NSA Advocates Data Sharing Framework

Fighting attackers needs a new approach that leverages a public-private data sharing framework, enabling immediate and collective responses.

NEW YORK–The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys.

“We need to conduct defenses in a way that kills an adversary’s ROI,” Ziring said. “I want to get it down to the point where a threat actor says, ‘I better choose carefully where I throw this malware first, because I’m not going to get a third or fourth try.’ Today they don’t have that concern.”

In order to decimate a cybercriminal’s ROI on developing tools and attack playbooks, Ziring is calling on public agencies, companies and the security community to radically change the way they respond to cyberattacks.

In a keynote address Thursday at the Borderless Cyber conference, he said the cybersecurity community needs to work cooperatively to collectively respond to attacks in the same spirit they share threat intelligence. He argues, doing so will deprive cyber threat actors of the ability to use tools and tradecraft multiple times and starve criminals financially.

“The future of cyber defense is having a shared response or coordinated response,” Ziring said. “We need to break out of today’s enterprise mentality of every person for themselves.”

The type of framework Ziring describes doesn’t exist today, but two standards come close. Those are STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) which both deal with sharing data ahead of an attack. Neither address a key component that Ziring is calling for which is a public-private framework that creates a type of autoimmune system. If one node on the network is attacked, all other connected nodes are warned within seconds to defend against a similar attack.

“There is no technological reason why this couldn’t work. There are only practical obstacles like the need for interoperable standards that will enable us to do this in today’s heterogeneous environments. And that’s the bit we are solving right now with STIX and OpenC2,” he said.

Still early in development, OpenC2 is a language that would enable the coordination and execution of command and control of defense components between domains and within a domain.

Universal support for that type of framework will take a major shift in industry mindsets. As one conference attendee noted, today breach data is a carefully guarded secret for many companies. Ninety-five percent of the dozens of breaches the attendee said he helped mitigate over the past year were kept private for fear it might hurt share prices and the companies’ reputation.

Ziring said the industry does not need new regulations to mandate breach transparency. The upside to information sharing is the carrot that he hopes will lure companies, sectors and communities to be part of the sharing framework. He notes there are already several critical infrastructure sectors that are required to report breaches to the DHS.

“It would be better if we didn’t have to create more regulation. We’ll have to take a wait and see approach for now,” he said.

Currently, the type of framework Ziring describes is extremely rare. Within the financial services sector breach data is shared between members of a FS-ISAC (Financial Services Information Sharing and Analysis Center). When one member is attacked all other members are alerted and can fend off similar attacks before they happen.

Meanwhile, attack surfaces are growing with the rapid expansion of cloud, IoT and third-party services. Ziring said current defenses are not as scaleable as they need to be and can’t match the automated nature of cyberattacks.

Using FS-ISAC as a model, Ziring envisions a future where industry-focused communities share visibility into threats. When an attack occurred, top-level community members would analyze the threat and send out counter measures to community members inoculating them within seconds or minutes from similar attacks. “It’s unreasonable to ask small business to be ready fight off a nation state attack themselves,” he said.

To many in attendance, that “top-level” community member is the government. To that end, Ziring told attendees that NSA and DHS are committed to be a trusted partner in the framework through the development of standards such as OpenC2.

“The government has a unique authority in this area. We are doing a lot today within the DHS and FBI. I believe government has a responsibility to share. Culturally, it’s going to be tough. But we need to do it,” he said.

Suggested articles