As part of our expert panel question series, we have the following question for the month of March 2017 to our expert panel members.
Cyberattacks has no boundaries and hackers usually collaborate across boundaries, while law enforcement agencies not. How can we collaborate at global level to fight against these new type of attacks with no boundaries?
CO-FOUNDER AND CEO, EventTracker
Defending the network today requires both a detailed understanding of the internal assets and tactics, techniques and procedures that are prevalent with attackers. Threat intelligence sharing via global threat feeds is an excellent resource to identify known bad actors and attack vectors. These feeds provide indicators of compromise (IOCs) that defenders can immediately put to use.
Examples of IOCs include:
- Behavior anomalies
- Process whitelists
- IP Internal whitelists
- Internal blacklists
- Honeynets (or internal lures)
- Contributions from your own security analysts, as well as analysts at customer sites
However, a challenge with these feeds is relevance to your local network. A superior and more targeted approach is to use a blend of global threat feeds along with community and local feeds. This collection is best maintained in a threat intelligence platform, which is designed for this purpose.
Knowing that some of these IOCs will be relevant to other defenders in your community, a standard way of sharing these is important. STIX/TAXII are industry efforts to standardize and encourage such sharing.
Machine-to-machine sharing is necessary, but person-to-person collaboration shouldn’t be forgotten. Experiences can be shared in forums such as White Hat, industry groups (ex. FSISAC, Educause), public/private partnerships (ex. InfraGard) and vendor-supported user groups.
Rebecca Herold – CIPM, CIPP/IT, CIPP/US, CISSP, CISM, CISA, FLMI
Co-Founder & President, SIMBUS; and Founder & CEO, The Privacy Professor
Indeed, everyone on this planet all part of the large cyberworld. As history has proven, though, law enforcement agencies usually tend to want to keep their data to themselves, and not share. Governments use the data for their nation state probes and hacks. Effective collaboration will not occur through government or law enforcement agencies or initiatives. Especially with our current state of international distrust and nation state hacking activities. The trust necessary for collaboration simply does not exist, and will not be established any time soon through such agencies.
To date the organizations that have been most cooperative with regard to cybersecurity are those that have wide international membership that are not sponsored by governments, such as ISACA and (ISC)2. International standards organizations, such as ISO/IEC, IEEE and ACM, are also good sources of international cooperation. Such organizations already collaborate with multi-national members in their working groups to create a wide variety of other types of cyber security and privacy frameworks, standards, and other work products. This history of sharing and cooperation provides a strong basis from which to build an effective and valuable international cybercrime-fighting body of information security experts. These organizations already have experience in creating and implementing policies, procedures, standards and tools; such experience would be valuable in creating these same types of work products for fighting and responding to cross-boundary cyber attacks.
You can read our expert panel members biographies here.