Be like a Moomin: How to establish trust between competitors so we can fight cybercrime
Do you know the Moomins? They’re a tight-knit, happy, collaborative cartoon family. I’d never heard of them until I was lucky enough to spend a few days at the Microsoft offices in Helsinki, Finland.
The Moomin keychain in the photo was a gift from the Finnish CISO. As I did a little research into Moomin lore, I discovered a family of wonderful trolls who work with each other, their friends, and acquaintances to overcome adversity. In the first book, The Moomins and the Great Flood, the Moomins become separated. With the landscape flooded, they are unable to find their village, Moominpappa, until they befriend a stork who offers to help them with a winged ride, giving them an aerial vantage point.
The collaborative problem-solving approach of the Moomins fits right into the overall story of trust I frequently heard during my Finland trip. The country has one of the most trusted police and governments in the world. This may partly be due to the fact that trust in the government has been historically high inNordic countries. In 2015, Finland was the second least corrupt country according to theTransparency International organization.
In the online world, Finland has one of thefastest internet speeds in the worldrunningonsome of theleast malware infected pipes. How are they doing this? With tools, such as theCERT-FI Autoreporter system, which help admins find and respond to breaches faster and empowers admins to take actions to protect their networks. This level of engaged partnership in the overall health of the country’s network is valued. The cybersecurity professionals I spoke with are very focused on maintaining this trust and continue toidentifyand buildopportunities for collaboration between the public and private sectors.
Theres some great learning in there for the international cybersecurity community. Its no secret that cyber-adversaries are selectively collaborating to help make themselves more effective. Operating in dark web exchanges and via encrypted messenger, they share exploits, malcode, and successful attack techniques. But if, as the saying goes, theres no honor amongst thieves, how has an international collective of attackers figured out a model for collaboration that in some ways rivals the trust and collaboration between organizations and countries?
Arguably, their collaboration use case is substantively different from large multinational corporations and governments. The value of an exploit generally degrades the longer it is in the wild. This means that part of the cybercriminal financial model is highly dependent on the speed of dissemination. If they hold onto an exploit for too long, they risk having a valueless asset. Finding and monetizing a SQL injection vulnerability is a fairly straightforward and rapid activity. This is in high contrast to large organizations doing business around the globe that must spend a significant amount of time planning and executing their business strategies. Not to mention the fact that, by definition, criminals dont operate under any governmental laws, have any employee protection rules, or pay employee taxes.
On the legal side of cybersecurity, we need to plan for long-term success and adhere to a long list of mandates and regulations. And because were not in the business of selling exploits, sharing with others how one company defends against them could be seen as giving away part of a competitive edge. When it comes to governments, the hurdles to collaborative trust can be much higherespecially when some of those governments are in virtual trade wars with each other.
Despite the hurdles, we can move forward with cyber-collaborationwithout losing our collective competitive edgeby following these three steps:
- Agree on the rulesWho shares what and when? And whats the quid pro quo? Asymmetric sharing becomes lopsided and abandoned. Also, how will the information be protected and, as needed, anonymized?
- Leverage whats thereISACs are already up and running, with their own rules. There are also industry consortiums like Cloud Security Alliance (CSA) and vendor associations like the Microsoft Intelligent Security Association.
- Enforce the rulesIf members of an association dont play fair, it wont be long before members who are following the rules feel cheated. Voluntary trust is good, but there needs to be an enforcement mechanism to ensure fairness. Organizations that dont follow the rules risk getting cut out.
Much like the stork in the story helped the Moomins get an aerial vantage point of the landscape to help find their way to Moominpappa, so too can a collaborative and open sharing approachsubject to the rules, processes, and parameters defined in the steps abovegive you a different perspective of the landscape that your business needs to traverse from a security standpoint.
But keep in mind that, in the story, the stork doesnt do all the worktheres action required on the part of the Moomins too. They need to find the stork in the first place. In our world, this means a systematic effort to reach out to and engage with information-sharing partners and active cultivation of these relationships. Likewise, knowing how to employ that information is also critical. To this end, threat intelligence tools that enhance visibility and detective controls, such as SIM and IDS, help you understand the current state of your environment to better utilize information you receive from information-sharing partners.
Lastly, the Moomins need to know about their village (Moominpappa) to be able to recognize it from a distance. Even if the stork provides them with a better view, they still need to recognize the village from the air, which anybody whos been in an airplane can attest isnt always easy. By analogy, this means that the better security teams understand the normative state of their own networks and infrastructure, the better equipped they are to leverage data they learn through sharing and gathered from visibility-enhancing tools.
Were not living in a cartoon world of Moomins, but that doesnt mean we cant take a valuable lesson from them about trust and collaboration.