (DSIE), and the financial services industry's FS-ISAC are the most mature intel-sharing organizations and considered model mechanisms. The defense group, which began in 2008 as a small group of representatives from some of the largest defense contractors, spun out of the Network Security Information Exchange (NSIE), which was formed in 1991 as a subcommittee of the Network Security Telecommunication Advisory Committee (NSTAC). The FS-ISAC, meanwhile, dates back to 1999. Both groups experienced their share of growing pains in the early days, especially the initial hurdle of trusting your fellow members enough to freely swap intelligence with one another.
In contrast, there's the Industrial Control Systems (ICS) ISAC, formed in 2012 and a relative newbie in the ISAC world. That in part explains why hardly any of the in-the-trenches industrial facility members swap attack information. Chris Blask, chair of the ICS-ISAC, says it's mainly vendors and systems integrator members that share attack information in the ISAC, which offers an information-sharing platform via ThreatStream's service to its membership, along with Soltra Edge.
Blask explains that most industrial sites don't have a lot of information to share at this point -- they may not know they've been attacked -- and if they do, many can't share it, anyway. "They have the worry that regulators are going to jump down their throat" if they share intel, he says. "Very few anywhere in the industrial space are really actively sharing information about what happens to them."
Even the FS-ISAC took a while to evolve into a true sharing organization. William Nelson, president and CEO of the FS-ISAC, which includes member institutions from across the globe, says banks at first didn't want to share information with their competitors. But all that is changing, especially as attackers continue to target the financial industry. In January, there were 450 instances where members shared information, amounting to tens of thousands of threat indicators, he says.
But the big turning point for the FS-ISAC came during the massive "Operation Ababil" DDoS attacks that hit North American banks in 2012 and 2013. Nelson says the financial services industry stepped up and teamed up: "They realized we needed to form response teams of victims, and share with others what they had gone through," he says. "The ROI was unbelievable," and one member of the community commented that when they were attacked, they were ready because of the FS-ISAC community's response teams and intel-sharing, he says.
A vendor member of the ISAC also provided some key intel to the banks targeted in the DDoS attacks: the command and control server instructions used by the DDoS botnet in the first level of the attack against bank networks. That gave the banks an early warning of the attack, says Jim Routh, CISO for Aetna Global Information Security, and a member of the FS-ISAC. "Each bank had to determine how to protect themselves from the level 2 and 3 [DDoS] attacks, but knowing when they were coming was a big help to manage resources so that first responders could get some rest and be prepared when the attacks came," Routh says.
The second level of the attack required making configuration changes to impede the attackers, he says. "So knowing when the attacks were coming was helpful for the banks to apply resources effectively to respond and minimize business impact," Routh says. Anti-DDoS service providers also had access to the intel via the ISAC, he says.
The DSIE, meanwhile, now has nearly 70 member companies. Unlike many ISACs, the DSIE doesn't anonymize or scrub the source of attack information. So a defense contractor who gets targeted in an attack campaign first shores up his defenses against the attack, and then posts the attack footprints with other members of the DSIE, and everyone knows who shared it.
"A tenet we often advocate is contacting your largest competitor and engaging with them in information-sharing. Because they are most likely being attacked by the same set of advanced adversaries, there's a wealth of potential intelligence," says Mike Gordon, vice chairman of the DSIE. "We might be fierce competitors outside of DSIE, but within the partnership, we agree that cyber is a team sport," says Gordon, who works for Lockheed Martin.
Analysts at various defense contractors are on a first-name basis. "Our Lockheed Martin analysts need to know Wayne's [Boline, chairman of the DSIE] analysts at Raytheon by name," Gordon says.
"Scrubbed" or anonymized information isn't as useful and is more difficult to use, he says. Analysts need to be able to jump on the phone with one another and get more context than just a malicious IP, he says.
The defense industrial base group prides itself on disseminating attack intel fast, too: "Within minutes of an indicator being found by one company, whether we knew it was successful or not, it's being shared with other companies" in the ISAO, says Jay Weinstein, a member of the DSIE board. "That's what makes us unique. Other less-mature [ISACs] take weeks, days, and some are down to hours" to share intel, says Weinstein, who is responsible for network security at a top 10 defense contractor firm.
Members of the DSIE have discovered multiple zero-day attacks, and have shared those markers accordingly, members say.
Meantime, the healthcare industry's NH-ISAC in the past year has evolved into more intel-sharing activity. "A year ago, it was more of pushing out information" to the membership, says Deborah Kobza, executive director of the healthcare industry's NH-ISAC, whose membership includes private and public-sector health organizations, hospitals, medical device manufacturers, and health departments. But that has shifted dramatically, she says.
Anthem's massive data breach revealed last month put the NH-ISAC's intel-sharing capability into full gear. The NH-ISAC received indicators of compromise from what appeared to be the Anthem breach, which the ISAC confirmed with Anthem, and then pushed to members of the NH-ISAC as well as to other ISACs.
The "I" In ISAC
But in the end, it's not just about the ISAC itself. Members of these communities need to discerningly ingest and apply the intel they get. "The best intel is what you generate yourself," says an expert with experience in ISACs who requested anonymity.
There's also the potential for human error on the sharing end of the equation, notes Colby Derodeff, chief strategy officer at ThreatStream. An ISAC member could accidentally post a legitimate IP address rather than an illegitimate one, for example: "If you just take that data at face value and put it into a correlation engine and monitor all firewall and proxy logs … you're going to generate thousands of" false positives, he says.
"Having the ability to analyze intel prior to putting it into active monitoring mode is really important."
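Added example, not code from the article or from any ISAC's platform: a minimal triage step that applies the points Solomon and Derodeff make above. Each shared IP indicator carries campaign, confidence and last-seen context; bare or stale indicators go to monitor-only instead of blocking, and anything on a constructed allow list of known-legitimate addresses is held for human review so a mis-posted address never reaches a blocking rule. The confidence threshold, the 30-day perishability window, the allow list and the sample feed are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress

@dataclass
class Indicator:
    value: str                 # IP address as shared by an ISAC member
    campaign: Optional[str]    # associated campaign or malware, None if the sharer gave none
    confidence: int            # 0-100, as asserted by the sharer
    last_seen: Optional[date]  # end of the observed malicious activity, None if unknown

# Constructed: infrastructure known to be legitimate; a member could post one of these by mistake
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]
PERISHABILITY_DAYS = 30  # assumed window after which an IP indicator is treated as stale

def triage(ind: Indicator, today: date) -> str:
    """Return 'block', 'monitor' or 'review' for one shared indicator."""
    try:
        addr = ipaddress.ip_address(ind.value)
    except ValueError:
        return "review"  # malformed value: a human should look before it touches any tool
    if any(addr in net for net in ALLOW_LIST):
        return "review"  # probable mis-post of a legitimate address; never auto-block it
    if ind.campaign is None or ind.last_seen is None:
        return "monitor"  # indicator without context: log matches, do not block on it
    if (today - ind.last_seen).days > PERISHABILITY_DAYS:
        return "monitor"  # perishability window closed: still useful for a historical search
    return "block" if ind.confidence >= 70 else "monitor"

def triage_feed(indicators, today: date) -> dict:
    """Sort a shared feed into the action each indicator earns."""
    out = {"block": [], "monitor": [], "review": []}
    for ind in indicators:
        out[triage(ind, today)].append(ind.value)
    return out

SAMPLE_FEED = [  # constructed sample indicators in the shape an ISAC alert might carry
    Indicator("192.0.2.10", "banking-backdoor", 90, date(2015, 2, 20)),  # fresh, with context
    Indicator("192.0.2.11", None, 90, None),                             # bare indicator
    Indicator("192.0.2.12", "ddos-c2", 95, date(2014, 11, 1)),           # activity window closed
    Indicator("203.0.113.5", "ddos-c2", 95, date(2015, 2, 25)),          # on the allow list
    Indicator("192.0.2.13", "ddos-c2", 40, date(2015, 2, 25)),           # low confidence
    Indicator("not-an-ip", "ddos-c2", 95, date(2015, 2, 25)),            # malformed
]

if __name__ == "__main__":
    for action, values in triage_feed(SAMPLE_FEED, date(2015, 3, 1)).items():
        print(action, values)
```

Only the "block" bucket should feed an automated control; the "monitor" bucket is what Derodeff's "analyze before active monitoring" step looks like in practice.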
[Read the first installment in this series, Efforts To Team Up And Fight Off Hackers Intensify]