Elsevier

Computers & Security

Volume 60, July 2016, Pages 154-176

A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing

https://doi.org/10.1016/j.cose.2016.04.003

Abstract

The Internet threat landscape is fundamentally changing. A major shift away from hobby hacking toward well-organized cyber crime can be observed. These attacks are typically carried out for commercial reasons in a sophisticated and targeted manner, and specifically in a way that circumvents common security measures. Additionally, networks have grown to such a scale and complexity, and have reached such a degree of interconnectedness, that their protection can often only be guaranteed and financed as a shared effort. Consequently, new paradigms are required for detecting contemporary attacks and mitigating their effects. Today, many attack detection tasks are performed within individual organizations, and there is little cross-organizational information sharing. However, information sharing is a crucial step toward acquiring a thorough understanding of large-scale cyber-attack situations, and is therefore seen as one of the key concepts for protecting future networks. Discovering covert cyber attacks and new malware, issuing early warnings, advising on how to secure networks, and selectively distributing threat intelligence data are just some of the many use cases. In this survey article we provide a structured overview of the dimensions of cyber security information sharing. First, we motivate the need in more detail and work out the requirements for an information sharing system. Second, we highlight legal aspects and efforts from standardization bodies such as ISO and the National Institute of Standards and Technology (NIST). Third, we survey implementations in terms of both organizational and technological matters. In this regard, we study the structures of Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs), and evaluate what we can learn from them in terms of applied processes, available protocols and implemented tools. We conclude with a critical review of the state of the art and highlight important considerations when building effective security information sharing platforms for the future.

Introduction

The smooth operation of critical infrastructures, such as telecommunications or electricity supply, is essential for our society. In recent years, however, operators of critical infrastructures have increasingly struggled with cyber security problems (Langner, 2011). Through the use of standard Information and Communications Technology (ICT) products and increasing network interdependencies (Rinaldi, 2004), attack surfaces and attack channels have grown significantly. New approaches are required to tackle this serious security situation. One promising approach is the exchange of network monitoring data and status information (Hernandez-Ardieta et al., 2013) of critical services across organizational boundaries with strategic partners and national authorities. The main goal is to create an extensive situational awareness picture of potential threats and ongoing incidents, which is a prerequisite for effective preparation and assistance in large-scale incidents. Collaboration based on threat information sharing is believed to be effective in a multitude of cyber security scenarios, including financially driven cyber crime, cyber war, hacktivism, and terrorism (see Denise and James, 2015; Dacey, 2003). The attack morphology can differ depending on the scenario, e.g., cyber crime might use stealthy advanced persistent threats (APTs) to steal intellectual property, while cyber war or terrorism uses botnets to run DDoS attacks. In either case, information sharing enables the victims to run coordinated and effective countermeasures, and provides preventive support to potential future targets on how to effectively protect their ICT infrastructures (see NIST, 2014b).

We argue that since attacks are becoming increasingly sophisticated, customized and coordinated, we also need to employ targeted and coordinated countermeasures. Typical commercial-off-the-shelf (COTS) virus scanners and firewalls appear incapable of sufficiently protecting against APTs (Tankard, 2011). The rapidly growing complexity of today's networks, the emergence of zero-day exploit markets (Miller, 2007), and often underestimated vulnerabilities, e.g., due to outdated software or policies, lead to novel forms of attack appearing daily. Thus, numerous information security platforms and knowledge bases have emerged on the Web. From there, people can retrieve valuable information about identified threats, new malware and spreading viruses, along with information about how to protect their infrastructure (e.g., see national Computer Emergency Response Teams). However, this information is usually quite generic, not tailored to particular industries, and often lacks in-depth knowledge.

In order to make such platforms more effective, sector-specific views along with rich information and experience reports are required to provide added value to professional users. Many standardization bodies, including NIST (2014a), ITU-T (2012) and ISO (2012), have proposed the establishment of centrally coordinated national cyber security centers, which are currently emerging all over the world.

However, effective cyber security centers are hard to establish, and often neither governmental bodies nor companies and customer organizations are well prepared to run and use them. The challenges are grounded in the fact that cyber security information sharing requires a great deal of multidisciplinary research. Although the setup of such systems is often reduced to addressing technical aspects, it is a similarly significant challenge for legal experts, standardization committees, and social as well as economic scientists. For example, questions about the design of the sharing process, i.e., who is allowed to share what and when in a corporate environment, about legal dependencies and regulatory compliance, and about what can be learned from existing CERT implementations, are of equal importance.

Moreover, while there are many works that deal with information sharing among CERTs, such as ENISA (2011a) and ENISA (2013a), there is little experience so far with peer-to-peer sharing of such information among companies. This is due to numerous reservations (ENISA, 2010), such as low-quality information, reputational risks, and poor management. Raising awareness of these issues and providing an overview of potential solutions are two of the goals of this paper.

It is therefore critical to take a closer look at all of these aspects in a structured form: from the economic motivation for (and requirements on) information sharing, through legal and regulatory aspects, to structural and technological matters. The contributions of this survey article are therefore as follows:

  • Holistic Picture of Cyber Security Information Sharing. We shed light on the numerous economic, legal, and regulatory aspects that, besides the technical dimensions, are often neglected.

  • Survey on existing Methods, Technologies, Protocols and Tools. We survey existing approaches and solutions as a prerequisite to identify open gaps.

  • Evaluation of the State-of-the-Art and Key Findings for Future Systems. We critically evaluate the current situation and emphasize likely future developments regarding standards, norms and technologies.

The remainder of this paper is structured as follows: Section 2 provides an overview of related work. Since this is a survey paper, we mainly refer to other survey papers there, and omit works that are cited in the other sections. Section 3 is about the various dimensions that need to be considered when it comes to cyber security information sharing. For that purpose, we group all relevant aspects into five distinct categories. After that, relevant regulations, standards, concepts, supporting tools, and protocols that are essential for setting up effective information sharing procedures are discussed. In particular, Section 4 outlines cooperation and coordination aspects and presents some sample sharing scenarios. Section 5 reviews existing regulatory directives and legal recommendations. Subsequently, Section 6 refers to well-recognized standards in this area, while Section 7 covers concrete implementations in terms of organizational structures. Section 8 deals with technologies, tools and applicable protocols. After this survey, we critically review the applicability of existing solutions in a large-scale national security information sharing network (as set up in the context of a number of projects together with national stakeholders) in Section 9. Finally, Section 10 concludes the paper.


Related work

Cyber-attacks are becoming increasingly sophisticated, targeted and coordinated, resulting in so-called advanced persistent threats (Farwell and Rohozinski, 2011; Tankard, 2011). Consequently, new paradigms are required for detecting and mitigating these kinds of attack (Virvilis and Gritzalis, 2013), and eventually for establishing situational awareness (Jajodia et al., 2010; Sarter and Woods, 1991; Tadda et al., 2006). Many of these tasks are currently performed within individual organizations only, and

The dimensions of information sharing

A multitude of dimensions need to be considered in order to realize effective information sharing. In contrast to many other works that primarily focus on the technical aspects, we argue that the biggest challenges are not located entirely in this area, but span the different dimensions of technical, legal, regulatory and organizational means.

Dimension I: efficient cooperation and coordination

The increased presence of information technology in modern critical infrastructures has stimulated the proliferation of a significant number of new types of threats. These threats are global in nature and are shifting in focus and intensity, exploiting opportunities enabled by new technologies. Mitigation measures exist to respond to these evolving threats, but in most of the cases technological means need to be supported by cross-organizational (and even cross-border) collaboration to be

Dimension II: legal and regulatory landscape

Internationally, critical infrastructure (CI) cyber security has become a fundamental as well as delicate subject in recent years. The European Union and the United States are becoming increasingly sensitive to this topic, which has resulted in the release of guidance, the publication of strategies, and the issuing of directives that regulate a secure digital environment for their Member States.

The European Commission, together with the High Representative of the Union for Foreign Affairs and

Dimension III: standardization efforts

A wide variety of official recommendations from standardization bodies, such as NIST or ENISA, exists, which are a valuable source of information when setting up information sharing procedures.

Dimension IV: regional and international implementations

CERTs are a vital part of every regional cyber security ecosystem. They collect information on new threats, maintain mailing lists to issue early warnings and, in certain cases, provide help on request. CERT cooperation has proved to be the most effective within regions. This can be easily explained, as short travel times and overall relatively low costs stimulate more frequent personal meetings. Another important aspect is the similarity of the cultural backgrounds of the participating teams

Dimension V: technology integration into organizations

As described in the previous section, much progress has been made recently in establishing national/governmental cyber security centers worldwide. All these entities are at different maturity levels and face the challenge of coordinating responses to global cyber attacks not only within national boundaries, but also at a cross-border level. Cooperation between many of these centers has led to visible results (TF-CSIRT, CEENET, North America CSIRT meeting, FIRST SIGs, and E-COAT are examples of

Review of cyber incident information sharing aspects

Incident information sharing is a vital effort for future infrastructures. However, a multitude of quite diverse aspects need to be considered in order to implement and run effective systems, which have been addressed in this paper. The following section sums up the most important findings, of both technical and non-technical nature, derived from our survey, and provides recommendations for future developments.

Conclusion

In practice, security information sharing is usually accomplished via ad-hoc and informal relationships. Often, national CERTs assume the role of a contact point for coordinating and aggregating security incident reports. However, the information that is provided is usually not targeted to particular vertical industry sectors. We suggest that sector-oriented views, along with rich information and experience reports, are required to make such platforms more effective. Furthermore, there is a

Acknowledgments

This study was partly funded by the Austrian FFG research program KIRAS in course of the projects CIIS (840842) and CISA (850199) as well as the European Union FP7 project ECOSSIAN (607577).


References

  • R. Clarke. China cyberassault on America. Wall Street J (2011).
  • R. Dacey. Homeland security: information sharing responsibilities, challenges, and key management issues.
  • L. Dandurand et al. Towards improved cyber security information sharing.
  • R. Danyliw et al. RFC 5070: the Incident Object Description Exchange Format (IODEF).
  • A. D'Amico et al. Achieving cyber defense situational awareness: a cognitive task analysis of information assurance analysts.
  • Z. Denise et al. Cyber threat information sharing (2015).
  • Department of Homeland Security. Enhanced cybersecurity services program.
  • ENISA. CSIRT legal handbook.
  • ENISA. CERT cooperation and its further facilitation by relevant stakeholders.
  • ENISA. Incentives and challenges to information sharing.
  • ENISA. Practical guide/roadmap for a suitable channel for secure communication: secure communication with the CERTs & other stakeholders (2011).
  • ENISA. Proactive detection of network security incidents.
  • ENISA. Detect, share, protect – solutions for improving threat data exchange among CERTs.
  • ENISA. ENISA threat landscape mid-year 2013 (2013).
  • ENISA. Flash note: can recent attacks really threaten internet availability? (2013).
  • ENISA. Cyber security information sharing: an overview of regulatory and non-regulatory approaches.
  • European Commission. Cybersecurity strategy of the European Union: an open, safe and secure cyberspace.
  • European Commission. Proposal for a directive of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union.
  • J.P. Farwell et al. Stuxnet and the future of cyber war. Survival (Lond) (2011).
  • D. Fernandez Vazquez et al. Conceptual framework for cyber defense information sharing within trust relationships.
  • FireEye. Advanced targeted attacks: how to protect against the next generation of cyber attacks.
  • E. Gal-Or et al. The economic incentives for sharing security information. Inform Syst Res (2005).
  • C.B. Gibson et al. Virtual teams that work: creating conditions for virtual team effectiveness (2003).
  • P. Golle et al. Incentives for sharing in peer-to-peer networks.
  • K. Harrison et al. Information sharing requirements and framework needed for community cyber incident detection and response.
  • U. Helmbrecht et al. ENISA: cybersecurity cooperation: defending the digital frontline (2013).
  • J.L. Hernandez-Ardieta et al. Information sharing models for cooperative cyber defence.
Florian Skopik is a Senior Scientist of the research program "IT Security". His current research interests include the security of critical infrastructures, especially in the course of national cyber defense. Before joining AIT, Florian was with the Distributed Systems Group at the Vienna University of Technology as a research assistant and post-doctoral research scientist, where he finished his PhD studies. Florian further spent a sabbatical of several months at IBM Research India in Bangalore. He has published around 80 scientific conference papers and journal articles, and is a member of various conference program committees and editorial boards. Florian is an IEEE Senior Member.

Giuseppe Settanni joined AIT in 2013 as a scientist and is currently working on national and European applied research projects regarding security in communication and information systems. Before joining AIT, Giuseppe Settanni worked for 2 years at FTW (Telecommunication Research Center in Vienna) as a communication network researcher, on the development of a network-based anomaly detection tool in the context of the DEMONS European Project. His current research interests include the security of critical infrastructures, information sharing, and anomaly detection in national cyber defense.

Roman Fiedler is a Scientist at the AIT Austrian Institute of Technology and runs projects in the areas of telehealth and ICT security. Roman has a decade of experience in network security and operations. He finished his Master studies in the domain of biochemistry at the University of Technology Graz.