A friend of mine runs a small legal firm and he was the victim of a ransomware attack. He decided not to pay, and it took him two days to get his server up and running again, and the best part of a week to recreate documents that had not been backed up. It caused him a lot of worry and embarrassment with his clients, and it cost him money to pay for staff overtime.
He doesn’t know definitively how it happened; he suspects a phishing attack on a user account with system-level access. No, it shouldn’t be that easy for hackers, but unfortunately it is, in millions of small businesses worldwide. I’ve recommended that he commence a periodic audit to ensure it does not happen again, and I’ve suggested a tool that he can use to make the task quite easy.
A few weeks ago I was privileged to be able to make an industry award at the EIC 2016 conference in Munich. I like industry awards because they help me stay abreast of developments in the IT security sector, something that’s invaluable to my consultancy work. The award for best innovation was won by the STIX, TAXII and CybOX initiative.
- STIX defines a structure to describe a threat. It allows for the definition of a threat, a threat actor, an incident type and a course of action, amongst other attributes. Tactics, Techniques and Procedures (TTPs) are also defined.
- TAXII defines how threat information should be exchanged; publicly available servers sharing threat information are now being trialled.
- CybOX provides a structure for measuring and reporting on events related to cyber security such as the generation of a registry key or activity on a specific IP port.
Together they offer a lot of hope in the fight against malware infestation and potentially against phishing attacks. The idea is that STIX defines a standard format for a malware signature and TAXII helps us communicate notifications. If organisations, when they identify a malware attack, make the information publicly available in a usable format, other victims could be avoided; and if the attack could be mapped to a phishing attempt, it could be stopped within a few minutes, with mail servers dropping the messages and saving storage space and significant bandwidth.
Now, this has nothing to do with the kerfuffle that happened in the US last year regarding the Cybersecurity Information Sharing Act (CISA), which got bogged down and diluted by concerns that the government was extending disclosure regulation and that organisations would be forced into potentially embarrassing disclosure of successful attacks against their infrastructure. CISA assumes a rich sharing environment, with participants choosing a methodology for exchanging documents regarding attacks and a trust framework that explicitly identifies trusted parties. There’s no definition of how automated exchange of data should occur and no definition of the communication mechanisms that would allow any automated, or even fast, response to identified threats.
In contrast, STIX and TAXII provide the means whereby an organisation can match activity on its networks to known attack signatures and automatically quarantine threats to shut down their spread. In the event that a malware attack is identified, a STIX record would be generated. This requires a system admin to complete the pertinent elements in the record; it would then be submitted to a TAXII server to be made publicly available. Other organisations monitoring or subscribing to the service would then use the STIX record to match against activity on their networks and avoid becoming a victim.
Collaboration between governments, companies and organisations is a prerequisite; CIOs and CISOs must be willing to contribute as well as utilise threat definitions. But there are no “disclosure” issues and no risk of corporate embarrassment to impede the deployment of such a model.
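The matching step described above, as an added example in Python (not code from this post or from the STIX/TAXII projects): a subscriber holds an indicator pulled from a TAXII collection and checks its own observations against the indicator's pattern, returning what to quarantine. It assumes the JSON indicator form and pattern grammar of STIX 2 (which postdates this post; STIX 1.x used XML), supports only a single observation expression of OR-joined equalities, and uses constructed placeholder ids, URLs and hashes.

```python
import re
# Constructed STIX 2.1-style indicator (placeholder id, URL and hash, not real
# indicators) in the form a TAXII subscriber would pull from a collection.
INDICATOR = {
    "type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "pattern": "[url:value = 'http://lure.example/invoice' OR "
               "file:hashes.'SHA-256' = 'deadbeefdeadbeefdeadbeefdeadbeef"
               "deadbeefdeadbeefdeadbeefdeadbeef']",
}
# One equality comparison: <object-type>:<object-path> = '<value>'
COMPARISON = re.compile(
    r"(\w+):((?:[\w-]+|'[^']*')(?:\.(?:[\w-]+|'[^']*'))*)\s*=\s*'([^']*)'")

def parse_pattern(pattern):
    """Parse one [...] observation expression of OR-joined equalities into
    (object_type, path_keys, value) tuples; anything richer is rejected loudly."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("only a single [...] observation expression is supported")
    terms = []
    for part in pattern[1:-1].split(" OR "):
        m = COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part!r}")
        obj_type, path, value = m.groups()
        keys = [k.strip("'") for k in re.findall(r"'[^']*'|[\w-]+", path)]
        terms.append((obj_type, keys, value))
    return terms

def _lookup(obj, keys):  # walk a dotted object path; None if any step is missing
    for k in keys:
        obj = obj.get(k) if isinstance(obj, dict) else None
    return obj

def matches(terms, observed):
    """True if an observed object (a dict carrying its STIX 'type') satisfies any term."""
    return any(observed.get("type") == t and _lookup(observed, keys) == v
               for t, keys, v in terms)

def triage(indicator, events):
    """Ids of events to quarantine: the automated response the post describes."""
    terms = parse_pattern(indicator["pattern"])
    return [e["id"] for e in events if matches(terms, e["observed"])]

# Constructed observations from a mail gateway and an endpoint agent.
EVENTS = [
    {"id": "msg-1", "observed": {"type": "url", "value": "http://lure.example/invoice"}},
    {"id": "msg-2", "observed": {"type": "url", "value": "https://intranet.example/"}},
    {"id": "file-7", "observed": {"type": "file", "hashes": {"SHA-256": "deadbeef" * 8}}},
]
```

A production matcher would use a full STIX pattern evaluator; the point here is that the indicator, not local rule-writing, drives the decision, so a record published by one victim protects the next subscriber immediately.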
As Benjamin Franklin once said, long before the rise of millennials, “An ounce of prevention is worth a pound of care”. Working together we can snuff out this insidious activity and save millions of dollars.
And my friend can go back to lawyering.
Graham Williamson is Senior Analyst at KuppingerCole and covers the areas of Identity-as-a-Service, Dynamic Authorisation Control and Privacy. He has consulted in the Identity Management sector for 15 years and is the author of the book “Identity Management: A Primer”. Graham holds a Bachelor of Applied Science degree from the University of Toronto and an MBA degree from Bond University. He has practical experience in the identity management and access control industry, having completed assignments in the academic, government and large corporate sectors across three continents.