An appeal for cyber incident and near miss stories

One of the key benefits of outsourcing a SOC to a Managed Security Service Provider is that the organisation can immediately learn from and respond to intelligence gained across the MSSP’s customer base. Lessons learnt protecting one customer can be rolled out at pace to all the other teams and customers, ensuring that incidents do not recur and that the organisation is better prepared to deal with emerging threats. Within the MSSP itself, it’s easy to share detailed information without compromising customer confidentiality. It is also important to share honestly and openly without the fear of losing face because sometimes mistakes do happen and those lessons are valuable – again, this is much easier to achieve when sharing between teams within the same MSSP.

This is different from the sharing of formal threat intelligence, which has already been solved at scale, for example by subscribing to threat intelligence feeds that describe various indicators of compromise – IPs, hashes, attacker tactics, etc. The most valuable cyber incident and near miss stories include how the organisation responded, what impact was experienced and the broader lessons that have been learnt across the entire incident response lifecycle – perhaps controls that worked, controls that didn’t work and why, unexpected knock-on effects and whether our industry risk management strategies need to be updated in the face of the emerging threat.

People learn from and respond to interesting stories, not indicators of compromise.

Consider some of the most valuable conference talks or the presentations that you’ve attended in the past – where you have left with an action plan of two or three things to pick up urgently when you get back into the office. Typically, the presenter has opened up honestly, been vulnerable and shared detailed stories that outlined impact and their reflections on what could have been done differently. Although sharing at this level is hard, it is not impossible and imagine the value we could derive as an industry if more teams opened up and shared on a regular basis.

Within government, sharing information between departments is further hampered by security classifications and other protocols. To address this, the UK National Cyber Security Centre is developing a programme known as the “Defend as One” initiative, which collects incident response and near miss stories from contributors, anonymises them for sharing and distributes those stories, impacts and lessons learnt to subscribers. Several incident stories have already been shared anonymously through this initiative and have been well received by audiences, to their benefit.

Interestingly, the process also solves the problems described above for private-sector MSSPs, who previously have not had a neutral ground where they could share their insights. The “Defend as One” community is open to both public and private entities that have been onboarded onto the CISP platform, where stories from both groups are shared anonymously to the benefit of all in regular “Incident Insight” sessions hosted by the NCSC. Talanos have successfully contributed a number of anonymous stories which have generated interesting discussions and additional insights from which people could learn.

A call for Incident Insights

The easiest way to contribute is to share your incident story via the NCSC’s public facing incident reporting platform, found here:

https://report.ncsc.gov.uk

The report can be raised as an “Information Only Report” and should follow some basic guidelines to be turned into valuable, shareable insights:

  • No need to attribute the incident to an actor – it doesn’t matter who it is but rather what they did and what can be learnt from it.
  • Keep it anonymous – be only as specific as is needed to convey the impact message and the lesson, and no more.
  • Talk about impact – the story matters because that is what people respond to, but don’t share confidential information.
  • Not about generating IoCs – there are better channels for sharing conventional threat intelligence and this doesn’t replace that.
  • Not part of the incident response process – share the lesson when it is safe to do so for the benefit of the community.

The “Defend as One” team have also created a simple Microsoft Form that can be completed to feed insights directly into the programme, which can be used instead of the formal incident reporting platform linked above. It’s the fastest way to contribute to the community and can be found here:

https://forms.office.com/e/4LJVTWEZm2

The success of the community depends wholly on its contributors, and the more that people share, the more others will come forward and share. Members can only benefit from the growth of the community, so if there are insights to share, please do so. The “Defend as One” initiative is proving that sensitive information can be transformed into valuable insights, shared anonymously to bridge the gap between entities and between the public and private sectors.