ISACs Demystified

How some intelligence-sharing organizations operate in the face of today's threat landscape.

Second installment in a series on ISACs and threat intelligence-sharing.

The first clue of what was later exposed as the Carbanak international cybercrime ring targeting banks was a piece of intelligence shared within the Financial Services ISAC (FS-ISAC) in September 2014: backdoor malware that was siphoning credentials from a banking application used in Eastern Europe.

The malware, which a US-based security firm had shared with the FS-ISAC, was confirmed last month to be part of the Carbanak attack campaign out of Eastern Europe that stole some $1 billion over two years from 100 banks in nearly 30 countries, according to findings published by Kaspersky Lab.

"We did not know the extent of the breach or damage [in September], but that there was malicious activity. So there was no attribution, but there was a way to look for this malware," says Mike Davis, CTO at CounterTack, who is a member of the FS-ISAC.

This single malware alert, ultimately tied to the now-infamous banking campaign, shows how banks and other vertical industries often first learn of the latest threats hitting their sectors: one member of the ISAC community spots a piece of malware or a malicious IP address aimed at it or at another organization in the industry and shares it with the other members, who can then block that address, scan for the malware, and tune their other defenses against the threat.

But not all ISACs and related intel-sharing organizations operate the same way, or even share information in the same manner. Some ISACs are more effective in thwarting attacks than others, experts say. Their effectiveness often depends on the maturity and level of participation within those communities.

"One of the biggest criticisms about ISACs I hear across the intel community at large is that you get indicators without context, and that the volume [of information] is so high that … you don't know where to prioritize," says Stuart Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners. "The way ISACs should go is to explain why something deserves more or less attention," and to also validate the information, he says.

So by alerting their members about new threats and attacks, do ISACs actually help prevent the spread of breaches and attack campaigns?

"It depends on the quality and actionability of the information," says Solomon, who is scheduled to speak at Interop next month about intelligence-sharing and gathering.

Another factor: not all members act on the intel. "You get an email with a bunch of file names and hashes. What do you do with it?" CounterTack's Davis says. Some organizations are able to sift through the data and use it; others are not. "Some organizations get the information, but no one does anything with it," he says.

The key ingredient of a useful ISAC is context delivered alongside the indicators of compromise that get reported. Members then need the ability to analyze and ingest that intelligence and apply it to their security tools.

Take, for example, a malicious IP address that's reported targeting the financial services industry. To apply that information internally, an ISAC member needs accompanying details such as why the address is malicious and which campaigns or malware it's associated with, iSIGHT's Solomon says. It also helps to know the timeframe of the malicious activity tied to the address. "Has its perishability window closed? All of these items relate to context. Without context, it is just more noise."

Veterans And Rookies

The defense industrial base's intel-sharing organization, the Defense Security Information Exchange (DSIE), and the financial services industry's FS-ISAC are the most mature intel-sharing organizations and considered model mechanisms. The defense group, which began in 2008 as a small group of representatives from some of the largest defense contractors, spun out of the Network Security Information Exchange (NSIE), which was formed in 1991 as a subcommittee of the Network Security Telecommunication Advisory Committee (NSTAC). The FS-ISAC, meanwhile, dates back to 1999. Both groups experienced their share of growing pains in the early days, especially the initial hurdle of trusting your fellow members enough to freely swap intelligence with one another.

In contrast, there's the Industrial Control Systems (ICS) ISAC, formed in 2012 and a relative newbie in the ISAC world. That in part explains why hardly any of the in-the-trenches industrial facility members swap attack information. Chris Blask, chair of the ICS-ISAC, says it's mainly vendors and systems integrator members that share attack information in the ISAC, which offers an information-sharing platform via ThreatStream's service to its membership, along with Soltra Edge.

Blask explains that most industrial sites don't have a lot of information to share at this point--they may not know they've been attacked-- and if they do, many can't share it, anyway. "They have the worry that regulators are going to jump down their throat" if they share intel, he says. "Very few anywhere in the industrial space are really actively sharing information about what happens to them."

Even the FS-ISAC took a while to evolve into a true sharing organization. William Nelson, president and CEO of the FS-ISAC, which includes member institutions from across the globe, says banks at first didn't want to share information with their competitors. But all that is changing, especially as attackers continue to target the financial industry. In January, there were 450 instances where members shared information, amounting to tens of thousands of threat indicators, he says.

But the big turning point for the FS-ISAC came during the massive "Operation Ababil" DDoS attacks that hit North American banks in 2012 and 2013. Nelson says the financial services industry stepped up and teamed up: "They realized we needed to form response teams of victims, and share with others what they had gone through," he says. "The ROI was unbelievable," and one member of the community commented that when they were attacked, they were ready because of the FS-ISAC community's response teams and intel-sharing, he says.

A vendor member of the ISAC also provided some key intel to the banks targeted in the DDoS attacks: the command-and-control server instructions used by the DDoS botnet in the first level of the attack against bank networks. That gave the banks an early warning of the attack, says Jim Routh, CISO for Aetna Global Information Security and a member of the FS-ISAC. "Each bank had to determine how to protect themselves from the level 2 and 3 [DDoS] attacks, but knowing when they were coming was a big help to manage resources so that first responders could get some rest and be prepared when the attacks came," Routh says.

The second level of the attack required making configuration changes to impede the attackers, he says. "So knowing when the attacks were coming was helpful for the banks to apply resources effectively to respond and minimize business impact," Routh says. Anti-DDoS service providers also had access to the intel via the ISAC, he says.

The DSIE, meanwhile, now has nearly 70 member companies. Unlike many ISACs, the DSIE doesn't anonymize or scrub the source of attack information. So a defense contractor that gets targeted in an attack campaign first shores up its defenses against the attack, then posts the attack footprints for the other members of the DSIE, and everyone knows who shared them.

"A tenet we often advocate is contacting your largest competitor and engaging with them in information-sharing. Because they are most likely being attacked by the same set of advanced adversaries, there's a wealth of potential intelligence," says Mike Gordon, vice chairman of the DSIE. "We might be fierce competitors outside of DSIE, but within the partnership, we agree that cyber is a team sport," says Gordon, who works for Lockheed Martin.

Analysts at various defense contractors are on a first-name basis. "Our Lockheed Martin analysts need to know Wayne's [Boline, chairman of the DSIE] analysts at Raytheon by name," Gordon says.

"Scrubbed" or anonymized information isn't as useful and is more difficult to use, he says. Analysts need to be able to jump on the phone with one another and get more context than just a malicious IP, he says.

The defense industrial base group also prides itself on disseminating attack intel fast: "Within minutes of an indicator being found by one company, whether we knew it was successful or not, it's being shared with other companies" in the ISAO, says Jay Weinstein, a member of the DSIE board. "That's what makes us unique. Other less-mature [ISACs] take weeks, days, and some are down to hours" to share intel, says Weinstein, who is responsible for network security at a top 10 defense contractor.

Members of the DSIE have discovered multiple zero-day attacks, and have shared those markers accordingly, members say.

Meantime, the healthcare industry's NH-ISAC in the past year has evolved into more intel-sharing activity. "A year ago, it was more of pushing out information" to the membership, says Deborah Kobza, executive director of the healthcare industry's NH-ISAC, whose membership includes private and public-sector health organizations, hospitals, medical device manufacturers, and health departments. But that has shifted dramatically, she says.

Anthem's massive data breach revealed last month put the NH-ISAC's intel-sharing capability into full gear. The NH-ISAC received indicators of compromise from what appeared to be the Anthem breach, which the ISAC confirmed with Anthem, and then pushed to members of the NH-ISAC as well as to other ISACs.

The "I" In ISAC

But in the end, it's not just about the ISAC itself. Members of these communities need to discerningly ingest and apply the intel they get. "The best intel is what you generate yourself," says an expert with experience in ISACs who requested anonymity.  

There's also the potential for human error on the sharing end of the equation, notes Colby Derodeff, chief strategy officer at ThreatStream. An ISAC member could accidentally post a legitimate IP address rather than an illegitimate one, for example: "If you just take that data at face value and put it into a correlation engine and monitor all firewall and proxy logs … you're going to generate thousands of" false positives, he says.

"Having the ability to analyze intel prior to putting it into active monitoring mode is really important."
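Solomon's point about context and perishability windows and Derodeff's warning about a mistakenly shared legitimate address amount to the same operational rule: nothing goes from the feed straight into a blocking control. The Python below is an added example, not code from the article or from any ISAC platform it mentions. It triages a constructed indicator feed into block, monitor, archive and reject buckets; the feed, the organisation allowlist, the 30-day perishability window and the 70-point confidence threshold are all assumptions made for illustration, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Triage shared indicators before they reach active blocking.

Added example (not from the article). Every indicator, address and threshold
below is constructed for illustration; addresses come from the RFC 5737
documentation ranges and the hash is a placeholder, not a real sample.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of what a member might receive: some indicators carry
# campaign context and a recent last-seen date, some do not.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "campaign": "example-banking-trojan",
     "last_seen": "2015-03-10T08:00:00Z", "confidence": 85},
    {"type": "ipv4", "value": "198.51.100.7", "campaign": None,
     "last_seen": "2014-06-03T00:00:00Z", "confidence": 60},   # stale
    {"type": "ipv4", "value": "10.0.0.5", "campaign": "example-banking-trojan",
     "last_seen": "2015-03-11T00:00:00Z", "confidence": 90},   # internal address posted by mistake
    {"type": "ipv4", "value": "192.0.2.10", "campaign": "example-banking-trojan",
     "last_seen": "2015-03-11T00:00:00Z", "confidence": 95},   # a partner's address posted by mistake
    {"type": "ipv4", "value": "203.0.113.200", "campaign": None,
     "last_seen": "2015-03-09T00:00:00Z", "confidence": 40},   # no context
    {"type": "sha256", "value": "ab" * 32, "campaign": "example-banking-trojan",
     "last_seen": "2015-03-08T00:00:00Z", "confidence": 90},
]

# Hypothetical: addresses this organisation knows are its own or a partner's.
ORG_ALLOWLIST = {"192.0.2.10"}

# Hypothetical policy: how long an indicator stays actionable, and the
# confidence a contextualised indicator needs before it is blocked outright.
PERISHABILITY = timedelta(days=30)
BLOCK_CONFIDENCE = 70

# Fixed "now" so the example is reproducible.
SAMPLE_NOW = datetime(2015, 3, 12, tzinfo=timezone.utc)

# Ranges that should never appear in a shared indicator. The RFC 5737
# documentation ranges are left out only so the constructed feed above passes;
# a production list would include them as well.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Decision:
    value: str
    action: str   # "block", "monitor", "archive" or "reject"
    reason: str


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ip_problem(value):
    """Return why an address must not be blocked, or None if it may be."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "malformed address"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable address; probably posted by mistake"
    if value in ORG_ALLOWLIST:
        return "on organisation allowlist; blocking it would cause an outage"
    return None


def vet_indicator(ind, now):
    """Decide what to do with one shared indicator."""
    value = ind["value"]
    if ind["type"] == "ipv4":
        problem = _ip_problem(value)
        if problem:
            return Decision(value, "reject", problem)
    elif ind["type"] == "sha256":
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value.lower()):
            return Decision(value, "reject", "malformed sha256")
    else:
        return Decision(value, "reject", f"unsupported indicator type {ind['type']}")

    # Perishability first: an expired indicator is for retro-hunting, not blocking.
    age = now - _parse_ts(ind["last_seen"])
    if age > PERISHABILITY:
        return Decision(value, "archive",
                        f"last seen {age.days} days ago; keep for retro-hunting, not blocking")
    # Without context or confidence, alert on hits but do not block.
    if not ind.get("campaign"):
        return Decision(value, "monitor", "no campaign context; alert on hits, do not block")
    if ind["confidence"] < BLOCK_CONFIDENCE:
        return Decision(value, "monitor",
                        f"confidence {ind['confidence']} below block threshold {BLOCK_CONFIDENCE}")
    return Decision(value, "block",
                    f"active, attributed to {ind['campaign']}, confidence {ind['confidence']}")


def vet_feed(feed, now):
    return [vet_indicator(ind, now) for ind in feed]


def render_blocklist(decisions):
    """Only 'block' decisions become firewall or proxy entries."""
    return sorted(d.value for d in decisions if d.action == "block")


if __name__ == "__main__":
    results = vet_feed(SAMPLE_FEED, SAMPLE_NOW)
    for d in results:
        print(f"{d.action:8} {d.value[:20]:20} {d.reason}")
    print("blocklist:", render_blocklist(results))
```

Of the six constructed indicators only two reach the blocklist; the internal and partner addresses are rejected outright, which is exactly the mistake Derodeff describes, and the stale and context-free entries are kept for hunting and alerting without ever touching the firewall.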

[Read the first installment in this series: Efforts To Team Up And Fight Off Hackers Intensify]


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Strategist
3/26/2015 | 9:30:08 AM
redefining boundaries and walls....
I commented earlier on this thread about the need for some Gov led action in regards to forcing cyber threat information sharing among private entities and governments.    I read on the way in to work this morning that a bill introduced on Tuesday "Protecting Cyber Networks Act" will "make it easier for companies to share information about cybersecurity threats with the government, without the fear of being sued."

The proposed bill would create an environment for private to private and private to government sharing of threats where the private organisations are indemnified and held free from harm in regards to the threats they are sharing.

However, there is no onus placed on anyone to actually do anything about the sharing of such information.   As such there are a few questions that are raised regarding intent and effect.
  • Is this a pre-cursor to a more heavy handed approach where info sharing will be mandated in the event of breach?
  • Bad guys share information more readily - there is less concern about loss of IP on the "dark side".   Will private corporations actually share info that could expose them, or other organisations, to risk?
  • Will the scrubbing of intel make it less useful?

In the article spawning this comment DSIE Vice Chairman Mike Gordon states pretty clearly that scrubbed info is less useful than un-scrubbed.   The bill seems to propose a sanitised version of what DSIE is already trying to achieve - trying to clean and scrub (a human task which may or may not end up being automated) could result in the creation of a lot more bad data which exacerbates the initial problem of too much stuff to analyse.  

I would still contend that culturally the fear of losing protection of our info is still greater than the fear of that same private data actually being corrupted.   Either the balance of fear will need to change or legislative action will need to be taken to enforce sharing of relevant useful info.

User Rank: Ninja
3/13/2015 | 1:04:37 PM
Re: Seems like we're redefining boundaries and walls?
I like your idea. If the company is breached once, there has to be a mandate to make sure there is a proper team in place and that their policy and procedures are under review and they get a grading out of that, as we do it for the restaurants in the US currently. That will make most of us secure, I would think.
User Rank: Ninja
3/13/2015 | 1:01:36 PM
Re: Understanding who to share with
DIB-ISAC (an acronym for Defense Industrial Base-ISAC) was created to address an all-hazards approach to securing the DIB supply chain, according to wikia.com/wiki/DIB-ISAC
Defense Security Information Exchange (DSIE) from whitehouse.gov
User Rank: Ninja
3/13/2015 | 12:57:11 PM
Re: Understanding who to share with
Obviously it is not easy not to get confused. Thank you for clarifying that, DSIE_Membership :--))
User Rank: Ninja
3/13/2015 | 12:54:01 PM
Obviously we cannot address everything at the same time; it is a good idea to do prioritization with explanation. That is how it works with all businesses if you want to get things done.
User Rank: Strategist
3/13/2015 | 11:08:46 AM
Seems like we're redefining boundaries and walls?
Each ISAC needs to operate in an environment of full trust and cooperation with each other; a primary reason hackers were (and are) so successful is that they share their info and techniques.   They do so in an environment that has become ever more professional and corporate - while the hacking charter isn't exactly geared towards "good", the ability and willingness for them to network and share info is something that most corporations would give their eye teeth to have internally.

The white hats (in this case each company affiliated to an industry ISAC) have more to lose than the hackers, hence the reason they're being hacked in the first place.   Some of the items highlighted here are alarming in their short-sightedness such as incomplete, non-contextualised information being shared, inaction on the part of recipients with regard to info provided.

Perhaps the focus of the ISAC is wrong? Instead of trying to share threat identification markers (usually post breach) why aren't they searching for their own vulnerabilities and sharing that info... oh yeah, competitive advantage can't be undermined, right...? In other words a distinct absence of trust.

I'd suggest that any company that has been breached and has lost protected information should be compelled by federal law to set up a vulnerability analysis team (or hire one) and have their results shared with ISACs in their own and other industries for the following 5 years.

How quickly would companies tighten up on security measures in the face of having to consistently air their dirty laundry for the next 20 quarters?
Kelly Jackson Higgins,
User Rank: Strategist
3/13/2015 | 10:04:32 AM
Re: Understanding who to share with
Thanks, @DSIE_Membership, for noting that the DSIE and the DIB-ISAC are separate organizations.  
User Rank: Apprentice
3/13/2015 | 9:00:10 AM
Understanding who to share with
It's easy to get confused as you look for your company's fit amongst the various information sharing organizations such as ISACs and ISAOs. The reality is that almost anyone can start an information sharing organization, so it's very important that companies and individuals understand the scope of the sharing team.  Is the scope Regional / National / Global? Is the scope sector specific or cross industry?  How long has this group existed and how trusted is the group in the cyber community?  If you would like more information on DSIE please send an email to membership at dsie . net

Please note: While the DIB-ISAO/DSIE are referred to in this article as the Defense industrial base ISAC, we are NOT affiliated with the new startup organization known as the "DIB-ISAC".