How ISACs, ISAOs, and their members use ThreatConnect’s threat intelligence sharing platform effectively to share threat information
For those who read “share the love” and hoped this was a post about reggae music, and its rhythmic message of peace, love, and unity, my apologies. This post is actually about the smooth sound and power of cybersecurity information sharing – how ISACs and ISAOs, and their members, share threat information. One could draw similarities from the motif – social empowerment and movement through collaboration – so please imagine Bob Marley serenading this to you.
Like any paradigm shift, “sharing the love” in cybersecurity (collaboration and information sharing of threat intelligence) is complex and multi-faceted. It takes a lot of time, resources, and experimentation. Yet this is something our adversaries have already embraced. The 2015 Verizon DBIR reported that over 40% of attacks hit a second organization within an hour, and the 2016 edition found that in most industries, three-quarters of incidents and breaches actually fall into just three patterns. This suggests that our adversaries “share the love,” and it also illuminates that these threat actors are leveraging similar tactics, techniques, and procedures (TTPs) to exploit organizations in the same industry.
What have we done to combat this?
In 1998, Presidential Decision Directive 63 (PDD-63) established critical-infrastructure, sector-specific organizations to share information about threats and vulnerabilities through Information Sharing and Analysis Centers (ISACs). ISACs collect, analyze, and disseminate actionable threat information to their members to increase sector-wide situational awareness. ISACs work closely with the Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP), which came out of the National Cybersecurity and Communications Integration Center (NCCIC). Like ISACs, the purpose of Information Sharing and Analysis Organizations (ISAOs) is to gather, analyze, and disseminate cyber threat information, but unlike ISACs, ISAOs are not sector-affiliated. Then in 2015, the Obama Administration issued Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing – which calls for the development of ISAOs in order to promote better cybersecurity information sharing between the private sector and government, and to enhance collaboration and information sharing across the private sector (DHS, 2016).
This sharing of threat information is a change in ideology and thus, has created a labyrinth of challenges for many organizations and industries. ISACs and ISAOs not only have to hunt and cultivate relevant threat intelligence for their members, they also have to build portals and a means to disseminate the data; methods to share it securely; educate members on how to use the data efficiently; and incentivize members to share that data back into the community.
However, not all ISAC and ISAO industry members are the same. Each member has different stakeholders, practices, processes, business models and focus on cybersecurity. While members in the same industry may share similar vulnerabilities, threats, campaigns, and adversaries, each member has a different level of threat intelligence maturity. Many, if not most members, don’t yet have the resources or capabilities to collaborate on threat data or proactively produce threat intelligence to share back into the community. For most, it is hard enough to manage the complexity of cybersecurity internally, so to think about it on a larger scale across sectors is even more daunting. Bottom line: embracing the reggae philosophy in threat information sharing (i.e. sharing the love) has been slow going, and certainly not everyone’s current reality.
The simple reason is the diverse range of ISAC and ISAO member maturity levels. What does that mean? According to ThreatConnect’s Threat Intelligence Maturity Model, there are five levels of maturity when developing a threat intelligence program for any organization, ISAC or ISAO. The Threat Intelligence Maturity Model offers direction on the capabilities, risks, and exposures that organizations anticipate at each level, and as they move to the next milestone.
For simplicity, consider the farm systems (minor leagues or development leagues) in Major League Baseball (MLB). MLB has the same diversity across its players and coaches as ISACs/ISAOs have across their members: differing experience and “industry” knowledge, varying skill levels, and different stages of player development, all of which dictate the need for a farm system. With that:
Let’s Play Ball
Single A (or Level 0)
Let’s classify Single A (or Level 0) as ‘learning,’ with a small or no threat intelligence team; no processes, and minimal exposure to threat intelligence outside of their ISAC. In Single A, the organization is unclear where to start. Most become data collection programs, focusing on endpoints, SIEMs, or external data. Because there is no formal team, there are minimal to no processes. It’s a reactive and consumption-based state.
At any level in baseball, repetition is important, whether it’s at-bats, pitches, or time in the field. But it’s most crucial in Single A. When ball teams have only one or a few “players” covering every position across all of information security, they need to keep it simple. They don’t have enough time or resources. When there is a lack of people, there has to be a reliance on process. That’s where ThreatConnect comes to bat. The Platform automates the collection and correlation of the threat data the ball club receives and allows them to set thresholds for sending that data to their defensive tools and, most importantly, reduce alert fatigue. The alerts they receive have higher reliability and more context, so the ball player can make faster decisions and report on the actions effectively. As Single A ball teams are consumers, ThreatConnect makes it easy for them to collect their ISAC data, and if they trust the data being disseminated by the ISAC and its members, they can push that intelligence to their endpoints.
Double A (Level 1) and Triple A (Level 2)
Let’s classify Double and Triple A as ‘maturing,’ where small teams are beginning to build some processes and get an expanded view of threat intelligence. They are still on the consumption side of the pendulum and may not share into a community, but they want to participate in discussion or ask some questions. Player development is important for all farm systems, but it is especially important for ‘maturing’ teams, as coaches work to expand their capabilities. Double A (Level 1) is where an organization is warming up to threat intelligence: aggregating threat data, and beginning to correlate internal data with ISAC or other ingested data within a SIEM to create alerts. Still, the “ballplayer” responsible for this is overwhelmed, and possible alert fatigue only makes it worse. Triple A (Level 2) is where player development is evident, as coaches are expanding their team and threat intelligence capabilities. They are beginning to draw context and connections in the data to produce some operational and actionable threat intelligence in a small Security Operations Center (SOC).
ThreatConnect fosters player development by helping these ball players create repeatable processes around the detection, enrichment, and remediation of their threat data so they become more efficient hunters.
- ThreatConnect’s Playbooks help ball players achieve this by creating automated, configurable workflows and templates around the identification, analysis, and remediation of threats. Since each Playbook records whenever it runs and lists every action taken, ball teams can recognize deficiencies and repeatable patterns.
- With ThreatConnect’s Analyze feature, these ball players can ask ThreatConnect what it knows about an indicator or threat.
- The Collective Analytics Layer (CAL™), which provides an anonymous global reputation for an indicator, allows them to ask whether the indicator has been seen before; and
- ThreatConnect’s Spaces lets players connect multiple portals on a specific indicator to make them faster and refine their skills.
Like Single A, these ball teams want to consume their ISAC data, but ThreatConnect allows them to correlate with other intelligence sources, third party enrichment services and their own analysis so they can push to their endpoints or ask questions in the community.
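The threshold-gated correlation described above (collect ISAC indicators, correlate them with internal SIEM data, alert with context, and push only trusted indicators to defensive tools) as an added example, not ThreatConnect’s own code or API. The feed record fields (`value`, `type`, `confidence` as 0-100, `source`) and the parsed SIEM event shape are assumptions, and all indicator values and events are constructed sample data.

```python
"""Correlate a constructed ISAC feed with constructed SIEM events.

Added example, not ThreatConnect code. Field names are assumptions.
"""
from collections import defaultdict

# Constructed ISAC feed: indicator value, type, confidence (0-100), source.
ISAC_FEED = [
    {"value": "203.0.113.7", "type": "ip", "confidence": 90, "source": "ISAC"},
    {"value": "198.51.100.23", "type": "ip", "confidence": 35, "source": "member-A"},
    {"value": "bad.example.net", "type": "host", "confidence": 80, "source": "ISAC"},
]

# Constructed internal SIEM events (proxy/firewall style, already parsed).
SIEM_EVENTS = [
    {"ts": "2016-08-01T10:01:02Z", "src": "10.0.0.5", "dst": "203.0.113.7", "host": ""},
    {"ts": "2016-08-01T10:01:09Z", "src": "10.0.0.5", "dst": "203.0.113.7", "host": ""},
    {"ts": "2016-08-01T10:02:30Z", "src": "10.0.0.9", "dst": "192.0.2.1", "host": "bad.example.net"},
    {"ts": "2016-08-01T10:03:00Z", "src": "10.0.0.11", "dst": "198.51.100.23", "host": ""},
]


def correlate(feed, events, push_threshold=75):
    """Return (alerts, block_list).

    Each feed indicator seen internally yields ONE alert carrying context
    (confidence, source, hit count, affected hosts, first sighting), so
    repeated sightings collapse instead of paging the analyst per event.
    Only indicators whose confidence meets push_threshold are placed on
    the block list handed to defensive tools; low-confidence member
    submissions still alert but are not enforced automatically.
    """
    by_value = {ind["value"]: ind for ind in feed}
    hits = defaultdict(list)
    for ev in events:
        for candidate in (ev["dst"], ev["host"]):
            if candidate and candidate in by_value:
                hits[candidate].append(ev)
    alerts, block_list = [], []
    for value, evs in hits.items():
        ind = by_value[value]
        alerts.append({
            "indicator": value, "type": ind["type"],
            "confidence": ind["confidence"], "source": ind["source"],
            "hits": len(evs),
            "internal_hosts": sorted({e["src"] for e in evs}),
            "first_seen": min(e["ts"] for e in evs),
        })
        if ind["confidence"] >= push_threshold:
            block_list.append(value)
    # Highest-confidence alerts first so the analyst triages those before the rest.
    alerts.sort(key=lambda a: (-a["confidence"], a["indicator"]))
    return alerts, sorted(block_list)
```

Raising `push_threshold` is the knob a small team turns when it only wants to enforce indicators the ISAC itself has vetted.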
The Majors (Level 3) and All Stars (Level 4)
The Majors (Level 3) is where there is a threat intelligence program in place – and for ball fans, ticket prices start to increase significantly. There are processes and workflows in place, teams are producing tactical and strategic threat intelligence, and they are sharing that intelligence with stakeholders and in communities. The All-Stars (Level 4) are operating in high gear, with well-defined threat intelligence programs. They have mature teams and processes, actively participate in or lead communities, and produce and utilize tactical and strategic threat intelligence. These two levels are generally classified as ‘advancing,’ with defined programs that produce actionable threat intelligence.
When hitting in the big leagues, players want to maintain high performance and operate on all cylinders. These ball clubs want to orchestrate processes to distribute knowledge across teams and tools. It’s important to create best practices and templates, define what success is, and continue to replicate it. ThreatConnect Playbooks allow these teams to do exactly that, and give the coaches a bird’s-eye view of their current processes so they can recognize deficiencies (track them, and train the players where necessary) and create repeatable workflows. ThreatConnect becomes a workbench for these teams, where they can not only customize their processes for detection, analysis, and action in the Platform, but also create custom indicator types, apps for specific indicator and group types, and their own representations of the data.
Rounding the Bases
Joining ISACs and ISAOs is important for members of all maturity levels and it’s just as important for these ISACs and ISAOs to classify and understand the maturity level of their members. However, because of member maturity variance, it’s hard to appease everyone. For newer ISAC and ISAO members, it’s best to focus on simplicity and look to ‘advancing’ members to lead the way in the collaboration and analysis of relevant threat intelligence.
To incentivize sharing, all ISACs and ISAOs need to automate the dissemination and memorialization of threat intelligence to their members in a way that makes it easy for them to consume, enrich, and share back into the community. In the ThreatConnect Platform, ISACs and ISAOs have the ability to automate the dissemination and memorialization of threat data for their internal analysts and members. And, the Platform provides a Community where ISAC and ISAO members can consume the data, ask questions, enrich the intelligence and share it back to the community securely. As ISACs and ISAOs grow their capabilities and add more members, ThreatConnect can scale with them.
While it’s important to share threat data and intelligence, there is greater benefit in sharing the methodology by which the threat intelligence was derived, because a methodology can be replicated across organizations. In the ThreatConnect Platform, methodologies can be shared via Playbooks. ISACs, ISAOs, and organizations can create templates for their threat analysis processes that can be imported, exported, and shared into the community. Sharing how the threat intelligence was created enables sectors to protect their assets more effectively, whereas solely presenting the end result – that a piece of intelligence is relevant or irrelevant – is far less impactful. True collaboration occurs when ISACs, ISAOs, and organizations actually share methodologies for how to look at threat data and how to analyze an alert or an incident. Implementing this practice in ThreatConnect is one more way in which ISACs, ISAOs, and organizations can take a proactive stance in protecting industry assets.
Sliding into Home
There is still much we don’t know about our adversaries, and we are all equal targets. The collective knowledge always outweighs that of an individual – that is, the power of ISACs and ISAOs and using ThreatConnect. ISACs and ISAOs and their members can build and collaborate on actionable threat intelligence. Having a community portal where minor league members can learn from major league members is a big step in protecting sector assets. ThreatConnect is a central place where ISACs, ISAOs, and their members can ask questions and validate the threat data being seen in the Platform which allows members to be proactive, and get ahead of adversaries – thus embracing our reggae song about cybersecurity information sharing: “sharing the love,” social empowerment and movement through collaboration. (P.S. Thanks for the vocals, Bob).