CTI improvements in Lithuania - SOCshare and beyond
TL;DR: The sharing ecosystem and culture in Lithuania have grown greatly over the last few years, through the efforts of both individuals and organizations. However, is the current state sustainable in the long term, or should more be done to get organizational buy-in?
For the last 1.5 years, NRD Cyber Security and the Vilnius City Municipality Administration (VMSA) have partnered on the SOCshare project, with the long-term aim of making Europe safer and more resilient to cyber-attacks by increasing Lithuania’s Cyber Threat Intelligence (CTI) maturity. Now, that sounds like a big task, and it is! We’re not trying to single-handedly grow new CTI businesses, train analysts at the national level, and so on; but by increasing the maturity of our own organizations, our clients and the subsidiary institutions of the VMSA will also reap the benefits. And looking past our own maturity improvements, a key point of the project is to foster a culture of sharing.
Has it been easy? Not at all. Have we created an incredible sharing culture that can serve as a model for the rest of the EU? Not even close (at least not yet). But we can still reflect on our efforts, inspect the changing landscape, and provide insights to help other EU members grow their sharing community with lessons learnt from the SOCshare project, as well as by reflecting on other sharing initiatives in Lithuania.
At the heart of it, threat intelligence is about data, so it would be remiss not to share some data about our own sharing efforts and engagement. Together with the VMSA, we have published just over 300 MISP events, none of which were created automatically. These events all come from existing detection methods and are verified as true positives before being selected for further processing. Among these 300 events alone there are over 60 correlations, meaning that even with the limited information from our SOC teams, and with events being selected manually, we can see many recurring indicators. Of particular interest are correlations across a long timeframe, e.g. the exact same web-exploit attempts occurring nine months apart, against different organizations, from a Cloudflare IP address that is otherwise not known for any scanning activity. This kind of data is exactly what sharing and ISACs can help create.
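As an added illustration of the kind of long-timeframe correlation described above (this is not SOCshare's or MISP's own code): a short Python pass over events in MISP's JSON export layout that lists indicators appearing in more than one event, how many days separate the first and last sighting, and whether the sightings come from different organisations. The three events, the organisation names and the indicator values are constructed for the example; the IP addresses are from documentation ranges and the field names follow the MISP export format.

```python
"""Spot indicators that recur across MISP events and measure how far apart
the sightings are. Added example; not SOCshare's own tooling.
The sample export below is constructed in MISP's JSON export layout."""
import json
from collections import defaultdict
from datetime import date

# Constructed sample export: three events from two organisations. The IPs
# are from documentation ranges and the path is a commonly scanned one.
SAMPLE_EXPORT = json.dumps([
    {"Event": {"uuid": "e1", "date": "2024-02-10", "Orgc": {"name": "Org-A"},
               "info": "Web exploit attempts against public site",
               "Attribute": [
                   {"type": "ip-src", "value": "198.51.100.7", "to_ids": True},
                   {"type": "uri", "value": "/.env", "to_ids": False}]}},
    {"Event": {"uuid": "e2", "date": "2024-05-02", "Orgc": {"name": "Org-A"},
               "info": "Unrelated scanner noise",
               "Attribute": [
                   {"type": "ip-src", "value": "203.0.113.9", "to_ids": True}]}},
    {"Event": {"uuid": "e3", "date": "2024-11-12", "Orgc": {"name": "Org-B"},
               "info": "Same exploit attempts seen at a partner",
               "Attribute": [
                   {"type": "ip-src", "value": "198.51.100.7", "to_ids": True},
                   {"type": "uri", "value": "/.env", "to_ids": False}]}},
])


def load_events(export_json):
    """Unwrap the {"Event": {...}} envelope MISP uses in exports."""
    return [item["Event"] for item in json.loads(export_json)]


def correlate(events, min_gap_days=0):
    """Return indicators seen in more than one event.

    Each result records the events and organisations involved, the number
    of days between the first and last sighting, and whether the sightings
    cross organisational boundaries. Recurrences closer together than
    min_gap_days are dropped, which isolates the long-timeframe cases."""
    sightings = defaultdict(list)  # (type, value) -> [(date, org, event uuid)]
    for ev in events:
        when = date.fromisoformat(ev["date"])
        org = ev["Orgc"]["name"]
        for attr in ev.get("Attribute", []):
            sightings[(attr["type"], attr["value"])].append((when, org, ev["uuid"]))

    results = []
    for (atype, value), seen in sightings.items():
        event_ids = sorted({uuid for _, _, uuid in seen})
        if len(event_ids) < 2:
            continue  # only seen once: nothing to correlate
        dates = [when for when, _, _ in seen]
        span = (max(dates) - min(dates)).days
        if span < min_gap_days:
            continue
        orgs = sorted({org for _, org, _ in seen})
        results.append({
            "type": atype,
            "value": value,
            "events": event_ids,
            "orgs": orgs,
            "span_days": span,
            "cross_org": len(orgs) > 1,
        })
    # Longest-lived recurrences first: those are the ones worth a closer look.
    results.sort(key=lambda r: (-r["span_days"], r["type"], r["value"]))
    return results


if __name__ == "__main__":
    for hit in correlate(load_events(SAMPLE_EXPORT), min_gap_days=180):
        print(f"{hit['type']:8} {hit['value']:16} seen in {hit['events']} "
              f"({hit['span_days']} days apart, cross-org={hit['cross_org']})")
```

On a real instance the same logic applies to the JSON returned by the REST search endpoint or a full export; the point of the min_gap_days filter is that an indicator recurring after months, at a different organisation, is far more interesting than two sightings of the same scanner in one week.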
In addition to structured information sharing, the SOCshare project also focuses heavily on unstructured sharing: through media articles, threat intelligence meetings with partners, and quarterly threat intelligence meetings open to all.
Among the threat intelligence sharing articles published for situational awareness, we do not see any notable trends in engagement depending on the type of content: whether we share indicators and brief summaries of activities detected that month, raise relevant process improvement questions, or collaborate with public institutions to inform on national capabilities.
At our quarterly threat intelligence meetings, we have had over 120 unique participants, representing around 70 unique organizations! At the start of the project, it was natural that there was a need to build trust and credibility before expecting everyone to jump in and share their own insights and data, so we presented our own data and insights, and organized expert speakers to present their own research or to share resources and teach the community. And while interest in the events remains, we continue to hold them in a presentation-style format, since there has been little to no interest from participants in publicly sharing their own experiences, data, or insights.
Alongside SOCshare, there has been a notable rise in engagement from the Lithuanian cybersecurity community, in a variety of ways and on a variety of topics. For a more detailed list, I recommend visiting Kajus Šeštokas’ blog: https://kajus.io/posts/viskas-ka-reikia-zinoti-apie-kibernetini-sauguma-lietuvoje/.
On a national level, Rasa Mončiunskaitė and Dominykas Kugelevičius created a plan for a Lithuanian Cyber Campus as part of their Kurk Lietuvai project at the National Cyber Security Center (NCSC). During the presentation of this project, the idea of working groups composed of community experts from various sectors was presented. Among these working groups, a separate CTI working group is envisioned.
The National Cyber Security Center has also started a (very successful) series of Cyber Breakfasts on various cybersecurity topics, with registration usually filling up within an hour of the announcement! The thirst for information and discussion from trusted sources is there. On December 3rd, their Cyber Breakfast session focused on CTI. Additionally, during our quarterly SOCshare threat intelligence meetings it became evident that the community needed more dialogue with, or clarity from, the NCSC on the topic, and we were very happy to host Inga Žukauskienė, director of the Regional Cyber Security Center (which heads up the national CTI initiatives), for fruitful discussions on what could be done to improve CTI capabilities nationally.
And at the individual level, we’re seeing an interesting trend of people sharing unstructured findings and public awareness announcements on LinkedIn, notably a mix of structured and unstructured data published by Lukas Apynis on his LinkedIn and GitHub (https://github.com/Wortexz).
Going beyond CTI, the monthly InfoSec meetups were not widely known when they first started, but when Aurimas Rudinskis (Engineering Manager @ Vinted) shared the initiative on LinkedIn over a year ago, 30+ security specialists publicly expressed interest in joining these expert TLP:RED sessions, with even more joining over time. However, as something we see repeated across the various initiatives, most meetup attendees listened silently with their cameras off, while a core group of enthusiasts traded insights, questions, and experience. And so the meetings naturally shifted to a lightning-talk format to ensure at least some level of engagement and knowledge sharing.
Overall, we can see one key thread connecting all local cybersecurity sharing initiatives, not just CTI: they are carried on the shoulders of passionate, enthusiastic champions and subject matter experts. But lives change, priorities drift, people grow and move on. Perhaps NIS2 will change this over time, but right now I believe we are missing buy-in from organizations. And of course, organizations without mature cyber security programs will not invest in CTI, so we cannot simply expect everyone to do so voluntarily and proactively. Together with the implementation of NIS2, we have a chance to help organizations join in sharing their information, but for that they need:
From our experience, the bar for entry to sharing needs to be as low as possible, simply because there is not enough CTI capability, maturity, expertise and capacity. As of publishing this article, we have yet to receive a single formal inquiry about joining our SOCshare ISAC. Some experts expressed interest at the start of the project but cannot get buy-in from their organizations. Others were willing to join but changed employers, and their new employers weren’t too happy about sharing information. Some work for international companies whose policies forbid them from sharing such information. And in some cases, when working with cybersecurity or data-related companies, they would be giving away proprietary information. Many organizations are not mature enough to have a threat intelligence sharing platform (TISP) they could use to receive the data, or even any easy way to make use of it.
And finally, so many are afraid to share their information: fearing their competitors will use it against them, fearing leaks to the press, and most of all fearing scrutiny from the public institutions responsible for national cyber security and data protection. And on a personal level, people are tired. So if improving your organization’s CTI is not among your direct goals and responsibilities, why give yourself more work? Even if you’re passionate about it, you’ll have to prove its worth to your stakeholders and investors. So, out of fear (whatever it is they fear), very few get involved, and those that do prefer to do so passively. But shouldn’t we instead be afraid of letting attackers get through our defenses because we didn’t share?
My personal fear? That the current system, where initiatives are driven mainly by individuals and where people are afraid of the wrong things, is not viable in the long term. And as we face ever-increasing, complex, and hybrid threats, we need as much data and knowledge sharing as possible to be able to effectively identify, detect, defend against, protect against, and mitigate these attacks. It’s not enough for major SOCs to share data on cyber incidents; we need to begin thinking bigger.
While we cannot solve all the issues mentioned above, we hope to be one piece of the puzzle in creating a mature and self-sufficient sharing ecosystem and culture in Lithuania. That is precisely why we are trying to build out standardized sharing structures and methodologies and to encourage a sharing culture: to make it as easy as possible for everyone to help each other stay safe. So, if you are even remotely interested in joining our ISAC, let me know. We’re happy to help in any way, from helping you choose the right TISP for your case, to giving tips (pardon the pun) on integrating it with your defenses, to providing training and resources related to CTI. We’ll do our best to help, because it makes us all safer. And in the meanwhile, we’ll continue to produce and share CTI free of charge, keep talking about its benefits, continue to share our lessons learnt, and keep encouraging you all to join and share.
This article is part of the SOCshare project, which aims to promote more effective sharing of information on cyber threats and how to detect them. The project is co-funded by the European Union under Grant Agreement No. 101127977 and is supported by the European Cybersecurity Competence Centre. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.