cyber info sharing


  • 7/29/2019 Cyber Info Sharing

    1/8

October 2012. The MITRE Corporation. All rights reserved. Approved for Public Release. Case Number 11-4486. Distribution Unlimited.


Cyber Information-Sharing Models: An Overview


Table of Contents

The Imperative for Cyber Information Sharing

Cyber Information Sharing Approaches

Hub-and-Spoke Models

Post-To-All Models

Hybrid Models

One Size Does Not Fit All

MITRE's Role


The Imperative for Cyber Information Sharing

Threats from cyber attacks are growing. Within the last year, there have been successful intrusions against several major corporations, including Sony, Citigroup, Booz Allen Hamilton, and RSA Security. The Canadian, French, Indian, and South Korean governments have all reported breaches of their computer systems and U.S. government officials have been targeted through personal email accounts. These are only the attacks that are known in the public domain; it is likely that other attacks have occurred without reaching the public eye. The consequences of such incidents are serious. Criminal groups are causing millions of dollars of damage to individuals and businesses. Adversaries are stealing valuable intellectual property and government secrets that can impact economic and national security.

One of the challenges in preventing, detecting, and responding to such incidents is that businesses and government are deeply interconnected. For instance, foreign nations may try to acquire sensitive government information by targeting companies that have government contracts. A key element in defending against these attacks is having information about the tools, techniques and resources (physical, financial, and human) that adversaries are using to breach cyber defenses. The figure below shows a framework for thinking about the methods that adversaries use to exfiltrate data from a variety of organizations.

This kill-chain involves a series of steps that an adversary might take to compromise, control, and exploit a target. Because similar attack methods are used throughout the kill-chain against a wide range of targets across the public-private spectrum, it is important for organizations in the public and private sectors to share information with each other. This can help organizations improve their cyber defenses and leverage the resources expended by others to improve the value of their investments. Cyber security is often expensive and the costs of intrusions can be exceedingly high; hence, there can be a massive gain in return-on-investment by leveraging work done by others. For example, the first half of the kill-chain precedes an actual exploit and represents an opportunity to proactively prevent and detect threats. The latter half of the kill-chain focuses on incident detection and response.

[Figure: Cyber Kill-Chain. Steps shown: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain.]


Information sharing between organizations can enable participants to develop tailored strategies for layering defenses across different steps of the kill chain. The advantages and disadvantages of sharing different types of information will be discussed in detail below.

Cyber Information Sharing Approaches

Hub-and-Spoke Models

The first formal mechanism proposed by the U.S. government to facilitate cyber information sharing was the Industry Sharing and Analysis Center (ISAC) described in Presidential Decision Directive-63 (PDD-63), which was published in 1998.¹ ISACs serve as the mechanism for gathering, analyzing, and appropriately sanitizing and disseminating private-sector information to industry and government. A center can also disseminate government information to the private sector. Although ISACs are usually designed by private sector representatives of key companies in each critical infrastructure, participation in industry ISACs is voluntary. According to PDD-63, ISACs would possess a large degree of technical focus and expertise and non-regulatory and non-law enforcement missions; they would establish baseline statistics and patterns on the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a library for historical data to be used by the private sector and, as deemed appropriate by the ISAC, by the government. Critical to the success of such an institution would be its timeliness, accessibility, coordination, flexibility, utility, and acceptability.

¹ A copy of PDD-63 can be found at http://www.fas.org/irp/offdocs/pdd/pdd-63.htm (accessed August 15, 2011).

A number of ISACs have been created in the last 10 to 15 years. Their results, to date, have been mixed. There are several reasons why many ISACs have not lived up to their potential. Many of the ISACs focus on sharing information on intrusions and vulnerabilities. Because these types of information are usually sensitive, companies are understandably reluctant to reveal this type of data to their peers and the government. Companies often choose to withhold this information; otherwise, the ISACs develop elaborate procedures to hide the identities of the organizations that do contribute this type of information. While such processes can reduce barriers to sharing, they can also slow down the information-sharing mechanism and prevent some of the face-to-face interactions that occur in trusted environments, both of which reduce the benefits of information sharing.

A related issue is that intrusion and vulnerability information is not usually actionable. In the former case, participants alert other participants after they have been compromised. Often, this is too late to mitigate attacks before serious damage occurs. In the latter case, vulnerability information is often too general to guide specific actions.

Another important issue that affects ISAC operations concerns the overall structure that is used to exchange information. Traditional ISAC models tend to rely on hub-and-spoke architectures. This type of architecture often has a central hub that receives data from the participating members (the spokes). Either the hub can redistribute the incoming data directly to other members, or it can provide value-added services and send the new (and presumably more useful) information to the members. With this approach, the hub acts as a clearinghouse that can facilitate information sharing while protecting the identities of the members. In addition, the hub may provide value by combining information from multiple members, by adding its private data, or by conducting extra analyses on the members' data.


While the hub-and-spoke model has benefits, it also has limitations. The entire system relies on the functioning of the hub, which makes the system vulnerable to delays and systemic failures. If the hub is not working well, then the entire information-sharing mechanism will not work well. The more members that participate in the exchange, the more information will be sent to the hub for processing, filtering, analysis, and distribution. While more information can provide greater analytic insight, it can also increase the burden on the hub and possibly introduce delays into the system. Because the most valuable information is often time-sensitive, delays in distribution can reduce the benefits of the information-sharing mechanism. Finally, a hub-and-spoke model can be expensive. The more value-added services are provided by the hub, the more it will cost. If the costs are borne by the members, then those fees will become requirements for entry into the exchange. If those fees are high, they may preclude certain companies from joining the group.

A related challenge is that sharing information in this model requires a high degree of trust in the hub. It may be difficult to create a hub-and-spoke structure around either a for-profit company or a government agency. In the former case, there may be natural conflict-of-interest issues and/or members may be reluctant to share information with another company that is trying to maximize profits while acting as a trusted third party. In the latter case, companies may be reluctant to share information directly with a government agency, due to fears of information being leaked or disclosed by Freedom of Information Act requests. In addition, there are cultural barriers that often lead companies to distrust the government. Companies need to feel that the benefits they gain by sharing sensitive information with the government must outweigh the risks; often, this barrier is not crossed.

Post-To-All Models

Several industry groups and consortia have developed a different cyber information-sharing approach. This post-to-all model enables any participant to share with the entire membership roster, rather than going through a central hub. Because members share directly with each other, information dissemination is quick and can be easily scaled to many participants. A post-to-all model can also be inexpensive, because there is no need to pay for a central hub. On the other hand, this model does not contain built-in value-added services; the only information that is flowing between members is the data collected and analyzed by the members. This places a premium on sharing the right kinds of information. The previous section described the challenges associated with sharing data on intrusions and vulnerabilities. Such challenges would be more pronounced in a post-to-all system. The greatest benefit in either model would be derived from sharing intrusion attempt information (i.e. information about incidents, regardless of actual intrusions).

There are many good reasons for sharing intrusion attempt information:

It is less sensitive than other types of data. Information about attempted intrusions is less revealing than information about successful intrusions. Other members will not know if the attempts were successful; therefore, they cannot draw conclusions about a given company's vulnerabilities or its information security capabilities.

It can be disseminated quickly. Because intrusion attempt information requires less sanitization and analysis than other types of data, it can be shared quickly with other members. Timeliness is critical because adversaries adapt their tactics and techniques quickly.

It is actionable. Intrusion attempt information can be acted upon in a timely fashion. If one organization alerts other organizations that it has detected a specific type of malware or a particular type of social engineering attack, other organizations can look for similar patterns. This can be done quickly, without revealing sensitive information to each other.

The trust issue in a post-to-all model must be handled differently than in a hub-and-spoke model. Because information is shared among participants, there must be trust relationships among all members of the exchange or the model will not work well. One way to build an atmosphere of trust is to design the information exchange to a specific mission. This will create an environment where members face common threats. They will seek to share information and focus the community around those threats. Having a specific mission makes it easier to define membership and provide direction. Furthermore, trust in a community is a function of how much members believe that other members support the same mission, respect the community rules, and are willing to participate on a reciprocal basis. Thus, building an information-sharing system for a specific mission can maximize trust, if it is implemented properly. In addition, trust is facilitated and strengthened through face-to-face meetings and individuals who have a long history of personal rapport. It is important that the information-sharing model develop vetting requirements and procedures to facilitate the introduction of new members and to maintain communication among existing members. The security, speed, and convenience of these communication mechanisms will vary with the mission and requirements of the organization.

Although it has many benefits, a post-to-all model has its own set of challenges. To scale effectively, members must agree on a common taxonomy for incident information and a template for sharing relevant information while making information anonymous and removing sensitive data. A related challenge to a post-to-all information exchange is that members must have infrastructures that protect and support the communication of relevant information and processes that allow for identifying and acting on high-priority incidents. If such infrastructures and processes place a heavy burden on member organizations, they will be reluctant to exchange information. Information security staffs are often incredibly busy; therefore, the information sharing process must be easy. That is one reason why introducing automation can be beneficial. If a company can receive an alert in a format that can be ingested and interpreted by a computer, then the people involved can focus on analyzing and evaluating response actions.
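The shared template and anonymization step this section calls for, together with the hub's value-added correlation of several members' data described in the hub-and-spoke section, as an added example that is not part of the MITRE paper: a member validates an intrusion-attempt report against a small common taxonomy and strips identity, internal hosts and success/failure details before posting, and a hub counts how many distinct sources report the same indicator. The taxonomy, field names, exchange salt and sample reports are all constructed for the illustration.

```python
import hashlib
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed minimal taxonomy for intrusion-attempt reports (not MITRE's or any real exchange's).
ATTEMPT_TYPES = {"malware", "phishing", "brute-force", "scan"}
REQUIRED = ("reporter", "attempt_type", "observed_at", "indicator")
SHAREABLE = ("attempt_type", "observed_at", "indicator", "description")  # everything else is dropped
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pseudonym(reporter: str, exchange_salt: str) -> str:
    """Stable per-exchange pseudonym: peers can correlate one source's reports without learning who it is."""
    return hashlib.sha256(f"{exchange_salt}:{reporter}".encode()).hexdigest()[:12]


def is_internal(value: str) -> bool:
    """True for addresses that describe the reporter's own network rather than the adversary."""
    try:
        addr = ip_address(value)
    except ValueError:  # domain, hash or other non-IP indicator
        return False
    return addr.is_loopback or any(addr in net for net in RFC1918)


def sanitize(report: dict, exchange_salt: str) -> dict:
    """Validate a member's report against the taxonomy and keep only shareable fields."""
    missing = [k for k in REQUIRED if k not in report]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if report["attempt_type"] not in ATTEMPT_TYPES:
        raise ValueError(f"unknown attempt_type: {report['attempt_type']}")
    if is_internal(report["indicator"]):
        raise ValueError("indicator is an internal address; not shareable")
    shared = {k: report[k] for k in SHAREABLE if k in report}
    shared["source"] = pseudonym(report["reporter"], exchange_salt)  # identity never leaves the member
    return shared


def correlate(shared_reports: list, threshold: int = 2) -> dict:
    """Hub-side value-add: indicators seen by at least `threshold` distinct sources."""
    sources = defaultdict(set)
    for r in shared_reports:
        sources[r["indicator"]].add(r["source"])
    return {ind: len(s) for ind, s in sources.items() if len(s) >= threshold}


# Constructed sample reports from three members; the domain and address are documentation values.
SALT = "example-exchange-secret"
RAW_REPORTS = [
    {"reporter": "Member A", "attempt_type": "phishing", "observed_at": "2012-10-01T09:12Z",
     "indicator": "invoice-update.example", "internal_hosts": ["10.1.4.7"], "was_successful": True},
    {"reporter": "Member B", "attempt_type": "phishing", "observed_at": "2012-10-01T11:40Z",
     "indicator": "invoice-update.example", "analyst_contact": "soc@b.example"},
    {"reporter": "Member C", "attempt_type": "scan", "observed_at": "2012-10-02T02:05Z",
     "indicator": "203.0.113.9"},
]
if __name__ == "__main__":
    posted = [sanitize(r, SALT) for r in RAW_REPORTS]
    print(posted, "\nreported by multiple members:", correlate(posted))
```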

Hybrid Models

The previous sections have described two models for cyber information sharing among and between public sector and private sector organizations: hub-and-spoke and post-to-all. While these models were presented as stand-alone options, there are also blended or hybrid approaches that combine characteristics of each. For example, an information exchange could use a post-to-all architecture for the exchange of intrusion indicators while sending incident-response data to a centralized hub. This hub could conduct analysis on the data coming from multiple organizations to produce analytic reports for all to use. A second option would allow members of the information exchange to send the same data to each other and to a central hub. As before, the benefit would be the ability to act on time-sensitive data through direct, collaborative sharing while leveraging the value of the hub's ability to collect, synthesize, and analyze data across the membership and disseminate findings in the longer term.

While there are advantages to using a hybrid arrangement for cyber information sharing, disadvantages also must be considered. Establishing and running a hybrid arrangement is difficult. The mechanics of sharing information across two different architectures can become complicated, and the governance of such a model can be a challenge. In addition, the costs associated with an exchange using a hybrid model will be greater than those for an exchange that relies on a single model.

One Size Does Not Fit All

Each type of information-sharing model carries its own set of benefits and challenges. No single model will be the best choice for a given industry sector or organization. In some cases, a centralized model with value-added services may provide the most benefits. In other cases, the ability to share information directly with peer organizations in a given industry or region may be attractive. A hybrid model may make the most sense for certain participants. Determinations must be based on a number of key factors, including, but not limited to:

The mission of the information exchange (e.g., Is it focused on a functional area, a region, or other?)

The number of organizations participating (present and future)

The type of organizations (e.g., size, industry, culture)

The role of government (e.g., If the government is involved, is it a sponsor, member, hub, or other?)

The types of information that will be shared.

There may be cases when a single enterprise participates in multiple information exchanges, each of which has a different architecture. Regardless of the approach, cyber information sharing will not be effective unless it focuses on standardized, actionable data that can be handled in an automated manner.

MITRE's Role

MITRE brings a unique mix of attributes that make it an ideal partner for helping private or public organizations stand up and run information sharing exchanges. The MITRE Corporation is a non-profit entity chartered to work in the public interest that operates multiple federally funded research and development centers. As a result, MITRE often acts as a trusted third party for the government and industry. For example, MITRE is the developer and custodian of multiple cyber security standards, including Common Vulnerabilities and Exposures and Open Vulnerability and Assessment Language. In this role, MITRE is sponsored by the U.S. government to lead the development of industry collaboration standards.

One benefit of MITRE's long experience working with cyber security standards is its ability to develop structures that enable the sharing and automated processing of information. This work has enabled security automation in vulnerability management, asset management, and configuration management through the Security Content Automation Protocol program. Current efforts are focused on developing structures that enable automation in malware analysis, incident response, and cyber threat sharing.

MITRE currently operates two information exchanges: one on behalf of the government and one in support of a regional research organization. The former information exchange is called the Aviation Safety Information Analysis and Sharing (ASIAS) system. It is focused on the sharing of data from airlines to improve air safety. In that model, MITRE acts as a hub that receives information from multiple airlines and the Federal Aviation Administration (FAA). Members do not share information. Each participant sends its data, which is often highly sensitive, to MITRE, and MITRE works diligently to ensure that member data is kept confidential. MITRE gathers and analyzes this information, and provides reports to all participants on key issues that affect airline safety. These reports are highly valuable, as evidenced by the growth of ASIAS from 10 to 31 members in a few years and its continued government sponsorship.

The latter information exchange is called the Advanced Cyber Security Center (ACSC), which is a non-profit entity sponsored by Mass Insight Global Partnerships. ACSC focuses on information sharing among a wide range of Massachusetts-based members from industry, government, and academia. It operates a collaborative model that enables its members to share best practices, conduct and share real-time analysis, and propose new cybersecurity architectures.

Finally, MITRE is a member of multiple information sharing exchanges. Some exchanges follow the hub-and-spoke model; others use a post-to-all architecture. Thus, MITRE has first-hand experience with participating in different types of information sharing collectives. It has gathered lessons learned from its participation in these exchanges, and continuously evaluates what works and what needs to be improved in these various groups.
