Companies have long sought to balance what information about their vulnerabilities they must keep secret, and what information it would benefit them to share. The names of companies leaked in internal emails from HBGary, which were made public after the attacks last month by Anonymous, may change the calculus used to determine just how much we share.
Nothing in the emails changes anything about the attacks discussed - everyone who needed to know about those attacks already did, from a standpoint of incident response. However, when the activities of a cyber-security company are the target of memorable jokes on the Colbert Report, and the names of customers and hack targets become mainstream news, we have reached a unique opportunity in how companies share intelligence.
To Share, Or Not To Share
Sharing information with those in the industry - competitors, those in unrelated or even overlapping verticals - arguably acts as a force-multiplier of your own internal security resources. Simply put, if you're speaking with those who face similar threats to you, you're more likely to detect patterns of organized attacks, such as those from the advanced, persistent adversaries we're all being marketed about.
On the other hand, announcing your vulnerabilities allows enemies to infer or outright understand elements of your infrastructure which can be described as "core" or "competitive".
And who on earth wants to irritate shareholders and alarm customers with the news that you've been attacked? Who wants to take on bad press - or, conversely, have to spend boatloads of dosh to proactively create new marketing strategies that "pre-act" and react to the now-public information that you have been Pwn3d?
Striking the balance, then, of what to share, is a constant evaluation of these elements. What advantage do you get from sharing, and does that outweigh the damage sharing will cause?
From an information security standpoint, the former reason not to share - that enemies and competitors can suss out what's what in your infrastructure - may be most compelling, but to executives, it's the CNN Moment that causes the most angst. And here's where the breach of HBG email may provide some help that ultimately strengthens us all.
Let's go back to the innocent days of yesteryear, when credit card and Social Security number breaches made front page news. The populace was in a state of panic about identity theft, and CEO after CEO did the walk of shame, explaining to CNN how they'd lost data on hundreds of thousands or millions of their customers' credit cards.
Throughout 2006 and 2007 this happened so frequently that the news moved from the front page to, if we're lucky, a mention on page D27 near the Junior Jumble.
This dynamic was exploited by some diabolically keen-minded marketing folks at Google, when they managed to turn an organized information-stealing attack into a public relations bonanza. "We've been attacked," they said smoothly, "Let's discuss just how, so that more can defend against this kind of thing." Brilliant marketing. But in the process they also managed to de-stigmatize in the public's mind the idea that a trusted supplier has been attacked.
Now lookie here at the HBG emails. When specific names of companies which have been the targets of successful attacks are mentioned in such a widely publicized fashion, those targets naturally get embarrassed. But have a closer look and you see discussion of these targets as victims, trying to do something. This is the stuff of which excellent counter-marketing programs are built.
It also demonstrates in a highly public way what is obvious to anyone in the security industry: everyone is a target. As Jeremiah Grossman recently said, even targets of opportunity can now suddenly find themselves targets of choice - case in point, HBGary.
This has the salubrious effect of making it, well, okay to have been the target of an attack as a company. If everyone's a target, then everyone has a stake in defense. This, I submit, should be considered by CISOs and other C-Level types when considering how they share information about vulnerabilities, breaches and other security incidents - how they share it with competitors, with researchers, with law enforcement.
I have long championed greater transparency and information sharing among security professionals for the purpose of developing intelligence that sees across stovepipes. I understand that few single incidents are sufficient to, forgive me, change paradigms. And I am not saying that the HBG breach is one of them.
What I am saying is that we as security professionals should seize any moment that makes it safer for companies to share. In this case, I submit that public airing helps reduce the stigma of admitting weaknesses we all suffer. Let's ask the folks over at NetWitness or Solera or Niksun or ArcSight or Mandiant or Loggly how many of their customers had no evidence of successful attacks on their networks. Let's look at the excellent and growing Verizon Breach Investigations Report [PDF link] and VERIS project. That there is a need for them stands as testament to the fact that, if you're breached, you're not alone.
A famous security researcher once answered my question about how he avoids being hacked with, "Hell, Nick, I get hacked all the time." He said it as if I were asking a really stupid question, because, in fact, I was.
Admitting that we are all targets; admitting that we've all been hacked; admitting that we all face the same issues, means that we can move from psychological and marketing objections, and look instead to solving or at least addressing the logistical and pragmatic barriers to information and intelligence sharing.
That's time better spent.
Nick Selby is a cyber-crime consultant and a police officer. His new blog and podcast, Police-Led Intelligence, launches later this month.