Tag Archives: FS-ISAC

Coopetition and sharing threat intelligence

Imagine a street market with lots of vendors hawking their wares. Customers wander in and out of the market, some of whom you don’t see every day while you know others as regular visitors. Perhaps you are one of several selling coffee beans¹. Now imagine that you’ve realized that there’s a thief in the market, and you know more or less what he looks like or perhaps a little about his modes of operation. It’s in your interest to let the other coffee bean sellers (and perhaps even other vendors) know, along with perhaps the local police, because you don’t want that thief robbing you, your suppliers, or your customers – nor your competition.

Some of my recent thinking about sharing and cooperation stems from recent discussions about the CISPA and similar initiatives, while some of it stems from thinking about the fact that, in many areas of business, we frequently compete with organizations whose employees we may consider friends. And of course, competition in business should only go so far. I subscribe to the belief that “there’s no such thing as business ethics” in the most positive sense: we cannot simply limit our ethical behavior to certain areas of life, then turn around and act unethically in other areas.

All of that musing sets the stage for thinking more about sharing threat intelligence. Clearly, we never want to share threat intelligence with the adversaries that may pose a threat to us. This explains why most experienced incident responders recommend not sending malware samples immediately to an antivirus vendor, particularly during an open investigation: that intelligence can easily leak back to the attacker and compromise your operational security. At the same time, we can find benefits in sharing data with our ostensible competition. For example, payment processors have formed a group within the FS-ISAC to share “information about fraud, threats, vulnerabilities and risk mitigation in the payments industry”. Yes, this means that corporations that compete doggedly for merchant accounts and transaction fees will help each other with security intelligence, since that information has more value when aggregated: each processor gets more intel from the group than they put into it. As a result, the marketplace can function more cleanly, to the benefit of all (honest) participants.

That doesn’t mean that an organization should share all of its security secrets. Generally speaking, we can say that the operational security risk from sharing intelligence has an inverse correlation with the specificity of the intelligence. So discussing the (fairly well-known) idea that a lot of fraud originates in Russia and Eastern Europe doesn’t increase the risk to an organization. Sharing information about specific BINs with extremely high fraud levels might incur slightly more risk, but not much (and that primarily from an operational or possibly legal perspective, rather than technical). When we start sharing indicators of compromise and known attacker addresses, then we have to take greater care to ensure that the information doesn’t leak to the adversary. But again, the adversary here isn’t the company next door trying to expand their market share, possibly at the expense of yours. The adversary wants information from both of you, to the detriment of others in the marketplace like cardholders, merchants, and so on.

I don’t quite know what I think about how this might extend to groups (including vendors) whose business includes collecting and selling threat intelligence, including my own employer² and other companies with which I’ve maintained good working relationships. But I do think that there’s value in some level of cooperation even among these groups, and I’m interested to know what others think.

1: Despite my surname, I don’t have any affiliation with Maxwell House Coffee, and I don’t even drink their stuff. I just like thinking about coffee. Mmm, coffee.
2: To repeat what should be obvious, my opinions here are my own, if anyone’s. Sometimes I end up not even agreeing with myself, so don’t expect that anybody else will!

Data flow for personal consumption

This post is mostly for my benefit as I’m sorting out my information flow and consumption. But in addition to the meta-cognition of thinking about what I’m thinking about, I thought I might get some ideas from people. If this seems boring or overly pedantic, feel free to skip it, but I enjoy these sorts of things from time to time.

Input

So, like almost everybody else, I have a surplus of incoming data. The firehose unleashes as soon as I wake up:

  • Work email
  • Personal email
  • Twitter
  • Google+
  • Blogs
  • Reddit / Hacker News / occasional forum usage

Meatspace interactions should probably count here as well, but talking with my wife and kids, or with the friendly barista who brews my soy latte, doesn’t need the same sort of management process. Depending on how much time I spend on the items in that list, or rather how much energy I choose to devote to them, that flow can become overwhelming. Some of the inputs offer more value or take higher priority. For example, work email gets much more of my attention than Reddit (most days).

Tools

In order to handle that flow, I have several tools with which I’ve grown comfortable (and a few others that I use for experimentation).

Those tools let me filter and organize diverse inputs, possibly chaining them through several tools (e.g. blogs -> RSS feeds -> Google Reader) or even adding structure to data that isn’t presented as structured. Yahoo! Pipes in particular may need replacement soon, as I haven’t set up any new projects with it in a while.

Outputs

Sometimes, I want to share what I’ve come across. This might be for fun or it might be due to work needs. Other times, I end up producing something as I integrate and synthesize this information (like in a blog post or internal analysis).

  • Work email
  • Personal email (rare)
  • Blog post
  • Internal document or other work product
  • Sharing (Google+, Twitter)
  • Link blog / social bookmarking

I notice that nothing here really comes from Reddit or Hacker News. That stuff mostly just goes straight to internal consumption; I certainly don’t share back there much, except for the occasional comment and the really occasional link submission.

Process

I really need to stay focused on continual improvement here, because the real bang for the buck comes from focusing on things that matter. The best example of this? Eliminating almost all Internet fora (message boards) has helped, not just in terms of time spent but also in my general mental state.

However, I make a point of starring things in Twitter or Reader that deserve more attention than I can give at the moment. Emails get flagged for attention so that they show up in my Outlook Tasks, or perhaps get added to my personal kanban. If I’ve read it and think it might be worth someone else’s time, I’ll share it via Delicious. If I think I’d like to invite some discussion on it or find it particularly awesome, I’ll share on Twitter or Google+ (rarely both as I don’t have much intersection between my networks).

When I notice that some class of input seems to require more manual processing than it should, I look for ways to streamline it. That might mean a rule in Outlook or assigning an OIB label, or finding an appropriate method to automate its processing. Like any other optimization process, this usually involves looking for the best bang for the buck — including possibly dropping the input altogether if it doesn’t give enough value.

As part of my job, I often handle incoming threat (or risk) intelligence, including via internal methods like an FS-ISAC alert or via my own open source monitoring. That’s a special case and one I’ll tackle in a future article due to its sensitive and specialized nature.