Hack victims urged to share the gory details

"The good guys, each of them had a piece of the puzzle, but nobody was seeing the whole puzzle"

It may be difficult to remember now, but not too long ago, cyberattacks rarely made headlines in mainstream news. That's not to say that these advanced persistent threats, sometimes state-sponsored or the product of organized crime, were uncommon. On the contrary, they were booming. It was just that few people liked to talk about them.

Bill Guenther, the chairman, CEO and founder of Mass Insight Global Partnerships in Boston, recalls the bleak cybersecurity outlook in 2008. At the time, Mass Insight had teamed with McKinsey on a survey that found that, for many of the organizations, the most valuable information about recent cyberattacks was often the safest to share. The organizations that had suffered attacks could release the evidence of specific attacks, such as the signatures the attackers leave behind, without giving away sensitive information about their operations.

However, at the time, there was one problem: no one wanted to do it, even though the attackers had been doing it all along.


"The bad guys share information informally, sometimes formally. There are auction markets for tools and resources and attack strategies," Guenther says. "And the good guys, each of them had a piece of the puzzle, but nobody was seeing the whole puzzle, and there was real value in sharing information."

So, in 2008, Mass Insight Global Partnerships launched the Advanced Cyber Security Center (ACSC), a nonprofit, cross-sector consortium of Massachusetts-based organizations designed to foster voluntary cyberthreat information sharing. At the time, asking private organizations to share information about their cybersecurity and vulnerabilities meant asking them to change how they handled security in general.

"We're talking about human behavior here," Guenther says. "And we're basically talking about how you change incentives from an incentive to run a closed shop to one to run a slightly opened shop within a protected circle."

Beyond the trust issue, a big obstacle the ACSC has seen is a reluctance to adopt a new mentality regarding cybersecurity, Charlie Benway, the organization's executive director, says.

"What's happening from a bigger-picture perspective is there's a shift in paradigm going on in cybersecurity, and there's a maturity spectrum here, and some folks are still at the beginning of the maturity curve, where it's the old philosophy of 'I have to set up firewalls, I have to keep people out and I've got to do my patches, and that's what I need to do,'" Benway says.

In the past few years, mainstream media has caught on to major cyberattacks. That publicity has led many organizations to accept the fact that they may not be able to prevent every attack, Benway says. This shift in paradigm led many CISOs to acknowledge that they may be better off gaining as much intelligence on the attackers and their methods as possible. Instead of approaching security from the perspective of vulnerabilities, the ACSC advocates focusing on the threats.

While the shift in mindset does explain the value of threat sharing, private organizations still need incentives to share their cyberthreat information. What many have come to realize, however, is that what's good for the security community as a whole will likely benefit them individually, Benway says.

"If I'm a financial services company and I'm connected to 500 banks, and some of those banks may be small or medium-sized banks and they don't have the type of resources I have for cybersecurity, I need to help them secure themselves, or I've got issues," Benway says. "And you hear that on a regular basis now."

As more organizations begin to realize the incentives of threat sharing, the ACSC still needs to establish trust. Guenther admits that threat sharing has occurred for years, between CIOs and CISOs at different companies who trust each other enough to discuss cyberattacks without worrying about the public finding out. That's where the value of operating as a regional organization comes into play.

Private organizations have plenty of resources for threat sharing, such as the Information Sharing and Analysis Centers (ISACs), which offer industry-specific, nationwide networks in which hundreds of businesses can share cybersecurity information. While Guenther says "there's clearly a place for the ISACs" and large-scale sharing, he says the ACSC provides added value by allowing organizations from several sectors to work together in small groups. Since launching in 2008, the ACSC has grown from 15 members to 28, and Guenther says the group likely will not grow larger than 35, to ensure a high level of communication in the network. By turning to the Massachusetts area and fostering a regional network, the ACSC connects organizations from the technology, financial services, higher-education and healthcare industries for bi-weekly, three-hour meetings to share threat information. Financial services firms, for example, get to see and discuss threat information from those in the technology or healthcare fields. The information they find from those organizations could help them identify trends within their own industry. Those trends could inspire new discussion within an industry-specific ISAC, and vice versa.

In a constantly fluctuating cybersecurity world, access to diverse threat information could be critical. Otherwise, the attackers might catch on to their targets' threat-sharing practices, and could adapt to avoid detection. That's how cyberwars are fought these days, and, as Guenther sees it, it's how they will be fought for the foreseeable future.

"You got the bad guys developing new tactics and the good guys trying to stay ahead of them. The more you understand about your adversary and the tactics they use, the better you can defend against them. That's the basic theory," Guenther says. "But there's no endpoint. It doesn't stop at some point. It's always going to get more sophisticated on both sides."

Colin Neagle covers emerging technologies and the startup scene for Network World. Follow him on Twitter and keep up with the Microsoft, Cisco and Open Source community blogs. Colin's email address is cneagle@nww.com.
