Sharing cyber threat indicators while managing cyber risk
November 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Malicious cyber attackers are innovating faster than companies and organisations can adapt to defend themselves alone. Malicious software, or malware, is becoming more sophisticated and at the same time more widely available, and many attackers reuse and evolve existing malware and methods rather than building a novel attack for each potential victim. Thus, as more attacks occur, the odds increase that some other entity has already seen an element of a given attack. Malware is only one of the diverse cyber threats affecting organisations.
The primary benefit of cyber threat indicator sharing is that the recipient may be better able to defend its network from cyber threats identified by others. A cyber threat indicator is information that is directly related to and necessary to identify or describe a cyber security threat. Examples include the headers of a phishing email, malicious IP addresses and other elements of an attacker’s command and control infrastructure, methods for defeating security controls, and vulnerabilities. Highly sensitive information – such as human resources data, consumer financial information or health records – may be directly relevant to a potential victim of a cyber threat, but it is unlikely to be directly relevant to the cyber threat itself. Most often, this information need not be shared. For example, if a phishing email requested tax data, the sender address, subject line, type of attachment (if any) and any embedded links would help others block or quarantine the message, but the tax information of the victims would not.
Why share cyber threat indicators?
A 2015 survey by the Ponemon Institute of IT and security practitioners in the United States revealed that 67 percent of respondents believed that the use of cyber intelligence provides benefits that outweigh the costs. Forty percent of companies in this research admitted that they had experienced a material security breach in the past 24 months, and 80 percent of respondents believed that, had they possessed threat intelligence at the time of the breach, they could have prevented or minimised the consequences of the attack. On average, respondents reported that 35 cyber attacks which had eluded traditional defences were uncovered after they began using threat intelligence.
Even if cyber threat indicators are not shared in time to prevent a network infiltration, a company may be alerted in time to prevent data exfiltration. The Verizon 2016 Data Breach Investigations Report found that most network compromises succeed within minutes; however, data exfiltration may not occur until days later, leaving a window of opportunity for defence of the network. Attackers still have the advantage, though. While the time to detect a compromise has decreased in recent years, the Mandiant Consulting M-Trends 2016 report found that in 2015 attackers were present on a victim’s network an average of 146 days before being discovered. Cyber threat indicator sharing aims to reduce the attacker’s luxury of time, by accelerating the response of network defenders from months to milliseconds.
One-time information sharing is unlikely to directly benefit the sharing organisation; however, reciprocated cyber threat indicator sharing over time is likely to benefit participating organisations.
How to share cyber threat indicators
For organisations to realise the cyber defence benefit of information sharing, the sharing organisation needs to provide information that is relevant, actionable and timely.
In terms of being relevant, shared interests and aligned information sharing goals among the organisations in a sharing relationship make it more likely that the information shared will be relevant to the recipient.
In terms of being actionable, the information shared must provide sufficient context for others to process and appropriately act on that information, meaning to prepare, prevent, defend against and/or respond to the identified threat.
In terms of being timely, information shared too late, such as after an adversary has changed tactics or a botnet has been remediated, becomes noise rather than useful information.
The receiving organisation needs to be capable of acting on that information. For example, developing an automated cyber threat indicator sharing programme should not take precedence over foundational activities, such as routinely updating firewall rules or patching vulnerabilities. On the other hand, sharing indicators at network speed is not necessary in order to benefit; it depends on the information sharing objectives. Relationship building, reciprocity with peers or even a desire to contribute to public safety and security may themselves be sufficient reasons to share.
Information may be shared through informal or formal relationships. While not required, companies new to information sharing may particularly benefit by seeking out and joining a formal information sharing and analysis organisation (ISAO), which matches the organisation’s information sharing goals and which has already established consistent expectations and practices for information sharing among its membership. Informal relationships may take longer to cultivate and bear fruit.
Certified ISAOs are an emerging option in the information sharing ecosystem, which includes formal private ISAOs, public-private ISAOs, government information sharing programmes, informal private industry and government relationships, and law enforcement information sharing related to cyber security incident investigations. These organisations and relationships are not limited to US participants. Similar programmes outside of the United States are available, such as the UK’s Cyber-security Information Sharing Partnership (CiSP) and Japan’s ICT-ISAC, even where differences in culture may shape the expectations and norms regarding information sharing.
While cyber threat indicator sharing offers benefits, it is not without risks. In addition to being selective about ISAOs and other information sharing relationships, the organisation can help avoid pitfalls by developing internal policies and procedures to guide its activities. Particularly in an automated environment, inadvertent sharing may occur, so risk calculations and legal guidance will be most helpful in advance. Companies are well-advised to document their cyber security incident response process and the processes by which the company monitors external sources for cyber threat indicators (including vulnerability information) and to implement appropriate patching, defence measures or other mitigations. Not every indicator may require action. A clearly articulated process for logging, analysis, escalation and the threshold for action is likely to help identify gaps in any post-incident review.
Many of the risks associated with cyber threat indicator sharing relate to what information is being shared. For example, cyber threat indicators include both ‘indicators of attack’, a description of potential adversary activity that does not result in compromise of the organisation’s networks or systems, as well as ‘indicators of compromise’, which do provide description of how an organisation may have been compromised. The vast majority of indicators are indicators of attack, not compromise.
The risk is that sharing an indicator of compromise may provide evidence of the organisation’s failure to follow an applicable standard of care that would have otherwise prevented such an attack. The US Cybersecurity Information Sharing Act of 2015 (CISA) provides liability protection for the sharing and receipt of cyber threat indicators, but not for the underlying acts or omissions, which may have led to the indicator, nor for the organisation’s acts or omissions after receiving a cyber threat indicator.
To take advantage of the full set of liability protections offered in the US, CISA requires a non-Federal entity to remove any information from a cyber threat indicator that it knows at the time of sharing to be personally identifiable information that is not directly related to a cyber security threat before sharing that indicator. In a cross-border context, other privacy restrictions also may apply.
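The distinction drawn earlier between the parts of a phishing email that are an indicator (sender, subject, attachment hash, links, originating IP) and the victim data that is not, together with the scrubbing step described above, can be made concrete. The following is an added example written for this page; it is not the authors’ code nor any ISAO’s tooling. The message, domains and addresses are constructed, and the field names of the resulting indicator are an assumption rather than any standard format.

```python
"""Build a shareable cyber threat indicator from a phishing email and strip
victim PII before sharing. Added example; not code from the article."""
import hashlib
import json
import re
from email import policy
from email.parser import BytesParser

# Constructed sample phishing message (not a real capture). The domains,
# addresses and SSN are hypothetical.
RAW_PHISH = b"""Received: from mail.payroll-update.example (mail.payroll-update.example [203.0.113.45])
\tby mx.victimcorp.example (Postfix) with ESMTP id 4F2A1
\tfor <jane.doe@victimcorp.example>; Mon, 14 Mar 2016 09:12:01 +0000
From: "HR Department" <hr@payroll-update.example>
Reply-To: w2-requests@payroll-update.example
To: jane.doe@victimcorp.example
Cc: payroll@victimcorp.example
Subject: Action required: W-2 for SSN 123-45-6789
Message-ID: <20160314091200.12345@payroll-update.example>
Date: Mon, 14 Mar 2016 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please confirm your W-2 at
http://payroll-update.example/verify?user=jane.doe@victimcorp.example&ssn=123-45-6789
--XYZ
Content-Type: application/pdf; name="W2_form.pdf"
Content-Disposition: attachment; filename="W2_form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Headers that describe the threat and are copied (after scrubbing).
SHARED_HEADERS = ("From", "Reply-To", "Subject", "Message-ID", "Date", "X-Mailer")
# Headers that only identify the victim and are dropped outright.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Delivered-To", "X-Original-To")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def attacker_domains(msg):
    """Domains in sender-controlled headers; addresses there are the threat, not PII."""
    doms = set()
    for h in ("From", "Reply-To", "Return-Path"):
        for addr in EMAIL_RE.findall(str(msg.get(h, ""))):
            doms.add(addr.split("@")[1].lower())
    return doms


def scrub(text, keep_domains):
    """Redact SSN-like numbers and any e-mail address not in an attacker domain."""
    text = SSN_RE.sub("[REDACTED-SSN]", text)

    def _mask(m):
        addr = m.group(0)
        return addr if addr.split("@")[1].lower() in keep_domains else "[REDACTED-EMAIL]"

    return EMAIL_RE.sub(_mask, text)


def build_indicator(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    keep = attacker_domains(msg)
    ind = {"type": "phishing-email", "attacker_domains": sorted(keep),
           "headers": {}, "sender_ips": [], "urls": [], "attachments": []}
    for h in SHARED_HEADERS:
        if msg[h]:
            ind["headers"][h] = scrub(str(msg[h]), keep)
    # A Received line names the victim recipient and MX, so only the bracketed
    # originating IPs are extracted, never the header itself.
    for rcvd in msg.get_all("Received", []):
        ind["sender_ips"].extend(IP_RE.findall(str(rcvd)))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            ind["attachments"].append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "sha256": hashlib.sha256(payload).hexdigest(),  # hash, not the file
            })
        elif part.get_content_type() == "text/plain":
            # The body text is not shared; only the links it carries, scrubbed,
            # since phishing URLs often embed the victim's address as a parameter.
            ind["urls"].extend(scrub(u, keep) for u in URL_RE.findall(part.get_content()))
    ind["dropped_recipient_headers"] = [h for h in RECIPIENT_HEADERS if msg[h]]
    return ind


def contains_pii(indicator: dict) -> bool:
    """Pre-share check: no SSN pattern and no non-attacker e-mail address survive."""
    blob = json.dumps(indicator)
    if SSN_RE.search(blob):
        return True
    keep = set(indicator.get("attacker_domains", []))
    return any(a.split("@")[1].lower() not in keep for a in EMAIL_RE.findall(blob))


if __name__ == "__main__":
    indicator = build_indicator(RAW_PHISH)
    assert not contains_pii(indicator)
    print(json.dumps(indicator, indent=2))
```

The attacker-controlled domains are used as the allow-list for addresses, so the sender and reply-to addresses (which are the threat) survive while the victim’s address, whether in To/Cc, in the Received line or inside the lure URL, does not. The final check runs over the serialised indicator rather than individual fields, which is the place to catch PII that slipped in through a header nobody thought to list.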
In consideration of confidentiality, companies are well-advised to assess the risks and benefits of sharing in the context of each information sharing relationship. That assessment should cover the extent of the information to be disclosed; any restrictions imposed by law or by agreement that limit disclosure of that information; limitations on the subsequent use of, and reliance on, the information shared; and the organisation’s own capability to operationalise the information it receives.
Allison Bender and Paul Otto are senior associates at Hogan Lovells. Ms Bender can be contacted on +1 (202) 637 5721 or by email: firstname.lastname@example.org. Mr Otto can be contacted on +1 (202) 637 5887 or by email: email@example.com.
© Financier Worldwide