A View on Information Sharing and Threat Intelligence

Guest author Robert Huber is a co-founder of Critical Intelligence, a for-profit ICS Cyber Situational Awareness and Threat Intelligence provider.

If you look closely at all the banter about information sharing, especially with a focus on the electric sector, you have to be perplexed: ES-ISAC, ICS-CERT, ICS-ISAC, NESCO/EnergySec and some other sector-specific information sharing groups that I won’t name. Where do you as an owner/operator turn?

ICS-CERT is definitely in the information sharing business across many sectors. They host public and private information sharing portals. They would also like asset owner/operators to report information to them directly. If you listen to, or read any ICS-CERT reports, they always add the following statement:

[o]rganizations that detect any of the indicators of compromise in business or control system networks are encouraged to contact ICS-CERT …

So why report to them instead of your sector-specific organization? I know not all sectors have ISACs, but the electric sector does. Weird, considering PDD-63, created in 1998, directed the National Coordinator to work with private industry to create the necessary ISACs across all sectors.

ES-ISAC has grown and improved their information sharing role, encouraging asset owners and operators to share. They have a specific section on their portal dedicated to this, which seems to work quite well. They also host the monthly ES-ISAC call to share relevant information, which DHS and ICS-CERT also attend and brief (as well as my company).

NESCO/EnergySec maintains the TAC (Tactical Analysis Center), a community driven information sharing capability.

ICS-ISAC, from their own description: “[t]he ICS-ISAC is a non-profit Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security”. Nothing against these guys, as I know they are out to do good, but to my knowledge they seem to be the only ISAC dedicated to a specific type of technology versus a sector.

Oh, lest I forget, the FBI just announced its information sharing initiative – http://fcw.com/articles/2013/07/30/fbi-information-sharing.aspx . Certainly, from the government side, with all the push for information sharing, everyone wants a piece of the pie.

If I were an asset owner or operator I’d feel overwhelmed. Much of the information is the same across the above sources. In fact, many of them share information from the other sources to their constituents. Most of them do work together to some extent, but there are certainly some very evident turf battles. Add to all this, Presidential Decision Directives, Executive Orders, and potential legislative bills for information sharing and the space only gets muddier. Maybe if they actually implemented what they envisioned in PDD-63, we wouldn’t even need all of these other government efforts.

If you were at Black Hat this year, you will have noted that one of the hot terms was threat intelligence. We have it, we produce it, we help you ingest it. Seriously? In the past 6 months Accuvant, IOActive and Mandiant have joined the commercial threat intel/situational awareness bandwagon. They join the existing mix of: CrowdStrike, Verisign iDefense, Cyveillance, Symantec DeepSight, Cisco IntelliShield, Dell SecureWorks, McAfee Global Threat Intelligence, Lookingglass, Booz Allen Cyber4Sight, IBM X-Force, iSIGHT Partners, Lockheed Palisade and Critical Intelligence.

I’m sure there are several more that I either forgot, or they are announcing soon and I can’t mention them yet. Quite honestly, most of them focus on the IT side of things versus ICS, although some are targeting ICS, mainly through their vulnerability research and penetration testing. I almost forgot the commercial information sharing organizations, RedSky Alliance and ThreatConnect.

Threat Intelligence and Information Sharing are the sign of a mature organization, and quite frankly FEW companies are there. Large defense contractors and financials? Sure. And yet they still get compromised on a regular basis. In fact, most large DIB and financials have threat intelligence TEAMS in place. It’s not some person’s part-time job to read DarkReading, the CSSP Private Portal, Full Disclosure and BugTraq every couple of days for a few minutes to track the threat. That’s an argument we get a lot from potential customers. “Hey, I can get cyber security feeds too! Why do I need you guys?” To which I say, “great, we track several thousand sources constantly, and provide detailed analysis in a context that is meaningful to our clients.” If you think you can protect your organization’s crown jewels with 1/10 of some person’s time, more power to you. Here’s Mandiant’s contact info, keep it handy, you’ll need it.

It’s interesting that in the military, intelligence is used to prepare the battlespace, yet, in the commercial world, it’s usually a luxury or afterthought.

How about we get some basic defense in depth: policies, procedures and technology in place first? Or at the least, identify your crown jewels and high value targets (HVTs). Wouldn’t it be easier to defend, if you know exactly what you should be defending? In essence, this is how you draft your intelligence collection requirements. Do you really want information from all the sources I mentioned, or would you rather worry about the stuff that affects your organization? Do you really want to sift through 5 or more feeds for your intelligence and situational awareness, or would you prefer a team to correlate, aggregate and analyze it?

I have to laugh when I hear the constant calls for information sharing. Here you go:

Domain: pb.qocp[.]net

C2 IP:

Dropped Filename: cyslog.dat

Dropped File Hash: 3b98c9c3879f4846967c4e93fa10c934

Incoming Filename: Nuclearpowerplants.doc

Incoming File Hash: 6e79167bad3dd115086567226325cbf8

The original file was likely taken from here, although I found several similar versions.

The original file is 2 years old. Recently someone grabbed it and added their malware.

It’s from the PLA of China (Bob’s speculation, I’m not in the business of attribution). Does that matter to you? If so, why or why not? Are you bidding on any projects that the Chinese may also be bidding on? Do you have access to key fracking or some other technology that the Chinese would like to have? Are you operating ventures in China?

How many organizations can action that? Yes, it’s real. Yes, it’s APT.

What should you do with these indicators?

First, search all available sources of information to identify any past activity related to these indicators (firewall logs, network flow logs, IDS/IPS alerts, SIEM tools, web proxy logs, DNS logs, etc.).

For the file based indicators, if you are running Microsoft SMS, Encase Enterprise, HB Gary, AccessData FTK, Mandiant MIR, Tenable Nessus or similar, you can search on the filenames and/or file hashes. Heck, just grab the free hashdeep or md5deep, or roll your own.

You should also consider implementing network intrusion detection/prevention (IDS/IPS) signatures, web proxy blocks, DNS blackholes, and firewall blocks on the above indicators. [I’m not giving advice on the above indicators, I’m just providing examples of what you could do].
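As an added illustration of the "search your logs and hash your files" steps above (this is example code written for this page, not Bob's or Digital Bond's tooling), the script below takes the domain, filenames and MD5 hashes listed in the post, walks a directory hashing every file the way md5deep/hashdeep do, and greps constructed DNS/proxy log lines for the domain and its subdomains. The log lines and the files it creates in a temp directory are made up for the demo; the C2 IP is omitted because the post leaves it blank.

```python
import hashlib
import os
import re
import tempfile

# Indicators as listed in the post (the C2 IP was left blank there, so it is not included).
IOC_DOMAIN = "pb.qocp.net"
IOC_FILENAMES = {"cyslog.dat", "nuclearpowerplants.doc"}
IOC_MD5 = {"3b98c9c3879f4846967c4e93fa10c934", "6e79167bad3dd115086567226325cbf8"}

def md5_of_file(path, chunk=1 << 16):
    """Stream a file through MD5 in chunks, as md5deep/hashdeep do, so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, filenames=IOC_FILENAMES, hashes=IOC_MD5):
    """Return (path, reason) for every file whose name or MD5 matches an indicator.
    Names are compared case-insensitively because Windows filesystems are."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in filenames:
                hits.append((path, "filename"))
            if md5_of_file(path) in hashes:
                hits.append((path, "md5"))
    return hits

def scan_log_lines(lines, domain=IOC_DOMAIN):
    """Return DNS/proxy lines that reference the indicator domain or any subdomain of it.
    The lookarounds stop look-alikes such as 'pb.qocp.network' from counting as hits."""
    pat = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"(?![a-z0-9-])", re.I)
    return [ln for ln in lines if pat.search(ln)]

# Constructed sample log lines (not real traffic): the first two should hit, the last two should not.
SAMPLE_LOGS = [
    "2013-08-01T10:11:12Z dns client=10.0.5.17 query=A name=pb.qocp.net",
    "2013-08-01T10:11:13Z proxy src=10.0.5.17 GET http://www.pb.qocp.net/update.php 200",
    "2013-08-01T10:11:14Z proxy src=10.0.5.18 GET http://example.com/ 200",
    "2013-08-01T10:11:15Z dns client=10.0.5.19 query=A name=pb.qocp.network",
]

def demo():
    """Build a throwaway tree of constructed files and run both scans; returns (tree_hits, log_hits, root, benign_md5)."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "CYSLOG.DAT")      # name hit; contents are a constructed stand-in
    benign = os.path.join(root, "readme.txt")   # no hit against the post's indicators
    with open(bad, "wb") as f:
        f.write(b"constructed payload stand-in")
    with open(benign, "wb") as f:
        f.write(b"nothing to see here")
    return scan_tree(root), scan_log_lines(SAMPLE_LOGS), root, md5_of_file(benign)

if __name__ == "__main__":
    tree_hits, log_hits, _, _ = demo()
    print("file hits:", tree_hits, "\nlog hits:", log_hits)
```

Swap `IOC_*` for the indicators you are actually hunting and point `scan_tree` at a mounted image or share; for SHA-256 hash lists replace `hashlib.md5` accordingly.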

From DHS ICS-CERT reporting, we know most organizations don’t have any of these capabilities in place. If that’s you, refer to my previous statement and pull out Mandiant’s contact information.

If you really want information sharing and threat intelligence, build a program, assign resources and action the data. Don’t make it someone’s part time job.

Flame away……

Image by Gavin Kealy

7 comments to A View on Information Sharing and Threat Intelligence

  • Hi Bob,

    No need to Don the Flameproof Apparel. ;~)

    First, your prime premise is effectively correct: there is a proliferation of information sharing entities of all types and stripes. Your closing thought is also supportable, in that asset owners need to make some choices about sources of information, and those choices are best where they are as informed as possible.

    We are in an interesting transition in knowledge sharing. In the recent past it has been generally assumed that A Source will emerge, and that as long as we all face in that direction and listen carefully Everything will be All Right. What you note above is summary evidence that the actual future is likely to be more analogous with the Internet than to this broadcast television model, with many information sources and entities each providing and processing in different ways.

    The inevitable solution is for individual persons and organizations to make appropriate choices among these sources. To select one – or, more often – a small number of sources that together provide the speeds and feeds that fit their needs. This may be, where they do not have the resources or inclination to maintain full awareness of where the most applicable information is to be found today, a single integrator who handles these decisions for them in a trusted fashion. It may be, as you note, where a well-resourced facility creates the internal processes to make and maintain such decisions independently.

    As to the nature of the ISAC structure as it exists today there are several which like the ICS ISAC do not intrinsically target industry verticals: the Multi State ISAC, Supply Chain ISAC and by nature the IT ISAC being some examples. The ICS ISAC was conceived to serve a variety of purposes related to the commonalities of ‘cyber physical systems’ across sectors and the organizations associated with these commonalities, and based on response from membership and associated organizations has found a niche in the knowledge sharing ecosystem worth filling. Among the notable environmental factors leading to this niching is the fact that most ISACs and other sharing systems have singular focuses on asset owners and explicitly or implicitly exclude vendors, integrators and other subject matter experts who have interests in and capabilities to offer to the shared communities of interest.

    Among the looming tasks facing all entities interested in knowledge sharing is – as your article illustrates – the integration of sharing between knowledge centers themselves. This includes sharing among ISACs and other dedicated public, private and public/private knowledge centers as well as with for-profit analytic and intelligence creation centers, researchers, vendors and other sources of expertise. While we continue to live in a world where any single entity can be in possession of The Answer to imminent threats without having the logistic, legal and economic ability to share that Answer with all concerned parties we will continue to be under evolutionary pressure to develop more effective means of sharing.

    The future of information sharing is less likely to reflect the star-topology networks of the mainframe era than the mesh networks of modern information systems. As individual centers of expertise and knowledge begin to raise their sights from servicing only the asset owners directly in front of them and perceive the interdependent single global infrastructure these facilities are embedded in, progress in this area will continue to accelerate.

    Keep up the good work, best to you and your team.

    Chris Blask

  • Two things are missing from this whole information sharing discussion and until industry understands these two concepts all of the information providers will be next to worthless because too much information will just paralyze your operations. Both come from military intelligence, EEEI and EEFI; Essential Elements of Enemy Information and Essential Elements of Friendly Information.

    In the military the commander (owner at each level of the organization) tells the intel folks what information he needs to know about the enemy capabilities and intentions to support his operations. In the corporate world the commander, oops owner, needs to know who is likely out to get information about his operations, who will likely be taking action to counter his operations, what techniques and technologies will likely be applied to accomplish the above. Don’t tell me about what they are going to do to the credit card guys; if I’m using Siemens don’t tell me about what they can do to an AB system.

    Of course, this means that the owner needs to know what systems he has, and which ones will really impact his ability to get widgets out the door.

    Just as important is the information that you don’t want the bad guys to have about your operations. Commercial intelligence is pretty well understood in this regard but industrial security not so much. You don’t want the ‘enemy’ to know where you keep your sensitive information (and what is sensitive will vary from organization to organization). You don’t want them to know how to get around your facility or systems and you don’t want them to know what your sensitive equipment is.

    Again, this is part of the hazard analysis that must take place at every facility. You can’t protect everything well, so you have to figure out what things are most necessary for you to carry on.

  • The proliferation of information sharing groups is a complaint I also hear frequently. Whether it is valid or not remains to be seen. In some ways, the phrase “water, water, everywhere and not a drop to drink” applies. In other ways, the phrase “you can lead a horse to water, but you can’t make him drink” is more appropriate. Maybe both are true today.

    The mission of the NESCO TAC is simple: To enable sharing from industry, to industry. That is a harder task than it seems for reasons mentioned in this post. Information cannot be shared unless it first exists (in shareable form). This takes capabilities. It also cannot be used (actioned) unless capabilities are in place. The TAC, being aligned with the broader goals of NESCO and EnergySec seeks to enable and grow those capabilities, particularly within the many smaller (and less resourced) organizations in the electric sector. That may not make us unique, but it certainly makes us different.

    I sensed a bit of frustration in the post – or maybe I was simply projecting my own frustrations onto it. Industry (I’m generalizing here) needs to do a better job of building capabilities to both produce and consume actionable security intelligence. A recent Gartner report surmised that such collective sharing of intelligence will be (if it is not already) necessary for there to be any hope of successful defense. I obviously agree with that.

    I would say that the current rush towards the “info-sharing” space is a validation of the need, or at least the perception of the need. It will be interesting to see it all shake out.

  • Bob

    Good points Patrick. Inserting your mandatory Sun Tzu, “[i]f you know the enemy and know yourself, you need not fear the result of a hundred battles.”
    Usually I refer to the points you mentioned, as developing your standing intelligence needs or requirements (SINs). This is what drives your collections.
    This also plays slightly into the 7 Security Ideals – http://www.if.uidaho.edu/~amm/faculty/Ideal%20Based%20Cyber%20Security%20Technical%20Metrics%20for%20Control%20Systems.pdf
    Paraphrasing two of them:
    – the security groups knows the system perfectly
    – the attackers know nothing about the system

  • @Patrick: That’s exactly right. EEEI is a huge barrier today because facilities don’t know what information applies to them, therefore they stop listening to all of it (assuming they have listened at all in the first place). This has been a topic of lively agreement with some of our friends in DHS as recently as this afternoon. Where facilities don’t know what they have, nobody can effectively help them and they themselves cannot determine what external information to pay attention to.

    EEFI is a hindrance in outbound (from a facility perspective) sharing. Where facilities do not know what information they own is sensitive the only safe choice is to share nothing, and the safety and reliability of combined infrastructure (i.e. “society as a whole”) is lesser.

    “Sharing information” is pointless without context, which is one of the major drivers behind the existence of all of these centers from Digitalbond to Critical Intelligence to Energysec to the ICS ISAC and others. Developing that context is a specific driver behind our own efforts with SARA (http://ics-isac.org/sara/): if you don’t know who you are, what you have and what it is doing then simply sharing information only has so much use (iow: “very little”).

    @Steve: As you know I concur, and maintain that progress is being made in that direction. But all of those sides of the balance have to rise together – specifically both the ability to produce actionable data as well as to effectively and efficiently consume it. What you folks have done with your efforts is part of that, what we are doing together with SARA is another, what the vendors and integrators and industry organizations in that cloud are doing are yet more components.

    A pattern is emerging.

    @Bob: And yes, this is not news. It has been more than a few (thousand) years since those who studied conflict came to realize that where one does not have awareness of one’s own characteristics, not even Batman or Sun Tzu is going to be able to save you.


  • bryan owen

    @Chris “most ISACs and other sharing systems have singular focuses on asset owners and explicitly or implicitly exclude vendors, integrators and other subject matter experts”

    Thanks for raising the vendor exclusivity issue. The safety realm seems to have overcome potential abuse related to sharing defect information. IMHO, critical infrastructure protection should be no different.

  • @Bryan – It is an interesting artifact of where we are at the moment, and an example of how much specific word use matters. At the highest levels in the 90s and the past decade it was enunciated that [sic]”we need to make sure asset owners get this information” and therefore all public and most private efforts have been around building structures that connect (for example) an electric utility with Washington DC. This is true down to the level of the specific procedures and structures inside federal agencies such as DHS, and can be seen during events such as the ICS-CERT Amber Alert this spring.

    While the advisory delivered as part of that alert was itself a step forward in content, the structures built over previous years could only deliver it to a subset of asset owners (who may or may not have read or used it, as the thread above discusses) and was not available to the vendors and integrators with the tens of thousands of direct relationships with asset owners and the skills to provide assistance. It was not shared with parts of DHS which could have brought capabilities to bear.

    But Washington Post still had it within 24 hours…

    Which is not because of incompetence or stupidity on anyone’s part, it is just a characteristic of where we are today. This article and thread are illustrative of that same fact, where folks as skilled and informed as you, Bob, Steve, Patrick, myself (to whatever extent I have any skills) and others are still working through how who knows and shares what why.

    It comes as no surprise that asset owners are at present unable to determine where to get which information for what substantial reason. Until those charged with the issue in industry (and by extension those in public service) understand how this will be done in the future we will not be well able to guide those who need to do it in the present.
