According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional intelligence about an adversary group, beyond the campaign plan, that helps organisations understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that the information (to be shared) itself is important – but it must be actionable, and must arrive in as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them, and that many feel that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Duca also lists other challenges and “perceived barriers” to greater cyberthreat information sharing that he maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.