Games are fun. 

Whether you’re playing a board game with your family, or you’re three hours into the most intense online gaming tournament you’ve ever experienced, games are just something we naturally gravitate toward. 

Realistically though, as much fun as games are to play, we eventually need to turn off the console, put the board games away, and go to work. 

RH-ISAC members know that when they log in to their machine for the day, they will have the opportunity to collaborate with their peers from across the retail, hospitality, and travel sectors, and while collaboration certainly has a measure of enjoyment to it, it’s definitely not a game. Or is it? 

Sharing and Collaboration Challenge

Just a few short weeks ago, RH-ISAC members leapt headfirst into Season 3 of the members-only Sharing and Collaboration Challenge. 

Here’s How it Works 

Members share intelligence with their peers based on what they are seeing in their company environment. 

RH-ISAC awards points to those members for sharing with the RH-ISAC community. The more impactful the share, the more points RH-ISAC awards. 

RH-ISAC tracks and tallies member shares, providing members with regular updates on standings. 

Whoever has the most points at the end of the year wins cool swag and bragging rights!

How Scoring Works 

As we all know, not all intelligence sharing holds the same value. So, the RH-ISAC Intel Team put together a handy chart (Figure 1) to explain the depths of context that make an intelligence share of greater or lesser value to the community as a whole.

While sharing an IoC or hash value is a great first step toward sharing valuable threat intelligence, more context ultimately delivers more value. 

| Depth Level | Explanation | Examples (greater value indicated in BOLD) |
| --- | --- | --- |
| 1 | IoC | This IP address, 123.456.789[.]0, is an IoC. |
| 2 | IoC including when and how it was received | The IP address, 123.456.789[.]0, was the source IP address for a phishing email we received. 17 company personnel received the phishing email. |
| 3 | Additional context | The IP address, 123.456.789[.]0, was the source IP address for a phishing email we received. 17 company personnel received the phishing email. All company personnel who received the phishing email were either in the accounting or purchasing departments. |
| 4 | Initial assessment | We assess this to be a spearphishing attack. We base our analysis on the fact that only personnel in the accounting and purchasing departments were targeted, and the fact that we also discovered this IP address had been used in spearphishing campaigns in the past. |
| 5 | Analysis with findings | We submitted an RFI to RH-ISAC to learn if anyone else had seen this IP address in similar activity, and we learned that this IP address had been observed at least 3 other times, all of which were associated with spearphishing. |
| 6 | Attribution | We also reached out to our email protection provider, who confirmed that their threat intelligence team had also seen this IP address in the past, and they assess with moderate confidence that this IP address, along with the associated spearphishing campaigns, can be attributed to APT FIN7. |
| 7 | Member course of action | As a result of this final analysis, we have taken the following steps:<br>• Blocked IP address, 123.456.789[.]0.<br>• Shared our full analysis with RH-ISAC Core Members.<br>• Shared our findings and analysis in the RH-ISAC Slack Member workspace.<br>• Included screenshots from the spearphishing campaign and added those into security awareness training materials for our organization.<br>• Scheduled phishing awareness training for our entire organization.<br>• Reached out to RH-ISAC to learn if there is a working group that would benefit from our observations and analysis that one of our analysts could join. |

Figure 1. Intelligence Sharing Value Chart 

Now that we have your attention and you’re ready to share, members can email IntelTeam@rhisac.org for more information. Get ready to share and collaborate for a chance to be RH-ISAC Sharing and Collaboration Challenge champions, and earn some awesome swag in the process too.
