Cyber security can provide longevity to a business and can help differentiate it from its competitors. Organisations, both in the public and private sector, need strong cyber security fundamentals to provide trust and confidence to citizens, businesses, and customers alike.
The threat landscape, however, is not abating and will keep evolving. That reality holds for Australian organisations as much as for businesses anywhere. The Australian Government is taking important steps to raise the nation’s cyber resilience with the release of the Cyber Security Strategy in April 2016. As Australian Prime Minister Malcolm Turnbull says, “the Australian Government has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace. We must safeguard against criminality, espionage, sabotage, and unfair competition online.”
Australia’s Cyber Security Strategy has five main themes:
- A national, cyber public-private partnership,
- strong cyber defences (including cyber threat information sharing),
- global responsibility and influence,
- growth and innovation, and
- a “cyber smart nation”
These are laudable goals, but if Australia genuinely aspires to put an end to breaches, government cannot do it alone: a partnership with industry is necessary.
One key way for industry to play a valuable role is to participate in voluntary cyber threat information sharing. Operationalising that sharing, within and across industries and between the private and public sectors, shifts the balance of power toward defenders: an attack that is detected once can be blocked everywhere, which closes the gap between attacker and defender and drives up the cost of each successful attack.
What Is Meant by Cyber Threat Information Sharing?
Cyber threat information sharing is the sharing of information about threats and incidents so that all entities can better protect and defend their networks. The information in question is generally technical in nature: bot command-and-control servers, malware samples, malware analysis results, and indicators of compromise. In short, it is about sharing attack information. What matters most to an organisation is to learn which kinds of actors target it, the tools those actors have available, and the tactics they employ.
What to Share and How
- Threat Indicators: forensic artefacts (malware hashes, command-and-control servers and the like) that describe the attacker’s methodology.
- Adversary’s Campaign Plan: the threat indicators for each link in the cyber attack lifecycle, attributed to a specific adversary group.
- Context: intelligence about an adversary group beyond its campaign plan that helps organisations understand the adversary, such as motivation, country of origin, and typical targets.
- Adversary Dossier: the campaign plans plus the context, that is, the collection of threat indicators attributed to a specific adversary campaign or playbook together with any additional context about the adversary group.
Sharing the above improves an organisation’s assessment of the adversary group’s potential material impact on it, giving it a better chance to detect and prevent the attack and, in turn, to deter the adversary.
The information itself is important, but it must also be actionable. As we have observed before, even the best-resourced security teams cannot scale manual responses to automated threats; only by automating prevention and detection can organisations move fast enough to secure their networks. Government and industry must therefore collaboratively build a robust, automated information sharing architecture capable of turning threat indicators into widely distributed security protections in near-real time. Automation cuts both ways, though: an indicator pushed straight into enforcement without validation (a shared hostname that also serves legitimate traffic, say) becomes a self-inflicted outage, so the architecture needs quality control and indicator expiry as much as it needs speed.
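As an added worked example (not code from the article or from Palo Alto Networks), the following Python sketches the last step of that architecture: a shared adversary dossier in the taxonomy above (indicators per lifecycle link, plus context) is validated, turned into a lookup, and run over log lines, with the matches telling the defender how far along the lifecycle the adversary has got. The record layout, the lifecycle phase names, the key=value log format and the sample data are all assumptions constructed for illustration.

```python
"""Added example, not from the article: turning a shared adversary dossier
into automated detection over log lines. The record layout, lifecycle phase
names, log format and sample data below are assumptions for illustration."""
from dataclasses import dataclass
import ipaddress
import shlex

# Assumed lifecycle phase names; the article only speaks of "each link in the
# cyber attack lifecycle" without naming them.
LIFECYCLE = ("delivery", "exploitation", "installation", "c2", "actions")

# Which log fields an indicator of each kind is compared against (assumed schema).
FIELDS_FOR_KIND = {
    "domain": ("query", "dst_host"),
    "ip": ("dst_ip",),
    "sha256": ("hash",),
}


@dataclass(frozen=True)
class Indicator:
    kind: str   # "domain", "ip" or "sha256"
    value: str  # normalised to lower case
    phase: str  # one of LIFECYCLE


@dataclass
class Dossier:
    group: str
    context: dict   # motivation, origin, typical targets (non-campaign-plan context)
    campaign: list  # the campaign plan: one Indicator per lifecycle link


def parse_dossier(record: dict) -> Dossier:
    """Validate a received record before any of it becomes a security control."""
    indicators = []
    for item in record["campaign"]:
        if item["phase"] not in LIFECYCLE:
            raise ValueError("unknown phase %r" % item["phase"])
        if item["kind"] not in FIELDS_FOR_KIND:
            raise ValueError("unsupported indicator kind %r" % item["kind"])
        value = item["value"].strip().lower()
        if item["kind"] == "ip":
            ipaddress.ip_address(value)  # raises on garbage before it becomes a rule
        if item["kind"] == "sha256" and len(value) != 64:
            raise ValueError("malformed sha256 %r" % value)
        indicators.append(Indicator(item["kind"], value, item["phase"]))
    return Dossier(record["group"], record.get("context", {}), indicators)


def parse_log_line(line: str) -> dict:
    """Parse a key=value log line (assumed format); shlex handles quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def scan(lines, dossier: Dossier):
    """Return (line_no, phase, indicator_value) for each log line that hits an indicator."""
    # One (field, value) lookup so each log line costs O(fields), not O(indicators).
    lookup = {}
    for ind in dossier.campaign:
        for field in FIELDS_FOR_KIND[ind.kind]:
            lookup[(field, ind.value)] = ind
    hits = []
    for n, line in enumerate(lines, 1):
        for field, value in parse_log_line(line).items():
            ind = lookup.get((field, value.lower()))
            if ind is not None:
                hits.append((n, ind.phase, ind.value))
    return hits


def furthest_phase(hits):
    """Deepest lifecycle link observed, which is what decides how urgent the response is."""
    seen = [LIFECYCLE.index(phase) for _, phase, _ in hits]
    return LIFECYCLE[max(seen)] if seen else None


# --- constructed sample data, not real threat intelligence or real logs ---
SHARED_RECORD = {
    "group": "EXAMPLE-GROUP-1",
    "context": {"motivation": "espionage", "typical_targets": ["government", "telecom"]},
    "campaign": [
        {"kind": "sha256", "value": "a" * 64, "phase": "delivery"},
        {"kind": "domain", "value": "update.example-cdn.invalid", "phase": "c2"},
        {"kind": "ip", "value": "192.0.2.44", "phase": "c2"},
    ],
}

SAMPLE_LOGS = [
    "ts=2016-05-01T09:00:01Z src=dns src_ip=10.0.0.5 query=www.example.org",
    "ts=2016-05-01T09:00:07Z src=edr host=ws17 hash=" + "A" * 64,
    "ts=2016-05-01T09:01:02Z src=dns src_ip=10.0.0.5 query=UPDATE.example-cdn.invalid",
    'ts=2016-05-01T09:01:03Z src=fw src_ip=10.0.0.5 dst_ip=192.0.2.44 dst_port=443 action="allow"',
]


def demo():
    dossier = parse_dossier(SHARED_RECORD)
    hits = scan(SAMPLE_LOGS, dossier)
    return hits, furthest_phase(hits)


if __name__ == "__main__":
    hits, phase = demo()
    for hit in hits:
        print("line %d: %s indicator %s" % hit)
    print("furthest phase:", phase)
```

The validation in parse_dossier is the "quality control" step: a malformed address or an unknown phase is rejected at ingest rather than turned into a rule, and the lookup is rebuilt from the dossier each time so expired indicators can simply be dropped from the record.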
Resistance to Sharing and Other Barriers to Success
Increasing cyber threat information sharing in our country is easier said than done, for a number of reasons. First, there is apprehension amongst organisations that information sharing could hurt them. Many feel that by sharing information that could be classified as sensitive and privileged, they would be handing an advantage to their competitors. As noted above, however, the focus should be on sharing attack information, not on disclosing who has been breached.
Some of the other challenges and perceived barriers to greater cyber threat information sharing that will need to be addressed are:
- Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian Government should ensure that there are responsible privacy protections in place related to cyber threat information sharing.
- Trust among private sector competitors: Some organisations consider cyber threat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more we continue to treat this information as IP, and the more we keep it in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
- Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian Government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
- Over-classification: The government, in some instances, may “over-classify” cyber threat information it receives from both internal and external sources. It then takes significant effort, and valuable time, to declassify that same information so it can be shared with private companies and the public at large.
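The distinction drawn above between attack information and information about who was breached, and the privacy point, can be applied mechanically before a record leaves the organisation. As an added example (not from the article), the Python below withholds victim-identifying fields, drops indicators that point into private address space (which describe the victim’s network rather than the adversary), and redacts addresses at the victim’s own domains from free text while keeping the attacker’s sender address, which is needed to identify the attack. The field names, record layout and incident are assumptions constructed for illustration.

```python
"""Added example, not from the article: preparing an incident record for
sharing so that attack information goes out while victim-identifying data
stays home. Field names, record layout and the incident are assumptions."""
import copy
import ipaddress
import re

# Fields that describe the victim rather than the attack (assumed schema).
VICTIM_FIELDS = {"organisation", "victim_domains", "reporter", "affected_users", "ticket_id"}

# Address ranges that reveal the victim's topology, not the adversary. Listed
# explicitly because ipaddress's is_private also flags the documentation
# ranges (such as 192.0.2.0/24) used for the attacker address below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Captures the domain part so an address can be judged by whose domain it is.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def is_internal_address(value: str) -> bool:
    """True for addresses inside the victim's own (RFC 1918, loopback, link-local) space."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def redact_victim_emails(text: str, victim_domains: set) -> str:
    """Redact addresses at the victim's own domains; the attacker's sender address stays."""
    def repl(match):
        return "<redacted>" if match.group(1).lower() in victim_domains else match.group(0)
    return EMAIL_RE.sub(repl, text)


def sanitise_for_sharing(incident: dict):
    """Return (record safe to share, list of what was withheld); the input is not modified."""
    victim_domains = {d.lower() for d in incident.get("victim_domains", [])}
    shared = copy.deepcopy(incident)
    withheld = []
    for name in sorted(VICTIM_FIELDS):
        if name in shared:
            del shared[name]
            withheld.append(name)
    kept = []
    for ind in shared.get("indicators", []):
        if ind["kind"] == "ip" and is_internal_address(ind["value"]):
            withheld.append("indicator:" + ind["value"])
            continue
        kept.append(ind)
    shared["indicators"] = kept
    if "narrative" in shared:
        shared["narrative"] = redact_victim_emails(shared["narrative"], victim_domains)
    return shared, withheld


# --- constructed incident, not a real case ---
INCIDENT = {
    "organisation": "Example Utilities Pty Ltd",
    "victim_domains": ["example-utilities.com.au"],
    "reporter": "j.citizen@example-utilities.com.au",
    "ticket_id": "INC-0042",
    "affected_users": ["j.citizen", "a.smith"],
    "narrative": ("Phish from billing@invoice-portal.invalid to a.smith@example-utilities.com.au; "
                  "the attachment beaconed to 192.0.2.44."),
    "indicators": [
        {"kind": "ip", "value": "192.0.2.44", "phase": "c2"},
        {"kind": "ip", "value": "10.20.30.40", "phase": "actions"},  # the victim's file server
        {"kind": "domain", "value": "invoice-portal.invalid", "phase": "delivery"},
    ],
}

if __name__ == "__main__":
    shared, withheld = sanitise_for_sharing(INCIDENT)
    print(shared)
    print("withheld:", withheld)
```

Returning the list of withheld items alongside the shareable record lets the sender review what stayed behind, which is the practical answer to both the competitive and the privacy objections: the recipient gets everything needed to detect the same campaign and nothing that identifies the victim.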
Where to Go From Here
We urge the Australian government and industry alike to act quickly on the recommendations for greater cyber threat information sharing laid out in the new Cyber Security Strategy. Cyber threat information sharing within and across industries, and with the public sector, must be embraced by everyone. The faster organisations share, the better we can protect each other and push the cost back onto the adversary. Until the public and private sectors truly collaborate to build systemic information sharing partnerships, we are fighting our adversaries with technological weapons that have no ammunition.
Written by Sean Duca, APAC CSO at Palo Alto Networks.