1. Could you please introduce yourself and provide an overview of your role as a chief information security officer (CISO)?
I am the Chief Security Officer at the Atos Group, with over 30 years of experience in the industry. My role entails a wide range of responsibilities, including IT security, physical security and safety. The security function is an independent support function within the organization, that reports to a member of the executive committee. My primary objective is to protect Atos and its clients from any threat.
2. In your experience, why are organizations reluctant to share insights about the cyberattacks they have faced?
It is true that companies have been reluctant to share their insights about cyber incidents they have faced because of the potential risks posed to their image and reputation. But things evolve. What was once an environment with minimal sharing or limited information exchange has gradually transformed into one that is more collaborative and transparent. Communication surrounding incidents can be divided into three categories:
- Internal communication: Provides detailed information to explain what occurred but is restricted to a limited audience.
- External communication: Though things are progressing, it becomes extremely challenging to share this information effectively.
- Communication with national authorities and regulatory bodies: This will become the norm with new laws and regulations incoming. The obligation to report incidents to these authorities will facilitate a smoother exchange of return on experience (REX).
The importance of external communication should and will increase as cyberattacks become more frequent. It is widely acknowledged that no one is ever completely safe from advanced cyberattacks. Consequently, REX is seen as a way of raising awareness, especially regarding best practices. A crisis communication plan for cyber incidents is one of them, and it makes sharing REX simple.
3. What are some common concerns that companies have about sharing their experiences with cyberattacks? How do these concerns impact their decision-making process?
I think all companies face the same level of difficulty when it comes to sharing information about cyberattacks with the public, especially with clients. A common concern is finding the right balance between sharing too much and not enough information.
That is why it is essential to involve the communication team in the incident handling process and cyber crisis management planning phase. This would allow them to understand the cyber incident and its context, and enable them to communicate effectively with the impacted clients. Besides, these plans work best when they are complemented by crisis simulation exercises and preparation. When an incident occurs, the plan allows us to remain calm and lower the probability and/or impact of biased decisions.
Another common concern is the risk that disinformation poses during incidents. At Atos, we have experienced it. Once, we had to communicate externally to deny a rumor that falsely claimed that our organization had been impacted by ransomware. Disinformation can take many different forms and embrace various objectives, while aiming at destabilizing the organization.
4. From a legal and ethical standpoint, what should organizations consider while sharing their experiences with cyberattacks?
We must share the right information. And the challenge lies in the fact that when an incident occurs, more often than not we only have fragments of information. When a ransom group declares that they have attacked a company and successfully stolen data, we must check, investigate, and evaluate if sensitive elements have been compromised. The personnel involved in crisis management will then decide whether to communicate, when to communicate and what to share. This process can be simplified by using templates inspired by the best practices in crisis communication.
From a legal standpoint, the obligation to communicate with national authorities about cyber security incidents will become the norm (e.g., with NIS2 in Europe). Atos has proactively decided to always communicate incidents to the French National Cyber Security Center through a weekly report. It is essential to maintain a high reactivity level when sharing this information with authorities, as they might spot an emerging threat thanks to similar incident reports from other companies.
5. In your opinion, why is it important for organizations to share threat intelligence and REX regarding cyberattacks? What are the potential benefits of sharing such information?
At the group level, we have established a comprehensive threat intelligence system that focuses on vulnerabilities, attack techniques, industry-specific attacks, large scale attacks and so on. It allows us to be aware of an attack if we have implemented the right detection and protection measures and have updated our security protocols.
We also keep a close eye on the broader ecosystem, actively monitoring emerging threats and attack scenarios that affect other companies. This proactive approach means that we are not only watching for vulnerabilities or threats that could impact our assets, such as a vulnerability on a component of one of our applications for example, but also continuously enhancing our defense mechanisms by maintaining an up-to-date understanding of the threat landscape. In this context, processing and sharing information is key.
6. In which ways can sharing threat intelligence enhance an organization’s detection and response capabilities?
We recently saw the MOVEit file transfer 0-day vulnerability, followed by a few other zero-days on other file transfer solutions. We paid close attention as we, as well as our providers, might be using such a solution. The criticality lies in the fact that when such a vulnerability is disclosed and no patch is available, we are all exposed. So, we must quickly update our alert and detection systems.
It is worth noting that the information shared in the context of threat intelligence can be difficult to analyze and comprehend. It is, therefore, necessary to obtain comprehensive information to make the most of it. In this regard, the role of cyber experts is essential. Beyond the threat bulletins and the intelligence tools, human understanding remains critical.
7. Could you share specific instances where sharing threat intelligence has directly helped an organization mitigate or prevent cyberattacks?
In the case of the MOVEit Transfer 0-day vulnerability, information sharing allowed us to take the edge off an attack. As many companies employ file transfer software, this case is fairly representative. The potential impact of such vulnerabilities extends beyond individual systems, affecting the internal and external IT systems. Similarly, phishing emails pose a significant threat as they grant attackers the opportunity to perform reconnaissance and execute lateral movements. Furthermore, the emergence of new attack vectors, whether originating from human vulnerabilities or technological aspects like MFA fatigue, demands attention.
Knowing that these types of attack exist, actively sharing information will help mitigate the risks better. I believe that managed security service providers (MSSPs) and managed service providers (MSPs) have a key role to play here. By sharing REX without disclosing client identities, they can help other companies to protect themselves and raise awareness around new threats.
8. What steps can organizations take to ensure that they share threat intelligence securely and responsibly, without compromising sensitive information?
The traffic light protocol (TLP) is a standardized system for classifying and handling sensitive information. It enables you to protect sensitive data and ensures that information is only shared with those with a need to know. The TLP classification consists of four colors: RED, AMBER, GREEN and WHITE (or CLEAR).
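As an added illustration of the TLP handling described above (not code from Atos or from the interview), the following script gates an outgoing REX bulletin by its TLP marking. The audience sets follow FIRST's TLP 2.0 definitions, including the AMBER+STRICT variant and the renaming of WHITE to CLEAR, which the interview does not spell out; the recipient categories, addresses and sample report are constructed for the example.

```python
"""TLP-gated distribution check for an outgoing threat-intel report."""
import re

# Who may receive a report carrying each label (TLP 2.0 as published by FIRST).
# An audience missing from a label's set must not receive the report.
# WHITE is the legacy name for CLEAR and is normalised in parse_tlp().
TLP_AUDIENCE = {
    "RED":          {"named_recipient"},
    "AMBER+STRICT": {"named_recipient", "own_org"},
    "AMBER":        {"named_recipient", "own_org", "client"},
    "GREEN":        {"named_recipient", "own_org", "client", "community"},
    "CLEAR":        {"named_recipient", "own_org", "client", "community", "public"},
}
# AMBER+STRICT is listed before AMBER so the longer marking wins.
_MARKING = re.compile(r"TLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)\b", re.I)


def parse_tlp(text):
    """Return the normalised TLP label found in `text`, or None if absent."""
    m = _MARKING.search(text)
    if not m:
        return None
    label = m.group(1).upper()
    return "CLEAR" if label == "WHITE" else label


def allowed_recipients(report, recipients):
    """Keep only the recipients ({name: audience}) the marking permits.

    Fails closed: a report with no recognised TLP marking goes to nobody,
    which is the safe default for a need-to-know scheme."""
    label = parse_tlp(report)
    if label is None:
        return []
    audiences = TLP_AUDIENCE[label]
    return sorted(name for name, aud in recipients.items() if aud in audiences)


# Constructed sample: one bulletin and a mixed distribution list (hypothetical).
SAMPLE_REPORT = "TLP:AMBER - REX: file-transfer 0-day, detection rules attached"
SAMPLE_RECIPIENTS = {
    "soc@example-org.test": "own_org",
    "ciso@client-a.test": "client",
    "ciso-circle@example-community.test": "community",
    "press@example-org.test": "public",
}

if __name__ == "__main__":
    # AMBER reaches our own organisation and clients, not the community or public.
    print(allowed_recipients(SAMPLE_REPORT, SAMPLE_RECIPIENTS))
```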
9. Are there any initiatives or platforms that facilitate secured sharing of threat intelligence among organizations?
Yes, both at the European and national levels. At the European Cyber Security Organization (ECSO), I’m an ambassador of the European CISO user group. We have a private exchange group including several European CISOs. Some of them shared REX on previous attacks they had overcome.
At the national level in France, the CESIN serves as a platform for CISOs to share experiences and insights with other CISOs. Sharing REX also happens during one-to-one discussions between CISOs. And I believe that this trend will continue and intensify in the future. It is crucial to note that information sharing encompasses not only past attack experiences but also the indicators of compromise (IoCs).
Furthermore, there are some discussions on sharing information between the public and private sectors, between the national security centers, and between the public, private actors and the cyber security agencies. These discussions become essential in advancing towards the level of attackers, who already share a lot of information among themselves, especially since they are anonymous. In addition, there are some initiatives put in place at the industry level.
10. Finally, what advice would you give to organizations that are hesitant about sharing their experiences and threat intelligence?
- Prepare – It is easier to share information about an incident when we are handling it safely and calmly. Crisis management and communication plans, along with crisis simulation exercises, are essential for remaining confident about what to share, when to share, and with whom.
- Network – All CISOs must actively connect with their peers and remain open to what is happening in the ecosystem. It is easier to seek support or learn from those who face the same functional challenges, or those who have experienced similar incidents in the past.
- Get the right people – As said earlier, humans remain essential in understanding a threat. We must recruit talent to develop our capabilities in threat intelligence. Having a threat intelligence team in-house or outsourced to an MSSP will give you the independence and reactivity to effectively protect yourself and your clients.
About the author
Paul is Group Chief Security Officer at Atos.
After a 27-year career at Atos, specializing in security since 2000, Paul now leads the Group’s security strategy. His responsibilities include defining the Atos Group’s security strategy, monitoring security transformation plans and managing Atos’ global community of security leaders around the world.