CG - Information Sharing, or “I’ve got 99 problems and they’re probably pretty similar to yours” - Chris Mills

BSides Las Vegas, published 2017-01
About this talk
Chris Mills, Common Ground track, BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript

Okay, well, we'll just do it this way. So, how many of you have seen phishing... nothing is working... phishing campaigns related to American Airlines, or PayPal, or ADP, or FedEx? Anybody? All right. So this is information sharing. It may not be a very grand example of it, but it just shows the mechanics, where somebody's asking a question and we're getting feedback on it, and the information may not be useful to you, but it could be information that's useful to the person asking.

Now, a little bit about me; I'll get back to this in a second. I work for a financial services company in Tampa, Florida; we're based in New York City. I do information privacy too, started that last week. I ran the incident response team before that. I did a couple of years in the Navy, worked for their Cyber Defense Command doing computer forensics and incident response. I also co-host the Securabit podcast, so check us out, securabit.com, subscribe to that, listen to us, give us good feedback.

But back to that example. If you did look around the room, you'll notice that not everybody raised their hands, and the negative feedback is also very useful. It's very good to know if somebody didn't see something you're seeing, because it kind of helps show whether you're being targeted or not.

So why do we do anything like this? A lot of the time we have questions that we're trying to answer and we don't know the answer immediately offhand, but chances are somebody else has already seen it, similar to the way that you'll Google something for a problem you're trying to solve: somebody else has already found it, you type in your question, and even before you finish typing the question you've already found the answer. So why don't we do this? Well, a lot of times companies value secrecy over sharing, but what I try to convey is that security, maybe unless you're a company that sells security, really shouldn't be a competitive advantage. So one of the things that I think everybody here should do is try to encourage your companies at home to promote information sharing within your groups. As the saying goes, a rising tide lifts all the ships, and so as an entire security community, and in each of our individual sectors, as we help each other be more secure, we become more secure as a group.

My perspective on this is financial services. Like I said, I work for a financial services company; we do clearing and settling, so when I do information sharing I share with banks and stock exchanges and clearing houses and card processors. That's where the basis of my talk is coming from, my experiences there.

A lot of the things we share are really easy things to share, such as indicators. What have we seen on our network? Did we see an IP address, an email address? Is there a certain subject of an email that's come in? What are the headers of an email? And even down to full packet captures; if you're in a trusted group, those are things that you can easily share. Any events we share as well: if we're being targeted by a DoS, or if there are certain scans that come in, phishing campaigns, anything else, we try to let all of our peers know what's going on, because if it's coming at us, chances are it's coming at them, and it gives them a chance to better defend themselves. And the last thing is intelligence. You know there's hundreds or thousands of different companies doing the same thing we are, and we all have our own people doing our own research; we're all into our own little things and we see things in our tunnel vision, but it's helpful to put everything together with everybody that's doing their own research. So any intelligence that we gather, we help share with anybody else.

So how do you get involved? There's a lot of different verticals, different sectors, and one of the things that has come along is Information Sharing and Analysis Centers. In my particular case, in financial services, we have the FS-ISAC, and that's a group that anybody that does financial services can join, but there are many others that are out there for different services. One of the things the ISAC is, is trusted. There's sharing agreements between the ISAC and every member firm, so whenever we share something with the ISAC and with the other member firms, we have a sense of assuredness that the information is not going to get out; we can trust the people that we're sharing with. And analytics: the ISAC itself provides analytical services through their SOC, and any information that we share to other firms, their analysts will contribute back and give us their take on it. Sharing, which is what this whole talk is about, is how do you combine and fuse all these things together. An ISAC will take all the inputs from everybody and come up with research papers and things that can be shared with a broader audience. And so for sharing, we share within the ISAC, so firm to firm we can share, and then the ISAC itself will take what we have and we can share it outside to different ISACs or even to the general public. And the third way we share is going to the government, so we can get lots of help from them with regard to intelligence and things that they've seen. Really, the way it's been recently is we give them everything we have and maybe we'll hear something back, but it's getting better; we're working on that.

The services that the ISAC provides: risk mitigation. Within the sharing group you have companies ranging from, you know, a couple dozen people up to 100, 200, 300,000 people, so there's help. If a smaller company is having a problem, they can go out to the bigger companies, and we work together as a team, even though we may be competitors on the business side. When it comes to information security, we understand that there's really no competitive advantage there. That flows into incident response too, so when somebody does have a problem they can reach out to us and we can lend a hand where necessary. And again, information sharing, which is what everything I'm talking about now.

I'm not sure what everybody works in; there's different verticals all around different industries, and a lot of them have their own information sharing centers, and so the National Council of ISACs was put together to coordinate the sharing between all these different ISACs. I'm just going to go through these really quick. Communications sector: if you work in telecom, anything like that, there's an information sharing group that you can join; you can share and have trusted relationships. Electricity has their own. Emergency services, healthcare, information technology, maritime. The state and local governments: this one is sponsored by the Center for Internet Security, and we get a lot of good information out of them; they have a perspective on different traffic that not a lot of us are privy to. Nuclear, they have their own information sharing group. Public transportation, so this could be buses, trains, anything like that. Real estate, so this may not seem very important, but with the physical attacks on buildings and things, this has come to the forefront for public occupancy. Research and education: anybody that works for a university or any sort of research institute can join this and share information. Supply chain: this is one thing that affects pretty much everybody. The security of the supply chain is key to the security of what we do, whether we buy things that we put on our network or even the endpoint customer devices, so whenever they're sharing information and working together to make it better, it's better for everybody. The Water ISAC covers them, and lastly is the one I belong to, which is the Financial Services ISAC.

So the White House realized that this is a good thing too, and the White House came up with Presidential Policy Directive 21, which established critical infrastructure and key resources, and they've identified 16 different sectors that they consider critical infrastructure, and that's what they throw their support behind. With each of these there are what they call sector-specific agencies that they use to promote information sharing between the private sector and the government. Within these 16 key sectors, each one has a sector-specific agency. DHS has the largest share of it, and I'm not going to go through all of them here, but what they want to do is, any time you have information that could be pertinent to other people, they want you to share it up with them. Department of Defense obviously does all the DoD stuff. Department of Energy. Treasury is what I go to for my financial services. For food and agriculture there's a joint sector-specific agency with USDA and Health and Human Services, and HHS also covers healthcare and public health, and EPA covers water. So there's really a great opportunity to share back with the government, and one thing that they're doing, which was beneficial to me: I used to be in the Navy, and when I transitioned to the private sector I lost my clearance, it went inactive, but with the public-private partnerships that we have with the government, they're able to hold your clearance even though you work in the private sector, so that can enable sharing back to you from classified indicators that you may not normally be able to see.

One of the challenges that we've had in my organization, and that I've seen with many other organizations, is getting the legal department's buy-off on this, because everybody wants to have really tight lips; nobody wants to give information out, and everything's a secret. So legal agreements are one of the important things that an ISAC can do, and along with that is non-disclosure agreements, so you can be assured that any information that you share out will remain with the people that you explicitly share it with, and privacy statements that go along with that as well. So whenever we share information, if I want to talk to somebody and I want to give them information, I need to have an agreement between me and that person, and that's pretty easy when you want to share with one person, but when you bring another person into the mix, that complicates it. So now A already has an agreement with B, but now C wants to come in and share, so now C has to work out some deal with A, and then C has to work out some deal with B, and each of those is time and money. It's a separate agreement that your legal department has to review and approve, and it has to go all the way up, and it could take weeks or months and probably cost several thousands of dollars. And so we have A, B, C, D, E, and they're all information sharing, but each one of them has to have an individual agreement with each other entity that they want to share with, and that's very complex, very expensive and very time-consuming, and really doesn't encourage the information sharing; it probably won't even happen at all. So when F decides they want to come in, F has to go to A, and then to B, to C, and then to D, and then to E, and by the time they do that, the information that they want to share, the time sensitivity of it, probably has no value anymore. In my particular sector we have 3,700 different members that are sharing information with each other, and for us to go through 3,700 different groups and try to figure out how to share, that would be impossible. So this goes out the window, but what we do have is a simplified version with an ISAC being right in the center. What I do is, if I'm A, I create an agreement with the ISAC; it's reviewed once by my legal department, and I know that anything I share with the ISAC and the other member firms will be safe and secure, and that there are consequences if anybody breaches any of those agreements. So when G decides to show up, instead of going around to A, B, C, D, E and F and negotiating contracts and agreements and NDAs with every one of them, all they have to do is agree to the same one that all of the other firms have agreed upon, and it's with the ISAC. One of the other benefits with that is all of those other member firms have already reviewed that with their legal department, and it gives the new firm a sense of confidence that it's been reviewed and they should be able to trust it.

But in addition to ISACs, we kind of get constrained within our vertical; we get complacent and we don't really get the big picture of what's happening. So beyond ISACs, it's good to get perspectives from different industries, and to facilitate that we have private information sharing groups. What that does is it combines the sectors into one group that you can share across. So in financial services I can talk to somebody who's over in telecommunications; I talk to people that work at Cisco and all different kinds of companies, oil and gas, and they see things. A lot of things are similar to me, but they may see them ahead of time, and that gives me advance warning so I can protect my network. With the private information sharing group there is no sector-specific agency, so you do have the option to keep the government completely out of it, and depending on the information you're trying to share, that may be a good thing for you. And it really gives you great access to talent. In my particular vertical, financial services, we're not really key on all of the advanced research and development that a technology company may have or that a research company may have, so we can tap into those analysts and get the information back that can help us in our jobs. The legal and sharing agreements with the private information sharing groups are pretty similar to what we have with an ISAC. The particular one that I participate in is Red Sky Alliance; they started up a couple of years ago, really to deal with APT and other persistent threats, and just check them out.

The way to encourage sharing is through automation; automated sharing is fast. In the financial services industry we have a Security Automation Working Group, and that's a partnership between us in financial services and the government and MITRE, so they're coming up with some protocols called STIX and TAXII. STIX is the Structured Threat Information Sharing Expression, and what that is, is the language of how to share stuff, and TAXII is the method of getting it from point A to point B. The more people that we get on board with this, and that can put their information into this format, the more rapidly we can get the information from us to other people and get it to our analysts, where it makes a lot of difference.

And if you look at the tool called CRITs... CRITs, yes; what do you think of that one? I haven't personally touched it, but other people on my team have, and they're really running with it.

So a new idea that kind of emerged on Twitter back in February is sharing boring stuff too. Stuff like IP addresses, indicators, attacks and stuff, that's the more exciting stuff, but what about policies and procedures and documents and stuff? Whenever you write stuff in your own company, you're writing policies that are probably pretty similar to what everybody else in their company is writing, and what if we had some sort of a repository or a way to do peer reviews on your own documents, but you would be able to trust the person that's reviewing them? I'm sure nobody wants to publish their internal documents up on Pastebin for somebody to look at, but if you had an agreement between people, you could easily do that. So it started out on Twitter. Steve Warby was saying he was working on a security assessment questionnaire looking at cloud hosting, and so I responded saying, yeah, I'm doing the exact same thing; I really was, we were doing the exact same thing in my company. He wondered, you know, how many different people are doing this exact same thing at the same time, and how much time could we save if we could just look at everybody else's work. GD Bassa chimed in saying we need basically a Stack Overflow for infosec, so we can share our documentation and get stuff done without reinventing the wheel. So I chimed back again: peer review would be great, but how do we break out of our confidentiality policies? And a couple of tweets later, Gabe wants to start the infosec policy institute, so we can have a clearing house for our policies, and I think that's a pretty good idea. I'm not really sure where to go with it yet, but I think infosec peer reviewing, beyond just the people that are sitting across from your desk, would be a really good thing, to get perspectives from people that don't work in my industry, that have experienced other things, that I can flow back into my policy; it would make them a lot better and more applicable, I think. So I think it's good; hopefully other people do, and we can start something. We'll probably keep it going on Twitter, keep the conversation going. So my message is: never stop sharing. Do you have any questions?

Indicators are cool; I've seen people sharing indicators of compromise. I work at a big manufacturing company that has been [inaudible]. My concern, as somebody building with this stuff, is indicators of compromise, OpenIOC, STIX, TAXII, they all have kind of a bad smell that reminds me of antivirus static signatures. Before we get too far down that same ugly path of a 50,000-line .dat file equivalent, how do we get past that? How do we think about these things?

So that's where I think the privacy agreements and the NDAs come into play. Rather than saying "I saw this IP address", well, where did you see this IP address? What did you see? When did you see it? What's it attacking? What are the things that are surrounding it? Instead of just giving somebody a list of IPs that have no context around it, if you can trust the people you're sending them to, you can give them everything you know.

Yeah, I'm watching a bunch of people turn over a ton without having a time context, and it's just like, it's a good start, but it's one step away from being a signature. Indicators without [inaudible] really are useless.

So one of the things [inaudible] is that a lot of compromises are coming through the supply chain. Right, right. So figure out all the stuff you need to do before you hit your main target, and you're already 75% there by the time you hit the person you're really going after. The main problem is there's nothing for the supply chain as far as [inaudible]. So small companies that provide the supply chain, where do they go to get open source or freely available indicators that can bring them into the same type of detection as the big guys?

So that goes back into those private information sharing companies. In addition to getting the indicators to them, they can also communicate back saying, hey, we're seeing something. They may be an electronics supplier used in a widget down the line, but if you know that they saw something two months ago, and that you're going to be receiving parts from them, that's good information. Take a look at Z, good tool for that.

What are you looking for? A way that companies can automatically share information that doesn't cost them, and that their whole legal department doesn't have to get involved, because a lot of the stuff really is anonymous. Like, if you see an attack and you pull a signature out of it and say "you should look for this", that doesn't tell anybody... there's no legal reason to not share that, but yet we still have this legal framework saying "no, you better not share that". But that's what I'm trying to get away from. If you just say "go look through this", that doesn't mean anything for me. I want you to say "go look for this, and this is why you should be looking for this, this is what we saw, this is when we saw it, this is why it should mean something to you". And I'm saying that's not available to... It's not, but it is available through the information sharing agreements, both public and private, and sector-specific frameworks, and a [inaudible] to some
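As an added example (not from the talk, nor code from FS-ISAC, MITRE or any group it mentions), here is how the context the questioner asked for, where and when an indicator was seen and how long it stays relevant, can be carried in a STIX 2.1 Indicator object (the current version of the format the talk refers to as STIX), together with a check that flags bare IP entries shared without that context. It uses only the Python standard library; the addresses, timestamps and description are constructed sample values.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # STIX 2.1 timestamps are UTC, "Z" suffix
# Context a receiving analyst needs before acting on a shared indicator:
# what it means, when it was seen, and how long it stays relevant.
REQUIRED_CONTEXT = ("description", "indicator_types", "valid_from", "valid_until")

def _ts(dt):
    """Format an aware datetime as a STIX 2.1 timestamp (millisecond precision)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def _parse_ts(s):
    return datetime.strptime(s, STIX_TS).replace(tzinfo=timezone.utc)

def make_indicator(ip, seen_at, description, ttl_days=30,
                   indicator_types=("malicious-activity",)):
    """Build a STIX 2.1 Indicator for one IPv4 address with a validity window."""
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 address: {ip}")
    stamp = _ts(seen_at)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "description": description,            # the "why you should look"
        "indicator_types": list(indicator_types),
        "pattern": f"[ipv4-addr:value = '{ip}']",  # STIX pattern language
        "pattern_type": "stix",
        "valid_from": stamp,                    # the "when we saw it"
        "valid_until": _ts(seen_at + timedelta(days=ttl_days)),
    }

def missing_context(indicator):
    """Names of context fields absent or empty; an empty list means usable."""
    return [f for f in REQUIRED_CONTEXT if not indicator.get(f)]

def is_expired(indicator, now_iso):
    """True once valid_until has passed; open-ended indicators never expire."""
    until = indicator.get("valid_until")
    return bool(until) and _parse_ts(until) <= _parse_ts(now_iso)

def to_bundle(indicators):
    """Wrap objects in a STIX Bundle, the unit a TAXII server exchanges."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(indicators)}

# Constructed samples: one context-rich indicator, one bare "IP list" entry.
SEEN_AT = datetime(2013, 7, 31, 12, 0, tzinfo=timezone.utc)
RICH = make_indicator("203.0.113.5", SEEN_AT,
                      "Callback host seen on the mail gateway during an airline-themed "
                      "phishing campaign (constructed sample)", ttl_days=30)
BARE = {"type": "indicator", "spec_version": "2.1",
        "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix"}

if __name__ == "__main__":
    print(json.dumps(to_bundle([RICH]), indent=2))
    print("bare indicator is missing:", missing_context(BARE))
```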
