Difference between revisions of "Journal:Interoperability challenges in the cybersecurity information sharing ecosystem"

From LIMSWiki
Jump to navigationJump to search
(Saving and adding more.)
(Saving and adding more.)
Line 37: Line 37:
Various businesses and organizations have recognized the need of being able to share cyber threat information (CTI) in a timely and reliable manner to enhance their ability to identify any malicious activity or sources and mitigate attacks in a timely manner, prior to damaging their assets. The National Institute of Standards and Technology (NIST) defines CTI as "any information that can help an organization identify, assess, monitor, and respond to cyber threats."<ref name="JohnsonGuideTo16">{{cite web |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf |format=PDF |title=Guide to Cyber Threat Information Sharing |work=NIST Special Publication 800-150 |author=Johnson, C.; Badger, L.; Waltermire, D. et al. |publisher=National Institute of Standards and Technology |date=October 2016 |accessdate=03 March 2020}}</ref> In a survey conducted by the SANS institute regarding the evolution of cyber threat information, 72% of survey respondents mentioned that in 2018 they had produced or consumed such information for their network defense.<ref name="BrownTheEvo19">{{cite web |url=https://www.sans.org/reading-room/whitepapers/threats/paper/38790 |title=The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey |author=Brown, R.; Lee, R.M. |publisher=The SANS Institute |date=04 February 2019 |accessdate=03 March 2020}}</ref> The respective percentage for 2017 was 60%.<ref name="BrownTheEvo19" /> This demonstrates that information sharing is increasingly becoming part of an organization's strategy, and the number of them that join the sharing community is rising. The types of information that can be produced and shared among communities include, among others, security appliance log entries and alerts, measurable and observable actions, security bulletins and advisories, identified vulnerabilities, news, reports, and intelligent information.
Various businesses and organizations have recognized the need of being able to share cyber threat information (CTI) in a timely and reliable manner to enhance their ability to identify any malicious activity or sources and mitigate attacks in a timely manner, prior to damaging their assets. The National Institute of Standards and Technology (NIST) defines CTI as "any information that can help an organization identify, assess, monitor, and respond to cyber threats."<ref name="JohnsonGuideTo16">{{cite web |url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf |format=PDF |title=Guide to Cyber Threat Information Sharing |work=NIST Special Publication 800-150 |author=Johnson, C.; Badger, L.; Waltermire, D. et al. |publisher=National Institute of Standards and Technology |date=October 2016 |accessdate=03 March 2020}}</ref> In a survey conducted by the SANS institute regarding the evolution of cyber threat information, 72% of survey respondents mentioned that in 2018 they had produced or consumed such information for their network defense.<ref name="BrownTheEvo19">{{cite web |url=https://www.sans.org/reading-room/whitepapers/threats/paper/38790 |title=The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey |author=Brown, R.; Lee, R.M. |publisher=The SANS Institute |date=04 February 2019 |accessdate=03 March 2020}}</ref> The respective percentage for 2017 was 60%.<ref name="BrownTheEvo19" /> This demonstrates that information sharing is increasingly becoming part of an organization's strategy, and the number of them that join the sharing community is rising. The types of information that can be produced and shared among communities include, among others, security appliance log entries and alerts, measurable and observable actions, security bulletins and advisories, identified vulnerabilities, news, reports, and intelligent information.


The number of CTI sources is therefore increasing, as do cyber threat intelligence platforms capable of consuming information from threat intelligence feeds, analyzing, evaluating, and classifying it prior to sharing threat information with the community. Threat intelligence, according to Tounsi and Rais<ref name="TounsiASurv18">{{cite journal |title=A survey on technical threat intelligence in the age of sophisticated cyber attacks |journal=Computers & Security |author=Tounsi, W.; Rais, H. |volume=72 |pages=212–33 |year=2018 |doi=10.1016/j.cose.2017.09.001}}</ref>, means evidence-based knowledge representing threats that can inform decision-making. Cyber threat information and intelligence (CTII) facilitate situational awareness of the threat landscape, a deeper understanding of threat actors and their tactics, techniques, and procedures (TTPs), and greater agility to defend against evolving threats.
Nowadays, organizations have the ability to participate in such threat-sharing communities or intelligence groups, and analyze and evaluate CTII via their security operations team. Depending on the types of security appliances they are using, they can incorporate CTII into their security solutions, including measures such as unified threat management (UTM), [[Intrusion detection system|intrusion detection/prevention systems]] (IDS/IPS), and security information and event mnagement (SIEM). IT security vendors and service providers also collect such information from their clients worldwide, analyze it, and feed it back to the deployed security appliances, thus gaining from the experience of their community. Analysis and evaluation of such information is considered essential, as sometimes the information that is shared is not properly filtered or checked.
Using unreliable sources poses risks to organizations, as the information may not be accurate or complete. To confront this undesired situation, organizations go beyond closed groups and use multiple sources instead. As such, CTII sharing takes place among multiple actors, such as government agencies and organizations, private sector organizations, and industry-based focus groups. One of the most challenging issues in this process is achieving consensus regarding how this information should be shared among interested parties and the threat intelligence community. This requires having a common understanding on what information is shared, how it is shared, and whether sharing of such information is legal.
This paper addresses the interoperability challenges that businesses and organizations face when adopting specific sharing solutions. These challenges mainly stem from the adoption of multiple [[  Specification (technical standard)|technical standards]], strategies, and policies among stakeholders, together with legal restrictions concerning information sharing. The aim of this work is to highlight points that impede the wide adoption of cybersecurity information sharing and the much-needed automation of the sharing process.<ref name="BrownTheEvo19" /> Security analysts would benefit from such automation, as they could devote more time on analyzing collected interoperable data, as opposed to devoting their efforts on the collection process itself. Interoperability is also a means to widen the CTII sharing spectrum and engage more stakeholders in the exchange process, thus developing a global shield against emerging threats, with significant benefits for the community.
==Background==





Revision as of 20:04, 26 October 2020

Full article title Interoperability challenges in the cybersecurity information sharing ecosystem
Journal Computers
Author(s) Rantos, Konstantinos; Spyros, Arnolnt, Spyros; Papanikolaou, Alexandros; Kritsas, Antonios; Ilioudis, Christos; Katos, Vasilios
Author affiliation(s) International Hellenic University, Innovative Secure Technologies, Bournemouth University
Primary contact Email: krantos at cs dot ihu dot gr
Year published 2020
Volume and issue 9(1)
Article # 18
DOI 10.3390/computers9010018
ISSN 2073-431X
Distribution license Creative Commons Attribution 4.0 International
Website https://www.mdpi.com/2073-431X/9/1/18/htm
Download https://www.mdpi.com/2073-431X/9/1/18/pdf (PDF)

Abstract

Threat intelligence helps businesses and organizations make the right decisions in their fight against cyber threats, and strategically design their digital defences for an optimized and up-to-date security situation. Combined with advanced security analysis, threat intelligence helps reduce the time between the detection of an attack and its containment. This is achieved by continuously providing information, accompanied by data, on existing and emerging cyber threats and vulnerabilities affecting corporate networks. This paper addresses challenges that organizations are bound to face when they decide to invest in effective and interoperable cybersecurity information sharing, and it categorizes them in a layered model. Based on this, it provides an evaluation of existing sources that share cybersecurity information. The aim of this research is to help organizations improve their cyber threat information exchange capabilities, to enhance their security posture and be more prepared against emerging threats.

Keywords: cyber threat information, cyber threat intelligence, interoperability, cybersecurity, evaluation

Introduction

Information has undoubtedly become one of the most valuable assets for organizations, whose dependence on it is constantly rising. At the same time, the frequency and ferocity of cyberattacks is also increasing, posing a great threat to business environments. According to a study conducted jointly by Ponemon Institute and Accenture, the average cost of cybercrime to organizations in 2018 rose to $13 million.[1] Moreover, 79% of chief information security officers (CISOs) in the banking sector believe that cybercriminals have become more sophisticated.[2]

In this constant battle of cybersecurity, organizations must remain cognizant of emerging and evolving threats and defend themselves against a wide range of adversaries with various levels of motivations, capabilities, and access to resources. These adversaries typically range from amateur hackers to well-organized and highly capable teams that have direct access to vulnerabilities and exploits, and therefore become advanced, and sometimes persistent, threats to organizations. The impact of such sophisticated, dynamic, and automated cyberattacks can be devastating.

Various businesses and organizations have recognized the need of being able to share cyber threat information (CTI) in a timely and reliable manner to enhance their ability to identify any malicious activity or sources and mitigate attacks in a timely manner, prior to damaging their assets. The National Institute of Standards and Technology (NIST) defines CTI as "any information that can help an organization identify, assess, monitor, and respond to cyber threats."[3] In a survey conducted by the SANS institute regarding the evolution of cyber threat information, 72% of survey respondents mentioned that in 2018 they had produced or consumed such information for their network defense.[4] The respective percentage for 2017 was 60%.[4] This demonstrates that information sharing is increasingly becoming part of an organization's strategy, and the number of them that join the sharing community is rising. The types of information that can be produced and shared among communities include, among others, security appliance log entries and alerts, measurable and observable actions, security bulletins and advisories, identified vulnerabilities, news, reports, and intelligent information.

The number of CTI sources is therefore increasing, as do cyber threat intelligence platforms capable of consuming information from threat intelligence feeds, analyzing, evaluating, and classifying it prior to sharing threat information with the community. Threat intelligence, according to Tounsi and Rais[5], means evidence-based knowledge representing threats that can inform decision-making. Cyber threat information and intelligence (CTII) facilitate situational awareness of the threat landscape, a deeper understanding of threat actors and their tactics, techniques, and procedures (TTPs), and greater agility to defend against evolving threats.

Nowadays, organizations have the ability to participate in such threat-sharing communities or intelligence groups, and analyze and evaluate CTII via their security operations team. Depending on the types of security appliances they are using, they can incorporate CTII into their security solutions, including measures such as unified threat management (UTM), intrusion detection/prevention systems (IDS/IPS), and security information and event mnagement (SIEM). IT security vendors and service providers also collect such information from their clients worldwide, analyze it, and feed it back to the deployed security appliances, thus gaining from the experience of their community. Analysis and evaluation of such information is considered essential, as sometimes the information that is shared is not properly filtered or checked.

Using unreliable sources poses risks to organizations, as the information may not be accurate or complete. To confront this undesired situation, organizations go beyond closed groups and use multiple sources instead. As such, CTII sharing takes place among multiple actors, such as government agencies and organizations, private sector organizations, and industry-based focus groups. One of the most challenging issues in this process is achieving consensus regarding how this information should be shared among interested parties and the threat intelligence community. This requires having a common understanding on what information is shared, how it is shared, and whether sharing of such information is legal.

This paper addresses the interoperability challenges that businesses and organizations face when adopting specific sharing solutions. These challenges mainly stem from the adoption of multiple technical standards, strategies, and policies among stakeholders, together with legal restrictions concerning information sharing. The aim of this work is to highlight points that impede the wide adoption of cybersecurity information sharing and the much-needed automation of the sharing process.[4] Security analysts would benefit from such automation, as they could devote more time on analyzing collected interoperable data, as opposed to devoting their efforts on the collection process itself. Interoperability is also a means to widen the CTII sharing spectrum and engage more stakeholders in the exchange process, thus developing a global shield against emerging threats, with significant benefits for the community.

Background

References

  1. Accenture, Ponemon Institute (2019). "The Cost of Cybercrime" (PDF). Accenture. https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf. Retrieved 03 March 2020. 
  2. Kellermann, T. (5 March 2019). "Modern Bank Heists: The Bank Robbery Shifts to Cyberspace". Carbon Black. VMware, Inc. https://www.carbonblack.com/blog/modern-bank-heists-the-bank-robbery-shifts-to-cyberspace/. Retrieved 03 March 2020. 
  3. Johnson, C.; Badger, L.; Waltermire, D. et al. (October 2016). "Guide to Cyber Threat Information Sharing" (PDF). NIST Special Publication 800-150. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf. Retrieved 03 March 2020. 
  4. 4.0 4.1 4.2 Brown, R.; Lee, R.M. (4 February 2019). "The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey". The SANS Institute. https://www.sans.org/reading-room/whitepapers/threats/paper/38790. Retrieved 03 March 2020. 
  5. Tounsi, W.; Rais, H. (2018). "A survey on technical threat intelligence in the age of sophisticated cyber attacks". Computers & Security 72: 212–33. doi:10.1016/j.cose.2017.09.001. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.