Why bother with sharing threat intelligence? We’ve got this cyber thing covered.

Providence Consulting Group is excited to announce that we are teaming up with CI-ISAC, an innovative Australian industry leader enabling threat-informed cyber risk management, to join efforts in building resilience, reducing security risk and enabling owners and operators of critical infrastructure assets to comply with the obligations of the Security of Critical Infrastructure Act 2018 (SOCI Act).

Providence and CI-ISAC jointly bring diverse professional experience and expertise in critical infrastructure security.

Two pretty common questions we hear from prospective members are “Why do I need CI-ISAC when I have a brilliant cyber team?” and “Why would I need to know about cyber threats from other sectors?”.

Working in a cyber team, regardless of how brilliant they are, is akin to playing ‘whack a mole’ – you’re dealing with a constant onslaught of cyber threats (moles) and doing your best to swat these away with the resources you have available to you. Building a Threat Intelligence function is expensive, and if you’re only focussed within your own sector then you’re missing valuable insights on relevant threats from other sectors of our Australian economy.

Putting things in perspective

Some cyber teams have significantly more resources than others; however, regardless of maturity, most teams are unlikely to have all the resources they need, which means they need to employ these as effectively as possible. Cyber Threat Intelligence (CTI) is a capability that enables teams to understand cyber adversaries and their techniques to more effectively defend against them.

Financial Services organisations spend millions of dollars a year investing in both technical and human threat intelligence resources, all with the aim of becoming more proactive in understanding the current and future threats to their environments. Other, larger companies may invest in a subset of technical threat intelligence capabilities and, if they’re well resourced, a human or two who can attempt to filter and analyse the fire hose of information they’re paying for.

For the majority of Australian companies, cyber defences are limited to generic security controls (technical and procedural) based on frameworks like The Essential 8, NIST, ISO 27001, AESCSF and the hope that these will be sufficient to protect against the threats they face.

Work smarter, not harder

The real value of threat intelligence is only realised when timely, relevant and actionable insights are generated from analysed data. The challenge is that the majority of ‘intelligence’ is actually raw information that still needs technical specialists to analyse it before cyber teams assess the risks against their own environments.

If we now rewind to why cyber teams need CI-ISAC, the answer lies in their requirement to understand what threats to focus their efforts on. To be successful, cyber teams need to be focussed on building defensive capabilities, but also on ensuring these continue to operate effectively as threats evolve. CI-ISAC does the heavy lifting of understanding and articulating relevant threats to Australian entities in non-technical language, enabling members to focus their efforts on addressing their own risks, rather than duplicating effort by trying to analyse and understand the same threats as everyone else.

Getting ahead of future threats

Threat Intelligence helps you understand threats and where to focus your cyber resources; intelligence sharing, however, enables you to build a picture of what’s going on around you. Typical information sharing takes place in silos (individual sectors), which is good, but misses the opportunity to learn from other sectors by understanding the cyber incidents they’re experiencing.

Australia’s Big-4, amongst others, are already doing this – when Medibank, Optus, Latitude or DP World incidents hit the news, their threat intelligence teams mobilise to gather information on the attack, and feed the analysis into their cyber defence teams with the aim of ensuring the same type of incident would not bypass their security controls.

Enabling a trusted ecosystem to facilitate the sharing of cyber threat intelligence from across Australian CI sectors and conducting intelligence analysis centrally is a fundamental aspect of CI-ISAC. This enables members to focus their cyber teams on assessing the risk to their environments and effective response activities. A single, joined-up approach removes silos, and analysing member-shared intelligence centrally removes duplication of effort. Larger, more mature members lead the sharing of cyber threat intelligence and enable us to learn from the mature end of town to benefit all members, regardless of maturity.

Conclusion

Cyber criminals have evolved their operating models to form specialist task forces based on skillsets: initial access brokers break in and establish a foothold within networks; this is then handed off to hackers specialised in spreading across networks and elevating privileges. A third team may then analyse and exfiltrate sensitive data for future extortion, before encrypting assets. This is an over-simplified example, but cyber criminals have improved their effectiveness by moving away from generalist approaches and co-operating when attacking targets.

Defenders need to adopt a similar approach, specifically in relation to cyber defences. Threat Intelligence represents an ability to focus resources and teams on threats to an organisation. If employed correctly, this can save time, effort and money, but most importantly, threat intelligence enables more effective risk management. Teams gain actionable information to assess threats against their own environments, and recommendations to uplift their security controls.

Leveraging CI-ISAC empowers your cyber teams with a holistic understanding of threats to Australian assets, informed by local sharing and global perspectives.

By David Sandell, the co-founder and CEO of CI-ISAC Australia.

Adash Janiszewski

Chief Executive Officer

Adash is Providence’s CEO and is responsible to the Providence Board and Providence’s clients for ensuring the timely delivery of outcomes through advice, guidance and mentoring to Providence’s staff.