Be like a Moomin: How to establish trust between competitors so we can fight cybercrime

Image of a Moomin keychain sitting on a hotel desk.Do you know the Moomins? They’re a tight-knit, happy, collaborative cartoon family. I’d never heard of them until I was lucky enough to spend a few days at the Microsoft offices in Helsinki, Finland.

The Moomin keychain in the photo was a gift from the Finnish CISO. As I did a little research into Moomin lore, I discovered a family of wonderful trolls who work with each other, their friends, and acquaintances to overcome adversity. In the first book, The Moomins and the Great Flood, the Moomins become separated. With the landscape flooded, they are unable to find their village, Moominpappa, until they befriend a stork who offers to help them with a winged ride, giving them an aerial vantage point.

The collaborative problem-solving approach of the Moomins fits right into the overall story of trust I frequently heard during my Finland trip. The country has one of the most trusted police and governments in the world. This may partly be due to the fact that trust in the government has been historically high in Nordic countries. In 2015, Finland was the second least corrupt country according to the Transparency International organization.

In the online world, Finland has one of the fastest internet speeds in the world—running on some of the least malware infected pipes. How are they doing this? With tools, such as the CERT-FI Autoreporter system, which help admins find and respond to breaches faster and empowers admins to take actions to protect their networks. This level of engaged partnership in the overall health of the country’s network is valued. The cybersecurity professionals I spoke with are very focused on maintaining this trust and continue to identify and build opportunities for collaboration between the public and private sectors.

There’s some great learning in there for the international cybersecurity community. It’s no secret that cyber-adversaries are selectively collaborating to help make themselves more effective. Operating in “dark web” exchanges and via encrypted messenger, they share exploits, malcode, and successful attack techniques. But if, as the saying goes, there’s no honor amongst thieves, how has an international collective of attackers figured out a model for collaboration that in some ways rivals the trust and collaboration between organizations and countries?

Arguably, their collaboration use case is substantively different from large multinational corporations and governments. The value of an exploit generally degrades the longer it is in the wild. This means that part of the cybercriminal financial model is highly dependent on the speed of dissemination. If they hold onto an exploit for too long, they risk having a valueless asset. Finding and monetizing a SQL injection vulnerability is a fairly straightforward and rapid activity. This is in high contrast to large organizations doing business around the globe that must spend a significant amount of time planning and executing their business strategies. Not to mention the fact that, by definition, criminals don’t operate under any governmental laws, have any employee protection rules, or pay employee taxes.

On the legal side of cybersecurity, we need to plan for long-term success and adhere to a long list of mandates and regulations. And because we’re not in the business of selling exploits, sharing with others how one company defends against them could be seen as giving away part of a competitive edge. When it comes to governments, the hurdles to collaborative trust can be much higher—especially when some of those governments are in virtual trade wars with each other.

Despite the hurdles, we can move forward with cyber-collaboration—without losing our collective competitive edge—by following these three steps:

  1. Agree on the rules—Who shares what and when? And what’s the quid pro quo? Asymmetric sharing becomes lopsided and abandoned. Also, how will the information be protected and, as needed, anonymized?
  2. Leverage what’s there—ISACs are already up and running, with their own rules. There are also industry consortiums like Cloud Security Alliance (CSA) and vendor associations like the Microsoft Intelligent Security Association.
  3. Enforce the rules—If members of an association don’t play fair, it won’t be long before members who are following the rules feel cheated. Voluntary trust is good, but there needs to be an enforcement mechanism to ensure fairness. Organizations that don’t follow the rules risk getting cut out.

Much like the stork in the story helped the Moomins get an aerial vantage point of the landscape to help find their way to Moominpappa, so too can a collaborative and open sharing approach—subject to the rules, processes, and parameters defined in the steps above—give you a different perspective of the landscape that your business needs to traverse from a security standpoint.

But keep in mind that, in the story, the stork doesn’t do all the work—there’s action required on the part of the Moomins too. They need to find the stork in the first place. In our world, this means a systematic effort to reach out to and engage with information-sharing partners and active cultivation of these relationships. Likewise, knowing how to employ that information is also critical. To this end, threat intelligence tools that enhance visibility and detective controls, such as SIM and IDS, help you understand the current state of your environment to better utilize information you receive from information-sharing partners.

Lastly, the Moomins need to know about their village (Moominpappa) to be able to recognize it from a distance. Even if the stork provides them with a better view, they still need to recognize the village from the air, which anybody who’s been in an airplane can attest isn’t always easy. By analogy, this means that the better security teams understand the “normative” state of their own networks and infrastructure, the better equipped they are to leverage data they learn through sharing and gathered from visibility-enhancing tools.

We’re not living in a cartoon world of Moomins, but that doesn’t mean we can’t take a valuable lesson from them about trust and collaboration.