Smarter Cybersecurity Thinking: Disruption Through Analysis

Previously in this series of blog posts, we discussed the steps that organizations can use to improve their cybersecurity and we looked at how cybersecurity companies need to share information to enable more effective network defense. When cybersecurity companies share contextualized technical indicators at speed and at scale and use those indicators in their products, we’ve taken the first step in addressing the cybersecurity problem in a new way, protecting end-users more quickly and efficiently.

We also promoted the idea of moving from a “castle defense” strategy to one focused on adversary disruption – don’t focus solely on keeping the adversary “out,” but do your best to prevent them from achieving their goals. Putting all your efforts into making your castle walls thicker and your moat deeper won’t work. No matter what you do, a determined adversary will find their way in. Further, in today’s enterprises, application and threat landscapes are constantly evolving. There is no “castle gate,” no single point of entry for malicious actors to enter. In fact, there are multiple ways that malicious actors can breach a company’s security, and that number is growing every day.

So how can the entire ecosystem of cybersecurity providers, cloud-service providers, software companies, and end-users prevent these malicious actors from achieving their goals? Cybersecurity providers must share threat intelligence with context, correlate the diverse intelligence elements included in that shared information to assemble a more holistic picture of the adversary, and analyze how an adversary tries to achieve their goals. Cybersecurity providers can then create analytic outputs that enable everyone in the digital ecosystem to take actions that will raise the costs for adversaries over the long run and disrupt their entire underlying business model.

CTA plays a leading role in these disruption efforts in three ways. First, our threat information sharing improves our members’ cybersecurity products, which we’ve talked about in previous blogs. Second, when this information is publicized in various analytic outputs that defenders then act upon, it forces adversaries to move to new infrastructure and to change procedures much more rapidly than they otherwise would, thereby increasing their costs and reducing their effectiveness. Third, and finally, by sharing information during significant cyber incidents, we can decrease the impact of these events on the digital ecosystem and increase resiliency. The rest of this blog discusses these latter two methods.

Analysis of Shared Data: Raising Costs and Forcing Change

CTA’s information sharing facilitates analysis aimed at disrupting malicious actors, raising their costs, and forcing them to change their tools and behavior.

  • Raising Costs

CTA’s information sharing provides a large, common set of threat data to our members. Through analysis, our members can assess adversary activity and better protect end-users. When CTA members take the next step and publicize their results, they share insights and help the entire cyber ecosystem understand the bigger security picture and become more effective. This raises costs on the adversary and reduces their return on investment.

  • Forcing Change

CTA members will produce analytic outputs using our shared threat information on a regular basis. These outputs will be shared with network defenders in various ways, such as through the production of Adversary Playbooks and Joint Analysis.

Adversary Playbooks will be written and distributed by some CTA members to describe the actions that adversaries must take to successfully execute their goals, along with the technical indicators they use at each step in a Cyber Kill Chain. This approach provides network defenders with multiple opportunities to stop malicious activity beyond just the initial breach, shifting the balance of power from the adversary to the defender.

CTA has developed a white paper to describe Adversary Playbooks in more detail and the common principles that our members will consider when creating Adversary Playbooks. Network defenders and their cybersecurity providers can use the information in these Playbooks to protect themselves across the Kill Chain.

Joint Analysis outputs will take a different form. CTA members created an early version of this type of output back in 2016. At that time, eight companies (six of which would later go on to found CTA) combined their intelligence on a type of ransomware called Cryptowall Version 3 to create a Joint Analysis output. This document represented a new way of tying together threat research among competitors. They shared threat data, samples, and information on Cryptowall with each other and used that to provide the public with an in-depth look at a large-scale crimeware campaign. Soon after, the actors behind Cryptowall 3 abandoned that version, probably much sooner than they otherwise would have.

In the coming months, CTA members will look for opportunities to develop new Joint Analysis reports related to specific threats and campaign activity, with the goal of disrupting adversary activity at higher levels of David Bianco’s Pyramid of Pain, such as the tools and tactics, techniques, and procedures tier. Since no one company in isolation can see everything, our members will cast as wide a net as possible, share threat information, and put together more complete pictures of specific threats for the public good.

Incident-Focused Sharing: Disrupting the Adversary in Real Time

CTA also shares information in response to large-scale or significant cyber incidents and enables member companies to be more effective in their response efforts. This sharing occurs at both machine and human speed. For automated sharing, our members prioritize the sharing of technical indicators and context associated with the incident, ensuring that information is distributed as rapidly as possible to all members and therefore to customers. For the human-to-human sharing, we convene our member companies to discuss our understanding of the incident, what the data is telling us, and what mitigations are effective. The human-speed sharing helps the cybersecurity community quickly build a better understanding of the situation, make effective decisions about how to respond, and push more effective protections to end-users.

We have already put this concept into practice. During the WannaCry and NotPetya incidents, CTA facilitated information sharing at both human and machine speeds among our members. This sharing allowed us to rapidly understand the infection vectors and avoid analytic dead-ends. We also shared our findings with government partners. CTA is positioned across the cybersecurity ecosystem, where information sharing can lead to the rapid mobilization of our resources to address incidents on a large scale. In this way, CTA can begin to operationalize the recommendation to establish a group of “Information and Communications Technology (ICT) Enablers” that was called for in the National Security Telecommunications Advisory Committee’s report to the President on Information and Communications Technology Mobilization.

We will continue to improve our information sharing during cyber incidents by developing policies for how to conduct the human-speed information sharing alongside the machine-speed sharing enabled by our Platform, creating best practices for common assessments of incident severity, and establishing the capability to connect to any relevant entity during an incident. In turn, this incident information sharing will inform our members’ independent response actions, thereby making them more effective. CTA is also committed to developing Incident Reviews of important cyber incidents to ensure that the cybersecurity industry is learning the correct lessons. Incident Reviews will describe what was known about a particular cybersecurity incident at the time and compare that to what we know today. CTA is uniquely positioned to review notable incidents, provide insights to the broader community, and drive progress.

Do Your Part in Making Disruption Effective

CTA strives to develop new ways to identify and disrupt adversary activity through facilitating better information sharing among our members. We are not afraid to experiment. We routinely seek input from members and non-members alike to understand whether our information sharing is working, what outputs would be most valuable to network defenders, and how to make our activities as effective as possible. CTA welcomes the feedback of the community, and it can always be provided to us at feedback@cyberthreatalliance.org.

Each of our members finds different value in our disruption efforts and participates in different ways, depending on their business model and competitive advantage. CTA creates an environment that enables our members to be “laboratories of disruption” and to share their insights and lessons with one another. We also invite any cybersecurity provider who meets our membership criteria to join us in these activities through membership in the CTA. We are ready to work together on a smarter approach to cybersecurity, one that disrupts malicious cyber actors and keeps them from succeeding in their goals.

Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.