
Dan Bridges at Cyware describes how a collective defence approach can be used to tackle cyber-criminal gangs
For too long cyber-security resilience has been diminished by outdated ways of working and siloed security teams. Preoccupied with protecting their own critical assets, and constrained by limited resources, organisations have often overlooked the value of threat information sharing, both internally and externally.
Cyber-criminals have been joining forces, cooperating with other bad actors to trade stolen data, credentials, and security insights. Many are starting to operate along the lines of conventional businesses, according to research from IBM and Google. They have highly organised structures, employing CEOs, project managers and staff who work regular shifts with weekends off. This can include subcontracting jobs outside their skill sets to third parties and placing ads on the dark web to recruit specialists.
It all goes to show just how sophisticated their operations have become. And legitimate organisations need to take note, as fighting cyber-crime in isolation is an uphill struggle that is only going to get harder and more complex. However, a wider collective effort would benefit every law-abiding organisation.
On the plus side, there’s a longstanding ecosystem of cyber-security communities acting for the greater good, publicising best practices and disseminating details about threats and remediation. This includes the Open Source Security Foundation (OpenSSF), a great example of a cross-industry forum dedicated to combatting security challenges. It develops frameworks to address diverse issues such as threats posed by suppliers and other third parties, and strategies for mitigating them.
In the same vein, the Open Cyber-security Alliance (OCA), a nonprofit coalition, encourages cyber-security professionals to work together by reducing technical barriers to sharing expertise. It supports an open ecosystem so cyber-security tools can interoperate without the need for customised integration.
While encouraging, there’s a considerable distance to go before organisations start interacting directly with each other to deliver the concept of ‘collective defence’. This would involve unassociated entities sharing resources and adopting NATO-like principles, treating an attack on any ally as an attack on all. Instead of fragmented efforts, a truly collaborative approach would ensure that no organisation, regardless of size or capability, would be left out in the cold, creating a more secure digital environment for everyone.
This would signal to the criminal fraternity that the status quo had changed irrevocably, and that any attack would be met with a unified and relentless response.
Leading the charge on this front are a number of initiatives. These include the collaborative legal action against malicious use of Cobalt Strike taken by Microsoft’s Digital Crimes Unit (DCU), cyber-security software company Fortra, and the Health Information Sharing and Analysis Centre (Health-ISAC). This forward-thinking endeavour is proactively taking down infrastructure and connections used by criminals to distribute malware.
Trailblazers like these highlight how collaboration, rather than disparate efforts, can undermine criminal activity. However, collective action depends on coordinated cyber-security strategies that encompass a range of diverse organisations, all partnering together with legal agreements, clarification of roles and responsibilities, and a commitment to operational transparency.
It also relies on participants having the capability to share threat and defence intelligence resources effectively, including indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), as well as threat hunting and incident response playbooks.
Realistically, organisations already benefitting from sophisticated in-house intelligence pooling and automation will find it relatively straightforward to extend processes and best practices externally.
For those currently lagging behind, bogged down with too many security alerts from unconnected tools and lacking cross-communication within security and IT teams, there are modern solutions available that can overcome these all-too-common frustrations.
Real-time threat intelligence platforms (TIPs) can provide an automated means of consolidating diverse intelligence sources and formats into actionable insights that can be shared systematically. They facilitate faster communication and greater collaboration to gather in-depth knowledge of the threat landscape.
This speedy aggregation of threat data equips IT and security teams company-wide with vital information to improve overall situational awareness and resilience. And it enables users to stay ahead of rapidly escalating situations, helping analysts distil what’s most relevant from large volumes of security and remediation information.
Taking this approach one stage further are ready-made hyper orchestration platforms that provide all the benefits of a TIP, but additionally enable seamless, secure communication and cooperation with external partners.
Built-in functionality helps facilitate the set-up of a collective defence network with business units, vendors, supply chain, and community partners to collectively fight cyber-threats and share information at scale. This includes automatically distributing insights from deployed security tools, advisories, and crisis alerts gleaned from analysis and external feeds.
The most advanced platforms also support the creation of working groups for combined internal and external team analysis of threat handling, mitigation strategies, and incident resolution.
Working together via a centralised platform, organisations could create formidable defences that malicious actors would find extremely challenging to breach. But, at the moment, cyber-criminals are thriving by exploiting the isolation of security teams and the vulnerabilities missed when entities operate in silos.
Going it alone is no longer viable in the face of relentless cyber-threats. It’s time to stand together and embrace collective security.
Dan Bridges is Technical Director - International at Cyware
Main image courtesy of iStockPhoto.com and gremlin
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543