Michael Smith, APJ Security CTO, Akamai, reveals why threat intelligence sharing is so relevant to cyber security and why Indian organizations need to understand its significance in safeguarding critical information.
Please elaborate on how threat intelligence sharing works and how it can help organizations in the current scenario.
The concept is really simple – the first person to see an attack shares the attack signatures and methods with their peers, so everyone learns from each other’s experience.
Good threat intelligence information is timely, accurate, and actionable, and these contradict each other. Sometimes you have to compromise on one to match the situation. For instance, if there is an active campaign hitting your organization and others, you might focus on speed of sharing, but the information you’re sharing isn’t as complete as it should be. In that case, the information is less actionable and accurate than you want it to be.
I’ve worked a lot with my professional services folks on managed services reporting, and there is a lot of crossover with the objectives of a threat intelligence program to make it timely, accurate, and relevant:
- Who is attacking me, how are they attacking me, and why are they attacking me?
- What changes do I need to make in operations, technical security controls, security devices, etc.?
- What value did I get out of my IT security spend and where do I need to increase, decrease, or repurpose funds?
Is this being adopted in the Indian enterprise space? How can Indian organizations approach threat intelligence sharing?
In the enterprise space in India, from what I’ve seen, they haven’t adopted much of it. We’re seeing a start of information sharing inside of Indian financial services with an Indian-only sharing community, but it’s really early, and they just set up a sharing platform.
One of the things that does cause me concern is when regulators start wanting to act as the hub to share threat intelligence. The big issue for me is that organizations need to be able to share information without fear of penalties by the regulators, and that runs counter to having a regulator be the aggregator of threat intelligence. There are regulators that are part of information-sharing organizations such as FS-ISAC, but it’s because they also are targets for attacks and they build processes to keep their own internal IT function from sharing attack information with their regulatory and punitive side of their organization.
What types of information are being exchanged, and how is the industry moving towards automation?
The types of information being shared range widely. In the beginning, threat intelligence was anti-virus signatures, malware command and control domains, and IP blacklists. During some large attack campaigns that have been defended against, we created an ad-hoc working group of targeted organizations, law enforcement, infrastructure and service providers, and industry researchers. Some of these working groups became permanent fixtures for other low-impact attacks. For India specifically, this is a very important approach, and government and regulators should encourage networking wherever possible to support this peer-to-peer intelligence sharing.
Over time, the amount and depth of information has increased to the point where most organizations have more information shoved at them than they can process.
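As an added illustration of the two answers above (this is example code written for this page, not Akamai’s or the interviewee’s), the script below consumes a constructed peer-shared feed of C2 domains and attacking IPs, applies confidence and age thresholds to cut the feed down to what is actionable, and matches the survivors against constructed access-log lines. The feed format, field names and all addresses are assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone
# Constructed sample feed in the shape a peer might share: C2 domains and
# attacking IPs with a confidence score and first-seen date. All values are
# made up for this example (documentation-only address ranges).
SHARED_FEED = json.dumps([
    {"type": "domain", "value": "update-check.example", "confidence": 90, "first_seen": "2015-09-01"},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 60, "first_seen": "2015-08-20"},
    {"type": "ipv4", "value": "203.0.113.0/24", "confidence": 40, "first_seen": "2015-06-01"},
])

# Constructed sample access-log lines: "client_ip host request".
SAMPLE_LOGS = [
    "198.51.100.23 www.example.test GET /login",
    "192.0.2.10 update-check.example POST /beacon",
    "203.0.113.77 www.example.test GET /index.html",
    "192.0.2.11 www.example.test GET /about",
]

def load_feed(raw, now, min_confidence, max_age_days):
    """Parse a shared feed and keep only indicators worth acting on. The thresholds
    are the timely/accurate/actionable trade-off: loosen for speed, tighten for precision."""
    kept = []
    for ind in json.loads(raw):
        first_seen = datetime.strptime(ind["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if ind["confidence"] < min_confidence or now - first_seen > timedelta(days=max_age_days):
            continue
        if ind["type"] == "ipv4":
            ind["net"] = ipaddress.ip_network(ind["value"], strict=False)  # single IP or CIDR
        kept.append(ind)
    return kept

def match_logs(indicators, lines):
    """Return (log line, matched indicator value) pairs."""
    hits = []
    for line in lines:
        client_ip, host, _request = line.split(" ", 2)
        for ind in indicators:
            if ind["type"] == "domain" and host == ind["value"]:
                hits.append((line, ind["value"]))
            elif ind["type"] == "ipv4" and ipaddress.ip_address(client_ip) in ind["net"]:
                hits.append((line, ind["value"]))
    return hits

def triage(min_confidence=50, max_age_days=90, now_str="2015-10-01"):
    """Run the constructed feed against the constructed logs with the given thresholds."""
    now = datetime.strptime(now_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return match_logs(load_feed(SHARED_FEED, now, min_confidence, max_age_days), SAMPLE_LOGS)
```

With the default thresholds the low-confidence, stale /24 is dropped and only two log lines fire; relaxing the thresholds brings the third hit back at the cost of more noise to process.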
What’s your advice on balancing information sharing with protecting personal privacy?
In most cases, it’s pretty easy: you focus on the attacker – what tactics, techniques, and procedures (TTPs) they use – and on signatures or Indicators of Compromise (IoCs) that you detected. Identify how they do what they do, and how you find them. In those cases, the primary concern is for organizations to not be named as the target or for their source of the information, such as dark web forums, to dry up because the criminals now know that they’re being watched. In such cases, organizations don’t want the public or their regulator to know that they have been attacked because it leads to a ton of misplaced speculation and a certain amount of blaming the victim.
I know quite a few organizations that download a copy of usernames, emails, and passwords from account compromises to see if any of their users were exposed, then they force that user to do a password reset.
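One way to implement the exposure check just described, as an added example that is not part of the interview or Akamai’s tooling: parse a constructed breach dump, keep only lines for your own domain (so other organizations’ credentials are never retained), and distinguish users whose leaked password still verifies against the stored hash from users who merely appear in the dump. The user store, hashing scheme and all credentials are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
# Constructed "breach dump" in the usual email:password form. Every value is
# made up for this example; nothing here comes from a real compromise.
DUMP_LINES = [
    "Alice@Example.test:Summer2015!",
    "bob@example.test:hunter2",
    "carol@other.test:letmein",
    "malformed line without separator",
]

def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256; the stored user record keeps the salt and this hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(email, password):
    salt = os.urandom(16)
    return {"email": email.strip().lower(), "salt": salt, "hash": hash_password(password, salt)}

# Constructed user directory: alice reused the leaked password, bob did not,
# dave does not appear in the dump at all.
USERS = [make_user("alice@example.test", "Summer2015!"),
         make_user("bob@example.test", "DifferentPassphrase9"),
         make_user("dave@example.test", "NotInTheDump")]

def parse_dump(lines, our_domain):
    """Yield (email, password) for well-formed lines in our own domain only, so
    other organizations' user credentials are never processed or retained."""
    for line in lines:
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if email.endswith("@" + our_domain):
            yield email, password

def find_exposed(lines, users, our_domain):
    """Return {email: reason}. 'password_reused': leaked password still verifies, force
    the reset now. 'listed_in_dump': account appears but that password is not in use."""
    by_email = {u["email"]: u for u in users}
    exposed = {}
    for email, leaked_pw in parse_dump(lines, our_domain):
        user = by_email.get(email)
        if user is None:
            continue
        if hmac.compare_digest(hash_password(leaked_pw, user["salt"]), user["hash"]):
            exposed[email] = "password_reused"
        else:
            exposed.setdefault(email, "listed_in_dump")
    return exposed
```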
What are the most common attack methods being used to target websites and supporting infrastructure, including India-specific trends compared with the APJ region and the world?
I usually categorize organizations by both industry and geography, so you’ll get a slice across everything here. India in general is interesting because it has a huge user population and some really talented engineers, but connectivity to the user is small, mobile network speeds being a good example. Online channels are the equalizer between India and the rest of the world. The Internet brings significant wealth to India in the form of consulting and engineering efforts, but the amount of services for people inside of India is proportionately smaller than it should be because the infrastructure is not built out with the local user population in mind.
Akamai has been tracking the activities of a group called DD4BC, or DDoS for BitCoin, who are running a DDoS protection racket. DD4BC sends the target an email and threatens to DDoS their site if they don’t pay the protection money they charge targeted organizations. They’ve been highly active in Asia over the past two months, including India.
Then there are the usual industry-specific attacks. Commerce sites get attacked for user information and PII such as credit card numbers. Media and news organizations get hacked in order to use them to distribute the attacker’s message or as retribution for a particular story. Government gets flash crowds depending on the relevant news of the day.