Successes in Information Sharing
Updated: Jul 8, 2019
Welcome to the first installment of the IT-ISAC blog. This is the first of what will be a regular set of blogs from the IT-ISAC, our members, and guests focusing in relevant security, technology and public policy issues impacting the information sharing community.
For this first blog, we are focusing on successes in information sharing. Last month David Turetsky with the State University of Albany’s Emergence Preparedness, Homeland Security and Cybersecurity program hosted a conference that focused on identifying success stories in information sharing. We were honored to participate in this program and appreciate the work David and his team of researchers are doing.
This got me thinking about some of the successes the IT-ISAC has achieved since our founding in 2000. Looking in the archives, there were quite a bit to choose from. We have responded to some of the most significant incidents to effect cybersecurity since our founding in 2000, from Code Red, NIMDA, Conficker, and the DNS Cache Poisoning vulnerability, to the more recent WannaCry and Petya/not Petya.
But there are countless other events that impact our members that are not as nearly high profile and do not get wide spread media attention. These incidents are the daily grind of SOC response. It is worth picking a couple of these and briefly highlighting the successes we had, working with our members and partners.
Compromised Credentials: One of our members came across account credentials belonging to employees of member companies that were compromised through a hack of a third-party. To be clear, these were credentials that employees of certain member companies used to access third party accounts. The breach was not the member companies themselves, but the corporate email addresses of employee emails that were associated with the compromised third-party accounts. We worked with our member to notify and securely share with impacted member companies these compromised credentials so that they could inform their users and take additional security measures to protect their enterprise accounts.
Malicious Wire Transfer Scam: One of our members identified a new wire transfer scam that was deploying a Remote Access Tool (RAT). We were able to share the details of this scam, including analysis and indicators, with our members and partner ISACs to provide early warning.
Masquerading Domains: We received a report from a partner ISAC that one of their members identified domain registrations that were suspected of masquerading legitimate brands. The partner ISAC shared that information with us, which we then shared with our members. One of our members looked at these domains and identified DNS and proxy traffic associated with these domains. For example, one domain offered a fake virus warning that tried to trick people into installing bogus (and potentially malicious) AV Software. This information was shared with all IT-ISAC Members and was shared with our partner ISACs in the National Council of ISACs.
APT Campaign: A member company shared with us a suspicious IP found on their network. We reached out to others and a partner identified 6 – 10 instances of the IP address trying to communicate with their own network. Through analysis, we discovered that the IP was an indicator used to exploit a known vulnerability. Through further analysis with members and partners, we suspected that this was an APT actor scanning networks for the unpatched vulnerability. We identified additional indicators associated with this attack and shared the information with our members and partners.
SamSam Ransomware: A member company reached out to us asking for information about a specific threat actor. Through discussions with the member, we were able to confirm that they were seeing active indicators associated with SamSam Ransomware. We received and shared with members threat reports that contained IoC’s. The value to the company is that by sharing they learned that the indicators were associated with an active, ongoing attack that was impacting other organizations. By collaborating with the IT-ISAC, we were able to confirm the actor and provide indicators associated with the active campaign.
Ransom Payment Demand: A member company forwarded to us a suspicious email that asked for a ransom payment to prevent the email sender from launching an DDoS attack against the company. We reached out to IT-ISAC members and partner ISACs. Through this collaboration, we were able to conclude that this was a hoax email. Having confidence that the email was a hoax enabled the company to make an informed decision on how to proceed.
These are but a handful of examples of how we collaborate daily with members and partners in a common mission to manage risks to our members and across the critical infrastructure community. Examples of such collaboration exist across each of the ISACs. If you are not already a member of your sector’s ISAC, you should reach out to them to better understand how they can help your company manage risks to your enterprise.
Scott C. Algeier is the Executive Director of the IT-ISAC.