ISACs Demystified

  /     /     /  
Publicated : 22/11/2024   Category : security


ISACs Demystified


How some intelligence-sharing organizations operate in the face of todays threat landscape.



Second installment in a series on ISACs and threat intelligence-sharing.
The first clue of what was later exposed as the Carbanak international cybercrime ring targeting banks was a piece of intelligence shared within the financial services ISAC (FS-ISAC) in September: backdoor malware that was siphoning credentials from a banking application used in Eastern Europe.
The malware, which a US-based security firm shared with the FS-ISAC, last month was confirmed to be part of the Carbanak international attack campaign out of Eastern Europe that stole some $1 billion in two years from 100 different banks it hacked in nearly 30 countries, according to
findings published by Kaspersky Lab
.
We did not know the extent of the breach or damage [in September], but that there was malicious activity. So there was no attribution, but there was a way to look for this malware, says Mike Davis, CTO at CounterTack, who is a member of the FS-ISAC.
This single malware alert ultimately tied to the now-infamous banking hack campaign demonstrates how banks and other vertical industries sometimes first learn of the latest threats hitting their sectors: a member of the ISAC community spots a piece of malware or a malicious IP address targeting it or another organization in the industry, and then shares that information with other members who then can block that IP address, scan for the malware, and apply other parameters to shore up their defenses against the threats.
But not all ISACs and related intel-sharing organizations operate the same way, or even share information in the same manner. Some ISACs are more effective in thwarting attacks than others, experts say. Their effectiveness often depends on the maturity and level of participation within those communities.
One of the biggest criticisms about ISACs I hear across the intel community at large is that you get indicators without context, and that the volume [of information] is so high that … you dont know where to prioritize, says Stuart Solomon, vice president, general counsel and chief risk officer at iSIGHT Partners. The way ISACs should go is to explain why something deserves more or less attention, and to also validate the information, he says.
So by alerting their members about new threats and attacks, do ISACs actually help prevent the spread of breaches and attack campaigns?
It depends on the quality and actionability of the information, says Solomon, who is scheduled to speak at 
Interop
 next month 
about intelligence-sharing and gathering
.
Another factor: not all members necessarily act on the intel. You get an email with a bunch of file names and hashes. What do you do with it? CounterTacks Davis says. Some organizations are able to sift through and use it, but not so much with others:  Some organizations get the information, but no one does anything with it, CounterTacks Davis says.
The key ingredient for a useful ISAC is providing
context
along with the indicators of compromise that get reported. Then members need the ability to anlayze and ingest the intelligence, and apply it to their security tools.
Take, for example, a malicious IP address thats reported targeting the financial services industry. In order to appropriately apply that information internally, an ISAC member would need accompanying details such as why its malicious and which campaigns or malware its associated with, for example, iSIGHTs Solomon says. It helps to know the timeframe of malicious activity associated with the IP address. Has its perishability window closed? All of these items relate to context. Without context, it is just more noise.
Veterans And Rookies
The defense industrial bases intel-sharing organization, the Defense Security Information Exchange (DSIE), and the financial services industrys FS-ISAC are the most mature intel-sharing organizations and considered model mechanisms. The defense group, which began in 2008 as a small group of representatives from some of the largest defense contractors, spun out of the Network Security Information Exchange (NSIE), which was formed in 1991 as a subcommittee of the Network Security Telecommunication Advisory Committee (NSTAC). The FS-ISAC, meanwhile, dates back to 1999. Both groups experienced their share of growing pains in the early days, especially the initial hurdle of trusting your fellow members enough to freely swap intelligence with one another.
In contrast, theres the Industrial Control Systems (ICS) ISAC, formed in 2012 and a relative newbie in the ISAC world. That in part explains why hardly any of the in-the-trenches industrial facility members swap attack information. Chris Blask, chair of the ICS-ISAC, says its mainly vendors and systems integrator members that share attack information in the ISAC, which offers an information-sharing platform via ThreatStreams service to its membership, along with Soltra Edge.
Blask explains that most industrial sites dont have a lot of information to share at this point--they may not know theyve been attacked-- and if they do, many cant share it, anyway. They have the worry that regulators are going to jump down their throat if they share intel, he says. Very few anywhere in the industrial space are really actively sharing information about what happens to them.
Even the FS-ISAC took a while to evolve into a true sharing organization. William Nelson, president and CEO of the FS-ISAC, which includes member institutions from across the globe, says banks at first didnt want to share information with their competitors. But all that is changing, especially as attackers continue to target the financial industry. In January, there were 450 instances where members shared information, amounting to tens of thousands of threat indicators, he says.
But the big turning point for the FS-ISAC came during the massive Operation Ababil DDoS attacks that hit North American banks in 2012 and 2013. Nelson says the financial services industry stepped up and teamed up: They realized we needed to form response teams of victims, and share with others what they had gone through, he says. The ROI was unbelievable, and one member of the community commented that when they were attacked, they were ready because of the FS-ISAC communitys response teams and intel-sharing, he says.
A vendor member of the ISAC also provided some key intel to the banks targeted in the DDoS attacks: the command and control server instructions used by the DDOS botnet in the first level of the attack against bank networks. That gave the banks an early warning of the attack, says Jim Routh, CISO for Aetna Global Information Security, and a member of the FS-ISAC. Each bank had to determine how to protect themselves from the level 2 and 3 [DDoS] attacks, but knowing when they were coming was a big help to manage resources so that first responders could get some rest and be prepared when the attacks came, Routh says.
The second level of the attack required making configuration changes to impede the attackers, he says. So knowing when the attacks were coming was helpful for the banks to apply resources effectively to respond and minimize business impact, Routh says. Anti-DDoS service providers also had access to the intel via the ISAC, he says.
The DSIE, meanwhile, now has nearly 70 member companies. Unlike many ISACs, the DSIE doesnt anonymize or scrub the source of attack information. So a defense contractor who gets targeted in an attack campaign first shores up his defenses against the attack, and then posts the attack footprints with other members of the DSIE, and everyone knows who shared it.
A tenet we often advocate is contacting your largest competitor and engaging with them in information-sharing. Because they are most likely being attacked by the same set of advanced adversaries, theres a wealth of potential intelligence, says Mike Gordon, vice chairman of the DSIE. We might be fierce competitors outside of DSIE, but within the partnership, we agree that cyber is a team sport, says Gordon, who works for Lockheed Martin.
Analysts at various defense contractors are on a first-name basis. Our Lockheed Martin analysts need to know Waynes [Boline, chairman of the DSIE] analysts at Raytheon by name, Gordon says.
Scrubbed or anonymized information isnt as useful and is more difficult to use, he says. Analysts need to be able to jump on the phone with one another and get more context than just a malicious IP, he says.
The defense industrial base group prides itself in disseminating attack intel fast, too:  “Within minutes of an indicator being found by one company, whether we knew it was successful or not, its being shared with other companies” in the ISAO, says Jay Weinstein, a member of the DSIE board. That’s what makes us unique. Other less-mature [ISACs] take weeks, days, and some are down to hours to share intel, says Weinstein, who is responsible for network security at a top 10 defense contractor firm. 
Members of the DSIE have discovered multiple zero-day attacks, and have shared those markers accordingly, members say.
Meantime, the healthcare industrys NH-ISAC in the past year has evolved into more intel-sharing activity. A year ago, it was more of pushing out information to the membership, says Deborah Kobza, executive director of the healthcare industrys NH-ISAC, whose membership includes private and public-sector health organizations, hospitals, medical device manufacturers, and health departments. But that has shifted dramatically, she says.
Anthems
massive data breach revealed last month
put the NH-ISACs intel-sharing capability into full gear. The NH-ISAC received indicators of compromise from what appeared to be the Anthem breach, which the ISAC confirmed with Anthem, and then pushed to members of the NH-ISAC as well as to other ISACs.
The I In ISAC
But in the end, its not just about the ISAC itself. Members of these communities need to discerningly ingest and apply the intel they get. The best intel is what you generate yourself, says an expert with experience in ISACs who requested anonymity.  
Theres also the potential for human error on the sharing end of the equation, notes Colby Derodeff, chief strategy officer at ThreatStream. An ISAC member could accidentally post a legitimate IP address rather than an illegitimate one, for example: If you just take that data at face value and put it into a correlation engine and monitor all firewall and proxy logs … youre going to generate thousands of false positives, he says.
Having the ability to analyze intel prior to putting it into active monitoring mode is really important.
[Read the first installment in this series

Efforts To Team Up And Fight Off Hackers Intensify
]
 

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
ISACs Demystified