Tackling Global Cybersecurity Challenges: It Takes a Village (of CISOs)
Paving new paths for collaborative defense in the face of rising global threats
Not the same old story: In 22 years of working in the cybersecurity industry, I’ve heard a lot of talk about the importance of collaboration and community; instances where this talk translated into action were much rarer. How do you make it work?
The NotPetya Incident and the Power of Community
When a cybersecurity community works, it’s not just a ‘support group’ but a source of actionable insight for CISOs. We had a chance to see this happen right before our eyes during the NotPetya cyberattack in 2017.
NotPetya was a global Black Swan event – the most damaging wiper ever deployed, wreaking $10B worth of havoc. It impacted almost every sector, and changed the way businesses and governments think about cybercrime.
Coincidentally, just as NotPetya hit, we had some of the world’s leading CISOs in the same room in Jerusalem, fresh from a tour of the Via Dolorosa. This was part of Team8’s first CISO Summit, a global conference of cybersecurity leaders; and while certainly unplanned, it gave us a glimpse into the true potential of a CISO community.
With many organizations impacted, the ability to immediately relay information was crucial. The people in that room shared recovery strategies that allowed them to shore up their defenses–so that when the Bad Rabbit ransomware threat appeared some months later, its impact was minimal. And while part of it was due to real-time information sharing, the effectiveness of the response was also driven by companies being prepared. They had learnt from the experience of the businesses that were impacted by NotPetya, and who had been courageous enough to share their experience.
Strength in Numbers
A community is more than an annual get-together. The NotPetya incident was an example of what can be achieved when the cyber industry works together against a common threat. But we can’t always rely on a conference happening every time there’s a major attack. Collaboration needs to be continuous, it needs to happen as close to real-time as possible, and it needs to be actionable.
For Team8, the CISO Summit is just one part of the broader CISO Village–a community of 100+ cybersecurity leaders, many of whom work at companies that are household names–alongside other influential voices in the global cyber industry.
The CISO Village is far from the first attempt to build community-driven collaboration in the cybersecurity space. But many such attempts have fallen flat and failed to garner ongoing engagement from participants. In designing and operating the Village, we’ve learned from the mistakes of others, and have tried to create a space where information can flow freely (within the boundaries of privacy and confidentiality) and where we can replicate the type of practical cooperation we saw with NotPetya.
Why have previous attempts stumbled, and what makes CISO Village different?
Collaborative Defense: Easier Said Than Done
The cybersecurity industry is still relatively young, but the need for better collaboration and knowledge sharing has been around since its inception. Being a CISO can be an isolating experience: the very nature of the role requires confidentiality, discretion, and in some cases hitting the brakes on new initiatives for the sake of protecting the organization.
Finding avenues for confiding in others, sharing best practices and tools, and keeping up to date with potential threats have always been essential–especially as today’s CISOs are expected to have extensive knowledge not just of cyber solutions, but also the underlying IT systems that form the attack surface.
Recent developments have added an air of urgency. On the 25th of February this year, a day after Russia’s invasion of Ukraine, ransomware group Conti publicly expressed their loyalty to Russia. In response, an anonymous security researcher published over 60,000 messages leaked from Conti’s internal Jabber conversations.
There were a number of interesting findings: Conti resembles an ordinary firm working five days a week from an office building, complete with an HR department and dedicated teams. This was not a group of script kiddies working from their parents’ basements. And what’s even more pertinent for our purposes is that Conti was not working alone–rather, they were cooperating with no fewer than seven different malware groups.
These findings join other investigations that have linked government actors to attack groups:
- The notorious APT ‘Bear’ groups, which have targeted critical infrastructure in Europe, Turkey, and the US, have been linked to the Russian Federal Security Service (FSB)
- The Lazarus Group, active since 2009 and responsible for destructive wiper attacks and malware, is state-sponsored by North Korea
- Stone Panda, a group affiliated with the Chinese government, is claimed to have been behind a months-long attack against China’s financial sector
Rivals are working collaboratively. It’s estimated that 80% of cyber attacks are driven by organized crime rings, often specializing in different activities. Today’s ransomware gangs have become ransomware cartels – multiple gangs working together explicitly for the purpose of sharing code and exploits, developing tools, coordinating data dumps, and hosting shared infrastructure. Groups are often backed by, or even directly working together with government actors, to create capabilities and tools that are far more threatening than what we’ve seen in the past.
What about CISOs and other cybersecurity leaders? Sadly, in many ways, we are lagging behind the bad actors.
Where Things Go Wrong
Despite the desire for greater collaboration, initiatives often fail to gain momentum. Previous attempts to build cybersecurity communities, or to create platforms for knowledge sharing and open discussion–including many that I have witnessed firsthand–have not taken off. This is due to a combination of factors:
- Strong incentives not to share information: Sharing intelligence can potentially lead to ‘free riding’ where there is no guarantee of reciprocation from the other side; at the same time, it might be seen as a privacy concern for the party sharing the information.
- Perceived reputational risk: Human beings prefer to avoid embarrassment. When a cyberattack happens on our watch, the first instinct is to keep it quiet: no CISO’s morning has ever improved by seeing their company’s name plastered all over the front page of the New York Times in the context of a cyberattack. Not sharing any information can be the path of least resistance.
- General aversion to sharing information and a tendency to prefer working ‘in the shadows’: As CISOs, we are so used to safeguarding company information that sharing anything may seem antithetical to good business practice. It may be difficult to shift from a competitive to a collaborative perspective.
These practical and psychological barriers often keep discussions between CISOs at a surface level; and when information is not shared freely, the impact is limited and participants lose interest in collaborating.
And yet, despite these obstacles, I can say with certainty that the CISO Village is a thriving and highly beneficial cyber community. Identifying the patterns that make it work can inform future efforts to create platforms for collaboration.
Building a Community on Three Pillars of Trust
The success of the CISO Village stems from its being built on a solid foundation of trust, established through three main pillars:
Team8’s unique position in the cyber industry. Our team has unparalleled experience in the fight against all forms of cyberthreats, from DDoS to crypto-ransomware, from single attackers to highly-qualified and sponsored APT groups, and across domains – military, public sector, and private sector. Our portfolio of leading cybersecurity companies and access to the top operators in the industry enable us to gather the world’s foremost experts, and create connections and intros that no one else can.
Trust through procedure. The CISO Village is an invite-only community for industry leaders and companies facing significant challenges, who can learn from each other’s experiences. Gatherings and round tables are designed to facilitate the flow of information in a closely-knit environment, with clear guarantees that information stays behind closed doors.
Trust through actionability. The CISO Village is built to address issues as they arise, rather than in a post-mortem after the damage has already been done. This includes a Slack channel that operates based on the Chatham House Rule – share the information you receive, but do not reveal the identity of who said it.
Navigating an Uncertain Future
The challenges of modern cybersecurity have grown more global, more complex, and more interconnected. Defensive efforts need to evolve as well.
As we enter a new era of change, we face a heightened level of cybersecurity risk. The next few years are likely to be characterized by an economic slowdown, deteriorating security conditions in parts of the world, and potential crises related to climate and energy; we are likely to see an increase in cybercrime, new vectors of attack, and more sophisticated bad actors. Now more than ever, cybersecurity leaders need to keep lines of communication open, and to join forces against threats that could cause major global disruption. We hope that the CISO Village will be the community that this industry needs, leading the future of collective defense and collaborative cybersecurity.