Counterfeit court documents aimed at illegally authorizing wiretaps and other fraudulent activities are catalyzing legislation requiring federal, state and tribal courts to use digital signatures to ensure legitimacy of court orders. And an increasingly hard line by the U.S. government against foreign government hackers recently spurred President Biden to talk about the possibility of a “real shooting war” with a “major power” over a cyberattack. The message is loud and clear: The federal government is turning up the heat against cyber threats aimed at causing damage or disruption, and in the process lighting a fire under private- and public-sector organizations to work together to improve the nation’s cybersecurity.
To that end, the first requirement the May 12, 2021, Executive Order (EO 14028, Improving the Nation's Cybersecurity) lays out is removing barriers to sharing threat information. Recognizing that current contracts with IT and OT service providers include terms or restrictions that limit the sharing of threat or incident information with executive departments and agencies, the order sets an aggressive timeline for updating contract requirements and language so that relevant cyber incident data, information and reporting can be shared.
The federal government already shares threat data with the private sector. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issues alerts and offers a free Automated Indicator Sharing (AIS) threat feed. The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) publish intelligence, trends and best practices. And there are dozens of Information Sharing and Analysis Centers (ISACs) that also foster the exchange of intelligence with the aim of helping member organizations protect their infrastructure, employees and customers from cyberthreats targeting their specific industry. But there isn’t a structured and effective mechanism for individual, private organizations to share relevant, actionable intelligence with the public sector.
The reality is, even within the federal government, sharing across agencies typically is done in an ad hoc way – manually and based on established relationships. In other words, calling a colleague to ask if they’ve heard about a threat.
The Executive Order also directs federal agencies to develop plans for implementing zero trust architecture, and sets a 180-day deadline, falling in November 2021, for adopting multi-factor authentication and encryption for data at rest and in transit. Zero trust has become an increasingly popular construct for maintaining privacy and control over digital assets in today's perimeter-less world. It entails continuously verifying and authenticating every device, user (internal and external) and application, so that each request is granted only if the requester holds the privileges and attributes required for the specific asset it wants to access, regardless of where on the network the request originates.
At first glance, threat sharing and zero trust may seem to be at odds. Given that the extent of sharing we’ve seen to date is mostly fueled by trusted relationships, can you have meaningful sharing in a zero trust model, where the mantra is “never trust, always verify”? To me, the answer is yes. The two can coexist and even complement each other, provided you have a way to exchange threat data that adheres to the following five principles.
1. Control. We’ve already established that one of the barriers to sharing threat intelligence is knowing exactly with whom you are sharing, what you are sharing and how the intelligence will be used. A formal exchange must be established between participating entities so that participants know the recipients, with tracking and reporting enabled to maintain details of exchanged data. Also, the exchange must be bi-directional and point-to-point, so that participating entities have flexibility to establish their own sharing processes according to their specific requirements and missions without limiting the breadth of data they want to share or leaking data they want to keep private.
2. Timely. Intelligence on known threats must be shared as close to real time as possible so that action can be taken quickly to mitigate risk. We're talking here about intelligence on threat activity going on at that moment in the sharing organization's own network. With the ability to automatically stream curated threat intelligence to other entities, intelligence can be sent before it goes stale and loses value. Sharing becomes a force multiplier: participating entities can collaborate to better understand threats and how to respond effectively.
3. Relevant. The intelligence cannot be restricted to technical indicators but should include context as well as information about malware, specific campaigns and threat actors’ tactics, techniques, and procedures (TTPs) and motivations. If one central team within an agency is responsible for sharing with other entities, then they need to be able to further curate threat intelligence based on parameters set by the entities they are sharing with, so that each time data is transferred it is already curated for local consumption. Bi-directional communication is also important so that the central team can collect feedback on the relevance of disseminated intelligence and pinpoint areas of weakness in coverage.
4. Standards-based. The sharing mechanism must support open intelligence-sharing standards (STIX for representing intelligence and TAXII for transporting it, for example) and must not be vendor-locked, so that entities can use their platform of choice for data exchange. Data must also be in a usable format, so that it can be passed on to others and easily exported to the enforcement technologies already in the infrastructure.
5. Automated. The option to automate certain processes is critical for efficiency and effectiveness: for instance, automatically prioritizing intelligence according to parameters each entity sets for its specific environment, sending intelligence on known threats to the right tools for enforcement without human intervention, and automatically updating and reprioritizing intelligence as new threats emerge or additional context around known threats is found.
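The five principles above, as an added worked example that is not from the original article: a minimal policy-driven curation step for a point-to-point exchange, in which each partner's own parameters decide what it receives, restricted markings are filtered out before anything is transmitted, stale items are dropped, every push is logged, and newly attached context reprioritizes an item on the next run. The Partner and Intel records, the scoring weights, the TLP ordering, the partner names and the sample indicators (documentation-range addresses and reserved example names) are all assumptions constructed for this example; a real exchange would carry STIX objects over TAXII and would authenticate the peer before each push, which this example leaves out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Traffic Light Protocol markings, least to most restrictive (TLP 2.0 names; assumed ordering).
TLP_RANK = {"clear": 0, "green": 1, "amber": 2, "red": 3}


@dataclass
class Partner:
    """A sharing partner and the parameters it set for what it wants to receive (assumed layout)."""
    name: str
    max_tlp: str            # most restrictive marking this partner is cleared for (control)
    sectors: set            # industries the partner defends (relevance)
    max_age: timedelta      # anything older is stale for this partner (timeliness)
    min_confidence: int     # 0-100; below this the partner does not want the item


@dataclass
class Intel:
    """One intelligence item; a plain record standing in for a STIX object (assumed layout)."""
    id: str
    indicator: str
    tlp: str
    sectors: set            # empty set means the item applies to every sector
    confidence: int         # 0-100
    observed: datetime
    ttps: list = field(default_factory=list)   # technique IDs giving context, e.g. "T1190"
    campaign: str = ""


def priority(item: Intel, partner: Partner, now: datetime) -> float:
    """Rank an item for one partner: fresher, higher-confidence, context-rich intel first."""
    freshness = 1.0 - (now - item.observed) / partner.max_age   # 1.0 new, 0.0 at the staleness limit
    context = 1.0 + 0.5 * bool(item.ttps) + 0.25 * bool(item.campaign)
    return round(item.confidence / 100 * context * max(freshness, 0.0), 3)


def curate(items, partner, now):
    """Apply the partner's own parameters; returns (id, score) pairs, highest priority first.
    Items the partner is not cleared for are dropped here, before anything is transmitted."""
    out = []
    for it in items:
        if TLP_RANK[it.tlp] > TLP_RANK[partner.max_tlp]:
            continue                                # control: would leak a restricted marking
        if it.sectors and not (it.sectors & partner.sectors):
            continue                                # relevance: not this partner's industry
        if now - it.observed > partner.max_age:
            continue                                # timeliness: stale for this partner
        if it.confidence < partner.min_confidence:
            continue                                # relevance: below the partner's bar
        out.append((it.id, priority(it, partner, now)))
    return sorted(out, key=lambda p: (-p[1], p[0]))


def push(items, partner, now, ledger):
    """Send the curated set to one partner and log exactly what went where (control: tracking)."""
    sent = curate(items, partner, now)
    ledger.append({"to": partner.name, "at": now.isoformat(), "ids": [i for i, _ in sent]})
    return sent


def enrich(items, intel_id, ttps=None, campaign=None):
    """Attach context that arrived later; the next curate() run reprioritizes automatically."""
    for it in items:
        if it.id == intel_id:
            if ttps:
                it.ttps = list(ttps)
            if campaign:
                it.campaign = campaign
            return it
    raise KeyError(intel_id)


# Constructed sample data: documentation-range addresses and reserved example names only.
NOW = datetime(2021, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Intel("i-1", "203.0.113.7", "green", {"energy"}, 90, NOW - timedelta(hours=1), ["T1190"], "campaign-a"),
    Intel("i-2", "198.51.100.23", "red", {"energy"}, 95, NOW - timedelta(hours=2)),
    Intel("i-3", "c2.example", "amber", set(), 64, NOW - timedelta(hours=6)),
    Intel("i-4", "192.0.2.44", "green", {"finance"}, 85, NOW - timedelta(hours=1)),
    Intel("i-5", "old.example", "green", {"energy"}, 80, NOW - timedelta(days=3)),
]
UTILITY = Partner("energy-co", "amber", {"energy"}, timedelta(hours=24), 50)   # assumed partner
BANK = Partner("finance-co", "green", {"finance"}, timedelta(hours=24), 50)    # assumed partner

if __name__ == "__main__":
    ledger = []
    print(push(SAMPLE, UTILITY, NOW, ledger))   # i-2 (TLP:RED) and i-5 (stale) never leave
    print(push(SAMPLE, BANK, NOW, ledger))      # only i-4; i-3 is TLP:AMBER, above BANK's clearance
    enrich(SAMPLE, "i-3", ttps=["T1566.001"], campaign="campaign-b")
    print(push(SAMPLE, UTILITY, NOW, ledger))   # i-3 ranks higher once context is attached
    print(ledger)                               # who received which items, and when
```

The filtering happens on the sender's side and per recipient, which is what makes the exchange safe under "never trust, always verify": the partner is never handed a bulk feed and asked to discard what it should not see, and the ledger gives the sending team the tracking and reporting the first principle calls for.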
These principles make it possible for threat sharing and zero trust to not only coexist, but to enable the public and private sector to collaborate and, in the words of the Executive Order, “foster a more secure cyberspace”. The rise in malicious cyberattacks over the past several months and the U.S. government response have made it clear – we need to get started now. Fortunately, the essential elements are in place so we can.