A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing
Introduction
The smooth operation of critical infrastructures, such as telecommunications or electricity supply, is essential for our society. In recent years, however, operators of critical infrastructures have increasingly struggled with cyber security problems (Langner, 2011). Through the use of standard Information and Communications Technology (ICT) products and increasing network interdependencies (Rinaldi, 2004), the surfaces and channels of attacks have increased significantly. New approaches are required to tackle this serious security situation. One promising approach is the exchange of network monitoring data and status information (Hernandez-Ardieta et al., 2013) of critical services across organizational boundaries with strategic partners and national authorities. The main goal is to create an extensive situational awareness picture about potential threats and ongoing incidents, which is a prerequisite for effective preparation and assistance in large-scale incidents. Collaboration based on threat information sharing is believed to be effective in a multitude of cyber security scenarios including financially driven cyber crimes, cyber war, hacktivism, and terrorism (see Denise and James, 2015 and Dacey, 2003). The attack morphology can be different depending on the scenario, e.g., cyber crime might use stealthy advanced persistent threats (APTs) to steal intellectual property, while cyber war or terrorism uses botnets to run DDoS attacks. However, information sharing enables the victims to run coordinated and effective countermeasures, and provides preventive support to potential future targets on how to effectively protect their ICT infrastructures (see NIST, 2014b).
We argue that since attacks are becoming increasingly sophisticated, customized and coordinated, we also need to employ targeted and coordinated countermeasures. Typical commercial-off-the-shelf (COTS) virus scanners and firewall systems appear incapable of sufficiently protecting against APTs (Tankard, 2011). The rapidly growing complexity of today's networks, the emergence of zero-day exploit markets (Miller, 2007), and often underestimated vulnerabilities, e.g., due to outdated software or policies, lead to novel forms of attacks appearing daily. Thus, numerous information security platforms and knowledge bases have emerged on the Web. From there, people can retrieve valuable information about identified threats, new malware and spreading viruses, along with information about how to protect their infrastructure (e.g., see national Computer Emergency Response Teams). However, this information is usually quite generic, not shaped to particular industries and often lacks in-depth knowledge.
In order to make such platforms more effective, sector-specific views along with rich information and experience reports are required to provide an added value to professional users. Many standardization bodies, including NIST, 2014a, ITU-T, 2012 and ISO (2012), have proposed the establishment of centrally coordinated national cyber security centers, which are currently emerging all over the world.
However, effective cyber security centers are hard to establish and often neither governmental bodies nor companies and customer organizations are well prepared to run and use them. The challenges are grounded in the fact that cyber security information sharing requires a great deal of multidisciplinary research. Although the setup of such systems is often reduced to addressing technical aspects, it is a similarly significant challenge for legal experts, standardization committees and social as well as economic scientists. For example, questions dealing with the sharing process design, i.e., who is allowed to share what and when in a corporate environment, legal dependencies and regulatory compliance, as well as what can we learn from existing implementations of CERTs, are of equal importance.
Moreover, while there are many works that deal with information sharing among CERTs, such as ENISA (2011a) and ENISA (2013a), there is little experience so far with peer-to-peer sharing of such information among companies. This is due to numerous reservations (ENISA, 2010), such as low-quality information, reputational risks, and poor management. Raising awareness of these issues and providing an overview of potential solutions are two of the goals of this paper.
It is therefore critical to take a closer look into all of these aspects in a structured form – from the economic motivation (and requirements) on information sharing, over legal and regulatory aspects, to structural and technological matters. Therefore, the contributions of this survey article are as follows:
- Holistic Picture of Cyber Security Information Sharing. We shed light on the numerous economic, legal, and regulatory aspects that, besides the technical dimensions, are often neglected.
- Survey on existing Methods, Technologies, Protocols and Tools. We survey existing approaches and solutions as a prerequisite to identify open gaps.
- Evaluation of the State-of-the-Art and Key Findings for Future Systems. We critically evaluate the current situation and emphasize likely future developments regarding standards, norms and technologies.
The remainder of this paper is structured as follows: Section 2 provides an overview of related work. Since this is a survey paper, we mainly refer to other survey papers here, and omit works that are cited in the other sections. Section 3 is about the various dimensions that need to be considered when it comes to cyber security information sharing. For that purpose, we group all relevant aspects into five distinct categories. After that, relevant regulations, standards, concepts, supporting tools, and protocols that are essential for setting up effective information sharing procedures are discussed. In particular, Section 4 outlines cooperation and coordination aspects and presents some sample sharing scenarios. Section 5 reviews existing regulatory directives and legal recommendations. Subsequently, Section 6 refers to well-recognized standards in this area, while Section 7 covers concrete implementations in terms of organizational structures. Section 8 deals with technologies, tools and applicable protocols. After this survey, we critically review the applicability of existing solutions in a large-scale national security information sharing network (as set up in the context of a number of projects together with national stakeholders) in Section 9. Finally, Section 10 concludes the paper.
Related work
Cyber-attacks are becoming increasingly sophisticated, targeted and coordinated, resulting in so-called advanced persistent threats (Farwell, Rohozinski, 2011, Tankard, 2011). Consequently, new paradigms are required for detecting and mitigating these kinds of attack (Virvilis and Gritzalis, 2013), and eventually to establish situational awareness (Jajodia et al, 2010, Sarter, Woods, 1991, Tadda et al, 2006). Many of these tasks are currently performed within individual organizations only, and
The dimensions of information sharing
A multitude of dimensions need to be considered in order to realize effective information sharing. In contrast to many others who primarily focus on the technical aspects, we argue that the biggest challenges are not entirely located in this area, but mainly span the different dimensions of technical, legal, regulatory and organizational means.
Dimension I: efficient cooperation and coordination
The increased presence of information technology in modern critical infrastructures has stimulated the proliferation of a significant number of new types of threats. These threats are global in nature and are shifting in focus and intensity, exploiting opportunities enabled by new technologies. Mitigation measures exist to respond to these evolving threats, but in most of the cases technological means need to be supported by cross-organizational (and even cross-border) collaboration to be
Dimension II: legal and regulatory landscape
Internationally, critical infrastructure (CI) cyber security has become a fundamental as well as delicate subject in the last years. The European Union and the United States are becoming increasingly sensitive to this topic, which has resulted in the release of indications, publishing strategies and the issuing of directives that regulate a secure digital environment for their Member States.
The European Commission, together with the High Representative of the Union for Foreign Affairs and
Dimension III: standardization efforts
A wide variety of official recommendations from standardization bodies, such as NIST or ENISA, exists, which are a valuable source of information when setting up information sharing procedures.
Dimension IV: regional and international implementations
CERTs are a vital part of every regional cyber security ecosystem. They collect information on new threats, maintain mailing lists to issue early warnings and, in certain cases, provide help on request. CERT cooperation has proved to be the most effective within regions. This can be easily explained, as short travel times and overall relatively low costs stimulate more frequent personal meetings. Another important aspect is the similarity of the cultural backgrounds of the participating teams
Dimension V: technology integration into organizations
As described in the previous section, much progress has been made recently in establishing national/governmental cyber security centers worldwide. All these entities are at different maturity levels and face the challenge of coordinating responses to global cyber attacks not only within national boundaries, but also at a cross-border level. Cooperation between many of these centers has led to visible results (TF-CSIRT, CEENET, North America CSIRT meeting, FIRST SIGs, and E-COAT are examples of
Review of cyber incident information sharing aspects
Incident information sharing is a vital effort for future infrastructures. However, a multitude of quite diverse aspects need to be considered in order to implement and run effective systems, which have been addressed in this paper. The following section sums up the most important findings, of both technical and non-technical nature, derived from our survey, and provides recommendations for future developments.
Conclusion
In practice, security information sharing is usually accomplished via ad-hoc and informal relationships. Often, national CERTs assume the role of a contact point for coordinating and aggregating security incident reports. However, the information that is provided is usually not targeted to particular vertical industry sectors. We suggest that sector-oriented views, along with rich information and experience reports, are required to make such platforms more effective. Furthermore, there is a
Acknowledgments
This study was partly funded by the Austrian FFG research program KIRAS in course of the projects CIIS (840842) and CISA (850199) as well as the European Union FP7 project ECOSSIAN (607577).
References (74)
- Sharing information on computer systems security: an economic analysis. J Account Public Policy (2003).
- Information sharing among firms and cyber attacks. J Account Public Policy (2007).
- Modeling and mining of dynamic trust in complex service-oriented systems. Inform Syst (2010).
- Advanced persistent threats and how to monitor and deter them. Netw Secur (2011).
- Nurturing interpersonal trust in knowledge-sharing networks. Acad Manage Exec (2003).
- Information sharing across private databases.
- Port scanning/0 using insecure embedded devices.
- Optimal policy for software vulnerability disclosure. Manage Sci (2008).
- Spamhaus DDoS grows to internet-threatening size.
- Asia-Pacific cybersecurity dashboard – a path to a secure global cyberspace.
- China cyberassault on America. Wall Street J.
- Homeland security: information sharing responsibilities, challenges, and key management issues.
- Towards improved cyber security information sharing.
- RFC 5070: the incident object description exchange format (IODEF).
- Achieving cyber defense situational awareness: a cognitive task analysis of information assurance analysts.
- Cyber threat information sharing.
- Enhanced cybersecurity services program.
- CSIRT legal handbook.
- CERT cooperation and its further facilitation by relevant stakeholders.
- Incentives and challenges to information sharing.
- Practical guide/roadmap for a suitable channel for secure communication: secure communication with the CERTs & other stakeholders.
- Proactive detection of network security incidents.
- Detect, share, protect – solutions for improving threat data exchange among CERTs.
- ENISA threat landscape mid year 2013.
- Flash note: can recent attacks really threaten internet availability?
- Cyber security information sharing: an overview of regulatory and non-regulatory approaches.
- Cybersecurity strategy of the European Union: an open, safe and secure cyberspace.
- Proposal for a directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union.
- Stuxnet and the future of cyber war. Survival (Lond).
- Conceptual framework for cyber defense information sharing within trust relationships.
- Advanced targeted attacks: how to protect against the next generation of cyber attacks.
- The economic incentives for sharing security information. Inform Syst Res.
- Virtual teams that work: creating conditions for virtual team effectiveness.
- Incentives for sharing in peer-to-peer networks.
- Information sharing requirements and framework needed for community cyber incident detection and response.
- ENISA: cybersecurity cooperation: defending the digital frontline.
- Information sharing models for cooperative cyber defence.
Florian Skopik is Senior Scientist of the research program “IT Security”. His current research interests include the security of critical infrastructures, especially in the course of national cyber defense. Before joining AIT, Florian was with the Distributed Systems Group at the Vienna University of Technology as a research assistant and post-doctoral research scientist, where he finished his PhD studies. Florian further spent a sabbatical at IBM Research India in Bangalore for several months. He has published around 80 scientific conference papers and journal articles, and is a member of various conference program committees and editorial boards. Florian is an IEEE Senior Member.
Giuseppe Settanni joined AIT in 2013 as a scientist and is currently working on national and European applied research projects regarding security in communication and information systems. Before joining AIT, Giuseppe Settanni worked for 2 years at FTW (Telecommunication Research Center in Vienna) as a communication network researcher, on the development of a network-based anomaly detection tool in the context of the DEMONS European project. His current research interests include security of critical infrastructures, information sharing and anomaly detection in national cyber defense.
Roman Fiedler is Scientist at the AIT Austrian Institute of Technology and runs projects in the areas of telehealth and ICT security. Roman has a decade of experience in network security and operations. He finished his Master's studies in the domain of biochemistry at the University of Technology Graz.