NCSAM – Week 3 – Recognizing and Combating Cybercrime
Week 3: October 17-21, 2016 – Topic: Recognizing and Combating Cybercrime
Cybercrime can take many forms, from targeted and sophisticated attacks against a carefully chosen victim to simple crimes of opportunity. It seems as if every networked device is subject to endless probing and prodding from faceless criminals acting over the internet. Advanced persistent threats may use highly technical methods to compromise a particular technology or individual, but the majority of cyber-criminals are akin to thieves feeling around in the dark for an unlocked door. No matter the technique used to commit the crime, the cyber-criminal will almost always leave behind some form of digital evidence. Elements like IP addresses, domain names, malware signatures, and filenames are often written to log files in the wake of an attack, but what good is this information after the fact?
The problem is that most organizations consider only internal sources of information when investigating an incident. Further, whatever is actually learned about the crime, or the attacker, rarely leaves the organization’s boundaries. However, consider that businesses in a given industry tend to use similar technologies and business structures. This means that information gathered from one incident in a given industry may be directly relevant to other businesses in that same sector. To prevent the propagation of cybercrime across vulnerable organizations in a given industry, non-profit Information Sharing and Analysis Centers (ISACs) have been created across many industry verticals. Examples include FS-ISAC (financial services), MS-ISAC (state, local, tribal and territorial governments), and Auto-ISAC (automotive industry), as well as several related to critical infrastructure services.
Membership in one of these information sharing programs grants the organization access to real-time alerts regarding current and emerging threats which are relevant to their industry. Organizations can receive alerts which contain not only narrative information regarding vulnerabilities and the types of attacks used to exploit them, but real data gathered from these information security incidents which can be used to mitigate similar attacks. For example, a given ISAC alert may contain a list of domain names used as command-and-control infrastructure by a new class of malware targeting a specific web application that is regularly used across a given industry. These domain names can then be blocked at the network perimeter (at the DNS resolver, web proxy or firewall) to reject all communication with them, thus mitigating at least this class of cybercrime before it occurs. Two caveats apply: indicators age, so a blocklist should honor any expiry the ISAC attaches to them, and an indicator that points at shared infrastructure (a content delivery network, a cloud provider's address range) should be reviewed before it is blocked outright, since blocking it will also break legitimate traffic.
These ISACs are entirely reliant on industry participation to share the information which is used to analyze emerging trends in cybercrime. There are multiple mechanisms that can be used to share and receive data, depending on how involved an organization wants to be in preventing further cybercrime in their industry. Simple email messages can be used to submit threat indicator and incident information to the ISAC, as well as to receive alerts from the ISAC. However, in order to maximize the effectiveness of these programs, ISACs will often publish real-time feeds which are constantly updated with fresh cybercrime information. Organizations can then subscribe to these feeds, organize the data as they see fit, and take action on the relevant indicators, for example by matching them against their own DNS, proxy and firewall logs and pushing confirmed indicators into their blocking controls. This type of automated sharing is gaining traction since the Department of Homeland Security created the Automated Indicator Sharing (AIS) program, which seeks to share indicators of cybercrime between the public and private sectors; AIS exchanges indicators in the STIX format over the TAXII transport protocol, so tooling that speaks those standards can consume the feed without manual handling.
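The workflow the two preceding paragraphs describe (ingest an indicator feed, match it against local logs, turn confirmed indicators into a perimeter block rule) is shown below as an added example; it is not code from the original article or from any ISAC or the AIS program. The feed is a constructed JSON bundle whose indicator objects use STIX 2-style `pattern` strings (an assumption about the feed's shape; real AIS bundles carry many more fields and pattern types, and unsupported patterns are skipped rather than guessed at), the log lines are constructed in a simplified `timestamp client host dest_ip` format, and the output is a DNS Response Policy Zone fragment, one of several ways to block a domain at the resolver. The matching deliberately treats `notupdate-check.example` as a non-match for the indicator `update-check.example`, which a naive suffix comparison would get wrong.

```python
"""Match an ISAC indicator feed against local connection logs and emit a block rule.

Added example, not code from the original article. The feed and the log
lines are constructed inline so the script runs offline.
"""
import json
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed feed (assumption: STIX 2-style indicator objects as an
# automated ISAC/AIS feed might carry; trimmed to the fields used here).
FEED_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--1",
         "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[ipv4-addr:value = '203.0.113.0/24']"},
        {"type": "indicator", "id": "indicator--3",
         "pattern": "[domain-name:value = 'cdn.static-assets.example']"},
        {"type": "indicator", "id": "indicator--4",
         "pattern": "[file:hashes.'SHA-256' = 'deadbeef']"},  # unsupported here, skipped
    ],
})

# Constructed proxy/firewall log lines: "<timestamp> <client> <dest host> <dest ip>".
LOG_LINES = """\
2016-10-18T09:14:02Z 10.1.5.22 www.vendor-portal.example 198.51.100.10
2016-10-18T09:14:05Z 10.1.5.22 beacon.update-check.example 203.0.113.7
2016-10-18T09:15:41Z 10.1.7.9 mail.corp.example 192.0.2.25
2016-10-18T09:16:03Z 10.1.7.9 notupdate-check.example 198.51.100.44
""".splitlines()

# Only the two comparison patterns this example acts on; others are ignored.
PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def parse_feed(feed_json: str) -> Dict[str, Set[str]]:
    """Normalise the feed into a set of domains and a set of CIDR networks."""
    indicators: Dict[str, Set[str]] = {"domains": set(), "networks": set()}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if not match:
            continue  # hash, URL, ... patterns are out of scope for this example
        kind, value = match.groups()
        if kind == "domain-name":
            indicators["domains"].add(value.lower().rstrip("."))
        else:
            # strict=False accepts host addresses as well as network prefixes
            indicators["networks"].add(str(ip_network(value, strict=False)))
    return indicators


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator matched by host or one of its parent domains.

    Walks label boundaries, so 'notevil.example' does not match 'evil.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_matches(addr: str, networks: Set[str]) -> Optional[str]:
    """Return the indicator network containing addr, if any."""
    ip = ip_address(addr)
    for net in networks:
        if ip in ip_network(net):
            return net
    return None


def scan_log(lines: List[str], indicators: Dict[str, Set[str]]) -> List[dict]:
    """Return one record per log line that touched an indicator domain or network."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; a real pipeline would count these
        ts, client, host, dest_ip = parts
        dom = domain_matches(host, indicators["domains"])
        net = ip_matches(dest_ip, indicators["networks"])
        if dom or net:
            hits.append({"time": ts, "client": client, "host": host,
                         "domain_ioc": dom, "net_ioc": net})
    return hits


def rpz_blocklist(indicators: Dict[str, Set[str]]) -> List[str]:
    """Emit DNS RPZ records that return NXDOMAIN for each domain and its subdomains."""
    records = []
    for dom in sorted(indicators["domains"]):
        records.append(f"{dom} CNAME .")
        records.append(f"*.{dom} CNAME .")
    return records


if __name__ == "__main__":
    feed = parse_feed(FEED_JSON)
    for hit in scan_log(LOG_LINES, feed):
        print("HIT", hit)
    print("\n".join(rpz_blocklist(feed)))
```

The domain matcher walks label boundaries rather than testing `endswith`, because a plain suffix test would flag `notupdate-check.example` and an attacker-chosen lookalike would slip past in the other direction. The RPZ output is a starting point for a resolver block rule; a proxy deny list or firewall object group built from the same `indicators` dictionary would follow the same shape.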
ISACs allow organizations to focus on closing known attack vectors rather than waiting to respond to the next incident. Don’t let the valuable information gained during attacks across an entire industry go to waste. Enroll in an ISAC which is relevant to your organization and begin receiving actionable information from your industry peers. Consider engaging in active information sharing in order to maximize the effectiveness of these programs. Otherwise, cyber-attacks which could have been prevented can affect the entire industry rather than just a single organization.
For more information on cybercrime and how to avoid cyber-attacks, contact us today at (617) 471-1120.