Hacker News new | ask | show | jobs
by 21echoes 3835 days ago
https://en.wikipedia.org/wiki/Cybersecurity_Information_Shar...

This passed along with the budget bill at the end of last week. It establishes a system whereby the US defense department shares with corporations their signals for detecting state-sponsored attacks, and companies are allowed to opt in to sharing anonymized attack information with the DoD
2 comments
netik 3835 days ago
CISA is a terrible bill and not a solution to this problem. Security teams have been able to manage this data on their own for years without government intervention.

There have always been other methods for determining if an attacker is state sponsored. One example: Seeing your account, and a number of dissident or activists being attacked from a block of IPs or similar password attempts, probably means the attack is state sponsored.

That being said, in security, attribution is a very hard problem, and the methods used to determine state sponsored attacks are also quite hard to design.

There's a reason why companies won't elaborate on how they do this, but it is usually a combination of login/account intelligence and threat feeds.

link
at-fates-hands 3835 days ago
>> Seeing your account, and a number of dissident or activists being attacked from a block of IPs or similar password attempts, probably means the attack is state sponsored.

Used to work at a fairly large global corporation. One day I was chatting up one of the senior sys admins. He was talking about the incredible traffic that bombards their server everyday. I was pretty naive back then and said, "Cmon man, it can't be that much!"

He opened his terminal and ran a simple monitoring tool, then opened one another terminal. In one was the constant traffic to several of their applications that were from a specific block of IP addresses he thought he had traced back to China. The other window was a running queue of mistyped password attempts. It was like clockwork. They'd try three, get kicked out of the system, then in an instant, you'd see a flurry of new IP addresses from the same block, then some more attempts to guess the password. Kicked out, rinse, repeat.

In the span of five minutes, I must have seen two dozen failed attempts to try and do a dictionary password attack on their login page. He guessed it was some kind of a bot that was running the tests considering how mechanical and orderly the attacks were.

It really opened my eyes as to how often and how many businesses these governments go after for intellectual property.

link
21echoes 3835 days ago
didn't say i agreed with it, just pointed out a likely reason why such a narrowly specific threat notification tool would be launched now.
link
jlgaddis 3835 days ago
I have long suspected that the overwhelming majority of any "sharing" that takes place will be one-sided, from corporations to government.

In previous jobs, I've been involved with various ISACs and while there was some sharing of information from the government, it was often "watered down", vague, and mostly unactionable.

link