What is Gov't Role in Info Sharing?
Researcher Says Private Sector Input Will Hinge on Trust
This year could mark a turning point for the sharing of threat intelligence, but only if the government is able to provide a framework that the private sector can trust, says Lance James, head of cyber-intelligence at the consultancy Deloitte & Touche.
"The Cyber Threat Intelligence Integration Center [announced Feb. 25 by President Obama] may be the way to get that national security agenda to finally put some of these guidelines for information sharing on paper and say 'This is what we need to do,'" James said in an interview at Information Security Media Group's Fraud Summit in Los Angeles. "But also, going forward, there are very big complications and sensitivity areas, such as file-handling and non-disclosure agreements that we have with clients" that have to be addressed.
During his presentation at the Fraud Summit, as well as a similar presentation he hosted the following day at ISMG's Global APT Defense Summit, James stressed the importance of open-source intelligence gathering and attack attribution.
Gathering open-source intelligence, also known as OSINT, involves scanning the Web to learn what is being said about a company or business in the public domain that could suggest a potential motive for attack, James says. "This allows you to prep for the [threat] campaign that you might have to deal with."
And that same kind of public-domain information, if shared with other organizations, could help separate real threat actors from those who are innocuous, James notes.
"Certain groups will never follow up with action," he says. "You may find a group that has been making claims. But if we do information sharing, someone else might contribute and say, 'Well, we've never seen them actually execute on their claims in the past,' where someone else might say, 'This information is a cyberthreat.'"
OSINT also will help organizations learn more about the actors making threats against them, which will improve attack attribution, James says.
"In the wake of all of the breaches that have been occurring in the last year or so, attribution has become a big play and it has changed how we look at things," he says. "There have obviously been debates about some of the accuracy related to who's doing what in these breaches. But I think the attainment of attribution, and understanding that actor, is what goes back into the operating model or security posture model."
During this interview, James also discusses:
- The increasing risks posed by nation-state actors;
- How tracking specific attacks can help organizations connect the dots back to specific threat actors; and
- Why OSINT will get more private-sector buy-in in 2015.
James is an internationally known information security expert who has more than 15 years of experience in programming, network security, digital forensics, malware research, cryptography design, cryptanalysis, attack protocols, and information security. Credited with the identification of Zeus and other malware, James has authored and co-authored several technical e-crime books.