If you were able to detect an attacker before they made their malicious effort, would that be a practical way to defend your network and perimeter?
The concept, according to Anomali CEO Hugh Njemanze, is similar to that of the No-Fly List, where people are blocked from using air travel in or out of the United States. This is a ‘Cyber No-Fly List’ if you like, but built on the use of shared threat intelligence.
Njemanze told Infosecurity that a Cyber No-Fly List would evaluate events to give enterprises visibility of known security threats, and the intelligence to know in advance who existing and potential foes are, and take proactive steps to stop them from passing through their gates.
He said: “A person can smash a window or pick a lock and that is how they breach you, but it is a powerful technique to be able to figure out who is doing it. The idea of the Cyber No-Fly List and threat intelligence in cybersecurity is to identify not just what the activities are on your network, but identify who is visiting your network and get information to start to make countermeasures and raise alerts and figure out what your mitigations would be.”
He explained that this essentially gives the defender the opportunity to have an early warning on activity that may look benign, but if it is from an actor who has a bad reputation for having an agenda against your company, then the benign activity becomes a concern.
Njemanze used the analogy of a bank robbery. In the days leading up to the incident the perpetrator would look at the layout of the branch; this could be determined to be the activity of any regular citizen, but if they have attempted a robbery in the past and are on a list, the bank can figure out that a robbery attempt will be made.
“So if you have a list with their prior activity, it is less about profiling and more about having a historical record.”
This also fits with the concept of threat intelligence and information sharing, as if you have 100 banks sharing information and then one is breached, they can notify the others to be on lookout for similar behavior or actors. This prevents the element of surprise for the bad actor, and gives the upper hand to the defender.
So how can you determine what is good and bad? Njemanze used the analogy of a house, where you have tools that directly detect an intrusion (like a sensor on a window) so you want to use both types of tools in tandem: know when a window breaks and know who broke it.
“There are tools like intrusion detection that are detecting activity on a network, and firewalls and switches and routers that are sources of information, and if you can detect on the log you can determine what activity is going on.”
He claimed that if an organization were diligent, it would lead to new information being added to the Cyber No-Fly List.
Talking to such a company, Jessica Ferguson, director of information security architecture at Alaska Airlines, said that an information sharing agreement comes down to building a community of trust.
“To take another Cyber No-Fly List analogy: if you look at the TSA, they share information with another national border security team and there is a trust factor that has been built between the different groups, and there may be higher level organizations too like Interpol [with access to that data], so it is similar to us in the airline space as different industries have different ISACs and I share data with the community,” she said.
“When a new thing pops up on the Cyber No-Fly List, if it is high level we may share it with our community. We may also share more detail at a more detailed level with airlines who are classified as defense contractors in the US government, and we provide some info to different government groups and there are protocols set up to anonymize that data.”
Ferguson used drug traffickers as an example, saying they adapt their tactics to smuggle drugs. Therefore a border patrol has to become wise to the change in tactics and adapt how they search.
Njemanze said that threat intelligence is becoming more and more mainstream and a reason why is because there are many information sharing centers in many verticals, and a lot of enterprises belong to one or more of these groups, and it is productive to share information.
Ferguson added: “We look for behavioral indicators, and when I move to contain and mitigate a situation I’ll look at a pattern of behavior. As someone who does remediation, I’ll never know who executed an attack, but the “who is behind it” is only really secondary to containing and mitigating the situation, but I can use that behavioral data to identify classes of groups versus the specific threat actor.”
In the case following the breach of Virgin America in 2017, the airline that Alaska Airlines acquired in 2016, Ferguson said that her team were able to identify the toolkit being used and share that with her peers who could look across their infrastructure to pay attention to that specific toolkit.
“If a threat actor targets a vertical like maritime, as an aviation company I may care but may not pay attention, but if there is a history and a pattern for this group to target all aviation we will put extra emphasis on it,” she said.
“I do think threat intelligence sharing works and I receive intelligence from a different ISAC and other airlines that may prove useful in identifying actors who may be looking at targeting our environment.”
In terms of sharing intelligence with competitors, Ferguson said that Alaska “don’t win if they get breached” as the model is built on trust over time.
As with the official No-Fly List, details of the Cyber No-Fly List would likely remain classified and only visible to members approved to view and use those details, but if it helps defenders stay one step ahead of attackers, then it can only be a good thing.