security information sharing

What is an ISAC?

An ISAC or Information Sharing and Analysis Center is a way for companies and governments to share threats, attacks, and defense tips.

Normally ISACs and ISAOs are meant for industry verticals.

I haven't seen much of any sort of "hobbyist" or "volunteer" ISAC, meant for people who run homelabs, Mastodon servers, etc.

I think one should exist that's specifically providing for the following:

  • Fediverse software
  • formal nonprofits and not-for-profits
  • loose groups of people without nonprofit status
  • Selfhosting

What this would involve:

  • A virtual meeting space
    • something on Matrix, bridged to Discord?
    • voting via Loomio?
  • Documentation
    • best-practice hardening
    • best-practice SIEM/SOAR/AV, etc.
  • Services
    • automated auditing
    • training
    • automated scanning
    • honeypot networks
    • threat intelligence
    • MISP bidirectional threat feed
  • higher tier services
    • human auditors / bulk pricing / pro-bono?
    • shared SOC?
    • pro-bono IR?

Volunteer types:

  • Client sysadmins!
  • Security documentation writers
  • Security news reporters
  • Threat researchers
  • pro-bono auditors? paid auditors?
  • pro-bono SOC? paid SOC?
  • pro-bono IR? paid IR?

For example:

  • port scanning all member boxes
  • IP reporting (via fail2ban) enabled for all members
  • shared rule development
  • shared SIEM resources? (this is probably problematic)

Similar things:

  • IFTAS (fediverse moderator focused) http://about.iftas.org/ - this ISAC would cover more than just fedi
  • AbuseIPDB - this ISAC would include much more than just reporting bad activity: responding to web-wide problems, training, hardening, etc.
  • Bunkerweb, TheHive, MISP (things we might use, but this ISAC isn't just one technology)

Basically an ISAC spans:

  • multiple kinds of software (not just, say, Mastodon)
  • multiple "vendors" (well, in this case, open source security projects)
  • multiple services/roles for/by members

Problems:

  • GDPR, privacy concerns
  • people being wary of security cooperation e.g. with bidirectional threat feeds
  • information sharing might be more limited because vetting might not be the same compared to other ISACs
  • limited time/attention for members

Todo:

  • convey what it is effectively
  • explain how you'd interact with it
  • explain how you get value

What are your thoughts?

message me @risottobias@tech.lgbt!