Share, Collaborate, Mitigate: TruSTAR Takes Incident Sharing Anonymous
Now you can safely share cyber incident data early in the response process
Information sharing initiatives have consistently been held back by the simple fact that sharing actionable incident data could not be done without some level of legal, market, or reputational risk to companies. Though understandable, this pervasive corporate hesitance to coordinate attack response with others has created a major disadvantage for those playing defense.
Identifying an ongoing attack on a network or finding evidence of a breach is not an insignificant event for a security response team. It triggers a chain of events and decision points that encompass everything from stopping the attack in progress and assessing the impact to informing senior executives and legal counsel of the potential damage. Companies are understandably hesitant to disclose any information about an incident externally until they fully understand their own exposure and legal responsibilities. Even when companies decide to share the incident information, either to request remediation assistance or to help warn peers, it is often very late in the response process. Unfortunately, though well-intentioned, this often means that any coordination comes too late to be meaningful in their own remediation efforts, and any intelligence shared arrives too slowly to prevent others from being victimized as well.
TruSTAR directly meets this challenge by providing a new incident-sharing infrastructure to make collaborative cyber intelligence practical, effective, and, as we will focus on in this post, unattributable.
TruSTAR’s distinctive advantage is that its members can rapidly share incident reports with complete anonymity, even to us. No attributable information is sent during an incident report submission — it all stays in the member’s environment. This is accomplished by using private encryption keys that are generated and maintained by the client-side application so that only the client can decrypt attributable data fields.
TruSTAR also makes submission as easy as possible and reduces the likelihood of human error by automating attributable-data term removal through use of a template that can be applied to any report format the member already uses, including STIX-formatted and unformatted text incident reports. The TruSTAR template captures items like company name, facility names and aliases, IP ranges, telephone number ranges, product names and aliases, personnel names, email domains, and any other terms the member cares to incorporate into the template. This template is then used to automate removal of those terms from any report before it is submitted to TruSTAR. Our system also allows for human review prior to submission as an additional safeguard.
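As an added illustration of template-driven term removal (this is not TruSTAR's code; the template field names, placeholder strings and sample report are assumptions constructed here), the sketch below redacts a member's own terms, IP ranges and email domains from a free-text report while leaving external indicators intact, and returns the findings for human review:

```python
import ipaddress
import re

# Constructed template; field names are assumptions, not TruSTAR's schema.
TEMPLATE = {
    "terms": ["Acme Corp", "Acme", "Springfield Plant", "Jane Doe"],
    "ip_ranges": ["203.0.113.0/24", "10.0.0.0/8"],
    "email_domains": ["acme.example"],
}
# Constructed sample report (documentation addresses and .example names).
SAMPLE = (
    "Acme Corp SOC: host mail01.acme.example (10.20.30.40) beaconed to 198.51.100.7. "
    "Reported by Jane Doe <jane.doe@acme.example>. Egress via 203.0.113.15."
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def redact(report, template):
    """Return (redacted_text, findings); findings support review before submission."""
    findings = []
    networks = [ipaddress.ip_network(r) for r in template["ip_ranges"]]

    def note(kind, value, placeholder):
        findings.append((kind, value))
        return placeholder

    # 1. Mail addresses and hostnames under the member's own domains.
    for domain in template["email_domains"]:
        pat = re.compile(r"(?<![\w.-])(?:[\w.+-]+@)?(?:[\w-]+\.)*"
                         + re.escape(domain) + r"\b", re.I)
        report = pat.sub(lambda m: note("domain", m.group(0), "[REDACTED-DOMAIN]"), report)

    # 2. IPs: redact only those inside member ranges; external indicators stay.
    def ip_sub(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # looks like an IP but is not one, e.g. 999.1.1.1
        if any(addr in net for net in networks):
            return note("ip", m.group(0), "[REDACTED-IP]")
        return m.group(0)
    report = IPV4_RE.sub(ip_sub, report)

    # 3. Free-text terms, longest first so "Acme Corp" is matched before "Acme".
    for term in sorted(template["terms"], key=len, reverse=True):
        pat = re.compile(r"\b" + re.escape(term) + r"\b", re.I)
        report = pat.sub(lambda m: note("term", m.group(0), "[REDACTED-TERM]"), report)
    return report, findings
```

Calling `redact(SAMPLE, TEMPLATE)` keeps the external address `198.51.100.7` in the output and lists every removed value in `findings`, which never needs to leave the member's environment.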
Finally, TruSTAR’s patent-pending submission authentication protocol ensures that only authorized users can submit incident data, and it does so without the TruSTAR system knowing the submitter’s identity.
In this way, TruSTAR eliminates the need for a third party to scrub and store identifying information, thus greatly reducing the risk of human error or data compromise. Further, because TruSTAR automates much of the anonymization process and allows companies to use report formats they are already using, it enables companies to share data rapidly without creating additional administrative burdens for their security teams.
What does this all mean? Quite simply, TruSTAR members face less corporate resistance to incident sharing because the data they share is unattributable. This allows them to share data very early in the response process, enabling them to both leverage external expertise in their own remediation efforts and provide early warning to help other organizations lower their own exposure. In this way, incident sharing becomes an essential part of the effort to tackle ongoing cyber events and not a reactive, one-directional report after the threat has been resolved.
Of course, sharing information anonymously and rapidly is only part of the equation. Next up, we’ll talk about how TruSTAR helps make information sharing more actionable…
-Posted by Chris Roblee, Director of Engineering.