From the Women in Crisis Response Writers Hub

Book Review: Collaborative Cyber Threat Intelligence, Edited by Florian Skopik


Collaborative Cyber Threat Intelligence[1], referred to as CCTI in this brief review, is a non-technical overview of the challenges and the areas that need to be considered as countries try to establish a cyber threat intelligence sharing mechanism at the national level through public-private partnership. The advantages of threat information sharing and of using shared resources are manifold, as Skopik outlines, including time and cost savings for any organisation willing to join in the “Collective Defence”.

He lists “Trust”, “Integration of Threat Intelligence with Organisational Processes”, “Establishing Interoperability between internal and external systems” and “Legal and Regulatory requirements” as four challenges that might need addressing before such information can be shared, and he references NIST SP 800-150 as the foundation. I have used three other well-respected books by other industry experts as a lens to critically juxtapose the contents of this book (see References).

Chapter 2[2] begins with definitions of IT, ICT, and cybersecurity, albeit a bit repetitive in content; the entire section could have been edited for brevity. The authors, Pahi and Skopik, mention the challenges of categorising cyberattacks by tactics, techniques, and procedures (TTPs), by motivation, or by threat actor, and instead use targets as a potential new category (p22). FireEye’s (Mandiant’s) in-depth malware analysis[3] and the Verizon Data Breach Investigations Report already do this through their Incident Classification Patterns & Subsets and Industry Analysis[4]. The authors do a great job of explaining frequently misused terms and the differences between the Dark Web and the Deep Web (p27).

Chapter 3[5] presents some major drawbacks for those technically initiated in monitoring, logging, and network analysis. For example, while the block diagrams all indicate a discussion of industrial control system (ICS) networks, section 3.4 fails to touch upon the protocols that are unique to these systems but were gradually ported to work over the OSI 7-layer or TCP/IP 4-layer models[6]. As such, tools, techniques, and procedures can vary greatly between a traditional ICT environment and an ICS, which the esteemed authors authoritatively know given their in-depth experience in the field. The chapter misses the mark in bringing these differences to the reader’s attention.

The five dimensions of information sharing are discussed in chapter 4[7]:

a. Efficient Cooperation and Coordination,

b. Legal and Regulatory Landscape,

c. Standardisation Efforts,

d. Regional and International Implementations, and

e. Technology Integration into organisations, including the ENISA, ISO, ITU, NIST and NATO frameworks, standards and entities.

It is well researched and succinctly written as an introduction to a dense landscape, and a great section if you want to learn very quickly about STIX/TAXII/IODEF and some niche information sharing taxonomies such as IDEA (Intrusion Detection Extensible Alert) (p138) to compare with. A simple table highlighting the aspects addressed by the different standardisation efforts (p159) is a simple yet useful tool.

In chapter 5[8] the authors touch upon standard topics such as sources of cyber threat intelligence and types of information sharing structures, including some insights into automation, cloud services, privacy, and data sensitivity categorisation using the Traffic Light Protocol (TLP) and the Information Exchange Policy (IEP).

Two unique aspects of this chapter are that the authors try to bring attention to the context of a CTI community, with the Cyber Threat Alliance[9] as an example, and, secondly, that the section discusses hub-and-spoke and peer-to-peer (P2P) models of CTI sharing infrastructure, which I think are important aspects from a design and architectural standpoint. “Good intelligence can be ruined by poor dissemination,” say Roberts and Brown[10]. And although they do a great job of outlining the aspects of intelligence dissemination, this chapter in CCTI does a better job of laying out the services that can be expected of a good intelligence dissemination platform.

Chapter 6[11] discusses the cybersecurity strategies of the EU (ENISA, EDA), the UN, NATO and the US; it highlights some aspects of the national cybersecurity strategies of four countries: Germany, Switzerland, the UK and the US. The first three countries have some of the strongest ideologies about privacy, so these are useful for juxtaposition with the US to better highlight the US’s strengths and opportunities in the field.


The chapter emphasises understanding cyber security situational awareness (CSA) (p245-270), and although it is disappointing that the authors do not discuss the various types of INT (Roberts and Brown’s[12] chapter on Basic Intelligence does a good job on this topic) and mostly refer to OSINT throughout the book, the chapter does a good job of underlining the importance of context in “intelligence”, including aspects such as Cyber Common Operating Pictures (CCOP)[13],[14],[15] (p265).

Legal Implications of Information Sharing and Implementation Issues and Obstacles from a Legal Perspective are the focal points of chapters 7[16] and 8. These chapters are crucial because sharing cyber threat information can at times require a degree of confidentiality, but mostly requires availability and integrity.


Best practices with reference to the GDPR, Directive 2013/40/EU, Directive 2008/114 and Directive 2016/1148 (the NIS Directive) are mentioned in the chapter (p282), including insights into overcoming the fear of data sharing. Chapter 8[17] extends this discussion further with five different case studies, each delving in detail into scenarios where the regulations might apply.

For example, IP address dissemination, ethical considerations of responsible disclosure of product vulnerabilities, CTI data leakage via incident response teams, unintended consequences of disproportionate mitigation measures such as IP blocking during a DDoS attack, service provider obligations and customer privacy are well-deserved topics that are tackled herein. Having perused some really strong industry books in the field of ICS (see References), I find CCTI unique in providing cases in point as a reflective exercise, unlike other books.

Chapter 9[18] is an extensive report on the large-scale case study carried out between 2014 and 2017, known as the European Control System Security Incident Analysis Network (ECOSSIAN). The ECOSSIAN framework uses a three-tier architecture at the operator level (O-SOC), the national level (N-SOC), and the pan-European level (E-SOC) to exchange cyber threat and incident information, thereby emulating a cohesive network of threat information exchange.

It discusses the framework and three case studies:

A. Attack on a fictitious financial institution,

B. Attack on a fictitious national gas provider leading to outages in gas supply, and

C. Attack on a SCADA-based national transport infrastructure impacting the electric grid and railway traction.

The three case studies try to depict the ECOSSIAN[19] framework in action and show how proactive threat information exchange could potentially help thwart the domino effect of a cyber-attack on highly interconnected critical infrastructures.

To conclude, a topic like reconnaissance is only touched on briefly when discussing the Cyber Kill Chain in the second chapter[20], whereas it could have been elaborated when discussing monitoring and networking in the third chapter. One of the biggest gaps I noticed is the lack of any discussion of vendor management, or of the challenge of ICS portability: performing advanced interactive operations using modern Internet of Things features that were traditionally not designed as part of the devices and their intended functionality.

A quick run through the index for the word ‘vendor’ returns zero references in the text. Technical challenges of forensics, such as preserving integrity, are not discussed in any of the chapters. Ideally this could have been covered in chapter 3.

Topics such as risk management, false positives and false negatives, and bias in information and intelligence gathering and sharing are largely missing. Moreover, information gathering and sharing can vary greatly between normal operations and a crisis situation.

Lastly, a separate chapter focusing on how an Austrian case study could be ported to other organisations, such as small and medium enterprises, commercial or non-profit, and large enterprises in other global regions operating under different sociocultural environments, could have been included to show the scalability of the ideas. As such, the book, while disappointing in some places, is a differentiator in a few others, as highlighted in the review above. It is a richly documented, acutely focused book on cyber threat intelligence sharing.

References

1. "2019 Data Breach Investigations Report". 2019. Verizon Enterprise. https://enterprise.verizon.com/resources/reports/dbir/.

2. "Advanced Persistent Threat Groups". 2019. Fireeye. Accessed November 18. https://www.fireeye.com/current-threats/apt-groups.html.

3. Brown, Rebekah, and Scott J. Roberts. 2017. Intelligence-Driven Incident Response. 1st ed. Sebastopol, CA: O'Reilly Media, Inc.

4. Conti, Gregory, John Nelson, and David Raymond. 2013. "Towards A Cyber Common Operating Picture". 2013 5th International Conference On Cyber Conflict. https://ccdcoe.org/uploads/2018/10/6_d1r2s4_conti.pdf.

5. Knapp, Eric D., and Joel Thomas Langill. 2015. Industrial Network Security (Second Edition). 2nd ed. Waltham, MA: Syngress.

6. "Deliverables". 2017. Ecossian.Eu. https://www.ecossian.eu/published-results/deliverables.html.

7. Esteve, Manuel, Israel Perez, Carlos Palau, Federico Carvajal, Javier Hingant, Miguel A. Fresneda, and Juan P. Sierra. 2016. "Cyber Common Operational Picture: A Tool For Cyber Hybrid Situational Awareness; Improvement". In Cyber Defence Situation Awareness. NATO Science and Technology Organisation. https://preview.tinyurl.com/STO-MP-IST-148.

8. Esteve, Manuel, Israel Pérez, Carlos Palau, Federico Carvajal, and Javier Hingant. 2016. "Cyber Defence Situation Awareness". Sto.Nato.Int. https://doi.org/10.14339/STO-MP-IST-148.

9. Fransen, Frank, and Richard Kerkdijk. 2018. "Cyber Threat Intelligence Sharing Through National And Sector-Oriented Communities". In Collaborative Cyber Threat Intelligence, 1st ed., 187-224. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

10. Friedberg, Ivo, Markus Wurzenberger, Abdullah Al Balushi, and Boojoong Kang. 2017. "From Monitoring, Logging, And Network Analysis To Threat Intelligence Extraction". In Collaborative Cyber Threat Intelligence, 1st ed., 69-127. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

11. "How Sharing Works". 2019. Cyber Threat Alliance. Accessed November 20. https://www.cyberthreatalliance.org/how-our-sharing-works/.

12. Leitner, Maria, Timea Pahi, and Florian Skopik. 2018. "Situational Awareness For Strategic Decision Making On A National Level". In Collaborative Cyber Threat Intelligence, 1st ed., 225-275. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

13. Macaulay, Tyson. 2009. Critical Infrastructure. Boca Raton, FL: CRC Press.

14. Miller, Jamie. 2015. "Cybersecurity’s Golden Fleece – The Common Operating Picture". Linkedin.Com. https://www.linkedin.com/pulse/cybersecuritys-golden-fleece-common-operating-picture-jamie-miller.

15. Pahi, Timea, and Florian Skopik. 2018. "A Systematic Study And Comparison Of Attack Scenarios And Involved Threat Actors". In Collaborative Cyber Threat Intelligence, 1st ed., 19-68. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

16. Schroers, Jessica, and Damian Clifford. 2018. "Legal Implications Of Information Sharing". In Collaborative Cyber Threat Intelligence, 1st ed., 277-312. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

17. Schweighofer, Erich, Vinzenz Heussler, and Walter Hötzendorfer. 2018. "Implementation Issues And Obstacles From A Legal Perspective". In Collaborative Cyber Threat Intelligence, 1st ed., 313-354. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

18. Settanni, Giuseppe, and Timea Pahi. 2018. "Real-World Implementation Of An Information Sharing Network: Lessons Learned From The Large-Scale European Research Project ECOSSIAN". In Collaborative Cyber Threat Intelligence, 1st ed., 355-420. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

19. Skopik, Florian, and Giuseppe Settanni. 2018. "The Importance Of Information Sharing And Its Numerous Dimensions To Circumvent Incidents And Mitigate Cyber Threats". In Collaborative Cyber Threat Intelligence, 1st ed., 129-186. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

20. Skopik, Florian. 2018. Collaborative Cyber Threat Intelligence. 1st ed. Boca Raton, FL: CRC Press Taylor and Francis Group.

21. Skopik, Florian. 2017. "Introduction". In Collaborative Cyber Threat Intelligence Detecting And Responding To Advanced Cyber Attacks At The National Level, 1st ed. Boca Raton, FL: CRC Press. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.


Endnotes

[1] Skopik, Florian. 2018. Collaborative Cyber Threat Intelligence. 1st ed. Boca Raton, FL: CRC Press Taylor and Francis Group.

[2] Pahi, Timea, and Florian Skopik. 2018. "A Systematic Study And Comparison Of Attack Scenarios And Involved Threat Actors". In Collaborative Cyber Threat Intelligence, 1st ed., 19-68. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[3] "Advanced Persistent Threat Groups". 2019. Fireeye. Accessed November 18. https://www.fireeye.com/current-threats/apt-groups.html.

[4] "2019 Data Breach Investigations Report". 2019. Verizon Enterprise. https://enterprise.verizon.com/resources/reports/dbir/.

[5] Friedberg, Ivo, Markus Wurzenberger, Abdullah Al Balushi, and Boojoong Kang. 2017. "From Monitoring, Logging, And Network Analysis To Threat Intelligence Extraction". In Collaborative Cyber Threat Intelligence, 1st ed., 69-127. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[6] Knapp, Eric D., and Joel Thomas Langill. 2015. Industrial Network Security (Second Edition). 2nd ed. Waltham, MA: Syngress, pp. 121-166.

[7] Skopik, Florian, and Giuseppe Settanni. 2018. "The Importance Of Information Sharing And Its Numerous Dimensions To Circumvent Incidents And Mitigate Cyber Threats". In Collaborative Cyber Threat Intelligence, 1st ed., 129-186. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[8] Fransen, Frank, and Richard Kerkdijk. 2018. "Cyber Threat Intelligence Sharing Through National And Sector-Oriented Communities". In Collaborative Cyber Threat Intelligence, 1st ed., 187-224. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[9] "How Sharing Works". 2019. Cyber Threat Alliance. Accessed November 20. https://www.cyberthreatalliance.org/how-our-sharing-works/.

[10] Brown, Rebekah, and Scott J. Roberts. 2017. Intelligence-Driven Incident Response. 1st ed. Sebastopol, CA: O'Reilly Media, Inc., p. 163.

[11] Leitner, Maria, Timea Pahi, and Florian Skopik. 2018. "Situational Awareness For Strategic Decision Making On A National Level". In Collaborative Cyber Threat Intelligence, 1st ed., 225-275. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[12] Brown, Rebekah, and Scott J. Roberts. 2017. Intelligence-Driven Incident Response. 1st ed. Sebastopol, CA: O'Reilly Media, Inc., pp. 9-26.

[13] Miller, Jamie. 2015. "Cybersecurity’s Golden Fleece – The Common Operating Picture". Linkedin.Com. https://www.linkedin.com/pulse/cybersecuritys-golden-fleece-common-operating-picture-jamie-miller.

[14] Conti, Gregory, John Nelson, and David Raymond. 2013. "Towards A Cyber Common Operating Picture". 2013 5th International Conference On Cyber Conflict. https://ccdcoe.org/uploads/2018/10/6_d1r2s4_conti.pdf.

[15] Esteve, Manuel, Israel Perez, Carlos Palau, Federico Carvajal, Javier Hingant, Miguel A. Fresneda, and Juan P. Sierra. 2016. "Cyber Common Operational Picture: A Tool For Cyber Hybrid Situational Awareness; Improvement". In Cyber Defence Situation Awareness. NATO Science and Technology Organisation. https://preview.tinyurl.com/STO-MP-IST-148.

[16] Schroers, Jessica, and Damian Clifford. 2018. "Legal Implications Of Information Sharing". In Collaborative Cyber Threat Intelligence, 1st ed., 277-312. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[17] Schweighofer, Erich, Vinzenz Heussler, and Walter Hötzendorfer. 2018. "Implementation Issues And Obstacles From A Legal Perspective". In Collaborative Cyber Threat Intelligence, 1st ed., 313-354. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[18] Settanni, Giuseppe, and Timea Pahi. 2018. "Real-World Implementation Of An Information Sharing Network: Lessons Learned From The Large-Scale European Research Project ECOSSIAN". In Collaborative Cyber Threat Intelligence, 1st ed., 355-420. Boca Raton, FL: CRC Press, Taylor and Francis Group. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900.

[19] "Deliverables". 2017. Ecossian.Eu. https://www.ecossian.eu/published-results/deliverables.html.

[20] Pahi, Timea, and Florian Skopik. 2018. "A Systematic Study And Comparison Of Attack Scenarios And Involved Threat Actors". In Collaborative Cyber Threat Intelligence: Detecting And Responding To Advanced Cyber Attacks At The National Level, 1st ed. Boca Raton, FL: CRC Press. https://www-taylorfrancis-com.ezp-prod1.hul.harvard.edu/books/e/9781315397900, pp. 30-31.

©2020 by Women in Crisis Response.