Europe's computer emergency response teams (CERTs) must do more to combat the increasingly complex cyber attacks faced by European organisations – including overcoming their own “lack of interest” in sharing attack information.
That's the warning from the EU's main cyber security agency, ENISA, which says Europe's almost 200 major emergency teams – which include 21 UK government and private-sector CERTs – face obstacles to sharing attack data including legal and technical barriers, as well as lack of co-operation and trust.
ENISA says that too often individual teams within these so-called ‘Digital Fire Brigades' are duplicating each other's efforts in detecting and dealing with sophisticated virus, malware and DDoS attacks.
The agency's latest‘Detect, SHARE, Protect' report says: “As the nature of cyber attacks is often global, it is crucial that responses to these incidents are co-ordinated not only within national boundaries, but also at a cross-border level. In order for this to happen, secure and effective information exchange and the sharing of information on such incidents must take place.”
To achieve this, report editor Romain Bourgue said ENISA is now focusing on identifying and promoting standards to share attack information and a common taxonomy to describe security events. “It's very difficult to exchange information if you don't speak the same language,” he said.
Asked about the problem of ‘lack of interest” in sharing attack data, Bourgue told SCMagazineUK.com this often stems from individual teams sharing data with others, but getting no feedback or reciprocal help.
He explained: “You have a team that identify an issue that involves another team's constituency. They decide to share this information - which takes some time because you have to explain everything - and they don't get any feedback from the other team. If they do it once, twice, then the third time they will just not share this information because they don't get any feedback from them or it's only one-way.”
Bourgue said, however, that there is good threat information-sharing among some groups of CERTs, and ENISA is now focused on scaling that up. “We have very good collaboration amongst small groups of teams - because trust doesn't scale,” he told us. “We would like to help to bridge those small sharing communities and bridge information between them. One way to do it is to promote some tools that are emerging now that focus on sharing information.”
These tools include MISP (Malware Information Sharing Platform) originally developed in Belgium and the US-sourced CIF (Collective Intelligence Framework) cyber threat intelligence management system, which enable people to share information on compromises.
ENISA is also pointing CERTs to a number of other evolving standards, including OpenIOC, two IETF standards - IODEF and RID – and the CyboX, STIX and TAXII standards from the US. It is also encouraging CERTs to adopt common data feeds for finding out about attacks and tools to manage them – like ‘Abuse Helper'.
The report confirms: “The ever-increasing complexity of cyber attacks requires more effective information sharing among CERTs. Local detection, accompanied by trusted forms of information exchange, leads to global prevention of cyber attacks.”
ENISA works with around 195 CERTs, of which 21 are based in the UK. These include teams from government and the MoD, as well as the ‘critical national infrastructure' such as the utilities, banks and other industry sectors.
The agency's stated aim is to develop a culture of network and information security for the benefit of citizens, consumers, business and public sector organisations in the European Union.