Thomas Schreck, principal engineer of Siemens' CERT, alongside Margrete Raaum, leader of Norway's KraftCERT, told an audience at 4SICS 2016 today why information sharing is incredibly important in the energy sector, where it is currently failing and how it could be improved.
They then gave a quick history of how they have seen information sharing develop into what it is today, which they say began with the Morris worm in 1988. In response to it, one of the first CERTs was established. That was followed by the WANK worm in 1990, after which FIRST was established as people realised that teams were simply not talking to each other when combatting threats.
Schreck went on to give some examples of where he thinks instances of information sharing have gone well, where teams managed to work together successfully.
Despite researchers spending a lot of time trying to fight it, they struggled to keep up because new versions came out quickly, which is why it is still around. But working groups from different organisations and countries established a group to fight it further.
Schreck then told the story of a research paper named “Amplification hell: revisiting network protocols for DDoS abuse”, which is about a malware named ShadowServer. The researcher in question was not sure when or where to release the paper and its accompanying data; however, with the help of FIRST, there are now many initiatives helping to beat it, with over ten initiatives working with the researcher's data.
“This is a positive way in which the community is working together to defeat targets,” said Schreck.
Luckily, said Schreck, “FIRST brought focus and helped bring the patched version to life over the course of a number of months with lots of hard work.” Schreck said, “People weren't notified of the Heartbleed attack, and it meant that national CERTs were failing to talk to each other.”
Schreck said, “People often haven't ever shared data once, which means they literally don't know how. The recent DDoS attacks using the Mirai botnet are good examples of how info sharing works well, there is lots of sharing now, this is helpful because when you're being attacked you need help from anyone that can help.”
Cooperation is important, but it must be established before an incident happens; if it is already in place, mitigation happens more quickly.
Speak the same language by using open standards: closed solutions and black boxes work against trust, and you cannot connect to or understand the full process of the other system.
Schreck said that one of the biggest problems with cyber-threat intelligence is that management think it's like something Tom Cruise would have used in the film Minority Report.
But the reality is very different: when you get the data it looks nothing like that, and it can even arrive as image-based PDF reports, some needing OCR to be turned into actual data. Those indicators then need to be fed into a database, and when a broken indicator ends up in the database thanks to human error, Schreck said, “this takes away from the Minority Report magic.”
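As an added illustration of that last point (example code written for this page, not something from the talk or either CERT): a small validator that checks each indicator before it is loaded, repairs only the obvious OCR look-alike errors in IPv4 addresses, and rejects anything else it cannot verify, so a transcription mistake never becomes a broken record in the database. The sample indicators are constructed.

```python
import ipaddress
import re

# Constructed sample of indicators as they might read after OCR of an image-based
# PDF report; the defects are typical transcription errors, not real report values.
RAW_INDICATORS = [
    "192.168.10.25",                      # well-formed IPv4
    "192.168.1O.25",                      # OCR read a zero as the letter O
    "10.0.0. 5",                          # OCR inserted a space
    "evil-example.test",                  # well-formed domain
    "d41d8cd98f00b204e9800998ecf8427e",   # well-formed MD5-length hash
    "d41d8cd98f00b204e9800998ecf8427",    # one hex digit lost: 31 characters
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
IP_CONFUSABLES = str.maketrans({"o": "0", "l": "1", "i": "1"})  # OCR look-alikes
IP_CANDIDATE_RE = re.compile(r"^[0-9oli.]+$")


def classify(value):
    """Return the indicator type of a clean, lower-cased value, or None."""
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def validate(raw):
    """Return (status, kind, value) with status 'ok', 'repaired' or 'rejected'."""
    value = raw.strip().lower()
    kind = classify(value)
    if kind:
        return "ok", kind, value
    # Repair is attempted only on strings that look like an IPv4 with OCR noise;
    # letters inside hashes and domains are never rewritten.
    candidate = "".join(value.split())
    if IP_CANDIDATE_RE.match(candidate):
        candidate = candidate.translate(IP_CONFUSABLES)
        if classify(candidate) == "ipv4":
            return "repaired", "ipv4", candidate
    return "rejected", None, raw  # never loaded into the database as-is
```

Rejected records go back to a human for review; only "ok" and "repaired" records are written to the indicator store.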
Other issues include legacy systems developed without information security in mind, to which current IT security toolsets and processes cannot easily be applied, and the many vendors that have no vulnerability response capability or do not understand the need for one. Energy re-sellers in the sector share as little as possible so as not to step on their suppliers' toes, which makes it difficult to get a full view of all the vulnerabilities out there.
But it's not all doom and gloom: “the process of using threat intelligence in the industry is maturing, and the CERT community is doing its part to help this happen more quickly.”
Information about old incidents is not really helpful – share information in a timely manner, as soon as possible, and make sure you get feedback.
And finally, understanding your peers is important – otherwise you may end up sharing data no one can use – so share actionable data that means something to other people.