Companies with mature cybersecurity organizations have a vested interest in understanding their adversaries and cyberthreats. There's always the chance that another organization has uncovered a threat pertinent to someone else. What happens if the data isn't shared?
Information sharing without government input and evaluation widens the knowledge gap. And with so many new threats emerging daily, public and private sector organizations can't afford to defend against them separately. If data isn't shared, they will have to.
"It feels to me that there's a lot of organizations that are out there in the private sector that don't necessarily realize how much of a national security role that they play," said Chad Hoffman, COO of Analyst1, a threat intelligence company, and former Department of Defense threat intelligence analyst.
Federal agencies want more threat intelligence and information sharing, while companies are reserved about how much they trust the government, and each other. The relationships between companies and the public sector are improving as government works to balance its national security interests with the interests of businesses — continuity, reputation and sustainability.
The Cybersecurity and Infrastructure Security Agency (CISA) has become a dominant authority in identifying and mitigating vulnerabilities alongside the FBI and NSA. However, with the new national cyber director in the White House, "it just seems really confusing the amount of work that the federal government is still trying to figure out on their end of who's going to be in charge of what and then how are they going to mandate sharing," said Hoffman.
Threats only have meaning if a company decides they do; some threats aren't shared among peers because an organization doesn't deem them serious enough. But a company may not always know what's a benign threat versus one that is a piece of a larger puzzle the company doesn't know about.
Businesses may not think they should inform the FBI's Internet Crime and Complaint Center (IC3) of general, non-targeted phishing attacks. But federal agencies have been able to piece together disparate reports to contain attackers. "My team would always share the more generic stuff through IC3," said Curtis Simpson, CISO of Armis. If something more specific arose, the team submitted a report through the FBI's tip submission system.
CISA's automated indicator sharing (AIS) is a no-cost feed, essentially, for sharing threat intelligence in open source or paid-for platforms. "You're getting a wide array of details from the government in terms of how they see these attacks playing out in the landscape, and how you can determine whether or not you've been potentially exposed," said Curtis. It's a form of continuous, proactive information sharing.
AIS was established as part of the Obama-era 2015 Cybersecurity Information Sharing Act. The law protects non-federal organizations from liability for participating in sharing, as long as the process adheres to the law's standards.
But the law and AIS are still not mature enough to accomplish effective proactive sharing, said Hoffman.
Who you gonna call?
CISA is one of the federal agencies, next to the FBI and NSA, that has a finger on the pulse of cyberthreats, said Curtis. The FBI is the first and foremost partner between the private sector and the federal government, and the FBI's InfraGard is "the easiest entry point into engaging with the federal intelligence agencies," he said.
While relationships in FBI field offices are common, most FBI/private sector relationships begin with an InfraGard membership, which "connects owners and operators within critical infrastructure to the FBI."
InfraGard was not accepting applications for new members, but "we will re-open the application process in the near term as we transition to a new application form," according to the website at the time of publication. Normally the application process is straightforward, and companies can join the information sharing feedback loop with the FBI.
Once in the program, companies can build relationships with local FBI chapters, to the point of establishing direct contacts with insight into a specific industry.
For companies looking for more industry-specific information sharing, Industry Sharing and Analysis Centers (ISACs) come into play. ISACs have spread across industries since their inception in 2000, and about 36% of organizations belonged to an ISAC or Information Sharing and Analysis Organization (ISAO) group as of 2018, according to the Ponemon Institute. About 36% of organizations engage in inbound ingestion, while 31% participate in outbound sharing.
ISACs have their limitations.
CISA has championed ISACs as nonprofit organizations, but in "my opinion, it's become a money driven business to share cyberthreat information or intelligence," said Hoffman. "It's kind of like a closed loop where a lot of organizations aren't necessarily getting that information unless you pay for it."
In 2018, 44% of organizations used paid threat intelligence feeds, followed by 23% that used open source feeds and 17% that used ISACs or ISAOs, according to the report.
ISACs' effectiveness also varies by industry, depending on how many members participate and on the ISAC's tenure. To complicate matters further, "cyber leaders trust no one, by default," said Curtis. "One of the factors of doing this job for a long time, is that you trust no one until they prove that you should trust them. And it's the right way to operate in this role."
However, in the context of information sharing, uninformed business decisions are divorced from cybersecurity. Non-technical, non-security personnel could discourage information sharing by misunderstanding which data is relevant to cyber defense versus strategic business data, said Curtis. "That fear was being introduced" internally in companies.
Competing companies and federal authorities sometimes have opposing agendas. "Experience has shown that ISAC organizations attempt to withhold information or obscure the identity of the company," according to a 2016 report from the AFCEA International Cyber Committee. That experience in ISACs indicates some companies are unwilling to be forthright about their identities with fellow industry players and government.
It's now more widely understood that threat intelligence drives value in security operations centers, not in business objectives. From a business perspective, 79% of security professionals said threat data feeds improve their organization's security posture, according to a survey by the Ponemon Institute sponsored by Neustar. The report was based on responses from 1,025 IT security practitioners based in the U.S. and UK.
"Most people understand that now, if they don't, they're just laggards," said Curtis.
A similar theme of mistrust bleeds into public/private sector relations. "You have people that put on that tinfoil hat, and say 'If I start sharing my information with the government, what are they going to do with it? How am I going to get associated with that?'" said Hoffman.
Layers of trust
Cross-sector information sharing forums have historically had an air of skepticism and distrust. While agencies like CISA are trying to chip away at that perception, it will take more time.
"I fell into that category to some extent in years past, because it was a lot of, give data to the FBI, get no confirmation back from them or no feedback. They share data with you, but it was incredibly generic, highly filtered, and not really useful," said Curtis.
Hoffman and Javvad Malik, security awareness advocate at KnowBe4, agreed; the government could unintentionally be the bottleneck that keeps the feedback loop from closing. Continuity of information sharing is an issue, leaving unanswered questions, including:
- Where the data was found
- Who was the attacker
- How the attack was uncovered
- What defensive measures were in place at the time of the attack
- What details are shareable versus what could prompt a secondary attack
"I don't know if it's necessarily going to get fixed anytime soon," said Hoffman, though additional security and defense funding could help.
But with increased reliance on private industry, the government has become far more willing to share information. Curtis believes that about-face began with CISA's inception in 2018. "It was at that time that I think all of the U.S. intelligence agencies really looked at how we need to operate going forward," he said.
Following the SolarWinds compromise, the Department of Homeland Security asked CISA for confidential data regarding SolarWinds and private companies. CISA denied the request, fearing it could harm the relationship between the agency and companies, because companies entrust CISA with technical details of cyber incidents, which can include proprietary data.
"I think there still needs to be some anonymization of the data that does get shared," said Hoffman. Yet for SolarWinds and Microsoft Exchange, "I don't think there was as much backlash as there has been in the past, because people were trying to be as open as possible."
While more information sharing should theoretically prevent large breaches or cyberattacks, reactive information sharing can be a point of contention in ISAC organizations. While more barriers to sharing openly are broken down, companies sometimes have a penchant for over-sharing.
"I think sometimes the marketing is ahead of the actual content," said Malik. It becomes "more of an opportunity to show, 'Look how great I am. I found this, look how technically efficient I am.'" Curtis agreed.
On average, organizations were attacked 28 times in the last two years. More than one-third of the respondents said the cyberattacks succeeded because the business lacked "timely and actionable data from their feeds," according to the Ponemon Institute report.
Malik wants more actionable items to supplement threat intelligence and to provide informed criteria for mitigating a newly found vulnerability. "The danger is a lot of companies end up getting paralyzed because there's just too much information," said Malik. Making threat intelligence reports usable also makes them easier for companies to prioritize. "Make it clear as to what people should do with that information."