United We Stand, Divided We Fall.
If I had to single out an individual development that elevated the sophistication of cybercrime by an order of magnitude, it would be sharing. Code sharing, vulnerability sharing, knowledge sharing, sharing of stolen passwords and anything else one can think of. Attackers that once worked in silos, in essence competing, have discovered and fully embraced the power of cooperation and collaboration. I was honored to present a high-level overview on the topic of cyber collaboration a couple of weeks ago at the kickoff meeting of a new advisory group to the CDA (the Cyber Defense Alliance), called the “Group of Seven” established by the Founders Group. Attendees included Barclays’ CISO Troels Oerting and CDA CEO Maria Vello as well as other key people from the Israeli cyber industry. The following summarizes and expands upon my presentation.
TL;DR – to ramp up the game against cybercriminals, organizations and countries must invest in tools and infrastructure that enable privacy-preserving cyber collaboration.
The Easy Life of Cyber Criminals
The energy defenders must invest to protect a target and the energy cybercriminals need to attack it are far from equal. While attackers have always had an advantage, over the past five years the balance has tilted dramatically in their favor. Attackers, to achieve their goal, need only find one entry point into a target. Defenders need to make sure every possible path is tightly secured – a task of a whole different scale.
Multiple concrete factors contribute to this imbalance:
- Obfuscation technologies and sophisticated code polymorphism that successfully disguise malicious code as harmless content have rendered a large chunk of established security technologies irrelevant: technologies built with a different set of assumptions during what I call “the naive era of cybercrime.”
- Collaboration among adversaries, in the many forms of knowledge and expertise sharing, naturally sped up the spread of sophistication and innovation.
- Attackers, as “experts” in finding the path of least resistance to their goals, discovered a sweet spot of weakness that defenders can do little about – humans. Human flaws are the hardest to defend because attackers exploit core human traits such as trust building, personal vulnerabilities and the tendency to make mistakes.
- Attribution in the digital world is vague and almost impossible to achieve, at least with the tools we currently have at our disposal. This makes it difficult to find the cause of an attack and eliminate it with confidence.
- The complexity of IT systems leads to security information overload, which makes appropriate handling and prioritization difficult; attackers exploit this weakness by disguising their malicious activities in the vast stream of cybersecurity alerts. One of the drivers of this information overload is defense tools reporting an ever-growing number of false alarms due to their inability to identify malicious events accurately.
- The increasingly distributed nature of attacks and the use of “distributed offensive” patterns by attackers makes the defense even harder.
Given the harsh reality of the world of cybersecurity today, it is not a question of whether or not an attack is possible, it is just a matter of the interest and focus of cybercriminals. Unfortunately, the current de-facto defense strategy rests on making things a bit harder for attackers on your end, so that they will find an easier target elsewhere.
Rationale for Collaboration
Collaboration, as proven countless times, creates value that is beyond the sum of the participating elements. This also applies to the cyber world. Collaboration across organizations can contribute to defense enormously. For example, consider the time it takes to identify the propagation of threats as an early warning system – the period decreases exponentially in proportion to the number of collaborating participants. It is highly important to identify attacks targeting mass audiences more quickly, as they tend to spread in epidemic-like patterns. Collaboration in the form of expertise sharing is another area of value – one of the main roadblocks to progress in cybersecurity is the shortage of talent, and the exchange of resources and knowledge would go a long way in helping. Collaboration in artifact research can also reduce the time to identify and respond to cybercrime incidents. Furthermore, the increasing interconnectedness between companies as well as consumers means that the attack surface of an enterprise – the possible entry points for an attack – is continually expanding. Collaboration can serve as an essential counter to this weakness.
A recent phenomenon that may be inhibiting progress towards real collaboration is the perception of cybersecurity as a competitive advantage. Establishing a robust cybersecurity defense presents many challenges and requires substantial resources, and customers increasingly expect businesses to make these investments. Many CEOs consider their security posture a product differentiator and brand asset and, as such, are disinclined to share. I believe this to be short-sighted due to the simple fact that no-one is safe at the moment; broken trust trumps any security bragging rights in the likely event of a breach. Cybersecurity needs to progress seriously to stabilize, and I don’t think there is value in small marketing wins that only postpone the development of collaboration.
Cyber collaboration across organizations can take many forms ranging from deep collaboration to more straightforward threat intelligence sharing:
- Knowledge and domain expertise – Whether it is about co-training or working together on security topics, such partnerships can mitigate the shortage of cybersecurity talent and spread newly acquired knowledge faster.
- Security stack and configuration sharing – It makes good sense to share such acquired knowledge, which is now kept close to the chest. Such collaboration would help disseminate and evolve best practices in security postures as well as help gain control over the flood of new emerging technologies, especially as validation processes take extended periods.
- Shared infrastructure – There are quite a few models where multiple companies can share the same infrastructure that has a single cybersecurity function, for example, cloud services and services rendered by MSSPs. While the current common belief holds that cloud services are less secure for enterprises, from a security investment point of view there is no reason for this to be the case, and it could and should be better. A large portion of such shared infrastructure is invisible and is referred to today as Shadow IT. A proactive step in this direction is a consortium of companies building a shared infrastructure that fits the needs of all its participants. In addition to improving the defense, the cost of security is shared by all the collaborators.
- Sharing real vital intelligence on encountered threats – Sharing useful indicators of compromise, signatures or patterns of malicious artifacts and the artifacts themselves is the current state of the cyber collaboration industry.
Imagine the level of fortification that could be achieved for each participant if these types of collaborations were a reality.
Challenges on the Path of Collaboration
Cyber collaboration is not taking off at the speed we would like, even though experts may agree to the concept in principle. Why?
- Cultural inhibitions – The state of mind of not cooperating with competition, the fear of losing intellectual property and the fear of losing expertise sits heavily with many decision makers.
- Sharing is almost non-existent due to the justified fear of potential exposure of sensitive data – Deep collaboration in the cyber world requires technical solutions that allow the exchange of meaningful information without sacrificing sensitive data.
- Exposure to new supply chain attacks – Real-time and actionable threat intelligence sharing raises questions about the authenticity and integrity of incoming data feeds, creating a new weak point at the core of enterprise security systems.
- Before an organization can start collaborating on cybersecurity, its internal security function needs to work correctly – this is not necessarily the case with a majority of organizations.
- Brand risk – An incident affecting a single participant in a group of collaborators can damage the public image of the other participants.
- The tools, expertise, and know-how required for establishing a cyber collaboration are still nascent.
- As with any emerging topic, there are too many standards and no agreed-upon principles yet.
- Collaboration in the world of cyber security has always raised privacy concerns within consumer and citizen groups.
Though there is a mix of misconceptions, social and technical challenges, the importance of the topic continues to gain recognition, and I believe we are on the right path.
Technical Challenges in Threat Intelligence Sharing
Even the limited case of real threat intelligence sharing raises a multitude of technical difficulties, and best practices to overcome them are not ready yet. For example:
- How to achieve a balance between sharing actionable intelligence pieces, which must be extensive to be actionable, and preventing exposure of sensitive information.
- How to establish secure and reliable communications among collaborators with proper handling of authorization, authenticity, and integrity to reduce the risk posed by collaboration.
- How to validate the potential impact of actionable intelligence before it is applied at other organizations. For example, if one collaborator broadcasts that google.com is a malicious URL, how can the other participants automatically identify that it is not something to act upon in a sea of URLs?
- How do we make sure we don’t amplify the information overload problem by sharing false alerts with other organizations, or provide some means to handle the load?
- In an established collaboration, how can IT measure the effectiveness of the effort required against the resource savings and added protection level? How do you calculate Collaboration ROI?
- Many times investigating an incident requires a good understanding of and access to other elements in the network of the attacked enterprise; collaborators naturally cannot have such access, which limits their ability to conduct a root-cause investigation.
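One way to implement the validation that the questions above call for (authenticity and integrity of the feed, an allowlist check for the google.com case, and corroboration from several collaborators before an indicator is acted on), as an added example that is not from the original post; the collaborator names, HMAC keys, allowlist and feed records are constructed for illustration:

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample: per-collaborator shared HMAC keys (hypothetical names and keys).
COLLABORATOR_KEYS = {"bank-a": b"key-a", "bank-b": b"key-b", "bank-c": b"key-c"}
# Constructed allowlist of domains that must never be auto-blocked on a feed's say-so.
KNOWN_BENIGN = {"google.com", "microsoft.com"}
MIN_CORROBORATION = 2  # distinct collaborators required before an indicator is acted on

def sign(record, key):
    """Tag a canonical JSON encoding of the record with HMAC-SHA256."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(record, sender, tag):
    """True only if the sender is known and the tag matches (constant-time compare)."""
    key = COLLABORATOR_KEYS.get(sender)
    return key is not None and hmac.compare_digest(sign(record, key), tag)

def triage(feed, allowlist=KNOWN_BENIGN, min_corroboration=MIN_CORROBORATION):
    """Split (sender, record, tag) items into actionable, pending, quarantined, rejected."""
    votes = defaultdict(set)
    quarantined, rejected = [], []
    for sender, record, tag in feed:
        ind = record["indicator"]
        if not verify(record, sender, tag):
            rejected.append((sender, ind, "bad signature or unknown sender"))
        elif ind in allowlist:
            quarantined.append((sender, ind, "on benign allowlist, needs analyst review"))
        else:
            votes[ind].add(sender)  # count distinct senders, not repeated reports
    actionable = sorted(i for i, s in votes.items() if len(s) >= min_corroboration)
    pending = sorted(i for i, s in votes.items() if len(s) < min_corroboration)
    return actionable, pending, quarantined, rejected

def build_sample_feed():
    """Constructed feed: a corroborated domain, an allowlisted hit, a lone report, two forgeries."""
    r1 = {"indicator": "evil.example", "type": "domain"}
    r2 = {"indicator": "google.com", "type": "domain"}
    r3 = {"indicator": "lonely.example", "type": "domain"}
    return [
        ("bank-a", r1, sign(r1, COLLABORATOR_KEYS["bank-a"])),
        ("bank-b", r1, sign(r1, COLLABORATOR_KEYS["bank-b"])),
        ("bank-a", r2, sign(r2, COLLABORATOR_KEYS["bank-a"])),
        ("bank-c", r3, sign(r3, COLLABORATOR_KEYS["bank-c"])),
        ("bank-b", r3, "0" * 64),             # tag tampered in transit, known sender
        ("mallory", r3, sign(r3, b"guess")),  # sender not in the key list
    ]
```

Only an indicator reported by at least two distinct, authenticated collaborators becomes actionable; allowlisted hits and unverifiable records are held back so they neither block critical domains nor add to the alert flood.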
These are just a few of the current challenges – more will surface as we get further down the path to collaboration. There are several emerging technological areas that can help tackle some of the problems: privacy-preserving approaches from the world of big data, such as synthetic data generation and zero-knowledge proofs (i.e., blockchain); tackling information overload with Moving Target Defense-based technologies that deliver only accurate alerts, such as Morphisec Endpoint Threat Prevention; emerging solutions in the area of AI and security analytics; and distributed SIEM architectures.
In a highly collaborative future, a network of collaborators will appear connecting every organization. Such a system will work according to specific rules, taking into account that countries will be participants as well:
Countries – Countries can work as centralized aggregation points, aggregating intelligence from local enterprises and disseminating it to other countries which, in turn, will distribute the received data to their respective local businesses. There should be some filtering on the type of intelligence to be disseminated, and added classification, so that propagation and prioritization will be useful.
Sector Driven – Each industry has its common threats and famous malicious actors; it’s logical that there would be tighter collaboration among industry participants.
Consumers & SMEs – Consumers are the ones excluded from this discussion, although they could contribute to and gain from this process like anyone else. The same holds for small to medium-sized businesses, which cannot afford the enterprise-grade collaboration tools currently being built.
One of the biggest questions about cyber collaboration is when it will reach a tipping point. I speculate that it will occur when an unfortunate cyber event takes place, or when startups emerge in a massive number in this area or when countries finally prioritize cyber collaboration and invest the required resources.