Empowered by high-level endorsement of their collaboration, Australia's businesses and government bodies need to proactively leverage their growing body of threat intelligence into new defensive and offensive cybercrime strategies, one regional CISO has advised in the wake of his growing engagement with the country's cybersecurity community.
While it had taken some time for comfort levels with increased threat-sharing practices to grow, increasing familiarity with threat-exchange formats like STIX and TAXII had taken the complexity out of the actual processes of data sharing, Palo Alto Networks vice president and APAC chief security officer Sean Duca recently told CSO Australia.
Duca, whose remit includes protecting the almost continuously-attacked systems of a worldwide security vendor, has embraced the emerging culture of threat sharing, particularly in countries like Australia where an explicit government mandate around cybersecurity has promoted the productive sharing and use of threat information as part of its Australian Cyber Security Strategy (ACSS).
Calling the strategy “a great thing”, Duca called for more action by business leaders in its wake – particularly from large companies – “who are driving a large part of the economy of Australia” and have extensive experience and investments in cybersecurity capabilities.
“Whilst we would like to see a lot more, this is a step in the right direction,” Duca said. “Collectively it's up to us to make it work – and it's now time that we start to consider, collectively, how we can really start to get a lot of leverage here.” Rather than simply cataloguing online nasties and the depredations of the seemingly ceasless flow of online actors, Duca advocates the joint creation of 'adversary dossiers' that draw on growing bodies of threat intelligence to draw up collections of 'campaign plans' that outline not only what hacker groups are doing, but why and how. “We need to start thinking about how we map what we do to that lifecycle,” he said, noting the importance of fleshing out the widely-referenced ' cyber attack kill chain' for key cybersecurity threats.
“We can pick up on the very indicators focus on reconnaissance, and other organiastions are picking up on other indicators. We will eventually have maybe 100 threat indicators that we can put together, enrich that information and get to a point where we have very good information about what the adversary is trying to do.” “It's not enough just saying 'there is something bad out there',” he added. “The more that we share this information in a way that allows us to get that timely information into everyone's hands, it is actionable and we can decide what to do with it.
There needs to be contextual threat intelligence, where everyone can act on it as quickly as they possibly can.” Duca's support of increased threat-sharing practices has been echoed by other players in Australia's information-security market in the wake of damning assessments by the likes of the Australian Centre for Cyber Security (ACCS), which in June slammed “a relative lack of attention” to persistent gaps in cybersecurity capabilities.
Recent changes to the structure of the government's Australian Cyber Security Centre (ACSC) – which was moved from an office inside a secure government building into its own facility – had “allowed the industry to start to collaborate”, Duca noted.
Similarly, growing consensus around the types of information that were most important to share – “STIX has around 600 different fields that can be populated with information but if you talk with anyone that has actually used it internally, there are probably around 45 fields that are pertinent,” he said – had helped threat-sharing efforts get well past the starting blocks.
Despite the government taking an early role in getting the cybersecurity ball rolling, individual private-sector companies were rapidly picking up the baton – heralding a new level of sharing that Duca believes will help private-public cybersecurity partnerships really start putting runs on the board in the fight against cybercrime.
“There are a lot of people in the private sector that have been doing amazing things,” he explained. “If we can get that into the hands of private organisations or the public sector, we can quickly create a standard. We've all got a role we can play.”