More sharing, less shame: CompTIA ISAO wants to change the standard response to ransomware attacks

by Veronica Combs in Security on July 9, 2021

The information sharing organization helps companies deal with security threats and supports more collaboration overall.

Ransomware attacks are not going to stop any time soon and bad actors refine their attack techniques with every new breach. In addition to following best practices for securing networks and data, industry leaders and businesses of all sizes should prioritize information sharing.

MJ Shoer, senior vice president and executive director of the CompTIA ISAO, said the Kaseya attack was inevitable but it could have been considerably worse. A 2021 CompTIA survey found that 62% of MSPs were very concerned and 30% somewhat concerned about being targeted with cyberattacks.

"This attack underscores the point that we need to come together if we're going to gain the upper hand," he said.

Shoer said the tech industry needs to follow the information sharing example set by bad actors.

"Hackers do a phenomenal job sharing information— they tell each other what works, what doesn't," he said. "They're great at it, we need to be better than great."

Shoer said he wants the industry to erase the stigma associated with cyberattacks.

"That natural reaction to shame companies who get breached isn't helping," he said. "If we get enough organizations sharing what they're seeing, it gives all of us a chance to get the bad guys to back off."

John Collins, a senior analyst at Gartner for SecOps, SIEM, security services, threat intel and incident response, said that he has not seen empirical evidence suggesting increased threat intelligence sharing between security vendors, end user organizations and government. He has noticed more interest in threat intelligence sources and platforms.

"I have observed an increase from historically less security mature organizations who are looking for purpose-built tools for aggregating, curating, managing and operationalizing threat intelligence," he said. "Even TIP vendors are marketing their integration with MISP to allow for a wider range of sharing capability."

The CompTIA ISAO works with public and private cybersecurity agencies and organizations to help its members raise the cybersecurity awareness of the global tech industry. The community of nearly 1,176 member companies shares best practices, cyber threat intelligence and educational content. In addition to cybersecurity intelligence data, CompTIA ISAO members receive full access to all other CompTIA corporate member benefits.

"We all hope that it will prevent an attack but more often than not it helps address an attack or vulnerability or recover and remediate at issue," Shoer said.

Collins said that issues related to the consumption and management of TI are more important than general information sharing.

"I believe the industry needs to have some introspection on the quality of intelligence vs sharing data for the sake having a feed and claiming #tisharing," he said. "I have regular conversations with security leaders asking for better ways to consume and manage the intel they are getting because they are overwhelmed with data, have lots of false positives and are managing the indicators in a spreadsheet."

Collins said that companies and governments should look for ways to declassify or anonymize information to share important threats without putting national security at risk or revealing sensitive data.

"For example, no one outside of your organization needs or cares about an internal user name or machine name that is part of a file path, and you don't want to violate any privacy laws by exposing it," he said. "The vast majority of attacks are commodity in nature and a very small percentage are associated with sophisticated attacks carried out by a group targeting an organization."

Shoer said that he knows of only one CompTIA ISAO member that was hit by the attack, although a few members shut down their systems, as Kaseya recommended.

In addition to monitoring the threat landscape to warn members of potential problems, the ISAO also documents attacks so that members can learn from them.

As helpful as information sharing can be, exposing indicators or TTPs of an active attack can create more problems for other organizations dealing with the same adversary. Collins said it's a classic catch-22 situation.

"I know SecOps operators who were burned by security companies releasing indicators to the public and the adversary in their environment turned into a ghost," he said. "To get more out of the adversary you sometimes need to let them 'live' in an environment for a bit longer, yet they may be exfiltrating data from another company and their defenders or provider needs the intel to identify it and stop it."

This is where tools like MISP and threat intelligence platforms can present a method for sharing intel and often use a system similar to traffic light protocol, Collins said. This approach allows companies to choose what to share and who to share it with.
Plan, practice and prepare

Shoer said he sees a need for more table-top exercises so that companies can spot potential weak spots and formulate a response plan.

"Part of the challenge is taking the time to have these plans in place and then testing them regularly," he said.

This planning should include a priority list for restoring services after an attack has been resolved.

"Companies should think about how to prioritize restoration, by company size, industry, or public impact?" he said. "Companies should be playing these scenarios out and validating plans and looking for the gaps."

Shoer also said he sees more interest in keeping certain types of data in an air-gapped storage format to avoid the risk of a ransomware attack taking down backups along with live systems.

"Having those backups away from targeted networks is really important, including things that people may not be thinking of, such as bank statements and cyber liability insurance policies," he said. "Bad actors get into a network, sniff out this stuff and then set the ransomware amount based on your bank balance."

CompTIA's Cybersecurity Advisory Council provides educational materials and tools to help small business owners understand the risk of ransomware.

CompTIA launched the ISAO in August 2020 to "serve as the focal point for dealing with cyber-threats to technology vendors, MSPs, solution providers, integrators, distributors and business technology consultants." The organization's origins are in an ISAO started by tech entrepreneur Arnie Bellini in August 2019 as part of ConnectWise, the business automation software company he co-founded. Bellini transferred management and operations of the organization to CompTIA in early 2020.