September 2018 marked the one-year anniversary of the UBF-Tasharuk, an Information Sharing and Analysis Centre (ISAC) formed by the UAE Banks Federation (UBF), the representative body of the banking industry in the United Arab Emirates (UAE), and powered by the Anomali Threat Platform. Initial membership consisted of 13 UAE-based banks partnering to equip internal cyber security teams with timely, relevant, accurate, and complete intelligence that advances the collective’s ability to identify, protect, detect, and respond to cyber-attacks. By establishing the importance and value of seamless collection, sharing, and analysis of threat data and of the thematic trends observed within the UAE banking sector and the global financial industry, members of the UBF-Tasharuk enhanced their situational awareness, facilitating more informed decision making.
In this post, the Anomali Threat Analysis Center (A-TAC) reflects on the past year, highlighting the achievements and challenges, and offers a projected outlook for 2019 and beyond.
A trusted and successful ISAC is nothing without individual membership, and as the UBF-Tasharuk concluded its first year of operation, membership soared to over 130 users across 33 member banks. Each member has access to the dedicated UBF-Tasharuk Anomali ThreatStream instance, which provides the ability to share, search, and discuss all types of cyber threat information and intelligence:
Technical indicators which suggest that an attack is imminent, in progress, or may have previously occurred. Common observable types are:
- Malware File Hash
- Infected Bot IP
- Phishing URL
- Malware C&C IP
- APT Email
- Exploit Kit IP
There are currently ~930k active Observables in the UBF-Tasharuk platform, which provides look-up, enhanced context and enrichment, and the ability to export for further consumption and ingestion.
Investigations allow a UBF-Tasharuk member to create and track cyber threat intelligence investigations which can then be assigned and shared among other users, enhancing the opportunity to collaborate, monitor, and resolve.
The Threat Bulletin section is the most valuable part of the platform. From experience, the ability to produce and share a narrative on the “how and what” of threat actor/campaign activity is extremely powerful. Threat Bulletins permit the UBF-Tasharuk membership to detail suspect/malicious observations from their own environment (with the appropriate Traffic Light Protocol (TLP) classification) and link relevant analysis and research from the wider security community. To date, 125 Threat Bulletins have been published covering topics such as ATM malware, spear-phishing incidents, remote access Trojans (RATs), and the tactics, techniques, and procedures (TTPs) of relevant threat actors. Thus far, multiple Threat Bulletins have been corroborated and actioned by member banks, resulting in thwarted attack proliferation and impact reduction across the community. This is one of the resounding successes of the initiative and demonstrates the wider acknowledgement that trusted sharing and collaboration works.
Membership engagement is stimulated by the UBF-Tasharuk Roundtable calls, which are coordinated by the A-TAC and scheduled on a fortnightly basis with a defined agenda. Furthering this, community members resoundingly agreed to host bi-annual workshops to engender greater communication and trust. On June 26th, 2018, the UBF hosted the inaugural UBF-Tasharuk Workshop in Abu Dhabi. Participants consisted of UBF stakeholders, member banks, and representatives from the A-TAC and Anomali Customer Success Organisation (CSO). The workshop provided an opportunity to highlight the UBF-Tasharuk’s main objectives, provide a roadmap status update, and most importantly, it was used to create and build new connections amongst the membership. The second workshop is scheduled for the end of October 2018 in Dubai with an emphasis on reviewing the priority intelligence requirements (PIRs) and other relevant updates.
The biggest challenge, and one of the most common observed across all ISACs, ISAOs, and other Security Interest Groups, is fostering collaboration and encouraging communication from those members who seldom participate. It is widely accepted, observed, and commonly referenced that cyber threat actors and groups share tactics, techniques, and procedures (TTPs); therefore, active participation should always be encouraged to replicate this from the defender perspective. The NIST Special Publication 800-150 ‘Guide to Cyber Threat Information Sharing’ illustrates the benefits of sharing and collaboration and why it matters, notably:
- It provides the foundation to leverage a collective knowledge, experience, and analytic capability across a vertical and/or region
- There is a focus on continually improving security posture, adopting a kaizen approach to optimising security controls, highlighting detection and/or protection gaps, and advancing cyber resilience
- Ultimately, collaboration progresses knowledge maturation throughout the community
There is obviously an opportunity cost assigned to any work task and duty, and effective time management is vital to a successful cyber security function. However, the A-TAC firmly believes that allocating time each week specifically to sharing and collaboration should be prescribed and rewarded appropriately.
Building trusted relationships is pivotal and I am encouraged that the Roundtable calls, local meetups, and active A-TAC outreach have had a positive impact on the membership and on overall industry resilience. We look forward to continuing the delivery of actionable, relevant, and timely intelligence to mitigate threats against the UAE banking sector. The contribution to, coordination with, and management of ISACs and Sharing Communities is a core focus area for Anomali, and the A-TAC remains committed to helping facilitate the continued success of UBF-Tasharuk and other sharing communities for the remainder of the year, throughout 2019, and the years thereafter.