Threat sharing evolution: How groups offer less risk and better intelligence to members
Mitch Mayne: Threat sharing between the public and private sectors has evolved significantly since 2015 when the Cyber Security Information Sharing Act was signed into law. The driver behind the law was the notion that if organizations both public and private, share threat information across groups, everyone has a clearer picture of the threat landscape and with it the ability to better defend against increasingly sophisticated threat actors. Eight years later, and we have a thriving network of threat sharing groups like the Joint Cyber Defense Council and the National Artificial Intelligence and Cybersecurity ISAO offering platforms where member organizations can both share threat information and gain access to the larger collection. Despite the surge, challenges still exist when it comes to the perception of threat sharing groups. These include both liability and confidentiality concerns with some organizations wondering if information shared inside a group can be traced back to and then used against the organization that shared the data in the first place. In this episode, I talk to Michael Michael Thiessmeier. Michael is the co- founder and executive director of the US National AI and Cybersecurity Information Sharing and Analysis Organization. We take a look at the history of threat sharing and how the public good has benefited. We also explore perceived hurdles to entering threat sharing groups and whether or not those are legitimate concerns. Last we take a look at policy measures being put in place to encourage participation and examine whether more needs to be done on the policy front. Join us as we enter Into the Breach. So Michael, thank you for joining Into the Breach. You're a bit of an interesting character. If you look at your LinkedIn profile, you've got a pretty interesting background and you're running this new threat sharing information group. So tell me about you and tell me a little bit about the group.
Michael Thiessmeier: Yeah, thank you so much. So first off, thank you for having me. My name is Michael Thiessmeier. I'm the executive director of the US National AI and Cybersecurity Information Sharing Analysis Group. I was originally born in Germany, moved to the US in 2005. I worked in resort tourism management for SaaS company that was having a product there. I worked for PlayStation. I've been around FinTech, retail tech, and I've also worked a lot as a volunteer or I was expert, delegate expert to the International Standards Organization on the US National delegation to them, which of course writes the ISO 27000 standard series. I've been on a lot of think tanks and most recently we founded, three years ago I think, the ISAO, the US NAIC-ISAO. So that's me in a nutshell.
Mitch Mayne: All right, that's a lot of letters of the alphabet there, but it is a cool organization. So let's talk specifically about threat sharing. It's not necessarily new, but there's been a new emphasis put on it I think in the last couple of years, starting with several organizations coming out, promoting it and promoting the reasons why we should have it. Do we know, have there been any notable wins as a result of groups sharing intelligence like the JCDC, your group in particular? And I know wins probably come in the form of things we've avoided, so it's kind of hard to quantify, but what are your insights here?
Michael Thiessmeier: Well, I think you're right that we have come a far away when it comes to threat information sharing. In the beginning it was all between peers, peer- to- peer sharing, and then through presidential executive order, we started having ISAOs as a defined form of NGO, of Public- Private Partnership, ISACs. And with that, we really started changing the way threat information sharing was done. If we're talking about successes of those, well, it depends on what you define as success. The first thing is, I would not only look at the prevention of events as success metrics, but also building the networks, reaching out, getting in front of potential members and building information networks and self aid networks even beyond the actual scope of the ISAO. So when we're talking about with partner organizations that might be overseas when we're talking about Certs collaborating with each other, I think those are big wins as well. And even just getting recognized by the government itself as a valuable partnership is a win. If we're talking about direct wins in terms of events that were prevented, well, we can go back in time. We had, I think in 2014 we had the GameOverZeus botnet that was taken down by a collaborate effort. It was law enforcement, private sector and academia. 2017 we had the WannaCry ransomware response. But more recently, if you're talking about JCDC, there was a recent event where Chinese threat actors were targeting the SSLT community and this was also mitigated by work of the JCDC membership. So I think there's actually a lot of those success stories. Now the challenge is a lot of things that happened in cyber are still hush hush as well. I was recently at a defense summit and one of the things that a very senior, former elected officials said former, was that cyber didn't play, for example, a role in Ukraine. And I think this has to do with the fact that cyber means also different things for certain people. For some people they really just look at information systems being taken down and then preventative prevention thereafter is a success. For some other people, we are also talking about cyber enabled information gathering, and I think a lot of this has happened recently as we talk about the conflict in Ukraine and the JCDC itself lists the response to the threat caused by the conflict in Ukraine and the increased activity of threat actors as a success story for themselves. I think this is very valid.
Mitch Mayne: Wow, that is actually a really big win. And I do agree with you on the intelligence gathering side. I had no idea that it happened, but thank you for sharing that. So if I am the leader of a private organization and I have access to threat intelligence and I'm considering joining one of the groups, or I am a member of one of the groups, what information should I consider sharing inside my group?
Michael Thiessmeier: Well, there's the core piece of information that an information sharing group works with. We have indicators of compromise. This is the standard stuff, IP addresses, domain names, file hashes, and all the other good indicators associated with threats. Then you could share if you have this information available, TTPs, that's a big acronym, which means tactics, techniques and procedures used by threat actors that you have observed. If you've done that, really depends on the maturity and size of the organization. Otherwise you specifically, if you are a software vendor that's part of an organization, you might help giving out early vulnerability and patch information or you might share, and this is I think really valuable, lessons learned from incidents. I think this is one thing that is sometimes not highlighted enough. We're all focusing on those IOCs and TTPs, it's the sharing of best practices and lessons learned. As well as if you are engaging in research, that research itself, I think it is okay to expand the information of what information is being traded by those information sharing organizations like ourselves.
Mitch Mayne: Well, it's interesting that you should mention lessons learned because that is a little more qualitative than quantitative, but it's also very important. So we in X- force created what we call the Incident Command, which is our response to things like WannaCry and NotPetya. And one of the really key things that we do is the lessons learned afterwards and we've got a woman, really sharp woman who runs those here and she does not let us off the hook, man. It's like if we want to close this out, she will make us do the lessons learned and it's good to feed that information back in and it makes us sharper. So excellent points. So again, thinking like someone who is potentially in one of the groups or wants to be, organizations historically have had liability and confidentiality concerns about data sharing. Those include lack of anonymity, whether or not the information can be traced back to me or used against me. How legitimate are those concerns?
Michael Thiessmeier: Well, first off, I think it's a good sign that somebody has liability concerns as they relate to data sharing, that's already a thumbs up. It means your mindset isn't the right area, but I think while they're legitimate, there's a lot of mitigating aspects to take into consideration. Let's start with somewhat detailed things that are really easy. Well, first off is that right? Threat information sharing groups like ourselves, we have methods to maintain that and an anonymity and then protect sensitive information. So this has to do with anonymizing submissions or just also minimizing the amount of data that we are actually storing and for how long we are storing and how they're being stored. It's traditional, it's saying data secure, data privacy by design. But beyond that, what you should be aware of is the Cybersecurity Information Sharing Act, CISA, not the agency, the act and that act actually contains a wide variety of protections for organizations involved in fed information sharing. As long as you share information according to the act within the guidelines and in good faith, you are protected against lawsuits, whether those are lawsuits for damages or anything else. And even if you did report inaccurate information, information that included errors. On top of that, the information that you provide is not to be allowed to be used by regulators, for example, in order to go in and create legislations or regulations specifically targeting an information sharing and organization and its members for the purpose of doing enforcement actions or penalties. Also, biggest thing usually coming up is what is called the waiver of privilege, and that is your concern about your potential IP. And by sharing information you are not giving up in no way under the CISA your protection under federal, state or local laws, the protection of his trade secrets. So I would also take that into account that the C- I- S- A, the Cybersecurity Information Sharing Act provides you with a lot of protections.
Mitch Mayne: So we do have significant guardrails up there. So those concerns may be a little bit dated. It sounds like. Let's go back in time. You mentioned a time machine earlier. So let's get back in the time machine. Let's talk about our friend Edward Snowden and that issue. Now that derailed information sharing efforts for years and arguably depending on who you ask, can be credited for the birth of GDPR and also the ongoing European issues with US companies being close to NSA. Has trust been restored that government and companies are actually doing the right thing and that information sharing isn't just an invasion of privacy or surveillance?
Michael Thiessmeier: Obviously you will get a different opinion on this based on who you will ask, and obviously some of those concerns, you know what? Actually it's good to have them because they're democracies and being concerned about what information is being shared, who has access to it, I think generally speaking is a good thing. But if we're talking about the trust between private sector and government entities, while I wouldn't say that it is at an all time high, I will say that it has improved and that collaboration has improved quite a bit. And that is because everybody sees how useful and how crucial this is. We have a massive mission statement, which is protecting our societies, not only critical infrastructure, and we all know due to supply chain attacks that defining what is critical infrastructure or not and what you need to protect is difficult by itself. The only way we can harden what I would call the soft underbelly of society in a time where information technology, data- driven decisions, AI is being used everywhere, is if public sector, academia and private sector work hand- in- hand and are sharing information with each other.
Mitch Mayne: Well, I love your passion about this stuff. So I'm going continue to pick on the trust issue and we're going to talk about the Pentagon leaks and now it depends on who you ask. Again, some people think this is a simple insider threat actor. Some people think it is an incident that could affect threat sharing. So I've heard rumblings on both sides of the fence. Does the Pentagon leak, does that change the conversation about threat sharing and should it even be a consideration or a concern in your opinion?
Michael Thiessmeier: Well, in my opinion, I will always tell people right now, because A, we are in the age of great power competition, and B, we are going through a major land war that's being fought in Europe, that I always use it and say, " Things matter now." What I mean with that is that maybe in the past sometimes the attitude towards classified information was a little bit laissez- faire at times. Now it matters, okay, but this doesn't mean that these leaks are a thing that is brand new that they've just, were happening right now. I mean, just read books about the history of intelligence services. They've happened all the time. The only difference is that now in modern times there's more awareness to them. We are living in hyper awareness culture. So for me, this is nothing new. I'm concerned about a leak. Yeah, of course. Am I concerned about the information that was shared there and who might suffer from this from the results of that information being leak? Yes, of course. But I would say there's no reason to panic here. It's a natural part of doing business as a information sharing analysis organization that these incidents will happen as a government, as intelligence service, that these things will happen, and all we have to do is continue to involve, continue to adapt our operating procedures and create mitigations for these things. As long as we are aware, as long as we keep improving, we got this.
Mitch Mayne: Good perspective. I am kind of the same mindset as you on this one. So let's talk about attacks. We are in an era where attacks are, I mean, you're in the business, I'm in the business, we both know they're becoming more frequent. Their focus is intensifying and that scope goes from private business to government services to infrastructure as you mentioned. These are all being targeted more regularly and far more aggressively. So the need for threat sharing has never been greater. What's being done or could be done to provide incentives to share threat information?
Michael Thiessmeier: Well, there are several things here. So first off, again, we have legal protections and maybe we need to better up and shore up some of those legal protections for organizations that are involved in sharing that protection threat intelligence. The second is financial incentives. Now this is difficult. I'm not saying the government should give companies necessarily money, even though maybe there is an opportunity for tax breaks for companies that engage in certain activities. But what I'm talking about is, well, cyber insurance, right? If I give you a break on your premiums because you're involved in those type of activities, that is definitely a way to get organizations involved. Then beyond that, of course there's government support and general encouragement for the private sector, whether that is that we find a way to make this lucrative for the individual set up part of the process. So if you're a CISO, if you're an architect, if you're a cybersecurity engineer, there is a set way on how to make your participation good for your resume, whether it is educational credits or something else, or whether we are dealing with just the government actually giving companies the tools to act on the information. Because there's one thing if I give you information, the other thing is, specifically for small and medium sized businesses, to make this actionable. And there might be a need to do some handholding or what I call capacity building. And that is, I think something really new for information sharing and analysis organizations where they need to consider whether capacity building should be part of their mission statement, which helps them bore up the cyber defenses of the members beyond just providing standard taxi- based information indicators about threat actors.
Mitch Mayne: Well, those are some super creative solutions, and I like those, and it makes me actually want to do an entire episode on cyber insurance. More to come on that one. Let's talk about actually a little bit of a change that just came out from the Department of Defense. The defense department just proposed a new rule to expand what it calls the Defense Industrial Base cybersecurity, which is DIB. So many acronyms, that information sharing program and the expansion includes more contractors who hold sensitive data for the services and DOD agencies. This of course, was in response to an increased interest in wider community participation. How do you think proposals like this are going to benefit the intel community? Should we expect more like this?
Michael Thiessmeier: Well, I think this is highly beneficial. The first thing is, one of the big challenges of I'm a startup today and I want to work with the US government, or I want to be part of the defense industrial base. I might think about this twice because we have CMMC, all of these requirements, and I might not see a light at the end of the tunnel in terms of how do I get my company to comply all of this. This goes back to, again, a small entity might have issues, even consuming information. So by expanding this and by helping and providing information to those type of organizations, you are getting them into the position where they can actually hopefully better comply with the requirements you impose on them. So that's one thing that I'm thinking about.
Mitch Mayne: So I like that. I also want to talk about that consumption issue, that data consumption issue, because you mentioned it earlier here and making that data actionable to end users. So there's this saying in the Intel community that you've probably heard and that I've heard multiple times, and it goes a little something like, " Hey, well, it's great the data's free, but if it causes me too many false positives, it's too expensive for me, so why bother?" So how are groups working to address that quality issue?
Michael Thiessmeier: Well, so first off on our end it is by implementing measures that allow us to vet information to make sure that things that aren't up to standard, don't make it into the actual dataset. The second piece, I think actually has to do with enabling and helping the member to use it. So not only are you taking the information and you're just providing it, you're dumping data at them, but you are also providing intelligence products, which is the analysis, the context of this information, and you're creating action plans based on that data that they consume. The final step, and this goes back to the DOD role that we discussed about a second ago as well, is I think there's an opportunity here to be better when it comes to communication for both that intel sharing groups as well as the government to make smaller businesses aware of all the various free aids that are available to them. I think CISA has a lot of services they offer, for example, to smaller entities that they can use to do some of those activities that might be too complex or too expensive for them. At the same time, we can redevelop and rethink what cyber capacity development again means, and then add that in order to help smaller organizations make use of the information.
Mitch Mayne: I particularly like the notion that we can help smaller organizations actually use the data that we supply them. I think that's really important because there is a bit of a perception out there. It's like it's way too much. We don't know what to do with it. So knowing that those processes are actually in place or becoming to be in place is really helpful. So I would be remiss if I didn't ask about this because I'm a complete nerd about intel, but you do this really kind of cool newsletter that I subscribe to on LinkedIn. I'm going to give you a chance to do a little promo of that because it's a really, really interesting piece of literature.
Michael Thiessmeier: So we do release three types of information products. The first is called the Weekly Intelligence Briefing. The Weekly Intelligence Briefing is a analysis of the three top items that you should be aware of in the cybersecurity world, mostly with focus on cyber threats. And we try to make this a little bit interesting, so it's not just IOCs or anything, but actually an analysis of what is going on and what is happening. We also inform people about some of the programs that we have with the ISAO, overseas activities, which events we will be presented at and why we're doing so. The other two products are Flash reports. Flash Report is basically breaking news. This is happening. There is a massive data breach at company X, Y, Z, or a Zero- day has been reported with the following outcomes. Then we have Spotlight. Spotlights are in- depth and analysis of specific topics. We are just a newsletter, and the amount of information we can put in there is not enough. So this would be whether it is a in- depth analysis of a new regulatory change of a specific attack that has happened or a specific situation. So that is what we are releasing, and it's on LinkedIn, and if you are looking me up on LinkedIn, you can subscribe to that.
Mitch Mayne: Yeah, and I strongly suggested you do if you're listening to this podcast, because you're probably a little bit of an intel nerd, and you will enjoy it. I did have to chuckle, Michael when I was reading the comments on your latest intel newsletter, and somebody said, " Oh my gosh, man, do you ever sleep?" Do you ever sleep?
Michael Thiessmeier: I don't. I don't know. Sleep is... Well, okay, I do sleep, but definitely the circadian rhythm, I got rid of that. I don't know when it's day or night anymore. I don't do time zones. There's either work or there's no work, and a lot of time, sadly, there is work.
Mitch Mayne: Yeah, this is the one that never ends. So, all right, so let's end with this. You are a champion for threat sharing and you're a well- known name and you've got a lot of credibility. Tell us why this is important to you and tell us why this needs to be important to the rest of us.
Michael Thiessmeier: All right, very simple analogy. Imagine you're talking about your own neighborhood. Each house has a security system. Now imagine if there was a way that each house owner could communicate with each other about things that have happened in the neighborhood. Maybe some burglar decided to break into a house and use a specific set of tools or likes to go into a specific type of house. Wouldn't it be great if you could share this information with your neighbors? Well, actually, in real life, you're probably going to do it. If there's a good relationship in the neighborhood, right? You're going to talk about it with your neighbor across the fence, you're going to say like, " Hey, by the way, yesterday somebody broke into my shed. I think they're after power tools." And then the neighbor's going to say, and it's going to like, " Oh wow, I have a shed too, and I have power tools in there. I better come up with a solution. Maybe I'll move them out of the shed for now until the police has done their job." That makes sense, right? Well, cyber threat information sharing, it's the same thing, just at a way bigger scale and focus on cyber threat. So if the little story I told you makes sense, then get engaged in cyber threat info sharing.
Mitch Mayne: Well, I think that's a great pitch. I personally, I'll admit, I am both a nerd and a fan of threat information sharing because if all of us know the same information, we're all smarter, and if we're all smarter, we can protect ourselves better. So there you go folks. Michael, I want to thank you for being on Into the Breach. We appreciate your time. You are actually in Lafayette right now, and it's what, 8: 30 PM there. So I was going to say, it's time for you to go to bed, but now we already know that you don't sleep, so I won't even talk about that. So thank you again for joining us. We're glad to have you on the show.
Michael Thiessmeier: Thank you so much for having me.
Mitch Mayne: A special thanks to our guest, Michael Thiessmeier for his time and insight for this episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach and IBM production. This episode was produced by Zach Ortega, and our music was composed by Jordain Wallace. Thanks for venturing Into the Breach.
DESCRIPTION
It’s been eight years since the Cybersecurity Information Sharing Act was signed into law, and today we have a thriving network of public/private threat sharing groups—like the Joint Cyber Defense Counsel (JCDC) and National Artificial Intelligence and Cybersecurity ISAO (NAIC/ISAO), offering platforms where member organizations can both share threat information and gain access to the larger collection.
Yet, perception challenges still exist for threat sharing groups. These include both liability and confidentiality concerns, with some organizations wondering if information shared in a group could be traced back to—and used against—the organization that shared the data in the first place.
In this episode, host Mitch Mayne talks with Michael Thiessmeier, Co-founder and Executive Director of the NAIC/ISAO, about the history of threat sharing and how the “public good” has benefitted. They also explore the perceived hurdles to entering threat sharing groups and explore whether or not those are legitimate concerns.
Things to listen for:
- [00:05 - 01:41] Introduction
- [03:23 - 05:54] Notable wins as a result of groups sharing intelligence
- [06:19 - 07:23] What information to consider sharing in an information-sharing group
- [11:00 - 14:03] Has trust been restored that the government does the right thing in terms of privacy and surveillance?
- [20:09 - 21:23] Michaels information products
- [22:15 - 23:20] Why threat sharing is important