If I had to single out a single development that elevated the sophistication of cybercrime by an order of magnitude, it would be sharing. Code sharing, vulnerability sharing, knowledge sharing, stolen passwords and anything else you can think of. Attackers who once worked in silos, in essence competing with each other, have discovered and fully embraced the power of cooperation and collaboration. I was honored to present a high-level overview on the topic of cyber collaboration a couple of weeks ago at the kickoff meeting of a new advisory group to the CDA (the Cyber Defense Alliance), called the “Group of Seven” established by the Founders Group. Attendees included Barclays’ CISO Troels Oerting and CDA CEO Maria Vello as well as other key people from the Israeli cyber industry. The following summarizes and expands upon my presentation.
TL;DR – In order to ramp up the game against cyber criminals, organizations and countries must invest in tools and infrastructure that enable privacy-preserving cyber collaboration.
The Easy Life of Cyber Criminals
The energy defenders must invest to protect a target, vs. the energy cyber criminals need to attack it, is far from equal. While attackers have always had an advantage, over the past five years the balance has tilted dramatically in their favor. Attackers, in order to achieve their goal, need only find one entry point into a target. Defenders need to make sure every possible path is tightly secured – a task of a whole different scale.
Multiple concrete factors contribute to this imbalance:
- Obfuscation technologies and sophisticated code polymorphism that successfully disguise malicious code as harmless content have rendered a large chunk of established security technologies irrelevant. These technologies were built with a different set of assumptions during what I call “the naive era of cyber crime.”
- Collaboration among adversaries, in the many forms of knowledge and expertise sharing, has naturally sped up the spread of sophistication and innovation.
- Attackers as “experts” in finding the path of least resistance to their goals discovered a sweet spot of weakness. A weakness that defenders can do little about – humans. Human weaknesses are the hardest to defend as attackers exploit core human traits such as trust building, personal vulnerabilities and making mistakes.
- Attribution in the digital world is vague and almost impossible to achieve, at least with the tools currently at our disposal. This makes finding the root cause of an attack and eliminating it with confidence very difficult.
- The complexity of IT systems has led to security information overload, which makes timely handling and prioritization difficult; attackers exploit this weakness by disguising their malicious activities in the wide stream of cyber security alerts. One of the drivers of this information overload is defense tools reporting an ever growing number of false alarms due to their inability to accurately identify malicious events.
- The increasingly distributed nature of attacks and the use of “distributed offensive” patterns by attackers makes defense even harder.
Given the harsh reality of the world of cyber security today, it is not a question of whether or not an attack is possible, it is just a matter of the interest and focus of cyber criminals. Unfortunately, the current de facto defense strategy rests on creating a bit more difficulty for attackers on your end, so that they will go find an easier target elsewhere.
Rationale for Collaboration
Collaboration, as proven countless times, creates value that is beyond the sum of the participating elements. This is also true for the cyber world. Collaboration across organizations can contribute to defense enormously. For example, consider the time it takes to identify the propagation of threats as an early warning system – the time span decreases exponentially in proportion to the number of collaborating participants. This is highly important for identifying attacks targeting mass audiences more quickly, as they tend to spread in epidemic-like patterns. Collaboration in the form of expertise sharing is another area of value – one of the main roadblocks to progress in cyber security is the shortage of talent. The sharing of resources and knowledge would go a long way in helping. Collaboration in artifact research can also reduce the time to identify and respond to cyber crime incidents. Furthermore, the increasing interconnectedness between companies as well as consumers means that the attack surface of an enterprise – the possible entry points for an attack – is constantly expanding. Collaboration can serve as an important counter to this weakness.
A recent phenomenon that may be inhibiting progress towards real collaboration is the perception of cybersecurity as a competitive advantage. Establishing a solid cybersecurity defense presents many challenges and requires substantial resources, and customers increasingly expect businesses to make these investments. Many CEOs consider their security posture a product differentiator and brand asset and, as such, are disinclined to share. I believe this to be short-sighted due to the simple fact that no one is really safe at the moment; shattered trust trumps any security bragging rights in the likely event of a breach. Cyber security needs to progress seriously in order to stabilize and I don’t think there is value in small marketing wins which only postpone progress in the form of collaboration.
Cyber collaboration across organizations can take many forms ranging from deep collaboration to more straightforward threat intelligence sharing:
- Knowledge and domain expertise – Whether it is about co-training or working together on security topics, such collaborations can mitigate the shortage of cyber security talent and spread newly acquired knowledge faster.
- Security stack and configuration sharing – It makes good sense to share such acquired knowledge although it is now kept close to the chest. Such collaboration would help disseminate and evolve best practices in security postures as well as help gain control over the flood of new emerging technologies, especially as validation processes take long periods of time.
- Shared infrastructure – There are quite a few models where multiple companies can share the same infrastructure which has a single cyber security function, for example cloud services and services rendered by MSSPs. While the current common belief holds that cloud services are less secure for enterprises, from a security investment point of view there is no reason for this to be the case and it could and should be better. A big portion of such shared infrastructures are hidden in what is called today Shadow IT. A proactive step in this direction is for a consortium of companies to build a shared infrastructure which can fit the needs of all its participants. In addition to improving defense, the cost of security would be offset by all the collaborators.
- Sharing concrete live intelligence on encountered threats – Sharing effective indicators of compromise, signatures or patterns of malicious artifacts and the artifacts themselves is where the cyber collaboration industry is currently at.
Imagine the level of fortification that could be achieved for each participant if these types of collaborations were a reality.
Challenges on the Path of Collaboration
Cyber collaboration is not taking off at the speed we would like, even though experts may agree to the concept in principle. Why?
- Cultural inhibitions – The state of mind of not cooperating with competition, the fear of losing intellectual property and the fear of losing expertise sits heavily with many decision makers.
- Sharing is limited due to the justified fear of potential exposure of sensitive data – Deep collaboration in the cyber world requires technical solutions to allow sharing of meaningful information without sacrificing sensitive data.
- Exposure to new supply chain attacks – Real-time and actionable threat intelligence sharing raises questions about the authenticity and integrity of incoming data feeds, creating a new point of weakness at the core of the enterprise security systems.
- Before an organization can start collaborating on cyber security, its internal security function needs to work properly – this is not necessarily the case with a majority of organizations.
- The brand can be put into some uncertainty as impact on a single participant in a group of collaborators can damage the public image of other participants.
- The tools, expertise and know-how required for establishing a cyber collaboration are still nascent.
- As with any emerging topic, there are too many standards and no agreed upon principles yet.
- Collaboration in the world of cyber security has always raised privacy concerns within consumer and citizen groups.
Though there is a mix of misconceptions, social and technical challenges, the importance of the topic continues to gain recognition and I believe we are on the right path.
Technical Challenges in Threat Intelligence Sharing
Even the limited case of concrete threat intelligence sharing raises a multitude of technical challenges, and best practices to overcome them have not yet been determined:
- How to achieve balance between sharing actionable intelligence pieces, which must be rich in order to be actionable, vs. preventing exposure of sensitive information.
- How to establish secure and reliable communications among collaborators with proper handling of authorization, authenticity and integrity to make sure the risk posed by collaboration is minimized.
- How to verify the potential impact of actionable intelligence before it is applied to other organizations. For example, if one collaborator broadcasts that google.com is a malicious URL then how can the other participants automatically identify it is not something to act upon?
- How do we make sure we don’t amplify the information overload problem by sharing false alerts with other organizations, or what means do we have to handle the load?
- Once collaboration is established, how can IT measure the effectiveness of the efforts being invested vs. resource saving and added protection level? How do you calculate Collaboration ROI?
- Many times investigating an incident requires good understanding of and access to other elements in the network of the attacked enterprise; collaborators naturally cannot have such access, which limits their ability to conduct a root cause investigation.
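As an added illustration (not code from this post or from the CDA), the following Python vetting step for an incoming shared-indicator feed addresses three of the challenges listed above: it rejects reports whose sender cannot be authenticated or whose payload has been altered, it refuses to act on indicators that hit a local allowlist (the google.com case), and it holds back an indicator until two independent collaborators have reported it, so that one participant's false alert is not amplified across the group. Collaborator names, the shared secrets, the allowlist and the sample feed are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict
ALLOWLIST = {"google.com"}  # constructed allowlist of known-benign domains (the post's example)
COLLABORATOR_KEYS = {"bank-a": b"secret-a", "bank-b": b"secret-b", "bank-c": b"secret-c"}  # constructed
MIN_CORROBORATION = 2  # distinct collaborators needed before an indicator is acted upon

def sign(sender, payload):
    # HMAC-SHA256 over the canonical JSON payload, keyed by the sender's shared secret
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(COLLABORATOR_KEYS[sender], body, hashlib.sha256).hexdigest()

def verify(report):
    # Authenticity and integrity: unknown senders and altered payloads both fail
    key = COLLABORATOR_KEYS.get(report.get("sender"))
    if key is None:
        return False
    body = json.dumps(report["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(report.get("tag", "")))

def make_report(sender, indicator):
    payload = {"indicator": indicator, "type": "domain"}
    return {"sender": sender, "payload": payload, "tag": sign(sender, payload)}

def vet_feed(reports):
    """Return (actionable indicators, rejected reports with reasons)."""
    sources, rejected = defaultdict(set), []  # indicator -> distinct collaborators reporting it
    for r in reports:
        if not verify(r):
            rejected.append((r.get("sender"), "bad-signature"))
            continue
        indicator = r["payload"]["indicator"].lower()
        if indicator in ALLOWLIST:
            rejected.append((r["sender"], "allowlisted:" + indicator))
            continue
        sources[indicator].add(r["sender"])
    actionable = sorted(i for i, s in sources.items() if len(s) >= MIN_CORROBORATION)
    return actionable, rejected

# Constructed sample feed exercising each failure mode discussed in the post
SAMPLE_FEED = [
    make_report("bank-a", "evil.example"),
    make_report("bank-b", "EVIL.example"),    # second, independent source for the same indicator
    make_report("bank-c", "lonely.example"),  # single source: held back, not yet actionable
    make_report("bank-a", "google.com"),      # the false-positive case from the post
    {**make_report("bank-b", "tampered.example"), "tag": "00"},  # integrity failure
    {"sender": "intruder", "payload": {"indicator": "x.example", "type": "domain"}, "tag": ""},
]
```

Running `vet_feed(SAMPLE_FEED)` yields a single actionable indicator and three rejections with their reasons; in a real deployment the shared secrets would be replaced by per-collaborator signing keys and the corroboration threshold tuned per sector.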
These are just a few of the current challenges – more will surface as we get further down the path to collaboration. There are several emerging technological areas which can help tackle some of the challenges: privacy-preserving approaches in the world of big data such as synthetic data generation; zero-knowledge proofs (as applied, for example, in blockchain systems); tackling information overload with Moving Target Defense-based technologies that deliver only true alerts, such as Morphisec Endpoint Threat Prevention, and/or emerging solutions in the area of AI and security analytics; and distributed SIEM architectures.
In a highly collaborative future, a grid of collaborators will emerge connecting every organization. Such a grid will work according to certain rules, taking into account that countries will be participants as well:
- Countries – Countries can work as centralized aggregation points, aggregating intelligence from local enterprises and disseminating it to other countries which, in turn, will disseminate the received intelligence to their respective local enterprises. There should be some filtering on the type of intelligence being disseminated and classification so the propagation and prioritization will be effective.
- Sector driven – Each industry has its common threats and common malicious actors; it’s logical that there would be tighter collaboration among industry participants.
- Consumers & SMEs – Consumers are the ones excluded from this discussion although they could contribute to and gain from this process like anyone else. The same holds true for small to medium sized businesses, which cannot afford the enterprise grade collaboration tools currently being built.
One of the biggest questions about cyber collaboration is when it will reach a tipping point. I speculate that it will occur when a disastrous cyber event takes place, or when startups emerge in a massive number in this area or when countries finally prioritize cyber collaboration and invest the required resources.