CTA Embarks on Year #2: Enhancing our Operational Collaboration

CTA was absolutely thrilled to celebrate our first anniversary just a few weeks ago during the RSA Conference. We highlighted strong growth in membership, in staff, and in the amount of cyber threat information we shared at machine speed on a daily basis. Our first year also provided the opportunity to test how CTA as an organization could help our members respond to a significant cyber incident in the form of the WannaCry outbreak. A key takeaway from the experience was that sharing information on cyber threat indicators and defensive measures at “human speed” needs to be a core CTA mission.

To some, this may seem counterintuitive. Why is sharing information at human speed important? Isn’t that too slow for cyber? The simple answer is that while many elements of cybersecurity are fast, cybersecurity practitioners need to recognize that we constantly face new incidents where automation is of limited use. After all, how do you automate something you don’t understand?

Artificial intelligence and machine learning may one day help us speed our understanding of and response to new and different cyber events. But for the foreseeable future, the level of activity and decisions required for effective cyber incident response and recovery cannot be automated. It must be done through operational collaboration and coordination. We have no choice but to respond to incidents by talking with one another, using phones, video conferences, emails, tweets, and even face-to-face discussions to understand the threats and organize the proper actions that are necessary to protect, respond, and recover. When facing a new problem, nothing can compare to the ability of human minds working together to find novel solutions.

As we begin our second year, one of our goals is to improve our ability to help our members respond to cyber incidents as effectively as possible. Let’s look back at what CTA and our members did in response to WannaCry nearly one year ago and draw some lessons about what we can and should do in the future.

WannaCry: How CTA Assists

As the global impact of WannaCry became apparent on May 12, 2017, CTA kicked off an internal collaboration process. We leveraged our unique status as an independent, not-for-profit organization to hold member teleconferences related to the incident, share threat information related to WannaCry, and provide information on appropriate defensive measures. Our members were leveraging our platform to share technical indicators at machine speed while sharing other information at human speed to understand the problem and develop mitigations. Prior to the establishment of CTA, our members had no readily available mechanism to come together and share information regarding cyber threat indicators or defensive measures that could be leveraged.

During our initial call, all members discussed their current analysis of the threat and the possible attack vectors that WannaCry was using to infect its victims. This operational collaboration allowed our members to realize that email was not a vector of compromise and they were able to focus their analysis elsewhere. We estimate that our collaboration sped up analysis by about 24-48 hours per member, providing additional time during the height of the incident for members to develop and deploy protections to their end-users.

WannaCry also demonstrated the difficulty that cybersecurity companies currently have in sharing victim telemetry. CTA’s operational collaboration helped to close this gap in the moment by sharing that telemetry data via our conference calls. In the future, CTA will seek to enable the automated sharing of telemetry data between members to improve our ability to collectively assess impact and incident severity.

Active collaboration between CTA members also allowed for rapid dissemination of cyber threat indicators and defensive measures to better understand the attack and deploy protections to their end-users. Sharing information during the incident at human speed allowed us to supplement our machine speed information with context, analysis, and insight from across the cybersecurity community. Members were able to avoid pitfalls and focus on getting the most productive solutions to their end-users.

Later in the day, CTA extended its internal operational coordination by participating in a conference call with representatives from the U.S. Department of Homeland Security and other non-government cybersecurity groups to share information gathered on WannaCry. CTA told the participants that email was not a vector of compromise and provided collective understanding of victim telemetry to assist with the U.S. Government’s situational awareness efforts and assessment of overall impact.

Moving Forward: Operational Collaboration and Global Outreach

Overall, the WannaCry experience validated that CTA could play a useful role in improving the cybersecurity industry’s response to significant cyber incidents. Therefore, in our second year, CTA intends to make this incident-based operational coordination and information sharing a routine practice. We will develop methods for members to assess incident severity so response efforts can be scoped appropriately. We will support our members in building policies and operational plans for use during cyber incidents. We will exercise these plans while we expand our collaboration to new entities, including additional cybersecurity companies, cloud service providers, and telecommunications companies, that want to be a part of our sharing community.

Our collaboration and sharing will not be limited to cyber incidents. In addition to our daily sharing of cyber threat information, CTA members routinely meet to discuss current trends in the threat landscape and share published information and analysis through our standing committees. For example, our Algorithm and Intelligence (A&I) Committee meets biweekly to discuss recently released public reports from their companies. They share defensive measures, such as signatures, techniques, and procedures to detect, prevent, and mitigate cybersecurity threats. As year two begins, A&I members are building a deeper level of professional trust. This camaraderie will come in handy when it is time to work together during a cyber incident, because there is no substitute for that human connection during a crisis.  

CTA also believes that the cybersecurity industry must engage in information sharing with governments around the world, both on a routine basis and in response to significant cyber incidents. Industry-government collaboration will provide a scaling effect as shared information is converted into protections for the end-users of products and services. Only by working together will we be able to truly ensure the security and resilience of cyber infrastructure and the networks, services, and data that are reliant on that infrastructure. CTA will seek to collaborate with governments across the globe during cyber incidents to ensure a broader response. CTA’s Contributing Allies program will be the primary mechanism for this outreach, mainly through government network defense and CERT organizations.

Our success in cybersecurity is dependent on our ability to share cyber threat information and collaborate. Much of that sharing will be automated and near real-time – after all, CTA exists to support the provision of this very capability! But we must not discount the role that good, old-fashioned human speed collaboration will play in cybersecurity. If you’re interested in working with us, we encourage you to contact us and inquire about membership.

Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.