The sharing of information about new threats among security professionals in the private and government sectors is a powerful weapon against stopping new attacks. However, CISOs have often been reluctant to share security information. But if we want help from other people, we have to be prepared to share information ourselves.
Cylance recently spoke with Frank J. Grimmelmann, President & CEO/ Intelligence Liaison Officer at Arizona Cyber Threat Response Alliance (ACTRA). Frank served as the President of Arizona’s Infragard program, where he worked with the FBI to establish an information exchange for the private and public sectors.
According to Frank, sharing information is just the start. “What is needed is a fully operational capability to allow those who own the assets to translate timely threat intelligence into defensive action, ideally in real time,” he explains.
To demonstrate the benefits that stand to be gained, Frank shared a story about two companies involved in information sharing that cooperated to stop a live attack. One company was attacked by an advanced persistent threat (APT). There was no motive, just a desire to destroy information. The attacker rewrote file directories and renamed files. The company reverse-engineered the original attack and created an algorithm to unscramble the files scrambled by the malware. When a second company sustained a similar attack, the first company quickly offered them the algorithm. The second company applied the script to unscramble their files, and resolved the problem without having to revert to recovering files from backup. They were fully operational almost immediately; and there was no cost for the solution.
Frank will be sharing his expertise and other stories when he joins Malcolm Harkins, Chief Security and Trust Officer at Cylance for a webinar on April 26, titled, ‘Why Sharing Actionable Information Prevents Risk and Secures the Enterprise’. This is the fourth webinar in the ‘Protect to Enable®’ webinar series, based on Malcolm’s book, Managing Risk and Information Security.
If you’re afraid of sharing information, you should consider that the benefits likely far outweigh any downside. Frank adds, “Everyone is worried about sharing information.” This can be successfully addressed by aligning diverse stakeholder’s interests across all engaged organizations. Worries dissipate when you understand that you are gaining access to actionable information that can be used against attackers.
“It goes beyond information sharing,” says Frank. “It goes all the way to defending your assets and eliminating the threat at the source.”
Frank’s group has also dealt with ransomware on a consistent basis. They track tactics, techniques, and procedures (TTPs) used by attackers to hide their actions, whether tunneling via email or a sinkhole through the web. On a very rapid basis, they determine headers and sources to help thwart future attacks. The victims sharing this information determine whether or not they reveal themselves as the source.
Frank has this message for all of us: “Read the newspaper. On a daily basis we are clearly losing to an increasingly sophisticated enemy, whether nation states, or just opportunistic criminals. They are capitalizing upon and monetizing our vulnerabilities. The reality is that you are not going to defeat the enemy by repeating responses that fail. We need to change the paradigm. We need seamless information exchanges that enable the private sector, public sector, academic, law enforcement, and intelligence agencies to work together to connect the dots and address the threat at the source. This can only work by aligning everyone’s self-interest in a trusted environment. In so doing, we deal with the source of the threats, not just the symptoms.”