Co-written with Austin Stubblefield
With cyber threats moving from attacks on private businesses to sweeping strikes on national infrastructure, the federal government is shifting resources and implementing new rules and regulations to address the growing challenge. On May 12, the administration outlined many ways federal agencies should improve their security procedures in an executive order signed by President Joe Biden.
After the SolarWinds hack, the Colonial Pipeline ransomware attack and a series of other high-stakes, high-profile incidents, Biden's executive order laid the groundwork for improving America's cybersecurity protocols. The measures it outlined include:
- Removing barriers to information sharing
- Modernizing cybersecurity standards in government
- Improving software supply chain security
- Establishing a cybersecurity safety review board
- Creating a playbook for cyber incidents
For this blog, we'll focus on removing barriers to information sharing and how that can help prevent cybersecurity incidents and breaches. The order reads as follows:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector.
President Biden’s Executive Order on Improving the Nation’s Cyber Security ensures that IT service providers can share information with government agencies and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be reluctant to share information about their security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole.
As cyber threats become more sophisticated, the need to communicate and collaborate effectively has never been more critical. Sharing threat intelligence can help security teams act quickly and effectively. Unfortunately, most cybersecurity executives are reluctant to share information.
Steps to start sharing threat intelligence
President John F. Kennedy was fond of the saying “the rising tide lifts all the boats.” While he was speaking specifically about the economy, the saying holds just as well for the benefit all organizations see when they share intelligence. Whether your organization is actively sharing intelligence or hasn’t started, here are some tips on how to get started or enhance your sharing strategy:
- Tools and communities – Choose appropriate tools and communities to share threat intelligence. Possible options are:
  - Email, which is the most accessible starting point
  - Writing, publishing and sharing threat bulletins. Anomali ThreatStream provides easy-to-use tools for converting investigations into professional threat bulletins
  - Tools such as Anomali STAXX, a free solution offered by Anomali that supports sharing indicators through STIX and TAXII
  - ISACs and other industry organizations, which generally have mechanisms in place for collaboration and sharing
  - Ad hoc sharing with local entities or partners in other industries
  - Anomali ThreatStream, whose users have an existing and very robust solution for sharing indicators of compromise and other intelligence with other organizations, as well as the ability to create and join industry ISACs and unique sharing communities through Anomali Trusted Circles
- Share and contribute – Observed adversary behaviors, additional context, detected attacks, and details from incident response are all great places to start. Don’t worry if you are unable to share much analysis initially. Once you get used to sharing, your analysis will become easier.
- Share outside your vertical – Look for opportunities to share with organizations outside your industry, including localized entities such as Fusion Centers. Working closely with your legal teams and lawyers to draw up appropriate agreements to facilitate sharing between the entities is highly recommended.
- Share hunting & defense techniques – The more we share, the harder it becomes for the bad guys. Consider sharing:
  - Threat hunting details such as searches, specific log entries, etc.
  - Successful defense techniques or rules such as YARA rules, Snort signatures, Bro rules, and scripts.
- Share breach details – Pushing out breach details quickly could mean the difference between someone else being attacked and that organization being able to act promptly to stop the breach. It could also bring you a lot of assistance, in the form of additional intelligence and quicker answers to incident response challenges, thanks to the additional resources of other organizations.
There are many significant benefits to sharing threat intelligence. There's never been a better time to get started.