Two pretty common questions we hear from prospective members are “Why do I need CI-ISAC when I have a brilliant cyber team?” and “Why would I need to know about cyber threats from other sectors?”
TLDR:
Working in a cyber team, regardless of how brilliant they are, is akin to playing ‘whack a mole’ – you’re dealing with a constant onslaught of cyber threats (moles) and doing your best to swat these away with the resources you have available to you. Building a Threat Intelligence function is expensive, and if you’re only focussed within your own sector then you’re missing valuable insights on relevant threats from other sectors and companies within our national critical infrastructure, which underpins the Australian economy.
Putting things in perspective
Some cyber teams have significantly more resources than others; however, regardless of maturity, most teams are unlikely to have all the resources they need, which means they need to employ what they have as economically as possible. Cyber Threat Intelligence (CTI) is a capability that enables teams to understand cyber adversaries and their techniques so that they can defend against them more effectively and economically.
Financial Services organisations spend millions of dollars a year investing in both technical and human threat intelligence resources, all with the aim of becoming more proactive in understanding the current and future threats to their environments. Other, larger companies may invest in a subset of technical threat intelligence capabilities and if they’re well resourced, a human or two who can attempt to filter and analyse the ‘fire hose’ of information they’re paying for.
For the majority of Australian companies, cyber defences are limited to generic security controls (technical and procedural) based on frameworks like The Essential 8, NIST, ISO 27001, AESCSF and the hope that these will be sufficient to protect against the threats they face.
Work smarter, not harder
The real value of threat intelligence is only realised when timely, relevant and actionable insights are generated from analysed data. The challenge is that the majority of ‘intelligence’ is actually raw information that still needs technical specialists to analyse it before cyber teams assess the risks against their own environments and determine effective mitigation actions.
If we now rewind to why cyber teams need CI-ISAC, the answer lies in their requirement to understand what threats to focus their efforts on, noting the dynamic nature of the threat environment. To be successful, cyber teams need to be focussed on building defensive capabilities, but also ensuring these continue to operate effectively as threats evolve. CI-ISAC does the heavy lifting of understanding, contextualising and articulating relevant threats to Australian entities in non-technical language, enabling members to focus their efforts on addressing their own risks that their business leaders can understand. This obviates the need for them to individually analyse and understand the same threats as everyone else, which simply duplicates effort across the ecosystem.
Getting ahead of future threats
While threat intelligence helps you understand threats, and where to focus your cyber resources, intelligence sharing enables you to build a picture of what’s going on around you that is affecting others. Currently, information sharing mainly takes place in silos (individual sectors), which is good, but misses the opportunity to learn from other sectors by understanding the cyber incidents they’re experiencing.
Australia’s largest companies are already doing this – for example, when Medibank, Optus, Latitude or DP World incidents hit the news, their threat intelligence teams mobilise to gather information on the attack, and feed the analysis into their cyber defence teams with the aim of ensuring the same type of incident would not bypass their security controls.
Enabling a trusted ecosystem to facilitate the sharing of cyber threat intelligence from across all Australian CI sectors and conducting intelligence analysis centrally is critical in making Australia one of the most cyber secure nations in the world. This is a fundamental aspect of CI-ISAC; one that enables members to focus their cyber teams on assessing the risk to their environments and initiating effective response activities. A single, joined-up approach removes silos, and analysing member-shared intelligence centrally removes duplication of effort. Larger, more mature members lead the sharing of cyber threat intelligence, enabling CI-ISAC to learn from the mature end of town to benefit all members, regardless of size. In essence, this is all about deriving synergy from an integrated and unified effort.
Conclusion:
Cyber criminals have evolved their operating models to form specialist task forces based on skillsets: initial access brokers break in and establish a foothold within networks, which is then handed off to hackers specialised in spreading across networks and elevating privileges. A third team may then analyse and exfiltrate sensitive data for future extortion, before encrypting assets. This is an over-simplified example, but cyber criminals have improved their effectiveness by moving away from generalist approaches to co-operating and expanding their options when attacking targets.
Defenders need to adopt a similar approach, specifically in relation to cyber defences. Threat Intelligence is key here as it represents an ability to focus resources and teams on threats to an organisation. If employed correctly, this can save time, effort and money, but most importantly, threat intelligence enables more effective risk management and more effective mitigation. Teams gain actionable information to assess threats against their own environments, and obtain recommendations to uplift their security controls and other measures, which is at the heart of CI-ISAC’s contextualised CTI sharing.
Leveraging CI-ISAC empowers your cyber teams with a holistic understanding of threats to your national assets, informed through local CTI sharing that also includes global perspectives.
Originally published on LinkedIn, 12th December 2023



