Sharing computer security threat information is now an established practice in IT. Whether automatically or manually, the primary motivator to pool resources is to improve your own capabilities and those of your peers for responding to security threats and incidents.
Another factor that can significantly improve your ability is sharing knowledge and experiences. As it happens, there are organizations designed explicitly for that: information sharing and analysis centers (ISACs).
What is an ISAC?
The first ISACs were formed in the U.S. in the late 1990s, and many more have been established since then to build and strengthen cooperation between organizations. An ISAC is a central resource for gathering and facilitating the exchange of information on computer security threats, best practices and common approaches between the private and the public sectors.
Additionally, some ISACs offer shared analysis capabilities. They can be seen as trusted entities that connect peers in their sectors and provide them with critical information for dealing with computer security incidents. An extension of ISACs is the information sharing and analysis organization (ISAO), which focuses primarily on protecting shared personal and proprietary information from disclosure.
There are three common types of ISACs:
- Sector-based: These ISACs focus on organizations within the same sector — usually critical or vital sectors — and are mostly facilitated by the sector itself or by the government.
- Country-based: These ISACs focus on cooperation and collaboration within a specific country and are most often governed by a computer security incident response team (CSIRT).
- International: These ISACs connect key persons for computer security from organizations across national borders.
It’s important to note that an ISAC can focus on one specific sector and also be internationally oriented. An excellent example of this setup is the European FI-ISAC for financial institutions.
The National Council of ISACs provides an overview of the different sector-based ISACs in the U.S., including the financial services sector (FS-ISAC), information technology sector (IT-ISAC), water and wastewater utility management sector (WaterISAC) and oil and natural gas sector (ONG-ISAC). The European Union Agency for Network and Information Security (ENISA) provides an overview of ISACs across sectors in the E.U., including the energy sector (EE-ISAC), financial institutions sector (FI-ISAC) and aviation sector (ECCSA).
The initiative to create an ISAC can come from the government or from private partners within the same sector. In the latter case, the government can sometimes play the role of a facilitator.
You don’t have to wait for others to establish ISACs. If you feel there’s a strong need for more collaboration with your sector peers, then you should reach out to them. You can ask your national CSIRT or cyber-competence center for support or rely on existing resources from ENISA.
Joining an ISAC comes at a cost: It requires either financial or human resources from your organization. This means there must be a strong motivation to join an existing group or to potentially lead the establishment of a new one.
There are a few fundamental driving forces to join or establish one:
- Share knowledge about incidents and threats: Information sharing helps you to raise awareness among your constituency, fine-tune your detection techniques and improve your capabilities for responding to incidents.
- Increase your maturity level: By having access to shared experiences from your peers and understanding which approaches work or fail, you can improve your own security maturity level more quickly. Being part of a group enables you to validate your ideas and experiences with other organizations within the same sector.
- Network and develop contacts: Especially in the case of larger incidents, it is essential to exchange information. Your CSIRT can coordinate this, but some incidents require that you reach out directly to a security counterpart in another organization in the same sector. These meetings would allow you to get to know these people in person.
- Join forces: Not every organization can keep a fully staffed forensic or threat-intelligence team. If the ISAC provides shared analysis capabilities, members can benefit without having to build these capabilities on their own.
An essential factor for successful ISACs is equal participation from all members. This means that you cannot (or shouldn’t) join if you aren’t willing (or allowed) to actively contribute. This also requires that you have some form of support (or mandate) from your organizational management to discuss the security incidents your organization has experienced.
Note that the shared information is almost always subject to the Traffic Light Protocol (TLP). This is a set of designations, indicated by four colors, that are used to ensure that sensitive information is only shared with the appropriate audience.
There are some key elements that you need in order to start an ISAC or to ensure that an existing one remains fully operational.
The core element of successful ISACs is trust. If the members of the group don’t trust each other, then it will be challenging to exchange sensitive information on security incidents.
Besides the more formal aspects of development within ISACs, it’s important that participants get to know each other. This bonding can happen during meetings — but don’t underestimate the power of organizing social events or joint workshops. Building trust is sometimes more easily accomplished in a less formal environment.
Attendance and Committed Resources
Success will be a challenge if the composition of the group is imbalanced between technical, management and non-IT people. You can only participate and interact with other members if the topics discussed are of interest to you.
Before joining, make sure you know the expected level of attendance. Some groups also provide individual tracks for different target audiences.
Governance and Collaboration Models
Bringing together a group of people and providing the right services requires some form of governance. The exact model will be dependent on the size of the group, the focus of its members and its objectives.
One way to govern is making use of a secretariat. The secretariat is ideally a permanent body and can be an external or a government organization. Having a secretariat ensures that members can focus on the content — and not on the administrative part of running the group. The secretariat will often play the role of the facilitator by arranging meetings and preparing the agenda.
A volunteer-run ISAC can, in some cases, be more flexible, but special care must be taken to ensure that the tasks are performed equally by all participants and not by a limited number of participants.
Terms of Reference
Regardless of the collaboration model’s structure or flexibility, it’s necessary that all members have a solid understanding of the common rules for participation and working procedures of the group.
A document formally approved by the group members, such as a terms of reference, can describe these rules and provide guidance on the collaboration. This document should also outline how new members can be introduced or vetted and explain how the group can review the membership of existing participants.
Joining comes at a cost for your organization, but further funding will be needed to organize meetings and workshops and provide documentation. Similarly, as with the governance model, the funding will depend on the type of group.
The funding may come from voluntary contributions or mandatory fees, but you can also request support from governments. Private sponsoring or imbalanced mandatory fee models (e.g., gold, silver and bronze membership tiers) should be avoided.
The tooling that ISACs will probably use the most is email and teleconference infrastructure. Once the group is more established, it can also make use of additional programs for collaboration and threat sharing, such as a Threat Information Platform (TIP) like MISP. Due to the nature of the information being exchanged, it’s important that the participants honor the TLP codes and apply email encryption, such as Pretty Good Privacy (PGP), when necessary.
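As an added example (not code from the article or from MISP), the following Python gate shows how a member could apply the TLP designations mentioned above before redistributing a report received from the ISAC: it reads a MISP-style `tlp:` tag or subject marking, filters a candidate recipient list according to the colour, and flags whether the mail should be PGP-encrypted. The sharing rules, the "unmarked means RED" default and the "encrypt everything except WHITE" policy are assumptions chosen for this example, and all names and addresses are constructed.

```python
"""TLP gate for redistributing an ISAC report (illustrative, assumed policy).

Assumed rules: RED stays with the originally named recipients, AMBER may go
to colleagues inside the holder's own organization, GREEN to anyone in the
holder's ISAC community, WHITE to anyone. Anything but WHITE is encrypted.
"""
from dataclasses import dataclass
from enum import IntEnum
import re

class TLP(IntEnum):
    RED = 0
    AMBER = 1
    GREEN = 2
    WHITE = 3

# Matches "TLP:AMBER" in a subject line or "tlp:amber" as a MISP-style tag.
TLP_TAG = re.compile(r"tlp:(red|amber|green|white)", re.IGNORECASE)

@dataclass(frozen=True)
class Contact:
    email: str
    org: str
    community: str  # the sector ISAC the contact belongs to, e.g. "fi-isac"

def parse_tlp(marking: str) -> TLP:
    """Return the TLP level found in a subject or tag; unmarked text is treated as RED."""
    m = TLP_TAG.search(marking)
    return TLP[m.group(1).upper()] if m else TLP.RED

def may_forward(level: TLP, holder: Contact, named: set, target: Contact) -> bool:
    """Decide whether `holder` may pass a report marked `level` on to `target`."""
    if level == TLP.RED:
        return target.email in named
    if level == TLP.AMBER:
        return target.org == holder.org or target.email in named
    if level == TLP.GREEN:
        return target.community == holder.community or target.org == holder.org
    return True  # WHITE: no restriction

def requires_encryption(level: TLP) -> bool:
    """Assumed policy: everything except TLP:WHITE goes out PGP-encrypted."""
    return level != TLP.WHITE

def distribution(marking: str, holder: Contact, named: set, candidates: list):
    """Filter candidates to the allowed recipients and report whether to encrypt."""
    level = parse_tlp(marking)
    allowed = [c.email for c in candidates if may_forward(level, holder, named, c)]
    return level, allowed, requires_encryption(level)
```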
Joint Research and Analysis
Besides the sharing of knowledge and experiences, ISACs can also provide joint research and analysis services. A joint research project in which the individual participants solve a problem together greatly improves the level of trust between the members.
Here are some common areas for such projects:
- Sector-targeted malware analysis
- Tuning of intrusion detection rules
- Analysis of malicious campaigns and threat actors
- Organizational approaches for dealing with the Internet of Things (IoT)
Results and Regular Review
It’s important that the group publishes its results, preferably on a regular basis. These publications allow participants to demonstrate value to their management and justify further investment in participation.
These publications can cover the incidents discussed (stripped of confidential information), as well as the results of joint research and analysis.