CSO Perspectives (Pro) 6.6.22
Ep 79 | 6.6.22

Intelligence sharing: A Rick the Toolman episode.

Transcript

Rick Howard: In the classic J.R.R. Tolkien novel "The Fellowship of the Ring," Gandalf the Grey, after months of research and analysis, made a discovery. He realized that the Bilbo Baggins magic invisibility ring - the one that Bilbo used to trick Gollum into showing him the way out of the caves underneath the Misty Mountains back in "The Hobbit" - is, in reality, the One Ring to rule them all.

(SOUNDBITE OF FILM, "THE LORD OF THE RINGS: THE FELLOWSHIP OF THE RING") 

Ian Mckellen: (As Gandalf) In the common tongue, it says, one ring to rule them all, one ring to find them, one ring to bring them all and, in the darkness, bind them. This is the one ring. 

Rick Howard: This is the singular weapon that the big bad guy Sauron could use to defeat Middle-earth... 

(SOUNDBITE OF ARCHIVED RECORDING) 

Tim Allen: Oh, no. 

Rick Howard: ...But if destroyed by the good guys could take Sauron off the board. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Tim Allen: Oh, yeah (laughter). 

Rick Howard: This makes Gandalf the Grey, by the way, the first intelligence analyst ever portrayed in a fantasy novel. I'm just saying. Gandalf and his elf friend Wizard Elrond make the extraordinary decision to share that intelligence with a loose group of frenemies - select members of the White Council, various elf clans, hobbits, dwarves and men. And this group represents a set of competing interests. The participating members don't hate each other per se, but also don't invite each other to dinner parties either. Let's just say that they agree to disagree on most things. But in this one thing, this singular, monumental task - the destruction of Sauron - their interests are completely aligned. It makes total sense to share that key piece of intelligence to facilitate working together in order to accomplish it. 

Rick Howard: And that, my friends, is the perfect analogy to the current state of cybersecurity intelligence sharing today. Even if we compete in the business world on all things, we can come together and cooperate to defeat a common threat. In the business world, for example, a set of banks ruthlessly battle against each other in the marketplace. But criminals engaged in cybercrime and cyberfraud don't just impact a single victim bank. When they are successful, they impact the entire industry. It causes customers to lose faith in the system, to be afraid of it, to not spend their money in it. The same is true for nation-states trying to ruin or degrade their enemies by attacking the country's financial system. Those attacks don't just hurt the victim bank and the financial sector, it reverberates across the entire nation. It makes people start to distrust the entire banking system. That's why it makes total sense for the banking community and the government to share cyberthreat intelligence with each other so that they can work together to defeat this common-to-all enemy. 

Rick Howard: Now, all of that sounds great when you say it fast, but there is friction in the system. Just because we all agree that there is a common threat doesn't negate the trust issues we have with our frenemies. It's tough to hold these loose intelligence-sharing alliances together or make them useful. Even the Fellowship of the Ring in the Tolkien story disbanded at the end of the first book because of trust issues. The question then is, what is working today in cyberthreat intelligence sharing, what is the current state and what are the next steps in making the system more useful? It's time to break out the Rick-the-Toolman toolbox and look under the hood. 

Rick Howard: My name is Rick Howard, and I am broadcasting from the CyberWire's Secret Sanctum Sanctorum Studios, located underwater, somewhere along the Patapsco River near Baltimore Harbor. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: At around 8:30 p.m. on November the 2, 1988, a 23-year-old Cornell University graduate student named Robert Tappan Morris released the Morris worm. Here's a clip from a 2019 documentary called "The World's First Cyber Crime: The Morris Worm." 

(SOUNDBITE OF DOCUMENTARY, "THE WORLD'S FIRST CYBER CRIME: THE MORRIS WORM") 

Fahmida Rashid: There was weird log messages showing up in their sendmail log that computers slowed down. 

Lacey: On Wednesday, November 2, 1988, internet-connected computers began to fail across the country. 

Fahmida Rashid: Once it launched, it kind of goes on and on - university, the military, defense. They were all suddenly saying, wait a minute. I can't check my email because my computer can't do anything else. 

John Markoff: There was alarm because we didn't know what was going on. There was some concern that this might be some kind of a military attack on the United States. 

Fahmida Rashid: And it just got to the point where administrators were like, we have to shut down these computer. 

Spencer Michels: Surviving on soft drinks and junk food, they battled the virus through the night of November 2 and into the next day. 

Phil Lapsley: It was sort of a bunker mentality, in that you were sitting here and very much felt like you were under attack. To some degree, we were kind of scared because we didn't know. In the next five minutes, it could suddenly turn nasty and start removing users' files. 

John Markoff: The internet had just been created the previous year, and so nobody really knew what it was. 

Lacey: By the weekend, the worst of it had passed. 

Fahmida Rashid: Berkeley was able to release a patch within 24 hours. 

Lacey: But people were scared. 

Fahmida Rashid: The GAO had estimates of anywhere between a hundred thousand to a million dollars in damages. 

John Schoch: They apparently got surprised at how quickly it spread. 

Marc Weber: I think some of the surprise was how big the internet had gotten. Wow, there are machines connected to the internet everywhere. 

Rick Howard: According to the FBI, within 24 hours, 10% of the existing 60,000 internet-facing computers at the time became incapacitated. The Morris worm marked the first global use of a destructive internet worm, and it was clear that nobody had anticipated that bad guys would use the entire internet for malicious purposes. Impacted administrators were mostly on their own to deal with the problem because no formal relationships had been established yet to deal with incident response at this scale. And they couldn't communicate anyway because their internet connection was down. 

(SOUNDBITE OF DIAL-UP INTERNET CONNECTING) 

Rick Howard: This was the shot heard round the world. In the aftermath, DARPA - the Defense Advanced Research Projects Agency - a science and technology organization of the U.S. Department of Defense, sponsored Carnegie Mellon University to establish the initial CERT/CC, or Computer Emergency Response Team Coordination Center, in 1988 to orchestrate and share information regarding incident response for global events. And the idea of CERT started to catch on. They became so popular that by 1990, the first organization was founded to coordinate incident response and security teams from every country across the world. 

Rick Howard: According to Rich Pethia, the very first CERT/CC director at Carnegie Mellon, one of his missions was to help the military services build their own CERTs, which they did. The U.S. Air Force established the AFCERT - Air Force Computer Emergency Response Team - in 1993. The other services followed suit soon thereafter. By 1998, the military CERTs contributed to the eventual stand up of the Joint Task Force Computer Network Defense, or JTF-CND. By the late 1990s, though, many security practitioners began realizing they needed a more robust information sharing framework, something that was bigger than just responding to global incidents like the Morris worm. Y2K was approaching, and it represented another global existential threat, not only to the internet but to business computing in general. 

Rick Howard: According to Investopedia, Y2K or Year 2000 referred to the anticipated, quote, "widespread computer programming shortcut that was expected to cause extensive havoc as the year changed from 1999 to 2000," end quote. COBOL programmers in the early days used only two digits to represent dates, not four. And IT experts expected that millions of lines of business logic code would break on the new year, essentially turning the clock back from 1999 to 1900. In anticipation of Y2K and other factors, like the Solar Sunrise attacks earlier in the year, where hackers targeted a number of Department of Defense networks, the military gave it the cool codename of Solar Sunrise and originally attributed the attack to Iraq. But it turned out to be two high school students from Cloverdale, Calif. Who knew? 

Rick Howard: Still, the attacks validated the findings of a red-teaming exercise conducted the year before called eligible receiver. The Department of Defense Networks had huge gaping holes. So U.S. President Clinton established the ISAC system - the Information Sharing and Analysis Center Framework - when he signed Presidential Decision Directive 63 on May 22, 1998. He aligned the ISAC specifically around designated critical infrastructure sectors and intentionally didn't mandate specific requirements in order to encourage innovative information sharing approaches. Out of all the ISACs that formed in those first years, the FS-ISAC - the financial sector ISAC - emerged as the most organized and most resourced in the next decade. Leadership from across the banking sector lended their big thinkers and doers to the project. 

Denise Anderson: I am Denise Anderson. I am president and CEO of the Health Information Sharing and Analysis Center, or Health-ISAC. And I have been here since July of 2015. 

Rick Howard: Today, Denise is in charge of the Health-ISAC. But back in the day, she was employee No. 2 at the FS-ISAC after the organization hired its first CEO, Bill Nelson. Bill hired Denise as a kind of COO to corral all the cats. 

Denise Anderson: Bill Nelson, who was president at the time, liked that fact that I was a volunteer firefighter, EMT and instructor at the Fairfax Fire Academy. 

Rick Howard: Yeah. 

Denise Anderson: So he liked my emergency management experience, and that's one of the reasons he hired me. But I was hired to do pretty much all the administrative tasks of getting members on board, running our conferences, creating services for the members. 

Rick Howard: According to Denise, the success of the FS-ISAC depended on visionary leaders who believed in the concept of information sharing and insisted that their organizations contribute, and they let everybody know when they did. 

Denise Anderson: While we were doing some information sharing, we weren't doing the level of information sharing that the ISAC now experiences today. And there were a lot of reasons for that. First of all, there were a lot of concerns about sharing with attribution. One of the first things we did was we had the platform where people could submit their sharing information anonymously through the ISAC, and then that made them feel a little bit more comfortable about sharing, and so they did that. What was really amazing was that it wasn't until we started sharing with attribution that the sharing really took off. 

Rick Howard: People like Byron Collie, working for Wells Fargo at the time and later Goldman Sachs; Jason Healey and Phil Venables, both at Goldman Sachs; Mark Clancy and Gary Owen, both at Citigroup, led by example and insisted that their organizations share intelligence with the FS-ISAC membership and took credit for it when they did. 

Rick Howard: I know how important leadership by example is in this regard. I helped found the Cyber Threat Alliance back in 2012, the first information sharing and analysis organization, or ISAO, for security vendors. More on ISAOs in a bit. But one of the guiding principles of the Cyber Threat Alliance was that every member had to share intelligence every day, and we kept track of how much. The mandate I gave to my team at Palo Alto Networks was that we would always be the No. 1 contributor at the end of the day. When I got the daily numbers report each day, I would publicly make fun of the other alliance members for being contributing slackers. The next day, they would be atop the leaderboard making fun of me. That's how we showed trust in the system with each other. 

Rick Howard: Errol Weiss today is the chief security officer for the Health-ISAC and works for Denise. But back then, he was also part of the original group that stood up the FS-ISAC. He worked for SAIC at the time, running the contracted SOC for the FS-ISAC. 

Errol Weiss: I was actually at one of the government contractors, SAIC, and I was doing just commercial work there. We were a small team that was doing information security consulting for banks and insurance companies and manufacturing companies and pharma back in the early days. When that presidential decision directive came out, it motivated the banking and finance sector to huddle together and try to figure out what they were going to do. The way I remember it is they basically approached SAIC and asked if they would be interested in helping to create and run that first ISAC, the Financial Services-ISAC. So I was on the team at SAIC that was responsible for building it. I'm actually one of the four patent holders. We got - we filed a patent for information sharing. We went operational on October 1, 1999. I was sitting in the U.S. Treasury's conference room the day that that was announced, and we went live that day. We were really the operational arm that fielded and deployed it, everything from that to member recruiting, we - the team was running everything. You know, the model changed a few years later where ISACs became their own legal entity, and then maybe some of them, like financial services, contracted out for some of the SOC services. But in the beginning, we were doing everything. 

Rick Howard: And to prove the point that the infosec community is a small place, SAIC vacated the SOC contract in 2006 to be filled by Verisign/iDefense, an organization that I was just hired to run. Errol and I just missed working together at iDefense by inches. That said, Errol went on to work for Mark Clancy and Gary Owen at Citigroup and followed their lead about building trust with the FS-ISAC members. Even with Citigroup, Goldman Sachs and Wells Fargo leading by example, establishing trust between FS-ISAC members was a difficult task. According to both Denise and Errol, one of the key innovations that helped was the formalization of the Traffic Light Protocol. 

Rick Howard: The National Infrastructure Security Coordination Center in the U.K., now called the Center for the Protection of National Infrastructure, CPNI, developed the Traffic Light Protocol, or TLP for short, as a method for labeling and handling shared sensitive information. Bill Nelson and Byron Collie attended a meeting in London at MI5, heard about the protocol and brought it back to the FS-ISAC. According to Eric Luiijf and Allard Kernkam in a paper titled, "Sharing Cybersecurity Information Good Practice Stemming from the Dutch Public-Private-Participation Approach," TLP provides a simple method for labeling and handling shared sensitive information. Quote, "one of the key principles of the TLP is that whoever contributes sensitive information also establishes if and how widely the information can be circulated. The originator of the information can label the information with one of four colors," red, restricted to a need-to-know subset of the group; amber, adding additional members who need to take action; green, everybody in the group; and white, or public information. Here's Denise. 

Denise Anderson: So basically, when we put those markers out and people could say, OK, I want to share this as TLP amber, for example, it made them feel a little bit more comfortable, but it also - with the attribution, they could see who was sharing. And that actually built a relationship, and sharing is all about relationships. And so people started to build that trust with each other, knowing, hey, Joe is sharing with me, so I want to share back with him because he really helped me out. And that's kind of how it all started. And it just really, really took off with the attribution, and I found that very interesting. 

Denise Anderson: We went through a whole process of what the Traffic Light Protocol would look like and what it would mean. The board of FS-ISAC was very supportive and very instrumental in helping make sure - it was kind of a little bit of a tedious process, believe it or not, to make sure that everything was marked with the TLP, every communication, so that people started seeing it and then it became rote. That was huge. But then the CERT community actually copied us. So FS-ISAC really put the branding on it, and then DHS and US-CERT, I think, were the first to kind of really take it from there. And then FIRST adopted as well. And so FS-ISAC doesn't get the credit for that, but they really were the ones who kind of made that happen. 

Errol Weiss: The whole idea about establishing what TLP red, amber, green and white, what that meant and the whole information classification protocol and how that would work. And so Byron and Bill Nelson brought that to FS-ISAC in 2006. That was one of the definite factors that enabled better information sharing because now people would know that if I shared something, it would be protected at what - at the level that the originator designated, and then people who received it would know what to do with it and what they could do with it in terms of sharing more broadly or not. So that really helped quite a bit. 

Rick Howard: According to Denise and Errol, Jim Routh, the CISO at the Depository Trust and Clearing Corporation at the time, was instrumental in formalizing the FS-ISAC Traffic Light Protocol. That meant that every communication between members through the FS-ISAC portal had to be labeled with the proper color. By doing so, every FS-ISAC member felt less anxiety about sharing intelligence with the group because they all saw that there were formalized processes for handling sensitive information. According to Denise, with the success of the TLP, the FIRST organization, the coordinator for all CERTs internationally, picked up the best practice for their incident response missions. Today, TLP is a standard best practice for most sharing organizations. And according to Errol, at this point, all ISACs were sharing information on cyber incident response events, best practices around combating existential threats like Y2K, and general best practices for what everybody else was doing in the space. 

Rick Howard: With the formalized procedures in place to share intelligence with other members - the how - the next question was, what? What are they going to share? In other words, what was going to be the reason that members joined the FS-ISAC in the first place? According to Denise and Errol, Jason Healey and Byron Collie established the foundational FS-ISAC threat intel committee in the early 2000s, a convergence of threat intelligence and SOC operations. This influential group provided the value that all FS-ISAC members wanted with an information-sharing group. Byron, after many years of working on the front lines of the FS-ISAC, has stepped back to an advisory role these days. And today, he is an executive director at JPMorgan Chase. Here's Byron talking about his fortuitous meeting in the early days with Jason Healey. 

Byron Collie: Jay was at Goldman back in 2001. And so I went to our first FS-ISAC members meeting, and I didn't know Jay was going to be there. And I ran into Jay, who I'd known from some of my military work back from Australia when he was with the Air Force over here. Jay was running an initiative around cyberthreat intel. I was running an initiative around security operations and threat detection - what you would call hunting today. And we decided that, like, there was enough overlap between what we're looking at that we could combine the two groups. So that's actually what led to the formation of the threat intelligence committee of the FS-ISAC that Jay and I - Jay, who was at Goldman - Jay and I ended up co-chairing the threat intel committee. And so that became, you know, a really kind of foundational group for the FS-ISAC. 

Rick Howard: The U.S. Congress passed the Intelligence Reform and Terrorism Prevention Act in 2004 to provide regional situational awareness and analysis, including cyber, at both the state and city levels. The nexus for that activity in each location is called a fusion center. According to the Florida Department of Law Enforcement this year, in 2022, quote, "Fusion centers were established following the terrorist attacks of 9/11 to connect the dots between critical information housed in different agencies and share information and intelligence to aid in protecting communities," end quote. As of this writing, 79 fusion centers have been established in the U.S. 

Rick Howard: Arguably, the FBI founded the first Information Sharing and Analysis Organization, an ISAO, in 1996, although the community wouldn't have a name for it until two decades later. They called it the InfraGard National Members Alliance, or InfraGard National, and designed it to facilitate information sharing between law enforcement and the private sector. InfraGard isn't a CERT, although it does some of the things a CERT does, and it isn't an ISAC because it doesn't serve as one of the U.S. government's critical infrastructure sectors. It's a different thing. The FBI was way ahead of its time in establishing InfraGard by realizing that other communities of like-minded people might want to share intelligence on their communal set of existential threats - in this case, cybercrime. 

Rick Howard: In 2015, U.S. President Obama signed Executive Order 13691, establishing the Information Sharing and Analysis Organization framework that made it legal to share information about cybersecurity incidents without fear of prosecution. ISAOs are sector-agnostic and can be any group of like-minded organizations, like the Cyber Threat Alliance. The Executive Order also established a funding path for an ISAO standards organization. I actually worked as the co-chair to the Security and Privacy Committee that helped get it started back in the day. As of this writing, there are just over 90 ISAOs officially registered with the ISAO standards body. 

Rick Howard: According to Bruce Bakis and Edward Wang over at The MITRE Corporation, the Department of Homeland Security, DHS, is the epicenter of the U.S. cyber information-sharing ecosystem. In 2018, U.S. President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act, which, as you might guess, established the Cybersecurity and Infrastructure Security Agency, CISA, inside of DHS. According to the department's official website, CISA coordinates cybersecurity defense for the federal government, acts as the incident response executive arm for the national cyber defense and owns the responsibility of intelligence sharing. The National Cybersecurity and Communications Integration Center, the NCCIC, and the United States Computer Emergency Response Team, the US-CERT, both work for CISA. CISA manages four formal information-sharing programs, one at the senior leadership level, the Joint Cyber Defense Collaborative or JCDC and three at the operator level. No. 1... 

(SOUNDBITE OF ARCHIVED RECORDING) 

Paul Winchell: (As Mr. Owl) One. 

Rick Howard: ...The JCDC. It was established in August 2021 to enhance collaboration with the private sector, one of the six pillars of the Cyberspace Solarium Commission. The members are a group of public and private sector organizations, as well as federal, state, local, tribal and territorial government entities. The cool kids call these folks SLTTs for short because, you know, government acronyms. It is designed to bring senior leaders from the government and the commercial sector together to collaborate on global issues. Their first success story was how the group responded to the Log4j crisis in 2021 and 2022. No. 2... 

(SOUNDBITE OF ARCHIVED RECORDING) 

Paul Winchell: (As Mr. Owl) Two. 

Rick Howard: The Enhanced Cybersecurity Services, or ECS. It initially was intended for communication service providers. President Obama's Executive Order 13636 in 2013 expanded the service to the 16 critical infrastructure sectors and to their corresponding customer bases. In this program, DHS shares sensitive and classified cyberthreat information with accredited organizations through some automated means. No. 3... 

(SOUNDBITE OF ARCHIVED RECORDING) 

Paul Winchell: (As Mr. Owl) Three. 

Rick Howard: The Cyber Information Sharing and Collaboration Program or CISCP. DHS shares unclassified information in this program through trusted public-private partnerships across all critical infrastructure sectors. And finally, No. 4... 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Person: Four. 

Rick Howard: The DHS Automated Indicator Sharing program, or AIS. It provides unclassified, again, bidirectional, machine-to-machine sharing of cyberthreat indicators between the NCCIC and the private sector, ISACs, ISAOs, the public sector and international partners and companies. All four of these government programs are great mechanisms to share and collaborate on threat intelligence between the U.S. government and the private sector. The criticism of these programs is that the intelligence that is shared by the government hasn't been that useful and is mostly manual. For example, the AIS program automated the process with STIX and TAXII. But the quality of the intelligence was so low from the government side that most commercial organizations don't bother with it. Another example - the JCDC is a collection of high-end security and cloud providers - like AWS, Cisco, CrowdStrike, Microsoft and Palo Alto Networks - as of this writing, 21 in all. But the information-sharing mechanisms are Zoom calls and email. There has to be a better way. 

Rick Howard: The bulk of information sharing even today centers around identifying new tactical threats like zero-day vulnerabilities and exploits, new malware and other kinds of ephemeral indicators of compromise or IOCs, like bad IP addresses. These are not useless, per se, but they are endless, likely have no bearing on what our cyber-adversaries are actually using. Or the adversaries change them so often that blocking them is not helpful. For example, according to Barclay Ballard at TechRadar last year, 2021, out of the 18,000+ vulnerabilities discovered in 2019, only 473, quote, "were exploited in a way that was likely to impact business," end quote. For the math-challenged out there, that's only 3%. If the primary purpose of our infosec program is to patch vulnerabilities as they were discovered, all 18,000 of them, we might be wasting resources on stuff that doesn't matter. The cybersecurity community started rethinking that idea starting in 2010 with the Lockheed Martin kill chain paper. The researchers realized that adversaries have to string a bunch of actions together in order to be successful. If we can break the chain, the kill chain, anywhere along that sequence, we could defeat the adversary. In other words, we should be designing defenses to defeat the adversaries' objectives, not stop every potential malicious tool that pops up. The intelligence we should be sharing with each other is the attack sequence for all known adversary groups. 

Rick Howard: In 2011, the Department of Defense published their Diamond Model paper that outlined adversary activity events as relationship pairs to each phase of the kill chain across four elements - adversaries, capability, infrastructure and victims. This gave intelligence analysts a roadmap for what they should be collecting intelligence on. Finally, in 2013, MITRE rolled out the first version of the attack framework, standardizing the language we all use to describe adversary behavior, but also publishing a free-to-use, open-source collection of all known nation state adversary playbooks. In other words, they published the tactics, techniques and procedures for the known nation state actors like Fancy Bear and Sandworm and a host of others, all across the intrusion kill chain. All we have to do now is start sharing intelligence with that in mind. As a community, though, we were slow to respond and adapt to this new paradigm. We continued to simply share IOCs because that's easier to do. That started to change in 2018. The FBI indicted the Russian military personnel responsible for the hacks against Secretary Clinton, the Democratic National Committee - or DNC - and the Democratic Congressional Campaign Committee, the DCCC, in 2016. In the indictment, in an unprecedented release of government intelligence, the FBI laid out the complete set of tactics, techniques and procedures across the intrusion kill chain that the main intelligence directorate of the Russian General Staff, the GRU, used in the attacks. That's progress. 

Rick Howard: In February 2022, two days after Russia began its military invasion of Ukraine, CISA released its first shields-up warning for U.S.-based organizations. Here's Jen Easterly, the director of CISA, getting interviewed by the CBS News program "60 Minutes" immediately after. 

(SOUNDBITE OF TV SHOW, "60 MINUTES") 

Jen Easterly: We are seeing evolving intelligence about Russian planning for potential attacks, and we have to assume that there's going to be a breach. There's going to be an incident. There's going to be an attack. 

Bill Whitaker: Jen Easterly is director of the Cybersecurity and Infrastructure Security Agency. Known by its acronym, CISA, the agency helped secure computer networks in 16 sectors deemed vital to national security, like energy, finance and communications. 

Jen Easterly: Anything that can impact critical infrastructure. 

Bill Whitaker: When you've got someone like Vladimir Putin, who just doesn't seem to care about norms, how do you protect against that? 

Jen Easterly: I think we are dealing with a very dangerous, very sophisticated, very well-resourced cyber actor. And that's why we've been telling everybody, consistently, shields up. What does that mean? It means assume there will be disruptive cyber activity, and make sure you are prepared for it. 

Rick Howard: In March, in another unprecedented release of government intelligence, CISA released the entire Russian adversary playbook, everything the Russians have done in cyberspace to the U.S. and international energy sector from 2011 to 2018 across the intrusion kill chain using the MITRE ATT&CK framework model. And in May, they updated the Russian playbook with new intelligence regarding multifactor authentication protocols. This is the kind of intelligence we need to share. As of today, June 2022, the MITRE ATT&CK framework tracks some 150 nation-state actor groups. Microsoft, last year, said that they track about a hundred different cybercrime groups. 

Rick Howard: Imagine if we as a community could automatically keep both databases up to date in real time by collecting Diamond Model level of intelligence across each phase of the intrusion kill chain. Once established, each organization, like the CyberWire, could automatically download updates to each new tactic, technique and procedure discovered and automatically deploy prevention and detection controls to whatever we have deployed in our own security stack. The U.S. government would automatically share new adversary playbook intelligence with the JCDC, the ISACs, the ISAOs and the fusion centers through their various information sharing programs. Now, to be fair, we have made progress in automating the sharing of this kind of intelligence, but it's mostly IOCs, and those aren't that helpful. Here's Errol. 

Errol Weiss: I would say that STIX and TAXII have been around for a long time, and I was actually really impressed when I got to help ISAC with how much automated indicator sharing was happening within the health sector when I got here. And today we've got roughly half of our member organizations that are actively using our automated indicator solution, and I'm, you know, really thrilled with that. To me, that's the basic level of sharing that everybody should have and take advantage of today in order to, you know, know what adversary issues are - what IP addresses, for example, they ought to be blocking or looking for in their environment to see if they've ever been, you know, recently attacked by them or not. But as we know - right? - it's the easiest part of the chain for the adversary to change, and they can come from different addresses or whatnot. So we ought to be kind of, you know, working on sharing the TTPs, the behaviors at some point. So for me, I see that kind of as the future of ISAC sharing. 

Denise Anderson: You know, you were mentioning the next big thing, and we're certainly - ironically, through the National Council of ISACs we do share with each other, but we don't do it as robustly as we should. And so that's one big project that we're working on. And actually, Errol has been pretty instrumental in trying to make that happen, where we're all sharing automated indicators through, ideally, one platform. 

Rick Howard: According to both Denise and Errol, automating the sharing of known adversary groups' tactics, techniques and procedures is the thing we have to get done. This kind of automation is the next big thing and something we all should be striving for. That would be nirvana. 

Rick Howard: And that's a wrap. One last thing - I wrote a companion essay for this show, as I do for all shows, but at the end of this one is a small timeline of the history and evolution of information sharing. You can find the link to it in the show notes. 

Rick Howard: This week, the CyberWire staff is traveling to San Francisco in our annual pilgrimage to the RSA Conference. If you are joining us, come by the press pavilion and say hello. We'd love to see you. Also, the cybersecurity canon committee will be out in force. We will be performing concierge duty at the RSA Bookstore Tuesday through Thursday from 2 p.m. to 3 p.m. So if you're looking for recommendations on what to read next, stop by the bookstore, and one of us will guide you. My day is Wednesday, and I would love to see you, so please stop by. 

Rick Howard: Next week on "CSO Perspectives," we're doing the next cyber sand table exercise, this time on the Colonial Pipeline attacks of 2019. You don't want to miss that. And as always, if you have thoughts about this week's show or any thoughts in general, send them to csop@thecyberwire.com. That's C-S-O-P - the @ sign - thecyberwire - all one word - dot com. 

Rick Howard: The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the fabulously talented Tre Hester this week, standing in for Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.