
The US NSA wants to make cybersecurity more profitable than cyber attacks. Neal Ziring, the NSA’s Capabilities Directorate technical director, said recently: “I want to get it to the point where a threat actor says, ‘I better choose carefully where I throw this malware first, because I’m not going to get a third or fourth try.’ Today they don’t have that concern.”

In order to decimate a cybercriminal’s Return On Investment (ROI) on developing tools and attack playbooks, Ziring is calling on public agencies, companies and the security community to radically change the way they respond to cyberattacks.

He said the cybersecurity community needs to work cooperatively to collectively respond to attacks in the same spirit they share threat intelligence. He explained that doing so will deprive cyber threat actors of the ability to use tools and tradecraft multiple times and starve criminals financially.

“The future of cyber defense is having a shared or coordinated response,” Ziring said. “We need to break out of today’s enterprise mentality of every person for themselves.”

The type of framework Ziring describes doesn’t exist today, but two standards come close. Those are STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information), which deal with sharing data ahead of an attack. Neither addresses a key component that Ziring is calling for, which is a public-private framework that creates a type of autoimmune system.

“There is no technological reason why this couldn’t work. There are only practical obstacles like the need for interoperable standards that will enable us to do this in today’s heterogeneous environments. And that’s the bit we are solving right now with STIX and OpenC2,” he said.

Still early in development, OpenC2 is a language that would enable the coordination and execution of command and control of defense components between domains and within a domain. Universal support for that type of framework will take a major shift in industry mindsets. Ziring said the industry does not need new regulations to mandate breach transparency. The upside to information sharing is the carrot that he hopes will lure companies, sectors and communities to be part of the sharing framework. He notes there are already several critical infrastructure sectors that are required to report breaches to the DHS.

“It would be better if we didn’t have to create more regulation. We’ll have to take a wait and see approach for now,” he said.

Currently, the type of framework Ziring describes is extremely rare. Within the financial services sector, breach data is shared between members of the FS-ISAC (Financial Services Information Sharing and Analysis Center). When one member is attacked, all other members are alerted and can fend off similar attacks before they happen. Meanwhile, attack surfaces are growing with the rapid expansion of cloud and IoT services. Ziring said current defenses are not as scalable as they need to be and can’t match the automated nature of cyberattacks.

Using FS-ISAC as a model, Ziring envisions a future where industry-focused communities share visibility into threats. When an attack occurred, top-level community members would analyze the threat and send out countermeasures to community members, inoculating them within seconds or minutes from similar attacks. “It’s unreasonable to ask small business to be ready to fight off a nation-state attack themselves,” he said.