govciooutlookapac

National Cyber Intelligence Sharing Needs to Evolve: Cybersecurity information sharing is not keeping pace with the risk that threats pose.

Lester Godsey, Chief, Maricopa County

According to a 2021 Infosec Institute article that shared research conducted by Agari, when credentials were successfully stolen, 20% of those were compromised in less than one hour. In Maricopa County, we regularly see honeyed credentials that we submit to credential harvesting sites being used in login attempts, sometimes in 15 minutes or less. Additionally, we continue to see targeted phishing campaigns, with live threat actors engaging users in attempts to gain access, data and/or money. With the increasing speed at which technology is used to exploit weaknesses in organizations, and the business-fication of cyber-attacks (think DDoS as a service, etc.), it is imperative that our information sharing capabilities scale accordingly. And therein lies the problem, or rather one of several. There are a few reasons why we need to evolve the way we share cyber intelligence:

Regionality and Sectors

Much of how cyber intelligence is shared is based on these two factors. In the case of different sectors, many of the organizational structures in place are based on this. Look at the creation and use of ISACs (Information Sharing and Analysis Centers), which are focused on critical infrastructure sectors. According to the National Council of ISACs there are currently 25 ISACs in existence. Sharing efficacy amongst these ISACs aside, what they have in common is that they are typically limited to their sphere of infrastructure. Is sharing threats with others in the same sector valuable? Absolutely, but sharing and receiving cyber intelligence only amongst similar entities certainly diminishes the scope of inquiry and awareness. This isn't to suggest that most organizations rely on a single source of intelligence when it comes to cyber security, but it does point to a limited perspective at best.

In terms of regionality, this is something most often experienced by government agencies, especially at the state and local levels. Because there is no national standard per se for government intelligence (the closest thing to this is the Multi-State ISAC, or MS-ISAC), many government agencies, especially states, have been forming their own intelligence sharing coalitions. However, much like the other ISACs, this provides a limited perspective of the threat landscape.


A great example of this was the recent Super Bowl hosted in Arizona this year. Part of the planning activities included cyber monitoring leading up to and on the day of the event. What was unusual about this planning was the fact that multiple sectors, ranging from government to transportation to manufacturing to entertainment, all participated. While the actual day of the event was quiet, there was cyber activity leading up to the game, and the two sectors that were targeted with the same attack were local government and entertainment (specifics withheld to maintain anonymity). If we had taken the normal ISAC or regional intel sharing approach, this correlation between two disparate sectors would never have been discovered, or at least would have been discovered a lot later than it was.

Timeliness

This is an ongoing struggle between threat actors and defenders, and it isn't one that is only technology-based. Yes, technology is improving and, as such, the speed at which attacks are launched against organizations is increasing with each technological improvement. However, threat actors are also getting better in terms of workflow and process. They continue to refine their processes and then leverage technology, in the form of automation, to deliver malicious payloads at scale and speed.

If we want to have any hope of stemming the cyber tide, we need to receive intelligence at machine speed, or as close to it as possible, so that we can take advantage of technology to do something constructive with this information. It is impossible to manually take all the information received in the form of IOCs (indicators of compromise) and do something meaningful with it. Automation is the key by which we can take this intel and protect our organizations: temporary blacklisting, DNS sinkholing, reporting and threat modelling, etc.

But Why a National Approach?

We have determined that, while effective, sector-based sharing is hardly sufficient to gain a holistic awareness of the threat landscape. Disparate sectors need to share with one another, but how? Creating a national standard would ensure that, regardless of sector, there was a uniform way to disseminate IOCs in such a way that organizations could take action.

There are standards out there, just not widely adopted and none mandated, at least across all public and private sectors. For example, CISA (Cybersecurity and Infrastructure Security Agency) has the AIS (Automated Indicator Sharing) platform, which uses open standards for intel sharing like STIX (Structured Threat Information Expression) for cyber threat indicators and TAXII (Trusted Automated Exchange of Indicator Information) for machine-to-machine communications. Truthfully, most threat intel sharing platforms, open source and paid, support STIX/TAXII. Where a national approach would be most helpful is the trust factor.

The real issue with taking threat intelligence and doing something at machine speeds is that one must trust the information being shared implicitly. Most of us in this industry have more stories about false positives being shared in threat feeds than we care to admit.
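As an added illustration of the trust problem above (this is example code, not the article's or Maricopa County's own tooling), the following Python gate takes a STIX 2.1 bundle of the kind AIS delivers over TAXII and auto-actions only indicators that come from a trusted producer identity, clear a confidence floor, are still valid, and use a pattern it can parse unambiguously; everything else is queued for an analyst rather than pushed straight into a sinkhole or block list. The identity and indicator ids, timestamps and network values are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Auto-action only a single equality test on a domain or IPv4; AND/OR, hashes and wildcards go to analysts.
_SIMPLE = re.compile(r"^\[(domain-name:value|ipv4-addr:value)\s*=\s*'([^']+)'\]$")

def stix_time(ts):  # STIX timestamps are RFC 3339 UTC with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(bundle, trusted_sources, min_confidence, now):
    """Sort STIX 2.1 indicators into automatic actions or a review queue."""
    out = {"dns_sinkhole": [], "ip_block": [], "review": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("created_by_ref") not in trusted_sources:
            reason = "untrusted source"  # trust is per producer identity, not per feed
        elif obj.get("confidence", 0) < min_confidence:
            reason = "low confidence"  # STIX confidence is 0-100; absent counts as 0
        elif obj.get("revoked") or ("valid_until" in obj and stix_time(obj["valid_until"]) <= now):
            reason = "revoked or expired"  # stale IOCs are a classic false-positive source
        elif obj.get("pattern_type", "stix") != "stix" or not _SIMPLE.match(obj["pattern"]):
            reason = "pattern needs manual parsing"
        else:
            kind, value = _SIMPLE.match(obj["pattern"]).groups()
            out["dns_sinkhole" if kind == "domain-name:value" else "ip_block"].append(value)
            continue
        out["review"].append((obj["id"], reason))
    return out

# Constructed sample data: identity/indicator ids, timestamps and network values are made up.
TRUSTED_ID = "identity--aaaaaaaa-0000-4000-8000-000000000001"
OTHER_ID = "identity--bbbbbbbb-0000-4000-8000-000000000002"
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)

def _ind(n, pattern, source, confidence, **extra):
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--0000000{n}-0000-4000-8000-000000000000", "pattern": pattern,
            "created": "2023-02-01T10:00:00.000Z", "modified": "2023-02-01T10:00:00.000Z",
            "valid_from": "2023-02-01T10:00:00.000Z", "created_by_ref": source,
            "confidence": confidence, **extra}

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--cccccccc-0000-4000-8000-000000000003", "objects": [
    _ind(1, "[domain-name:value = 'c2.example.invalid']", TRUSTED_ID, 90),
    _ind(2, "[ipv4-addr:value = '203.0.113.7']", TRUSTED_ID, 80),
    _ind(3, "[ipv4-addr:value = '198.51.100.9']", TRUSTED_ID, 20),
    _ind(4, "[domain-name:value = 'lure.example.invalid']", OTHER_ID, 95),
    _ind(5, "[domain-name:value = 'stale.example.invalid']", TRUSTED_ID, 85, valid_until="2023-02-10T00:00:00.000Z"),
    _ind(6, "[domain-name:value = 'x.example.invalid' OR ipv4-addr:value = '203.0.113.8']", TRUSTED_ID, 90),
]}
```

Running `triage(SAMPLE_BUNDLE, {TRUSTED_ID}, 50, NOW)` sinkholes one domain and blocks one address, while the low-confidence, foreign-source, expired and compound indicators all land in the review queue with their reasons attached.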

Until a national standard is adopted and followed, we will continue to see a series of communities sharing with one another, to varying degrees of effectiveness. However, sharing at a comprehensive national level will continue to elude us all.
