"Six Steps for Sharing Threat Intelligence" -- provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-26

After the 9/11 terrorist attacks, threat information sharing began to receive more attention in the cybersecurity industry.

You might think it would be a routine process by now, especially considering the large number of data breaches in the past few years. Although the federal government and the Information Sharing and Analysis Centers (ISACs) have made great progress in this area, many organizations still put threat information sharing on the back burner.

"The situation today is that CISOs are very busy! Although they know that information sharing would help them be better at their current jobs, or at least be better people, they put it off," says Paul Kurtz, founder and CEO of TruStar Technology. "They don't always recognize the benefits of information sharing."

Kurtz says the main principles of threat information sharing are:

1. Information sharing is not altruistic. The purpose of exchanging data is to identify problems faster and mitigate attacks. When an industry vertical shares threat data, other companies in that industry no longer have to repeat the same work, and everyone benefits.

2. Information sharing is not breach notification. Organizations need to share event data early in the security cycle, before an incident occurs, such as information about suspicious activity.

3. As long as no personally identifiable information is shared, sharing data about exploit code and vulnerabilities with other organizations is legal. For example, a victim's email address is usually not shared. Typical types of information shared include suspicious URLs, hash tags, and IP addresses. The Cybersecurity Information Sharing Act of 2015 provides more detail.

4. The sharing system must be easy to use. Make sure the system is user-friendly and can be easily integrated into the workflows of the security operations center (SOC), the threat hunting team, or the fraud investigation team.

Greg Temm, chief information risk officer at the Financial Services Information Sharing and Analysis Center (FS-ISAC), cautions that enterprises need sufficient patience when sharing threat information.

"Threat sharing takes time," Temm says. "We may have lists of suspicious activity, but what we really want is the reason threat actors carry out their attacks. What really matters is whether the threat actor is working for a nation state, and whether cybercriminals are in it for money or serving a political viewpoint. Getting to the bottom of that requires a combination of shared data, analytics, and threat intelligence tradecraft."

Neal Dennis, a senior ISAC analyst at the Retail Cyber Intelligence Sharing Center (R-CISC), says companies that don't know where to start, or don't have a large set of security tools, should contact their ISAC. "Many of our members are small retail companies that don't have the resources of a Target or Home Depot, so it makes sense for them to seek threat information and guidance from the retail ISAC on deploying potential tools," Dennis says.

Here are some suggestions on how to share threat intelligence.

Understand the threat events inside your enterprise

Get your own house in order: start by understanding the events inside your enterprise and how they relate to each other. Unless you understand the activity going on inside your own organization, you cannot share information with others. There are many tools today that can help you understand your event data. Some vendors in this space include TruStar Technology (which specializes in aggregating threat intelligence for sharing with other enterprises and regions) and the threat intelligence providers Anomali and ThreatConnect.

Use intelligence more effectively

Make sure you can use the intelligence shared by other providers, whether it comes from CrowdStrike or from an ISAC, and whether from the financial, aerospace, or retail sector. Enterprises often cannot easily use external threat feeds from proprietary threat providers or sharing centers. Typically they receive an email listing 20 suspicious IP addresses but have no way to sift through that information. When choosing a tool, ask whether it can help with this process, because sifting through lists is very time consuming and eats up a great deal of security experts' time and energy.

Start information sharing

Now you are ready to exchange data with peers in your industry and with business partners. But before sharing, be sure to choose a system that returns immediate value by letting you see how your own event data correlates with others'. For example, if your event correlates with another company or with your industry ISAC, you can share information with them and obtain theirs in return. Unless you are sure a threat is real, there is no incentive to share.

If possible, don't limit your sources of threat intelligence

Choose a system that lets you join any number of sharing organizations or partnerships while protecting attribution as you see fit. Some events can be shared widely, while others may require more special handling. The benefit of seeking to share information with other industries is that you may find common patterns based on bad URLs, IP addresses, or browser data.

Choose a system that can participate with the US government

Sharing information with the Department of Homeland Security's Automated Indicator Sharing (AIS) service may benefit your organization. Over the past few years, DHS has worked to develop an ecosystem of partners that share threat intelligence. AIS aims to share threat intelligence broadly across the public and private sectors, enabling organizations to protect themselves more effectively against cyberattacks.

Small organizations: turn to your ISAC for help

Small and midsized enterprises simply don't have the financial means to buy more sophisticated threat intelligence, and they cannot afford to hire threat hunters either. These organizations should work with their industry ISAC to set up a low-cost threat intelligence system. Odds are, your industry ISAC has contacts with vendors and may even have special deals for establishing relationships with companies that specialize in threat intelligence.


6 Steps for Sharing Threat Intelligence (original article)

https://www.darkreading.com/threat-intelligence/6-steps-for-sharing-threat-intelligence-------/d/d-id/1330386?

11/10/2017 11:00 AM

Steve Zurier

Industry experts offer specific reasons to share threat information, why it's important - and how to get started.

Threat information-sharing first started getting more attention and interest in the cybersecurity industry after the 9/11 terror attacks.

So you'd think by now it would be a routine process, especially with the volume of high-profile data breaches in the past few years. But while there has been much progress between the federal government and the vertical flavors of the Information Sharing Analysis Centers (ISACs), threat information-sharing still has been put on the back burner by many organizations.

"What's happened is that CISOs are so busy today that information sharing has become the kind of thing that they know will make them a better CISO, or at least a better person, but they put it off," says Paul Kurtz, founder and CEO of TruStar Technology. "They don't always recognize the benefits of information sharing."


Kurtz says the key principles of threat information-sharing are:

1. Information sharing is not altruistic. The objective of data exchange is to identify problems more quickly and mitigate attacks faster. When an industry vertical shares common threat data and other companies in the field don't have to reinvent the wheel, everyone benefits.

2. Information sharing is also not about breach notification. Organizations need to share event data early in the security cycle – before an event happens – such as information about suspicious activity.

3. Sharing data with other organizations about exploits and vulnerabilities is legal so long as you don't share personally identifiable information. For example, a victim's email address is usually not shared. Typical types of information that are fair game include suspicious URLs, hash tags, and IP addresses. The Cybersecurity Information Sharing Act of 2015 provides more detail here.

4. The sharing system must be easy to use. Make sure the system is user-friendly and can easily integrate with your established workflow within a SOC, a hunting team, or a fraud investigation unit.

Greg Temm, chief information risk officer at the Financial Services Information Sharing and Analysis Center (FS-ISAC), cautions that organizations need to have patience with threat intel-sharing.

"Threat intelligence takes time," Temm says. "We might have lists of suspicious activity, but what we really want are the reasons why threat actors are making their attacks. What's really significant is whether the bad threat actors are working for a nation state, are cybercriminals in it for the money, or possibly hacktivists looking to make a political point. Getting to the bottom of that takes a combination of the shared data, analytics, and the threat intelligence tradecraft."

Neal Dennis, a senior ISAC analyst at the Retail Cyber Intelligence Sharing Center (R-CISC), says companies that don't know where to start or don't have deep pockets for security tools should contact their industry ISAC. "A lot of our members are smaller retail companies that don't have the resources of a Target or Home Depot, so it makes sense for them to seek out the retail ISAC for threat information and guidance on potential tools to deploy," Dennis says.

Here are some tips on how to get started with sharing threat intelligence.

Understand threat events you are seeing in-house

Get your own house in order: Start by understanding the events within your four walls and how they correlate. You can't begin to share information with others until you have an understanding of what's going on inside your own organization. There are many tools out there today that can give you this picture of your event data. Some vendors in this space include TruStar Technology, which specializes in aggregating threat intelligence to share with other verticals and regional geographies, and threat intel providers Anomali and ThreatConnect.

Make more efficient use of the intelligence you're already using

Operationalize threat feeds from other providers with your event data. Make sure you can use what you are getting already, whether it's from CrowdStrike or one of the ISACs, be it the financial, aerospace, or retail sector. Often companies can't easily use external threat feeds from proprietary threat providers or sharing centers. Often they will get an email that lists 20 suspicious IP addresses, but they have no way to sift through all that information. When selecting a tool, ask if the tool can help with this process, because sifting through the listservs is very time consuming and a good way to burn out your security pros.

Start the information-sharing process

Now you're ready to exchange data with your peers in the industry and business partners. But be sure to select a system that returns immediate value by allowing you to see how your event data relates to others before you share. For example, if your event correlates with another company or industry ISAC, then move forward and share and get the benefit of what your peers also know about the threat. There's no incentive to share unless you know for sure that the threat is for real.

If possible, don't limit your sources of threat intelligence

Select a system that allows you to join any number of sharing organizations or partnerships, while still protecting attribution as you see fit. Some events can be broadly shared, while others may require more special handling. The benefit to seeking out sharing arrangements with other verticals is that you may find common patterns in terms of bad URLs, IP addresses, or browser data.
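The three sections above (operationalizing an external feed instead of eyeballing an email of 20 IP addresses, correlating it with your own event data before you share, and protecting attribution as you see fit), together with Kurtz's third principle about leaving personally identifiable information out of what you share, describe a small pipeline. The following Python script is an added example written for this page; it is not code from the article or from any of the vendors it names. The feed format ("type,value" lines), the key=value log format, the field names, and the organization name are assumptions, and every indicator value and log line is constructed from documentation-only address ranges.

```python
"""Added example (not the article's or any vendor's code): ingest an external
indicator list, correlate it with local events, and emit a share record with
PII stripped and attribution under the submitter's control. Feed/log formats,
field names and org name are assumptions; all values below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed partner feed, one "type,value" per line. IPs come from the
# RFC 5737 documentation ranges; the URL uses the reserved .invalid TLD.
EXTERNAL_FEED = """\
# partner feed, constructed sample
ip,203.0.113.45
ip,198.51.100.7
url,http://example.invalid/login-update
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

# Constructed local event log in key=value form, one event per line.
LOCAL_EVENTS = """\
ts=2017-11-10T08:14:02Z src=10.0.0.12 dst=203.0.113.45 user=alice@corp.example action=allow
ts=2017-11-10T08:15:10Z src=10.0.0.19 dst=192.0.2.80 user=bob@corp.example action=allow
ts=2017-11-10T08:16:33Z src=10.0.0.12 url=http://example.invalid/login-update user=alice@corp.example action=allow
ts=2017-11-10T08:17:45Z src=10.0.0.31 dst=198.51.100.7 user=carol@corp.example action=deny
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PII_FIELDS = {"user", "src"}  # victim identity and internal addressing stay in-house
# Which event field is compared against which indicator type (assumed schema).
FIELD_TO_TYPE = (("dst", "ip"), ("src", "ip"), ("url", "url"), ("sha256", "sha256"))


def parse_feed(text):
    """Return {indicator_type: set(values)}. Malformed entries raise instead of
    silently becoming indicators that can never match anything."""
    indicators = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "ip":
            ipaddress.ip_address(value)  # ValueError on garbage
        elif kind == "sha256":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                raise ValueError(f"bad sha256 in feed: {value}")
        elif kind != "url":
            raise ValueError(f"unknown indicator type: {kind}")
        indicators[kind].add(value)
    return indicators


def parse_events(text):
    """Parse key=value log lines into dicts."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def correlate(indicators, events):
    """Return (type, value, event) for every local event touching a fed indicator."""
    hits = []
    for ev in events:
        for field, kind in FIELD_TO_TYPE:
            value = ev.get(field)
            if value is not None and value in indicators.get(kind, ()):
                hits.append((kind, value, ev))
    return hits


def sanitize_event(ev):
    """Drop PII fields and redact anything email-shaped left in other values."""
    return {k: EMAIL_RE.sub("[redacted-email]", v)
            for k, v in ev.items() if k not in PII_FIELDS}


def build_share_record(hits, keep_attribution=False, org_name="ExampleCorp"):
    """Indicators, sighting counts and sanitized context go out; victim
    identities do not; the submitter is named only if it chooses to be."""
    by_indicator = defaultdict(list)
    for kind, value, ev in hits:
        by_indicator[(kind, value)].append(sanitize_event(ev))
    record = {
        "submitter": org_name if keep_attribution else "anonymous",
        "indicators": [{"type": k, "value": v, "sightings": len(ctx), "context": ctx}
                       for (k, v), ctx in sorted(by_indicator.items())],
    }
    if EMAIL_RE.search(repr(record)):  # last check before anything leaves the org
        raise ValueError("PII leaked into share record")
    return record


def run_pipeline(feed_text=EXTERNAL_FEED, log_text=LOCAL_EVENTS, keep_attribution=False):
    """Feed -> correlate with local events -> sanitized share record."""
    hits = correlate(parse_feed(feed_text), parse_events(log_text))
    return build_share_record(hits, keep_attribution=keep_attribution)


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(), indent=2))
```

Run as-is, three of the four feed indicators have local sightings, so those three (with timestamps and allow/deny outcome, but no user names or internal source addresses) make up the record, and the submitter is "anonymous" unless `keep_attribution=True` is passed. The feed parser rejects malformed IPs and hashes on purpose: a quietly mis-parsed indicator is worse than a loud failure, because it looks like "no sightings" for the rest of the feed's life.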

Select a system that can participate with the US government

It may benefit your organization to share information with the Department of Homeland Security's Automated Indicator Sharing (AIS) service. Over the past couple of years, DHS has worked to develop an ecosystem of partners that share threat intelligence information. AIS seeks to share this threat intelligence broadly across the public and private sector so organizations can more efficiently protect themselves against cyberattacks.

Small organizations: lean on your ISAC for help

Small- and midsized companies simply don't have the money to pay for the more sophisticated threat intelligence feeds, and they probably can't afford to hire a threat hunter. Those organizations should work with their industry-specific ISACs to set up a low-cost threat intelligence system. Odds are, your industry ISAC will have contacts with vendors, and may even have special deals available for setting up relationships with companies that specialize in threat intelligence.

Attachments:

6 Steps for Sharing Threat Intelligence -- original.pdf

6 Steps for Sharing Threat Intelligence -- translation.pdf
