Threat information sharing is key to the success of combating cyber attacks, says financial market clearing and settlement services firm Depository Trust and Clearing Corporation (DTCC).
This is one of three main challenges facing financial services and other organisations, said Mark Clancy, managing director and corporate information security officer at the DTCC.
The other challenges are the fact that there are many types of cyber attacker and that attackers can typically act more quickly than defenders, he told Computer Weekly.
The main threat actors, said Clancy, are criminals who want to steal money, hacktivists who want to make a political point, espionage actors who want to steal secrets for their nation or cause, and war-like actors who want to disable the function of infrastructures, for example.
“Organisations have to recognise that they face all four of those, although to differing degrees, and that they have to have a capability to address all the different actors and motivations,” he said.
The timescale problem refers to the fact that attacks are measured in seconds, minutes and hours, while it can take days, months or years for defenders to realise an attack has taken place, said Clancy.
“We have to change our approach so we can work in the same timescales as the attackers,” he added.
Part of the challenge is to identify when data has been stolen, which is difficult, he said.
“If robbers break into your house and steal your china and silver, you know about it instantly because it is gone, but when someone steals a digital asset, everything you had still appears present.
“We have to work in our capabilities to identify ways to shorten the time between the initial intrusion and awareness that the intrusion has taken place.”
Allied both to dealing with a multitude of different attackers and to the increasing speed of attacks is gathering and sharing information about attacks that are taking place, said Clancy.
“If you can learn about attacks that were attempted elsewhere before they show up on your doorstep, you can be much better prepared to defend against those attacks and reduce the likelihood of their success.”
The financial services industry is working to share this information in order to devalue the infrastructure that attackers are using, increasing the costs of attack while decreasing the costs of defence, he said.
The financial services sector is often recognised as being one of the most advanced in sharing cyber threat intelligence, said Clancy, but there is still room for improvement.
“The main reason we tend to do it better than other industry sectors is that we started more than a decade ago and we decided that this is not an issue where we are competitive with each other,” he said.
The value in sharing threat intelligence stems from the fact that attackers typically target several financial institutions using the same techniques.
“We saw the direct benefit of sharing this information because we realised that if we were not a target today, we could be a target tomorrow,” said Clancy. “And the reason it works is that we built community around this issue.”
Because trust does not scale, there is a need to build peer-to-peer trust relationships, in which individuals can be sure that if they share information, it will be handled appropriately, he said.
“When you build that confidence, you can grow that community, and as the community gets larger, you have an increasing number of nodes of connectivity and more data flows.”
The next step in the evolution of sharing threat information in the financial services industry, said Clancy, is to share things that show up on networks in an automated way to increase the volume of data shared.
“We want to share cyber threat data as quickly as we process financial transactions,” he said. “This is where we and other industries need to go.”
At the same time, financial institutions should continually review their ability to share and consume cyber threat intelligence data, said Clancy.
“In our institution, for example, we had to completely re-tool our operations to take advantage of this information.
“Organisations have to assess their capabilities and figure out how they are going to operate them at scale, then they have to mature their operations to the point that they are able to identify new things happening in their environment and share those back to the community to make the community stronger.”
Clancy is one of the panellists in a debate on protecting the securities and derivatives markets from cyber crime at the UK Financial Services Cyber Security Summit in London on 15 July 2014.