Saturday, August 17, 2013

Antitrust to cyber is like a wooden stake to a vampire...

Last night we posted an intelligence analysis report (IAR) in response to a question from a member of the Oil and Gas industry. What started with a simple question in the Red Sky portal blossomed over the last two weeks into a full discussion with roughly a half dozen of our other members and two of the Red Sky analysts, and then into a formal report detailing the members of the group attacking the Oil and Gas companies, the targeting associated with their activities, how they went about their business, and their relative (or not) successes in their exploitative activities. In this case, the attackers had little success, but as we track them, we'll see the group's tactics change (likely get cleaner, more efficient and more effective). The Oil and Gas folks will already know them and be ready for them. And when the group decides to begin targeting other industries, our non-Oil and Gas company members will also be prepared.

This is the power of information sharing. 

Information sharing works, but only under specific circumstances:

Reform Cyber Antitrust. Antitrust to information sharing is like a wooden stake to a vampire.
I've been operating in this (information sharing) space since founding the Healthcare ISAC in 1999, and every company I've ever dealt with, when sharing information (above the 'doer level'), worries about what its antitrust liabilities will be. Lawyers threaten jail time when talking about sharing information with others, and when that information might lead to competitive advantage.

So here it is (Congress). We need to figure this out. Companies who share information about their cyber issues could face massive legal implications. Companies who don't, do face extinction.

Open and honest comms are a must. Anonymity doesn't work. 
In 1998, PDD-63 called out the US Critical Infrastructures. As a result of this new understanding of the critical infrastructures in the US and their susceptibility to cyber attack (we didn't call it cyber back then), Information Sharing and Analysis Centers (ISACs) were formed. The basic premise was this: one company has a computer get attacked/breached. The company could take the lessons learned and anonymously submit them to an aggregator, who would perform triage-level analysis and forward the results to the entire critical industry. ISACs popped up everywhere. I believe at the time there were 13 critical infrastructures. A financial services ISAC was formed, water, energy, etc. In fact, I founded the original Healthcare ISAC (here's a link to the wayback machine from the original post in 1999) on a suggestion by Alan Paller at the time.

In the early days, the idea of anonymity worked. Attacks occurring in member networks were not all that sophisticated (although at the time we thought that they were!) and anonymously sharing information about an attack on one system was simple to do. Today, however, when one attack occurs, it's more sophisticated. Account takeover, stealing drilling data from our Oil and Gas folks, military fighter data from defense companies, breaking into a Mercedes dealer for their customer list... whatever the reason, attackers are employing tactics that simply weren't used in the mid 90s. CISOs must understand that an attack no longer affects just one machine, but potentially thousands, and that simply submitting an anonymous post to a list just doesn't work. One attack profile can be used in multiple ways depending on the circumstances. One piece of malware can be modified thousands of times, but it's still the same malware doing the same thing as the very first.

Analysts need to be able to talk. Context must be known to be able to troubleshoot and understand the cause-and-effect of the attack. It (context) must either be provided by the submitter or extracted through Q&A... And when context is extracted through open conversation, the results are amazing.

We must remove the mental barriers. Attackers collaborate. So must we.
Out of the (18?) ISACs today, only one that I'm aware of has any kind of open conversation about cyber attacks, but it's not across the membership. It's across a very small subset (less than a couple dozen) of the very large membership (thousands). Why? Because the community, like others, has members with varying degrees of capability; because knowing about what's going on is very different than actually being able to do something about it... or even detect it; because members are afraid of antitrust; because CISOs inherently don't like to talk; because if a regulator is in the room, there'll be an investigation; or worst of all, because simply being a member of the ISAC checks the block that shows you're doing due diligence.

There is hope. 
There are loads of CISOs who get it. Many of our Red Sky Alliance members are members of both an ISAC and Red Sky Alliance. They participate in multiple forums where information is exchanged, and they compare notes in our portal. They've seen how open discussions produce FAR better, more actionable results (and ROI on their membership fee) than simply sending and receiving anonymous submissions to an aggregator or participating in an email list where pseudonyms are used to hide member identities and operational security practices are always suspect. Why? They get the best of both worlds. They get the benefits of the anonymized ISAC submission process and the government CIPAC interface (if they choose to use it), and from Red Sky they get full, detailed analysis and actionable information.

BT BT

Coming off the soap box, we're gearing up for the post-labor day workload. Summer is nearing a close and it's getting busy!

  • We posted our latest Intel Report (mentioned above).
  • We posted a second analytic product, authored by one of our interns. She's a UT Austin student in her third year, bilingual in Japanese and English and a dual major (computer science and journalism). She can really write! And when she's ready to graduate, we'll introduce her to the membership. She's very good and we love reading her analytic products!
  • We've been working hard on some new tech. As our community grows, so does the need to capture backend information. Our folks are, as we speak, heading for Japan for the first unveiling and beta testing with one of our members. 
  • And last, but certainly not least, we welcomed a new Forensic Examiner to Wapack Labs. Chris Wierda recently graduated from a BS program in Forensics at SUNY Erie County. He's an Army Vet and a Manchester native. We're glad to have him join the team!
Until next time,
Have a great week!
Jeff