The Power of Active Collaboration in ISACs, ISAOs and Security Interest Groups

<p>During <a href="https://www.defcon.org/" target="_blank">DefCon 26</a> held in August 2018, on the subject of “Securing our Nation's Election Infrastructure”, Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications from the Department of Homeland Security (DHS) emphasized the need for public and private sector collaboration and the importance of sharing information.  Ms. Manfra stated, “instead of thinking of individual risk and your own part, try to think about enterprise and government as a whole.” Earlier in 2018, the <a href="https://www.enisa.europa.eu/" target="_blank">European Union Agency for Network and Information Security</a> (ENISA), also amplified this message in their most recent <a href="https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017" target="_blank">Threat Landscape Report.</a>  ENISA asserts that, “CTI sharing is key for all kinds of players involved in the creation, dissemination and consumption of threat intelligence.”  These concepts are also embossed by Anomali as part of our company’s core operational strategy where we have undertaken the task of coordinating with, contributing to, and managing the technology used by ISACs, ISAOs and Security Interest Groups (SIGs) to create a trusted information sharing environment that fosters sharing and collaboration amongst the community of interest groups.</p><p>As an Anomali Threat Analysis Center (A-TAC) team, we strongly believe that sharing relevant observables and threat intelligence reports in a timely manner within and across industry verticals is a necessary component in thwarting cyberattacks on a global scale.  An observed challenge amongst information sharing groups is fostering and maintaining participation as well as engendering input from all member participants and organizations. In the spirit of information sharing and improving collaboration amongst all organizations, we have outlined a recent real world example where a financial institution shared intelligence of a phishing campaign targeting their organization allowing community members to detect and block the campaign in its early delivery stage.  This post represents the first in a continuous series of blogs where we highlight the importance and benefits of information sharing while providing guidance on improving our collective security in order to become disruptive agents in the fight against cyberattacks.</p><p><em>Note: All entities involved in this case study have been sanitized to protect the security and privacy of the organizations</em></p><h3><u><strong>Case Study: Phishing Email Attack Collaboration</strong></u></h3><p><strong>The Event</strong></p><p>A bank member of a financial ISAC created and shared a Threat Bulletin within the Anomali Threat Platform detailing a phishing email attack targeting a number of employees within their organization.  In the email, the malicious sender impersonated a partner financial institution using a SWIFT payment-themed message to request payment from the target organization (See Figure 1). The sender attached a weaponized macro-enabled Microsoft Office Excel file which upon opening would request user interaction, triggering the infection chain.  </p><p><img alt="" src="https://cdn.filestackcontent.com/M1eBJrCKScCCSUlY33PE"/></p><p style="text-align: center;"><strong>Figure 1. A sanitized copy of the SWIFT payment-themed phishing email</strong><br/>  </p><p><img alt="" src="https://cdn.filestackcontent.com/ZR4J0nFRNi28rI2MpvWg"/></p><p style="text-align: center;"><strong>Figure 2. Screenshot of the weaponized Microsoft Excel file attachment</strong></p><p style="text-align: center;"><br/> <img alt="" src="https://cdn.filestackcontent.com/HurAnFOR5G1zHr2K4wtf"/><br/> <strong>Figure 3. Low detection ratio of weaponized file attachment on <a href="https://www.virustotal.com/" target="_blank">VirusTotal</a></strong></p><h3><br/> <strong>CTI Analyst Actions</strong></h3><p>Fortunately, the phishing email attempt was blocked by the target organization’s email gateway defense systems.  Upon triaging the email-based attack, the in-house cyber threat intelligence (CTI) analysts gathered and shared all technical indicators and narrative surrounding the phishing attempt with their ISAC member organizations.  The motivator behind the CTI analysts proactively sharing details on the attack were:</p><ul><li>The intended recipients and assumption that other regional Financial Institutions could be targeted in a similar manner;</li><li>Style and craft of message with consideration for susceptibility elsewhere</li><li>The potential impact from the attached payload and limited detection ratio (less than 25%) of the attachment across endpoint protection vendor solutions (See Figure 2)</li></ul><h3><strong>ISAC Community Response</strong></h3><p>Within minutes of publishing the Threat Bulletin, a fellow ISAC member read the report, extracted the indicators of compromise (IOCs), and searched their internal logs to find presence of the phishing emails.  Unbeknownst to them, the ISAC member found the threat actor had targeted their employees working in similar roles with the same message. Unfortunately, this time around, the phishing emails and malicious file attachment were not detected by their email security controls and the weaponized file was mistakenly classified as benign; therefore, causing them to initiate their internal incident response procedures.  With manual intervention, the security personnel were able to recall the phishing email before it reached the intended targets; thereby, neutralizing the threat prior to any potential infection of the host or network. Subsequently, the ISAC member conducted outreach to their email gateway and endpoint security vendors to ensure signature definitions were updated and applied to block future attacks involving this specific malware family.  A tertiary effect of information sharing amongst industry vertical organizations led to an increased detection and protection of cross-sector organizations as the security vendor serves thousands of companies worldwide.</p><p><img alt="" src="https://cdn.filestackcontent.com/pQeROqoSTCFplPfo4Cc2"/></p><p style="text-align: center;"><strong>Figure 4. Five-step Process from a Single Threat Bulletin to Global Immunity</strong></p><p style="text-align: center;"> </p><h3><strong>Conclusion</strong></h3><p>Encouraging and supporting information sharing and collaboration within and across industries is a vital component for security programs worldwide.  Making information on threats discoverable and accessible using the appropriate medium within a timely and secure manner will help minimize the impact and effectiveness of cyberattacks for all organizations.  For organizations not already members of a sector-specific ISAC, ISAO, or SIGs, we implore you to visit the <a href="https://www.anomali.com/isacs-sharing" target="_blank">ISACs sharing page</a> on Anomali’s website and take the first step in joining or building a community powered by Anomali’s flagship product ThreatStream.  If you are already a member of one of these communities, we hope through this and future examples, it will assist with increasing collaboration and information sharing amongst all organizations.</p>