The value of a joined-up approach

Westpac CISO Richard Johnson last week urged government and industry to boost their efforts in collaboration and sharing of cyber security intelligence within Australia. 

“This concept of sending intelligence between our industries and between industry and government - to me - is the future of information sharing for this nation in terms of maintaining critical infrastructure," Johnston said.

What’s interesting is that the financial services industry has been better than most at sharing threat intelligence with fellow institutions, giving banking an edge over less cooperative industry verticals.

Johnson suggests that the Australian Cyber Security Centre (ACSC), which opened in Canberra at the end of last year, will encourage a new level of intelligence sharing in Australia, leading to a more resilient nation.

This approach aligns well with the model established in the UK a few years ago, where GCHQ extended cyber security protection to government, organisations deemed national critical infrastructure (NCI), and other important industry verticals.  

The financial services industry has been considered an aspect of NCI for some time, alongside services such as power, water, health and communications.

The Australian government’s Critical Infrastructure Resilience Strategy, updated in 2010, extended the remit of the Trusted Information Sharing Network (established in 2003) as a mechanism to “provide national level forums for owners and operators of critical infrastructure to discuss critical infrastructure vulnerabilities with relevant government agencies.”

It would seem that national policy is already in place to facilitate threat intelligence sharing across multiple NCI industry sectors, so why has it not really been that effective to date?

The answer lies in implementation issues. If a bank’s cyber security team discovers a new, targeted specimen of malware, what do they do with that information? How do they convey that to their competitors in a way that potentially allows them to remain anonymous?

If they push the information through law enforcement (or the TISN), what is the response time for dissemination, and how is the detail communicated to participating organisations?

These are the challenges that ACSC needs to address. How will it work better with NCI organisations and other interested parties to get timely threat intelligence disseminated to cyber security teams more effectively and in a way they can use?

The ACSC website states it “is considering a number of models for partnering with industry which will allow close engagement on everything from information sharing to the development of effective response strategies,” so there is hope that a more joined-up approach is on the immediate horizon.

But given the promise of effective threat intelligence sharing, we still don’t have an answer to how this will be implemented.

How will we build security systems that disseminate alerts in a timely and automated manner with all the necessary information to make an informed decision on dealing with a threat and implement adequate countermeasures?

This is exactly the purpose for which Mitre Corporation’s Structured Threat Information eXpression (STIX) language has been designed.

STIX is an XML schema that allows security systems to communicate threat information in a standard format.

It allows security systems to communicate at wire-speed and pass threat intelligence to peers that can subsequently improve detection, bolster IDS/IPS detection, tighten firewall rules, etc.

The initial version of STIX consists of eight standard fields, including indicator, incident, exploit target, campaign, and threat actor.

As a community project, it is being contributed to by vendors, service providers, government agencies, universities and threat research organisations, hence it is truly ubiquitous and heterogeneous.

This is exciting. It seems that the stars are aligning, where government, industry and security companies can work together in a much more effective way that allows our reaction time to be quicker than the time needed for an emergent threat to take hold.

And while we’re not quite there today, we are getting closer.