Reactions to cyberattacks — and the demands for information they elicit — are personal and professional for cybersecurity experts.
Stephanie Carruthers, chief people hacker and global head of cyber range at IBM Security X-Force, wants to know everything when an incident impacts her personally.
But as a cybersecurity professional, Carruthers wants to know what the attackers did.
“I love to see as much information as possible, but I also understand from that business perspective they have to be very careful about what they share,” Carruthers told Cybersecurity Dive last week at the RSA Conference in San Francisco.
Most victim organizations want to share information up front, but have to be vague until they know what occurred, she said.
Organizations are under enormous pressure following an attack, and the potential risk of litigation or customer inquiries sometimes outweighs the cybersecurity industry’s high regard for information sharing.
“What we need to do is just come to terms with the value of information sharing without someone feeling like they’re going to be open and honest about something and then get whacked on the wrist for it,” said John Dwyer, director of security research at Binary Defense.
“The disconnect there is what we really need is the highly technical pieces of how the attack happened,” Dwyer said at the RSA Conference.
This is the type of intelligence defenders can learn from to help prevent other incidents and to proactively build detections going forward.
“Why they don’t share that information I think is far more complicated than most people understand,” Dwyer said. “I would love to see a way for organizations to anonymously share that information with the security community.”
Post-attack data bolsters detection and defense
The core mission of sector-based information sharing and analysis centers (ISACs) is to collect and analyze threat information, correlate it and turn that knowledge into insights for their members.
The National Council of ISACs, formed in 2003, comprises 27 organizations today. These ISACs share information with government agencies and critical infrastructure organizations operating across multiple sectors, such as healthcare, automotive, communications, electricity and financial services.
Understanding that information and its criticality can help companies defend their networks, John Denning, CISO at FS-ISAC, told Cybersecurity Dive.
“If you’re able to do that well and quickly, and already have a distribution channel that’s already established and open and trusted, then you’re in a situation where you can do a lot of good for the sector,” Denning said.
Cybersecurity professionals acknowledge the power defenders can quickly gain with the right information and proper context, but that isn’t always in balance with the pressures confronting executives.
“We don’t necessarily have to seek out more information. We need to understand what is the most relevant information,” Denning said. “There’s volume and then there’s quality, and they both have their values. I would rather get more information than less information.”
When the hardware and systems that underpin business operations are hit, it’s often the customers who depend on their technology that are most impacted.
Some business leaders, including LastPass CEO Karim Toubba, are determined to improve their disclosure process as they learn from mistakes of the past.
After a cyberattack in 2022 exposed a cloud-based backup of the password manager’s entire customer vault database, the company was criticized for not sharing information more quickly as its investigation uncovered important details. Critical information trickled out over a 7-month period.
In the event of a future incident, which hopefully doesn’t occur, Toubba said LastPass will release rapid-fire disclosures and bring that information to the forefront much sooner.
“I think there’s a real opportunity for all companies to adopt that kind of thinking,” Toubba said, “as difficult as it may be in the moment.”