Still needing treatment for your cybersecurity nightmares? CISA may help.

Kevin Pratt, previously Lead Anti-Fraud Analytics Scientist at Teradata, MSCS, JD

CIOs have nightmares after reading about adversaries like these:
“These attackers [Hidden Lynx] are a highly efficient team who can undertake multiple campaigns at once and breach some of the world’s best-protected organizations.” Symantec-hidden_lynx

Yes, criminal hackers team up to attack. Why don’t their intended victims collaborate to defend? They are starting to. After years of calls for shared cyber defense, the US government is moving forward with some treatment for these cyber nightmares.
Cyber attacks are often preludes to fraud.
Organized crime knows that the road to big payoffs begins with cyber attacks that acquire the predicate information needed to accomplish massive exfiltrations of money or intellectual property, a loss estimated globally at $400 billion. Google-economic impact of cybercrime

Crime rings are sneaky and opportunistic.
Until now, each company individually wrestled with solitary defenses against attack modus operandi.  But the criminals may have already perfected and repeated the attack across the ocean or down the street.  To meet these persistent and creative attacks, every business would need a building full of cybersecurity experts.  Lack of shared defensive practices simply meant failure of defenses.
Finally, at the end of 2015, both political parties, with the wide support of business, completed enactment of the Cybersecurity Information Sharing Act (CISA). For the first time, there can be secure and protected, broad, real-time sharing across the country of threat indicators and useful defensive measures, accompanied by liability protection.
The joint explanatory statement (JES) from the four congressional authoring committees said it this way:

“Cybersecurity threats continue to affect our nation’s security and its economy, as losses to consumers, businesses, and the government from cyber attacks, penetrations, and disruptions total billions of dollars. This legislation is designed to create a voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information, without legal barriers and the threat of unfounded litigation—while protecting private information. This in turn should foster greater cooperation and collaboration in the face of growing cybersecurity threats to national and economic security.”  Joint Statement-House Intelligence Committee

Collaborators’ real-time benefit

The benefit to you is an “automated real-time process (AIS) that allows for information systems to exchange identified cyber threat information without manual efforts… Once a cyber threat indicator or defensive measure is received, analyzed, and sanitized, AIS will share the indicator or defensive measure with all AIS participants. AIS will not provide the identity of the submitting entity to other AIS participants.” And Personal Identifying Information will NOT be shared. Thus participating companies receive early-warning benefits of others’ experiences.

Terms you need to know in CISA

Threat indicator – A pattern or activity that is a precursor or footprint of a cyber attack.  “For example, a cyber threat indicator has a variety of observable characteristics: a malicious email, internet protocol (IP) addresses, file hashes, domain names, uniform resource locators (URLs), malware files, and malware artifacts.”

Defensive measure – a technique for preventing or defending against a threat. “Some examples …are:
*   A computer program that identifies a pattern of malicious activity in web traffic flowing into an organization.
*   A signature that could be loaded into a company’s intrusion detection system in order to detect a spear phishing campaign with particular characteristics.
*   A firewall rule that disallows a type of malicious traffic from entering a network.
*   An algorithm that can search through a cache of network traffic to discover anomalous patterns that may indicate malicious activity.”

Personal information – When you share threat indicators and defensive measures, you must remove details that could identify individuals. This includes not only name, address, and email address but also health, human resource, education, credit, and property ownership details. Thus, the AIS government system is not tracking or storing personal information that could be breached.

Congress did its best to defuse all legal and operating objections that companies might have to sharing this cybersecurity information – the information is protected from freedom of information requests and antitrust claims. Proprietary information must be preserved. As long as personal information is removed before sharing, and the cybersecurity information is submitted to the DHS (directly or through confidential sharing organizations), the company is protected from liability. The automated sharing system (“AIS”) is run by the expert non-profit Mitre Corp., and all the supporting software is open source and flexible.
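The “received, analyzed, and sanitized” step and the personal-information rule above are easiest to see as code. The following is an added example, not code from the article, from DHS, or from the AIS platform: a small Python sanitizer that takes a constructed indicator record as a participant’s system might hold it, validates the observables it is allowed to share (IP address, hash, URL, sender address, domain), drops the submitter’s identity fields, and redacts e-mail addresses and phone numbers from free text unless they are themselves shared attacker-side observables. All field names, the record, and the allow-list are assumptions made for the example; a real AIS submission uses the STIX/TAXII formats, which are not modelled here.

```python
import ipaddress
import json
import re

# Constructed sample record (not real data): what a participant might hold before sharing.
RAW_INDICATOR = {
    "submitter": "Example Corp SOC",            # identity: never forwarded to other participants
    "submitter_contact": "soc@example.com",     # identity: never forwarded
    "indicator_type": "phishing-email",
    "observables": {
        "sender_address": "invoice@badsender.example",   # attacker-side, shareable
        "ip": "203.0.113.45",
        "url": "http://badsender.example/login",
        "attachment_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "victim_user": "jdoe",                           # not on the allow-list: dropped
    },
    "description": ("Spear phish sent to jane.doe@example.com (ext. 555-123-4567) "
                    "from invoice@badsender.example; lure referenced an HR review."),
}

# Assumed policy for the example: which fields are identity, which observables may be shared.
IDENTITY_FIELDS = {"submitter", "submitter_contact"}
ALLOWED_OBSERVABLES = {"sender_address", "ip", "url", "domain", "attachment_sha256"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def valid_observable(key, value):
    """The 'analyzed' step: reject malformed observables so junk is not broadcast."""
    if key == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if key == "attachment_sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value) is not None
    if key == "url":
        return value.startswith(("http://", "https://"))
    if key in ("domain", "sender_address"):
        return bool(value) and " " not in value
    return False


def redact_free_text(text, keep_values):
    """Replace e-mail addresses and phone numbers in free text.
    Values that are themselves shared observables (attacker-side addresses) are kept."""
    redactions = []

    def _email(match):
        token = match.group(0)
        if token in keep_values:
            return token
        redactions.append(token)
        return "[REDACTED-EMAIL]"

    def _phone(match):
        redactions.append(match.group(0))
        return "[REDACTED-PHONE]"

    text = EMAIL_RE.sub(_email, text)
    text = PHONE_RE.sub(_phone, text)
    return text, redactions


def sanitize_indicator(raw):
    """Return (record safe to share, audit trail of what was dropped or redacted)."""
    audit = []
    shared = {"indicator_type": raw.get("indicator_type", "unknown"), "observables": {}}
    for key, value in raw.get("observables", {}).items():
        if key not in ALLOWED_OBSERVABLES:
            audit.append(f"dropped observable {key}")
        elif not valid_observable(key, value):
            audit.append(f"dropped malformed {key}")
        else:
            shared["observables"][key] = value
    for key in raw:
        if key in IDENTITY_FIELDS:
            audit.append(f"dropped identity field {key}")
    if "description" in raw:
        text, redactions = redact_free_text(raw["description"], set(shared["observables"].values()))
        shared["description"] = text
        audit.extend(f"redacted {r}" for r in redactions)
    return shared, audit


if __name__ == "__main__":
    record, trail = sanitize_indicator(RAW_INDICATOR)
    print(json.dumps(record, indent=2))   # what other participants would receive
    print("\n".join(trail))               # what stayed behind, for the submitter's own audit log
```

The audit trail is kept on the submitter’s side only; the shared record carries no submitter identity and no victim details, which is the property the statute requires before the liability protection applies.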

What this law recognizes is that cyber defense is hard and needs sophisticated and aggressive support from all the major players. Nobody can succeed alone in building sufficient protection against a well-provisioned adversary.


However, effective collaboration assumes that individual companies will continue to develop strong and innovative defenses which they may share for the common advantage.  Thus, Teradata and other advanced analytics consulting groups play an important part in cyberattack defense and anti-fraud management. 

Simplistic, one-size-fits-all approaches become rapidly outdated and ineffective. The best protected companies use:
*   A team of security-focused data scientists who can build unique attack detection methods.
*   Assemblage of previously disconnected data stores across the enterprise to help create detailed fingerprints of evolving fraud and cyber attacks.
*   Visualizations of event sequences and behavioral linkages to locate advance indicators of attacks that exceed what traditional descriptive statistics reveal.
*   Alerts based on threat-level trends across the enterprise.
*   Holistic cyber and fraud management and strategy planning.


The final take-away – don’t try to combat cyber attacks alone.  Collaborate, share, and bring in the needed expertise.


Kevin B. Pratt has been Chief Scientist at ZZAlpha LTD. since 2010.
He was also Lead, Anti-Fraud Analytics, Sr. Analytics Scientist in the Teradata Big Data and Advanced Analytics Group until June 2016.
There was and is no connection whatsoever between ZZAlpha LTD. and Teradata Corp.