The concept of collaboration against cyber crime and cyber criminals is very simple. Assume there are two entities, “X” and “Y”, that operate on the internet and each has data about the cyber criminal activity it is experiencing. Each has data, but each may be able to detect only a fraction of the criminal activity actually directed at it. If “X” and “Y” continue to operate individually, each faces the entire breadth of cyber criminal activity alone.
The question then becomes how adept each is at detecting, in a timely manner, criminal activity focused on it, and how quickly each can execute remedial actions both to terminate that activity and to correct any flaws in infrastructure, policy, or training that may have assisted the attackers.
However, each entity may collect different data and have different capabilities to interpret that data. If they share the data and their interpretations with each other, each will have more data on which to base decisions about the safety of its own enterprise.
Collaboration is a force multiplier for each entity. If you bring hundreds of these entities together, collaboration provides a wealth of information to each of the participating companies.
This was the concept behind the industry-focused Information Sharing and Analysis Centers (ISACs) and the Information Sharing and Analysis Organizations (ISAOs), which were early adopters of the idea. Members of an ISAO or an ISAC exchange data and information on the cyber criminal activity that each is seeing. However, there are many dimensions to collaborative information and intelligence sharing: sharing among competitors in the same industry, sharing between enterprises and law enforcement agencies, sharing between companies and vendors, sharing with open source resources, and sharing of technical data. This only scratches the surface of the many ways in which data could be shared.
But how effective is this process?
On a Monday in 2010, I received a call from the Security Operations Center (SOC) stating it was seeing cyber criminals attempting to commit credit card fraud in several of our clients’ accounts. I contacted other members in the Financial Services ISAC and verified they too were seeing the same activity. We immediately reported the activity to law enforcement. By Wednesday of that week, we had put mitigating processes in place and had mapped out the 50+ banks the criminals were using to support their activities. This data was forwarded to law enforcement. The following week we were invited to the United States Secret Service Headquarters to brief them on the criminal activity. We found out later that one of the criminals was questioned in the process of trying to withdraw money from one of the Latvian banks.
Not all collaboration is as effective as the case above. Often, as participants in a collaborative team, we may never know the outcome of sharing data. But that is not as important as the fact that we share our knowledge of cyber criminal activity.
To increase our effectiveness in understanding the threats and risks facing us, NTT Security is working to establish relationships with many organizations and agencies. In fact, just last month, we signed an agreement with Europol’s European Cybercrime Centre (EC3) to share strategic threat intelligence to assist in the effort to prevent global cyber crime. NTT Ltd is also participating in the Cyber Threat Alliance and the Red Sky Alliance to share threat intelligence across many different industries. We continue to evaluate which partnerships would enhance our security and intelligence effectiveness and with whom we can share our perspectives.
Collaboration is not just sharing information with external resources. We obtain that same force multiplier effect working with groups internal to NTT. Cyber threat data and threat intelligence shared internally among regions, countries, and business entities helps us build a more effective defense against adversaries, shifting attack vectors, and malware campaigns. Attack data from one part of the world can help us prevent attacks in all parts of the world. The more we share data and information, both internally and externally, the more we as a company advance the science of cybersecurity; and the more we focus on how determined the adversaries are, the more we can do to protect “X”, “Y”, and ourselves.