Games are fun.
Whether you’re playing a board game with your family, or you’re three hours into the most intense online gaming tournament you’ve ever experienced, games are just something we naturally gravitate toward.
Realistically though, as much fun as games are to play, we eventually need to turn off the console, put the board games away, and go to work.
RH-ISAC members know that when they log in to their machine for the day, they will have the opportunity to collaborate with their peers from across the retail, hospitality, and travel sectors, and while collaboration certainly has a measure of enjoyment to it, it’s definitely not a game. Or is it?
Sharing and Collaboration Challenge
Just a few short weeks ago, RH-ISAC members leapt headfirst into Season 3 of the members-only Sharing and Collaboration Challenge.
Here’s How it Works
Members share intelligence with their peers based on what they are seeing in their company environment.
RH-ISAC awards points to those members for sharing with the RH-ISAC community. The more impactful the share, the more points RH-ISAC awards.
RH-ISAC tracks and tallies member shares, providing members with regular updates on standings.
Whomever has the most points at the end of the year wins cool swag and bragging rights!
How Scoring Works
As we all know, not all intelligence sharing holds the same value. So, the RH-ISAC Intel Team put together a handy chart (Figure 1) to explain the depths of context that makes an intelligence share of greater or lesser value to the community as a whole.
While sharing an IoC or hash value is a great first step toward sharing valuable threat intelligence, more context ultimately delivers more value.
Examples (greater value indicated in BOLD)
This IP address, 123.456.789[.]0, is an IoC.
IoC including when and how it was received
The IP address, 123.456.789[.]0, was the source IP address for a phishing email we received. 17 company personnel received the phishing email.
The IP address, 123.456.789[.]0, was the source IP address for a phishing email we received. 17 company personnel received the phishing email. All company personnel who received the phishing email were either in the accounting or purchasing departments.
We assess this to be a spearphishing attack. We base our analysis on the fact that only personnel in the accounting and purchasing departments were targeted, and the fact that we also discovered this IP address had been used in spearphishing campaigns in the past.
Analysis with findings
We submitted an RFI to RH-ISAC to learn if anyone else had seen this IP address in similar activity, and we learned that this IP address had been observed at least 3 other times, all of which were associated with spearphishing.
We also reached out to our email protection provider, who confirmed that their threat intelligence team had also seen this IP address in the past, and they assess with moderate confidence that this IP address, along with the associated spearphishing campaigns can be attributed to APT FIN7.
Member course of action
As a result of this final analysis, we have taken the following steps:
Figure 1. Intelligence Sharing Value Chart
Now we have your attention and you’re ready to share, member can email [email protected] for more information and get ready to share and collaborate for a chance to be RH-ISAC Sharing and Collaboration Challenge champions and earn some awesome swag in the process too.