
Collaborative Cyber Threat Intelligence: Detecting and Responding to Advanced Cyber Attacks at the National Level

447 Pages·2018·8.4 MB·English

Collaborative Cyber Threat Intelligence
Detecting and Responding to Advanced Cyber Attacks at the National Level
Edited by Florian Skopik

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2018 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Printed on acid-free paper. International Standard Book Number-13: 978-1-138-03182-1 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so that we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Skopik, Florian, editor.
Title: Collaborative cyber threat intelligence : detecting and responding to advanced cyber attacks at the national level / [edited by] Florian Skopik.
Description: Boca Raton, FL : CRC Press, 2017.
Identifiers: LCCN 2017025820 | ISBN 9781138031821 (hb : alk. paper)
Subjects: LCSH: Cyber intelligence (Computer security) | Cyberspace operations (Military science) | Cyberterrorism--Prevention. | National security.
Classification: LCC QA76.9.A25 C6146 2017 | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2017025820

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword (p. vii)
Preface (p. ix)
Acknowledgment (p. xi)
About the Editor (p. xiii)
Contributors (p. xv)
1. Introduction (p. 1). Florian Skopik
2. A Systematic Study and Comparison of Attack Scenarios and Involved Threat Actors (p. 19). Timea Pahi and Florian Skopik
3. From Monitoring, Logging, and Network Analysis to Threat Intelligence Extraction (p. 69). Ivo Friedberg, Markus Wurzenberger, Abdullah Al Balushi, and Boojoong Kang
4. The Importance of Information Sharing and Its Numerous Dimensions to Circumvent Incidents and Mitigate Cyber Threats (p. 129). Florian Skopik, Giuseppe Settanni, and Roman Fiedler
5. Cyber Threat Intelligence Sharing through National and Sector-Oriented Communities (p. 187). Frank Fransen and Richard Kerkdijk
6. Situational Awareness for Strategic Decision Making on a National Level (p. 225). Maria Leitner, Timea Pahi, and Florian Skopik
7. Legal Implications of Information Sharing (p. 277). Jessica Schroers and Damian Clifford
8. Implementation Issues and Obstacles from a Legal Perspective (p. 313). Erich Schweighofer, Vinzenz Heussler, and Walter Hötzendorfer
9. Real-World Implementation of an Information Sharing Network: Lessons Learned from the Large-Scale European Research Project ECOSSIAN (p. 355). Giuseppe Settanni and Timea Pahi
Index (p. 421)

Foreword

This book provides a valuable foundation for the future development of cybersecurity information sharing both within and between nation-states. This work is essential—unless we can identify common threats and share common mitigation then there is a danger that we will become future victims of previous attack vectors. Without shared situation awareness, it is likely that different organizations facing the same threat will respond in inconsistent ways—and the lessons learned in combatting earlier incidents will be repeated and repeated until we develop more coordinated responses.

There are further motivations for reading this work. Existing standards across many industries and continents agree on the need for risk-based approaches to cybersecurity. Too often these are based on subject introspection; they can be little more than the best guesses of chief information security officers. If we can encourage information sharing, then our assessments of probability, consequence, and our identification of potential vulnerabilities can be based on previous experience.

All of these benefits will only be realized if we can address a number of barriers to information sharing. First, it is clear that there may be limited benefits from sharing information about every potential attack. The sheer scale of automated phishing and DDoS (Distributed Denial-of-Service) attacks means that without considerable support we may lose cyber situation awareness as we are overwhelmed by a mass of well-understood incidents. Second, the focus must never be on recording the incidents—the utility of these systems is derived from the decisions that they inform. We must allocate resources to identifying mitigations and preventing future incidents. Third, a host of questions must be addressed about the disclosure of compromising information and the violation of intellectual property through incident reporting. Simply revealing that an organization has been the target of an attack may encourage others to focus on them. Fourth, there are questions about what should be shared. The information needs are different both horizontally—between companies in different industries—and vertically between companies addressing different needs within the same supply chain. Finally, we must be sensitive to the limitations of incident reporting—it can be retrospective, focusing on gathering information about the previous generation of attacks rather than the next—which may be very different especially when state actors are involved.

The chapters of this book provide, arguably for the first time, a coherent and sustained view of these many different opportunities and potential pitfalls. It investigates the potential benefits of peer-to-peer systems as well as the legal obstacles that must be overcome. It looks at the key determinants of situation awareness at a national level and beyond. It does all of this in an accessible manner—focusing on generic issues rather than particular technologies. I recommend it to you.

Chris Johnson
Head of Computing Science at Glasgow University
Glasgow, UK

Preface

The Internet threat landscape is fundamentally changing. A major shift away from hobby hacking toward well-organized cybercrime, even cyberwar, can be observed. These attacks are typically carried out for commercial or political reasons in a sophisticated and targeted manner and specifically in a way to circumvent common security measures. Additionally, networks have grown to a scale and complexity and have reached a degree of interconnectedness that their protection can often only be guaranteed and financed as a shared effort. Consequently, new paradigms are required for detecting contemporary attacks and mitigating their effects.

Information sharing is a crucial step to acquiring a thorough understanding of large-scale cyber attack situations and is therefore seen as one of the key concepts to protect future networks. To this end, nation-states together with standardization bodies, large industry stakeholders, academics, and regulatory entities have created a plethora of literature on how cybersecurity information sharing across organizations and with national stakeholders can be achieved. Shared information, commonly referred to as threat intelligence, should comprise timely early warnings, details on threat actors, recently exploited vulnerabilities, new forms of attack techniques, and courses of action on how to deal with certain situations—just to name a few.

Sharing this information, however, is highly nontrivial. A wide variety of implications, regarding data privacy, economics, regulatory frameworks, organizational aspects, and trust issues need to be accounted for. This book is an attempt to survey and present existing works and proposes and discusses new approaches and methodologies at the forefront of research and development. It provides a unique angle on the topics of cross-organizational cyber threat intelligence and security information sharing. It focuses neither on vendor-specific solutions nor on technical tools only. Instead, it provides a clear view on the current state of the art in all relevant dimensions of information sharing, in order to appropriately address current—and future—security threats at a national level.

Regarding the intended readership, I foresee the book being useful to forward-looking practitioners, such as CISOs, as well as industry experts, including those with deep knowledge of network management, cybersecurity, policy, and compliance issues who are interested in learning about the vast state of the art, both in practice and applied research. Similarly, I suggest the book has value for academics and

Description:
Threat intelligence is a surprisingly complex topic that goes far beyond the obvious technical challenges of collecting, modelling and sharing technical indicators. Most books in this area focus mainly on technical measures to harden a system based on threat intel data and limit their scope to singl