In September 2020, Nominet released the results of its survey of government digital security professionals based in the United States, the United Kingdom and the Middle East. More than four-fifths (81%) of those respondents told Nominet that they felt collaboration with the private sector could help their employers keep pace with digital threats. Additionally, 99% said they believed they could learn about innovation from working with private companies. At Cisco, we agree that public-private partnerships can help to improve cyber threat response for everyone involved. That’s why we decided to begin working with the Arizona Cyber Threat Response Alliance (ACTRA).
ACTRA is giving new meaning to collaboration as a cornerstone of digital security—not only in Arizona but in the United States more broadly. To get a better idea of how ACTRA is redefining cyber threat response, I decided to sit down and chat with Frank J. Grimmelmann, president & CEO of ACTRA. Here’s what he had to say.
Q: Why did you decide to create ACTRA? What’s its mission?
I founded ACTRA in January 2013 after having completed four years as president of the InfraGard program in Arizona. What I saw was that the cyber threat response time was too little, too late. That was the comment of the agencies as well as the organizations involved.
What ACTRA is meant to do is take cyber threat response to the next level. The organization’s goal is to be wholly independent but to keep its members closely affiliated so that those individuals who have information on potential digital threats can determine with whom they wish to share it. If they own the information, they need to make the call. Members can then operationalize the threat intelligence directly into their defense systems.
One major objective we all have in information security is protecting our assets. That is something that ACTRA enables directly. And then through our collaborative sharing, we are able to neutralize the threat at the source. “Offensive defense” is what we call it.
Q: How does that information sharing process work exactly?
It all takes place within our Threat Unit Fellow (TUF) Program. Members can conduct information sharing by policy or exception across their teams, and it is controlled by the person sharing it. They can say it stops with the person that it’s given to. It can be used on a need-to-know basis by staff. It can be used broadly across the corporation, or you can share it with anybody you choose to.
They control that when they originally share the information by putting what’s called a traffic light protocol (TLP) level on it. TLP:RED means it stops with the person receiving it. TLP:AMBER means it’s shared more broadly in the organization with those on a need-to-know basis. One that would be shared across the total organization is TLP:GREEN. That includes ransomware, where your employees need to know what to be on the lookout for with regard to phishing campaigns and other attack vectors.
ACTRA operates horizontally in that we take direct feeds, for example, from government Information Sharing and Analysis Corporations (ISACs), MS-ISAC and multi-state ISACs. Our objective is to keep an eye out for things we might see emerging in government or financial services, for example, that could be equally applicable to other sectors. We focus on which tactics, techniques and procedures are in use. How do those translate to the ability to take a blocking move in the short run? From that information sharing, we allow ourselves and others to connect the dots to neutralize the threat at the source.
Q: What does ACTRA’s membership look like?
Our membership structure goes across all 16 critical sectors defined by the U.S. Department of Homeland Security Cybersecurity and Information Security Agency—or CISA, as we call it now. We operate that totally voluntarily. So, we don’t need staff involved. We have a global watch center. We tie that into handlers who are the go-to people. And we have threat intelligence analysts who work together across all the sectors.
Currently, we have about 81 people who are trained. All of them are volunteers and have day jobs. Think of them as members of a militia. What they are doing is they are wearing an ACTRA hat. In fact, when we deal with the agencies, they carry a moniker. So, it doesn’t associate them with their organization. It associates them with being part of ACTRA’s response team. Our hope is to continue to expand our membership over time.
Q: Can you provide some examples of this information sharing in practice?
A good example was a recent ransomware attack. After the first member got hit, a security advisory went out a week later. Another member got hit, but by that time, one of the members had written an algorithm to reverse the encryption. So, without having to go to backups or anything, everyone could actually restore their environments by running the scripts.
Another example happened a few years ago when it was purported that the State of Arizona had come under attack and there had been a compromise of two legislative machines within the State. The incident was on Friday night; news of the attack came out on Saturday afternoon; on Sunday morning at 4:00 AM, I had multiple private sector companies step up and express their willingness to work and to provide resources, including manpower, to assist the State in its recovery.
Q: And who’s sharing this information?
Both at a strategic and a policy level, we are generally dealing with CSOs, CISOs and CIOs. We sometimes have CFOs; they tend to be involved and are very concerned with asset protection. But we are also operationally interfacing with and training people who are at the incident response level, the technical level. That’s where the rubber hits the road in terms of giving them something that they can essentially become proactive with instead of reactive.
Our training falls under the umbrella of the ACTRA Cybersecurity Academy. This initiative has a 200-hour program that’s free to member organizations. Ultimately, we embed the people whom we train back into their organizations, and then they operate as a virtual SME response team when incidents occur. They help to put out advisories and/or assist one another as a network.
In our Cybersecurity Academy, we have people who range in age from just out of school with a couple of years of experience to people who have 30+ years in the industry. All of them are learning together and making the community stronger because of it.
Q: How does that focus on training support your other goals?
There are three pillars that we are built on. Number one is culture. In other words, that collaborative environment. Without that, none of the rest of it would work.
Number two is technology. We’re dealing with information and threats at the speed of light. We have to operationalize that. So, it becomes people, process and technology all working together to be able to deliver a response that is as near to real time as you can get.
The third area is workforce development. Again, if you are bringing all of this new technology into the stack but don’t have people trained to utilize the understanding and interrelationships, your bigger footprint of that technology really becomes a bigger attack surface.
These three pillars are reflected in the design of our logo. There are three stars. That’s what those represent, the three pillars of the foundation that allow ACTRA to succeed. You can’t do it with only one of the three. If all we had was culture and everybody sat around sharing information, there’s no value. Same with technology. If you have that but you don’t have process around that and people aren’t trained, there’s no value. And then the third is the people themselves, because we have a shortage in the industry, and we need skilled personnel.
Q: How can people learn more about ACTRA?