As first responders and defenders of information infrastructure, cyber security professionals play an increasingly important role in maintaining the national and to a wider extent global economic order. The job is a tough one though and it seems to only get harder, but for some reason it would seem that cyber security professionals continue to operate from an isolated position. In warfare, this in itself is a vulnerability, where one can be overwhelmed easily by opposing forces. In this case, those opposing forces are hackers and insiders.

Cyber Security Professionals vs Average Hackers

The lack of collaboration and organization is the inverse of how hackers often organize their efforts. Among hackers there are guides, forums, alerts, bulletins, mailing lists, code sharing platforms and all sorts of other information sharing schemes. This is because among hackers they operate alone but build on top on a wider network of hacker’s efforts to build more stronger cyber weapons. The other thing to understand about hackers is that they often practice some of the most effective cyber security practices as well. This is often to prevent sabotage by another hacker whom they may be engaging with, but don’t fully trust yet. It’s very similar to how open source developer organize their efforts and improvements. Despite both sides being decentralized, one side (hackers) have built up an extremely effective means of transparent information exchange while remaining anonymous.

Usually the term information asymmetry applies to transactions in the marketplace, where one party has more information that can affect the outcome of the transaction. However, in this case one party (hackers) has a significant shared information advantage against cyber security professionals. In many cases, hackers have an advantage over even whole governments.

Mafia Style Hacker Organization

Digital organized crime has certainly become a problem; however, it can be hard to determine how much of an impact they’ve had in advancements in malware developments. These organizations operate very much like legitimate businesses and often have markets that are as extensive and lucrative as the official economy. In one interview between Deloitte and Marc Goodman, global security strategist; Goodman had stated:

“We used to think of computer hackers as 17-year-old kids living in their parents’ basements. Today, the average age of a cyber criminal is 35, and 80 percent of black hat (e.g., criminal) hackers are affiliated with organized crime. In other words, people are choosing this as a profession. That’s a radical shift, and it’s led to the creation of increasingly sophisticated criminal organizations that operate with the professionalism, discipline, and structure of legitimate enterprises.”

In this statement, Goodman was citing data from a 2014 study conducted by a research team from RAND Corporation. The same study also determined that only 20% of the black market for hackers was operated by organized crime organizations. The other 80% seems to be organized by small groups of people and individuals.

Current Information and Threat Sharing Efforts

From the information above, you can see there’s clearly a coordination gap between cyber security experts and threat actors. Between the government and some sections of the cyber security community there’s been an effort to coordinate information and threat sharing. Since as early as 2003, some cyber security experts have been calling for collaboration as a means to protect the information infrastructure that upholds the physical and monetary networks of the world.

DHS Cyber Information Sharing and Collaboration Program

The Department of Homeland Security in the United States has attempted to develop an information sharing platform for cyber security called the National Cyber Security and Communications Integration Center (NCCIC) which hosts the Cyber Information Sharing and Collaboration Program (CISCP). The CISCP is a membership bas bi-directional information platform that anonymizes information for analysis but other members. The current features of the platform include indicator bulletins, analysis reports, priority alerts, and recommended practices. The program seeks to protect member’s by removing identifying information when they do report a breach.

MISP: Malware Information Sharing Platform and Threat Sharing

The open source project now known as MISP was started by Christophe Vandeplas who didn’t like the sharing method used to distribute indicators of compromise (IOC). At the time, it was primarily by email and PDF, so he developed CyDefSIG. This program was first picked up by Belgian Defence and then later by NATO. Upon use by NATO, the code was improved and renamed MISP and became an open source project a few years later.

MISP allows users to structure their IOCs in a predefined format that makes them searchable. The core of the program is centered around sharing, so there are also communities of organizations who also use the software to aid them in their cyber security efforts.

Collaboration is the missing ingredient that will convert cyber security from a reactive force to a proactive one. If cyber security experts and the organizations they serve don’t collaborate then hackers will always hold the information edge, thus allowing attacks to scale when they could easily be avoided if cyber security experts would coordinate with each other.

How do you think cyber security collaboration can be improved?