How cyber threat sharing can improve security and resilience for research and education – Interview with David Heed, Sunet

David Heed, SUNET

We met with David Heed, senior IT-security practitioner from the Swedish NREN Sunet, and joint task-lead for security products and services (including cyberthreat intelligence and security threat landscape) in the GN5-1 Work Package 8 on Security. David talked to us about the growing need for a common platform to facilitate and standardise cyber threat intelligence sharing in order to overcome the evolving cybersecurity challenges faced by the R&E sector.

David, what are the main cybersecurity challenges that the R&E sector is facing and how do you think that cyber threat intelligence sharing could address them?  

The research and education (R&E) sector is vital for every country’s national interest as it contributes to the advancement of knowledge, innovation and economic growth. However, the sector is also facing increasing cyber threats from various players, such as state-sponsored hackers, cybercriminals, hacktivists and often insiders. These threats can compromise the confidentiality, integrity and availability of the sector’s data, systems and services, as well as harm its reputation and trust.

To address these challenges, the R&E sector needs to adopt a proactive and collaborative approach to cybersecurity, by sharing information about cyber threats and incidents with relevant stakeholders, such as institutions, government agencies, industry partners and research networks. Cyber threat sharing can help R&E to improve its collective security and resilience, as well as to enhance its situational awareness and intelligence capabilities. By exchanging and analysing cyber threat indicators and defensive measures, the sector can gain insights into the tactics, techniques and procedures of the adversaries, as well as the vulnerabilities and risks of the systems and processes. In addition, it can enable the sector to detect, prevent, respond and recover from cyber-attacks more effectively and efficiently, as well as to inform and influence its strategic and operational decision making.

However, cyber threat sharing is not a straightforward or simple practice, as it involves various technical, organisational and social challenges, such as ensuring the quality, relevance and timeliness of the shared information, protecting the privacy and confidentiality of the sources and targets and establishing trust and cooperation among all parties.

How can cyber threat sharing be managed?

To overcome these challenges, the R&E sector needs to use a platform that facilitates and standardises cyber threat intelligence sharing, as well as to build a trusted shared environment, where parties can collaborate and communicate with each other in a secure and respectful manner.

So, let’s talk about MISP (Malware Information Sharing Platform). MISP is an open-source project that allows users to store, correlate, analyse and share cyber threat indicators and defensive measures in a structured and machine-readable way.

MISP supports various data formats and protocols (STIX, OpenIOC, TAXII, and MISP JSON) to enable interoperability and integration with other tools and systems. MISP also provides various features and functionalities, such as visualisation, tagging, feeds and automation, to help users make sense of the large amount of threat information available.

What can be shared through MISP?

  • The frequent requests for a large number of sessions that seldom lead to interaction or data transfer. Being able to share IP-numbers is just an indicator that this is a common occurrence and not targeted threats to organisations.
  • Phishing senders and information. These could include infrastructure (SMTP hosts), IP-numbers or used addresses. Webservices linked through these messages are often useful to keep track of and to identify potential victims of an attack.
  • Bots such as attacking and overtaken infrastructure. Most communication to and from these hosts is to be considered malicious in some way.
  • Collecting information from other sources such as malware protection and sharing indicators of compromise (IOCs) from sandboxes and antivirus. This could include strings, addresses and hash values.
  • Various indicators of attribution. Although accuracy might be an issue here, there could be indicators of repeating behaviour, processes and tools used in a specific order or other forms of references.
  • Additional sources of information defined by your use-case.

What else do you think should be considered alongside a common platform for cyber threat intelligence sharing?

A platform like MISP is not enough to ensure effective and efficient cyber threat sharing. There is also the opportunity to improve detection in log platforms and filtering devices with threat feeds. There are both community and commercial alternatives available. Users also need to build a trusted shared environment, where they can collaborate and communicate with each other in a secure and respectful manner. Trust building is a complex and dynamic process that depends on a variety of factors, including goals, interests, values, norms and expectations of the parties, as well as the context, frequency and quality of their interactions. Engagement with trusted partners and vendors is needed at the start of the process as openly shared information can contain a great deal of noise or old information.

Activities to build trust in a cyber threat sharing environment could include:

  1. Definitions and agreement on the objectives, scope and rules of cyber threat sharing, such as what type of information, how to share it, when and with whom.
  2. Establish and maintain a clear and transparent governance structure, such as roles, responsibilities and accountability mechanisms for cyber threat sharing activities and processes.
  3. Develop and implement common standards and best practices for cyber threat sharing, such as data formats, protocols, taxonomies and quality criteria, to ensure consistency, compatibility and reliability of the shared information.
  4. Provide and seek feedback and recognition for cyber threat sharing contributions and outcomes, such as acknowledgment of sources, information validation, reporting the impact, reward of efforts.
  5. Foster and sustain a culture of trust and cooperation among cyber threat sharing participants, such as promoting mutual respect, understanding and learning, as well as resolving conflicts and disputes in a constructive and timely manner.

Sharing agreements, for instance, are formal or informal arrangements that specify the terms and conditions of cyber threat sharing among the parties involved. Sharing agreements can help to establish trust and confidence among participants, as well as to clarify expectations, obligations and responsibilities of each party. Sharing agreements can also help to address some of the legal and regulatory issues that may arise from cyber threat sharing, such as liability, consent, disclosure and compliance. Sharing agreements can vary in their scope, level of detail and enforceability, depending on the involved parties’ needs and preferences. Examples of sharing agreements are memoranda of understanding (MOUs) or memoranda of agreement (MOAs), non-disclosure agreements (NDAs), data sharing agreements (DSAs), service level agreements (SLAs) and terms of use (TOUs) or terms of service (TOS).

What’s next?

Cyber threat sharing is a valuable and necessary practice for the enhancement of cybersecurity in organisations and society as a whole. However, this practice also requires a careful and deliberate approach to ensure its effectiveness and efficiency. By using a platform like MISP and by building a trusted shared environment, users can leverage benefits and overcome relevant challenges. Within the academic European space, GÉANT has started coordinating the creation of an R&E Security Intelligence Hub – a virtual organisation that aims to create, collect, analyse, classify and share actionable security intelligence for the international R&E sector.

This article is featured on CONNECT 45, the latest issue of the GÉANT CONNECT Magazine!
