Crowdsourcing cyber defence is now a necessity

The recent wave of cyber attacks that spread from Ukraine and Russia to the United States reinforces the need for greater global collaboration on cyber threat intelligence sharing


Real-time cyber threat intelligence sharing is the logical first step towards developing the holistic cyber defence strategy our world has been chasing for years. Together, industry can advance towards a world with only one patient zero, and the rest of us sharing intelligence to outrun the infection, increasing the cost to an adversary.

For years, the public and private sectors have worked independently on developing and touting their own latest and greatest network defence solutions and tools to address the cyber security concerns plaguing their respective markets. But the reality is none of these tools has proven capable of adapting fast enough to keep up with the changing tactics used by cyber attackers.

As a result, the financial losses from cybercrime continue to skyrocket – now exceeding $1.3 billion – up 24% from 2015 according to the newly released Federal Bureau of Investigation Internet Crime Report.


There simply is no magic solution to cyber defence. Businesses can continue to spend astronomical amounts of money to address this danger individually, or they can team up and tackle this challenge together, creating a cyber defence force multiplier that will better protect global commerce and enhance international security. Think of it as crowdsourcing cyber security. The best part? The cost of sharing cyber threat data is relatively low and we all reap the benefits.

When it comes to cyber threat intelligence sharing, the Department of Defense has already experienced significant success with its Defense Industrial Base (DIB) partnerships and subsequent Cyber Security / Information Assurance (CS/IA) Program.

The DIB, through framework agreements, launched in 2009 in partnership with six of the nation’s largest defense contractors, including BAE Systems, has since grown dramatically in membership.

Under CS/IA, each contractor would, as a best practice, voluntarily collect cyber threat attack strings and data targeting its own networks. In 2015, changes to the DIB programme and DFARS made information sharing mandatory and extended coverage to sub-contractors.

When the partners identify and neutralise these threats, the cyber threat data – and protections – are collected by the DoD and used to defend its own networks and shared with the rest of the program’s user community.

The value of the intelligence shared has proven to be extremely beneficial, with collaboration and best practice sharing building even further upon the participants’ relationships. For example, many of the threats shared amongst the program’s participants involved Advanced Persistent Threats – which pose one of the most significant threats to our nation’s government, critical infrastructure, and defense networks.


The program has also identified a number of spear phishing attack signatures that could be shared with the user community to improve their automated malware defences, and each member’s overall network security.

Challenges often arise from legal and technical hurdles surrounding information sharing. The United States Computer Emergency Readiness Team (US-CERT) has published guidance on Automated Indicator Sharing, including the process it follows to redact which participant in its program shared the data.

This is an important step for many organisations to ensure that data sets are cleansed of privacy-controlled information, and to address legal challenges over what data can be shared.

BAE Systems has developed systems that leverage industry standards for sharing and secure means of transferring intelligence at an indicator level, using open standards. Its models analyse Structured Threat Information eXpression (STIX) data – a sort of “universal language” for cyber threats that can be used for simple storage and sharing of indicators or for expressing complex relationships between threat actors.

It is important to leverage automated models for sharing the vast “ones and zeros” of this STIX data to feed analytics systems in addition to raw unstructured information for analysts.

For example, using our models, cyber analysts can flag distinct patterns in the data to uncover unique signature markers akin to a cyber attacker’s fingerprints. These can also reveal key information about what kind of threat we are looking at; when the threat was identified; where it originated from; how it attempted to enter a network; and eventually – who is likely behind the threat.


The use of standards helps solve a challenge businesses are facing in sharing with the expanding number of agencies and organisations requesting similar data. Currently, BAE Systems is the leading provider of cyber threat intelligence to the DIB CS/IA Program as well as non-governmental organisations such as the IT-ISAC.

In addition, it is a provider of cyber threat intelligence to the US-CERT Cyber Information Sharing Collaboration Program (CISCP); and it shares its threat intelligence with the Defense Security Service.

Each of these efforts is contributing to a safer cyber landscape in its own right, but a single, more centralised sharing effort could offer even more benefits to the cyber community.

The move to standardised formats such as STIX, with communication links using TAXII, simplifies connecting to new organisations and maximises the intelligence shared and received, while reducing the cost of cyber threat intelligence (CTI) sharing.
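
As an added illustration (not code from the article or from BAE Systems’ models), the following Python builds a small STIX 2.1 bundle of the kind described above, strips the contributor’s identity the way the US-CERT redaction step above does, and matches the indicator against constructed DNS log lines to surface what matched and which actor it is attributed to. The domain, actor name, ids and log lines are all constructed; TAXII transport is not shown.

```python
import re
import uuid

# Constructed ids and timestamp; SHARER_ID is the (hypothetical) contributing company.
NOW = "2017-06-28T09:00:00.000Z"
ACTOR_ID, INDICATOR_ID = f"threat-actor--{uuid.uuid4()}", f"indicator--{uuid.uuid4()}"
SHARER_ID = f"identity--{uuid.uuid4()}"

def build_bundle():
    """Assemble a STIX 2.1 bundle: one spear-phishing indicator, the actor it
    is attributed to, and the 'indicates' relationship linking them."""
    common = {"spec_version": "2.1", "created": NOW, "modified": NOW}
    indicator = dict(common, type="indicator", id=INDICATOR_ID, created_by_ref=SHARER_ID,
                     name="Phishing lure download host (constructed)",
                     indicator_types=["malicious-activity"], pattern_type="stix",
                     pattern="[domain-name:value = 'lure.example.invalid']", valid_from=NOW)
    actor = dict(common, type="threat-actor", id=ACTOR_ID, name="Sample APT group",
                 threat_actor_types=["nation-state"])
    rel = dict(common, type="relationship", id=f"relationship--{uuid.uuid4()}",
               relationship_type="indicates", source_ref=INDICATOR_ID, target_ref=ACTOR_ID)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, actor, rel]}

def redact_source(bundle):
    """Drop who contributed each object: the anonymisation step the article
    describes for US-CERT's Automated Indicator Sharing process."""
    for obj in bundle["objects"]:
        obj.pop("created_by_ref", None)
    return bundle

# Only the single-equality subset of STIX patterning is handled here.
_EQ = re.compile(r"^\[(?P<path>[\w\-:.']+) = '(?P<val>[^']*)'\]$")

def match_logs(bundle, log_lines):
    """Return (matched value, attributed actor) for every indicator hit in the logs,
    so an analyst sees what matched and who is likely behind it."""
    names = {o["id"]: o.get("name") for o in bundle["objects"]}
    actor_for = {r["source_ref"]: names.get(r["target_ref"])
                 for r in bundle["objects"] if r["type"] == "relationship"}
    hits = []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        m = _EQ.match(ind["pattern"])
        if m and m["path"] == "domain-name:value":
            hits += [(m["val"], actor_for.get(ind["id"]))
                     for line in log_lines if m["val"] in line.split()]
    return hits

SAMPLE_DNS_LOG = [  # constructed resolver log lines
    "2017-06-28T09:12:01Z host17 query lure.example.invalid A",
    "2017-06-28T09:12:05Z host17 query updates.example.invalid A",
]
```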

Businesses cannot each continue to invest in their own cyber infrastructures, tools and experts to stay ahead of cyber attackers. Only by collectively pooling resources can organisations create an effective force multiplier that reduces IT costs, tightens cyber security for businesses, and enhances global security.


That’s why real-time cyber threat intelligence sharing is the logical first step towards developing the holistic cyber defence strategy our world has been chasing for years. Together, industry can advance towards a world with only one patient zero, and the rest of us sharing intelligence to outrun the infection, increasing the cost to an adversary.

Furthermore, sharing of data can amortise the investment in tools across all defenders such that each of us can reduce our costs to defend. Finally, best practice sharing can help make our infrastructure more resilient and easier to defend such that ransomware and tomorrow’s threats become minimised to noise.


Sourced by Peder Jungck, chief technology officer of the Intelligence & Security sector at BAE Systems, Inc.
