How CI-ISAC fits into the broader cyber threat sharing landscape

One of the most common questions we get asked when speaking to prospective CI-ISAC members is:

“Why CI-ISAC… what about the ACSC, TISN, or <insert name here> group that’s already sharing intelligence?”

Before we get into how CI-ISAC enables its members to defend themselves more effectively from cyber-attacks, let’s look at how we fit into the broader Australian intelligence sharing landscape, which can be broadly categorised into three main groups:

  • Government Initiatives (TISN, ACSC CTIS, ACSC Partner network, State Government sharing).
  • Local Groups/Associations (AUShield Defend, CISO Lens, Interbank, Informal sharing groups, etc.).
  • International ISACs (FS-ISAC, H-ISAC, Aviation-ISAC, etc.).

All these entities focus on sharing information among participants, with the majority focusing on a single sector or subset of companies. The US-focussed ISACs (FS-ISAC, H-ISAC, etc.) bring a wealth of sector-specific information, albeit with the vast majority being contributed by overseas entities. The information flow within traditional ISACs is generally high in volume, with many feeds generating up to 100 alerts a day, requiring every recipient to triage, analyse and action the information themselves.

At the other end of the spectrum are communities that meet/report infrequently and provide limited structure around the information exchange - again, putting the onus on participants to filter information relevant to them and to determine the action required and carry that out. Technical indicators from a cyber-attack may provide an initial clue if present in a recipient network; however, without the capability to analyse and build context, the entity is inhibited from making an informed cyber response.

Other communities/groups have specific entry criteria (size, sector, cost), which limits the ability of non-qualifying entities to participate in the information exchange. All these factors raise the barrier for entities to effectively participate, with the single biggest inhibitor being their maturity/resources to derive maximum value.

Figure 1. Mapping sharing volume to participant maturity/size

CI-ISAC was designed from the outset to lower the barrier for members to participate and maximise value, while still augmenting the numerous information sharing initiatives in existence. CI-ISAC aims to drive operational outcomes regardless of member size, by taking care of the heavy lifting required to gather, triage, analyse and produce actionable intelligence for members.

The current cyber skills shortage and intense competition for quality staff mean that, by providing central capabilities alongside a trusted ecosystem for sharing information, CI-ISAC can build context (to aid prioritisation) and provide actionable recommendations. This structured and unique approach enables members to quickly assess the risks to their individual environments and pass the recommendations to technical (not cyber) teams for actioning.

The attraction of this model is that it removes the duplication of effort, where historically each participant has had to spend time assessing the technicalities of threats, resulting in less time on the tools defending their organisations.

As with any good security program, there is no single silver bullet, and CI-ISAC aims to complement existing initiatives and adopts a ‘partner first’ approach to build value for members. An example of this is the ACSC’s CTIS, where more mature players may choose to connect directly, while CI-ISAC provides a trusted interface for less mature entities, translating relevant technical information into threat advisories with actionable recommendations.

As our capability evolves, CI-ISAC members will have the ability to ‘enrich’ their hits on technical indicators, enabling a better understanding of the actual threats they face and how best to respond. Blocking an indicator that an organisation has been alerted to is fine insofar as it goes; however, if the organisation doesn’t understand what the threat (and risk) actually relates to and what else may be going on in its environment, then that organisation risks not containing the threat completely.

Figure 2. Public/Private cyber integrations

As our resources grow, CI-ISAC aspires to further complement Federal initiatives such as TISN and the Cybermerc Pty. Ltd. AUShield Defend platform. We are uniquely placed to provide sector briefings and situational awareness on the cyber threats observed from across the 11 SOCI sectors, and to provide specialist cyber experience to augment the cyber and information area of the ‘all hazards’ approach to Critical Infrastructure risk management and consequent resilience.

Phase two of CI-ISAC’s operational maturity, which is rapidly approaching, will harness our non-competitive ecosystem to build a suite of technical capabilities and resources to assist members in their cyber maturity journeys. Because we are a member-owned, not-for-profit entity, we can capture the lessons from across our diverse membership and curate this into a form that can benefit multiple CI entities across multiple sectors who are all evolving their own defences.

In the spirit of true Collective Defence, our first Industry Advisory Group (IAG) will be convening in November to start the process of planning priority capabilities to assist all members as they work to mature their cyber capabilities and more effectively defend themselves and our Nation’s Critical Infrastructure.

David Sandell