The Value of Sharing Cyber Threat Intelligence

With the diversity, sophistication, and volume of cyber-attacks growing each day, it would be unwise for Australia’s Critical Infrastructure companies to stand alone. Sharing Cyber Threat Intelligence (CTI) helps them stand together and build a collective cyber defence.

The need for sharing community-sourced CTI has increased as organisations have pursued digital transformation agendas, and it will only accelerate with the use of new technologies such as AI and automation. This adoption further expands the digital footprints and attack surfaces of companies, as technical vulnerabilities open up more ways for attackers to breach their perimeters and cause harm and disruption.

Gartner defines threat intelligence as evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding response to that menace or hazard.

CI-ISAC argues that highly curated information is needed to make better decisions about how to defend an organisation from cyber-based threats. Some of the questions threat intelligence answers include:

  • Who are my adversaries and how might they attack me, our industry or my partners and supply chain?
  • How do these attack vectors affect the security of my organisation?
  • What should my security operations teams be watching out for?
  • How can I reduce the risk of a cyber-attack against my organisation?
  • How can I respond more effectively when I detect an indicator of compromise in my environment?

Threat intelligence always has a purpose: to inform decision making and drive action to reduce fraud and cybercrime, to prevent data loss and protect Personally Identifiable Information (PII), and to reduce overall business risk.

The value of Threat Intelligence has been widely recognised and as such is increasingly adopted in standards, frameworks and best practices either as a mandatory control or recommendation; e.g., APRA CPS234, AEMO AESCSF. These are explained below.

The Australian Prudential Regulation Authority's (APRA) Information Security Standard CPS 234 institutes requirements around information asset identification and classification, information security roles and responsibilities, implementation and testing of information security controls, incident management, internal audit, and breach notification. It makes clear that the Board is ultimately responsible for information security. It calls for protective measures to be commensurate with the size of the organisation and the threats faced. It also includes requirements around the management of third-party (supplier) risk.

The Australian Energy Market Operator (AEMO) uses the Australian Energy Sector Cyber Security Framework (AESCSF) Program to enable its Australian energy sector participants to assess, evaluate, prioritise, and improve their cyber security capability and maturity.

Defence Companies

Sharing community-sourced CTI is probably more important in the defence sector than in other critical infrastructure sectors because of the Defence Industry Security Program (DISP), which provides confidence and assurance in the secure delivery of goods and services to the Department of Defence when partnering with industry. DISP is a risk management program that strengthens security practices in partnership with industry, and enables members to have their security practices recognised by Defence and Defence’s international industrial security partners. DISP enhances Defence’s ability to manage risk in the evolving security environment and provides confidence and assurance to Defence and other government entities (either Australian or foreign) when procuring goods and services from industry members.

Drawing on several standards across the critical infrastructure sector and the expectations of defence companies under DISP, there are several areas that all critical infrastructure companies, and especially defence companies, should consider as they determine the extent to which they participate in CTI sharing to improve their cyber resilience and cyber risk management:

  • Organisations should implement eight essential mitigation strategies as a baseline. The Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC), has released the Essential 8 to help build Australia’s cyber resilience and mitigate against common cyber threats.
  • Organisations should understand the cyber-security risk to their operations (including mission, functions, image, or reputation), organisational assets, and individuals. Cyber threat intelligence should be received from information sharing forums and sources. Threats, both internal and external, should be identified and documented. Threats, vulnerabilities, likelihoods, and impacts should be used to determine risk.
  • Organisations should obtain external guidance from government departments and agencies, and importantly from Information Sharing and Analysis Centres (ISACs) and Information Sharing and Analysis Organisations (ISAOs), to understand their role in the larger ecosystem with respect to either their dependencies or dependants. Organisations should regularly collaborate with or receive information from other entities that complements internally generated information, and share information with other entities (e.g., threat intelligence, best practices, technologies).
  • Organisations should implement a threat awareness program that includes a cross-organisation information sharing capability for threat intelligence. They should employ automated mechanisms to maximise the effectiveness of sharing threat intelligence information.
  • Organisations should leverage CTI to inform their risk assessment, as all-source intelligence should be used to assist in the analysis of risk. This also contributes to dynamic threat awareness in helping organisations determine the current cyber threat environment on an ongoing basis, as well as using predictive cyber analytics to predict and identify risks.
  • CTI should inform an organisation’s threat hunting capability by searching for indicators of compromise (IoC) in its systems; and by detecting, tracking, and disrupting threats that evade existing controls.
  • Contractual arrangements should be in place with partners including suppliers that provide for two-way sharing of cyber security threat information.
  • High priority threats should be added to the company risk register.
  • Contextualised information should be applied to remedy or mitigate risks arising from vulnerabilities.
  • Boards should consider the sufficiency of their company’s information security capability in relation to vulnerabilities and threats, including timely identification and remediation of new threats and vulnerabilities. They should also devote attention to identified capability gaps and the status of remediation activities.

In addition to these areas from several standards, all critical infrastructure companies are now obliged to observe the new SoCI (Security of Critical Infrastructure) legislation and the three possible positive security obligations that can apply to certain classes of critical infrastructure assets:

  1. Mandatory cyber security incident reporting to the Australian Cyber Security Centre;
  2. Providing ownership, operational information, responsibilities, and direct interest holdings to the Register of Critical Infrastructure Assets; and
  3. Having and complying with a Critical Infrastructure Risk Management Program (which was enacted on 17 February 2023).

The Australian Government’s articulated approach to cyber and information security recognises that all parties have an ongoing role to play in securing our digital future – a combined responsibility that is reflected in the recently updated SoCI legislation.

It is also important to note that risk profiles for CI providers may be very different. Not all digital and cyber risks are relevant for all CI stakeholders. The risks relevant to information technology (IT) security may be quite different from those associated with operational technology (OT). Further to this, given that IT and OT infrastructure architectures continue to converge and expand to include mobile, cloud, and internet of things (IoT) devices, a robust risk-based approach and an integrated cyber risk management plan are crucial to managing the security of Critical Infrastructure.

Sharing cyber threat intelligence is a key element of a robust risk-based approach and fundamental to an integrated cyber risk management plan. The Critical Infrastructure Information Sharing and Analysis Centre (CI-ISAC) can assist here by providing a platform and forum for companies to share cyber threat intelligence and to learn from others so cyber defences can be bolstered, thereby helping those companies to get ahead of the cyber attackers.

This article was co-authored by CI-ISAC strategic advisors, Dr Gary Waters and Kevin Vanhaelen.

For more information on CI-ISAC, email [email protected] or visit: www.ci-isac.org.au

#strongertogether #leavenoonebehind

Patrick Wright, given your recent comments regarding cyber war and how we can unite industry for total defence.

Glen Gooding

CISO - Board and Executive Cyber Advisory - Elevating cyber maturity - Improving cyber resilience

1 year

Thanks Kevin Vanhaelen and Gary for taking the time to put this together. It's immediately obvious that, as a country, we will always be #strongertogether if industry can participate in a capability that allows the trusted sharing of intel in a true bi-directional manner.

Mitchell Sutton

Cyber Threat Intelligence

1 year

Great write up Kevin Vanhaelen and Gary! Thanks for sharing.

Jason Murrell

Cybersecurity Leader | Chair at Australian Cyber Network | Chair at DSI (SMB1001) | Founder at MurFin | Advocate for SMB Protection & Growth | ‘Cyber Team Australia’ Strategist | Speaker & Thought Leader | Innovator

1 year

I / AustCyber is looking forward to working together on all of our joint projects.
