Hack victims urged to share the gory details
- 12 September, 2013 16:25
It may be difficult to remember now, but not too long ago, cyberattacks rarely made headlines in mainstream news. That's not to say that these advanced persistent threats, sometimes state-sponsored or the product of organized crime, were uncommon. On the contrary, they were booming. It was just that few people liked to talk about them.
Bill Guenther, the chairman, CEO and founder of Mass Insight Global Partnerships in Boston, recalls the bleak cybersecurity outlook in 2008. At the time, Mass Insight had teamed with McKinsey on a survey that found that, for many of the organizations, the most valuable information about recent cyberattacks was often the safest to share. The organizations that had suffered attacks could release the evidence of specific attacks, such as the signatures the attackers leave behind, without giving away sensitive information about their operations.
However, at the time, there was one problem: no one wanted to do it, even though the attackers had been doing it all along.
"The bad guys share information informally, sometimes formally. There are auction markets for tools and resources and attack strategies," Guenther says. "And the good guys, each of them had a piece of the puzzle, but nobody was seeing the whole puzzle, and there was real value in sharing information."
So, in 2008, Mass Insight Global Partnerships launched the Advanced Cyber Security Center (ACSC), a nonprofit, cross-sector consortium of Massachusetts-based organizations designed to foster voluntary cyberthreat information sharing. At the time, asking private organizations to share information about their cybersecurity and vulnerabilities meant asking them to change how they handled security in general.
"We're talking about human behavior here," Guenther says. "And we're basically talking about how you change incentives from an incentive to run a closed shop to one to run a slightly opened shop within a protected circle."
Beyond the trust issue, a big obstacle the ACSC has seen is a reluctance to adopt a new mentality regarding cybersecurity, Charlie Benway, the organization's executive director, says.
"What's happening from a bigger-picture perspective is there's a shift in paradigm going on in cybersecurity, and there's a maturity spectrum here, and some folks are still at the beginning of the maturity curve, where it's the old philosophy of 'I have to set up firewalls, I have to keep people out and I've got to do my patches, and that's what I need to do,'" Benway says.
In the past few years, mainstream media has caught on to major cyberattacks. That publicity has led many organizations to accept the fact that they may not be able to prevent every attack, Benway says. This shift in paradigm led many CISOs to acknowledge that they may be better off gaining as much intelligence on the attackers and their methods as possible. Instead of approaching security from the perspective of vulnerabilities, the ACSC advocates focusing on the threats.
While the shift in mindset does explain the value of threat sharing, private organizations still need incentives to share their cyberthreat information. What many have come to realize, however, is that what's good for the security community as a whole will likely benefit them individually, Benway says.
"If I'm a financial services company and I'm connected to 500 banks, and some of those banks may be small or medium-sized banks and they don't have the type of resources I have for cybersecurity, I need to help them secure themselves, or I've got issues," Benway says. "And you hear that on a regular basis now."
As more organizations begin to realize the incentives of threat sharing, the ACSC still needs to establish trust. Guenther admits that threat sharing has occurred for years, between CIOs and CISOs at different companies who trust each other enough to discuss cyberattacks without worrying about the public finding out. That's where the value of operating as a regional organization comes into play.
Private organizations have plenty of resources for threat sharing, such as the Information Sharing and Analysis Centers (ISAC), which offer industry-specific, nationwide networks in which hundreds of businesses can share cybersecurity information. While Guenther says "there's clearly a place for the ISACs" and large-scale sharing, he says the ACSC provides added value by allowing organizations from several sectors to work together in small groups. Since launching in 2008, the ACSC has grown from 15 members to 28, and Guenther says the group likely will not grow larger than 35, to ensure a high level of communication in the network. By turning to the Massachusetts area and fostering a regional network, the ACSC connects organizations from the technology, financial services, higher-education and healthcare industries for bi-weekly, three-hour meetings to share threat information. Financial services firms, for example, get to see and discuss threat information from those in the technology or healthcare fields. The information they find from those organizations could help them identify trends within their own. Those trends could inspire new discussion within an industry-specific ISAC, and vice versa.
In a constantly fluctuating cybersecurity world, access to diverse threat information could be critical. Otherwise, the attackers might catch on to their targets' threat-sharing practices, and could adapt to avoid detection. That's how cyberwars are fought these days, and, as Guenther sees it, it's how they will be fought for the foreseeable future.
"You got the bad guys developing new tactics and the good guys trying to stay ahead of them. The more you understand about your adversary and the tactics they use, the better you can defend against them. That's the basic theory," Guenther says. "But there's no endpoint. It doesn't stop at some point. It's always going to get more sophisticated on both sides."
Colin Neagle covers emerging technologies and the startup scene for Network World.