Age of Threat Intelligence Sharing
Given the range and sophistication of threat actors, combined with digital transformation and the proliferation of remote devices forming a growing potential attack surface, sharing threat intelligence has become vital. Not to mention, Threat Intelligence Sharing was a key component listed in President Biden’s Executive Order on cybersecurity.
A company can no longer operate in a silo when cyber adversaries leverage a full range of tactics across multiple industries. Having a broader picture of these actors and their motivations requires sharing threat intelligence that reduces duplication of effort and response time.
Intel Sharing Balancing Act
While there are justifiable concerns with sharing threat intel, the benefits to be gained by smartly sharing are compelling enough to navigate legal and security issues.
The goal of any cybersecurity program should be to detect potential indicators of compromise (IoCs) as rapidly as possible and perform mitigation before they reach the edges of the network. To quickly detect changes in the cybersecurity landscape, a wide scope of visibility is needed. When a company is actively engaged in sharing threat intel, the relevant information is passed quickly and more well-informed decisions can be made. In addition, analyses for internal stakeholders and intel consumers can be more insightful, relevant, and actionable.
Privacy and liability are issues that need to be addressed. Data should be scrubbed for private information or sensitive corporate information before sharing and this should be set up ahead of time for any type of automated data transfer. Legal guidelines such as CISA or EU GDPR can help conform to regulations.
Preparing for Information Sharing
According to a guide published by NIST, preparation for a sharing program should include the following:
- Define the goals and objectives of information sharing
- Identify internal sources of threat information
- Define the scope of information sharing activities
- Establish information sharing rules
- Join a sharing community
- Plan to provide ongoing support for information sharing activities
Starting small will help expand sharing in a safe and relevant manner. Learning to optimize the type of data, how to share it, and with whom to share it helps to create an efficient and cost-effective program.
Gaining C-level and management support is essential to obtaining the necessary tools and cooperation that is needed. A cost/benefit analysis will help to convince management that the risks of sharing can be minimized and the upside will not only make the company safer but also save costs. Sharing intel may not only save a company from an expensive breach but can also save costs on the better allocation of resources. For example, metrics may include a decrease of alert events or incidents of getting ahead of an attack due to the sharing of cyber threat intelligence. An Accenture report on the cost of cybercrime found that security intelligence and threat sharing were a top cost-saving measure, saving companies on average $2.26M.
What Intel Should be Shared?
A good way to get started sharing intelligence is to collaborate and add context to other parties' shared information. This could include observed adversary behaviors, attacks seen, or details of incident response. Historical context can also be quite helpful in building profiles of actors' tactics, techniques, and procedures (TTPs).
Once a solid framework is established, sharing threat hunting details that lead to shortcuts and successful defense techniques such as YARA rules, snort signatures, Bro rules, scripts, etc., provide actionable learning.
Cybercriminals plot their attacks in a communications-rich environment, giving them an advantage over companies that test their defenses in the silo of their immediate environment. For blue teams to become more like red teams, they need a broader perspective on the threat landscape. Companies can even partner with information sharing and analysis centers (ISACs) and conduct war games with community members to strengthen their defenses.
In the case of a breach, the tendency is to handle the situation internally and release as little detail as possible. While this may seem to be the safer option, quickly sharing details with partners within a solid legal framework could save another company from being breached and also help your own mitigate the damage by leveraging their knowledge and experience.
Sharing Intel, Creates Partners in Fighting Crime
A good place to start sharing threat intelligence is with entities in the same industry. Participation in industry-centric sharing initiatives like ISACs and ISAOs enables organizations to compare their threat situation with similar critical infrastructure, products, and vulnerabilities. ISACs and ISAOs also offer collaboration between companies on a regional basis for knowledge of local incidents such as WiFi attacks, physical breaches, terrorist attacks, etc. Sharing between the private sector and government has also been facilitated through initiatives such as DHS and Cyber Information Sharing and Collaborative Program (CISCP).
Collaborative efforts with verticals in other industries can also be beneficial. Threat actors have no boundaries and often hone their attacks in one industry and then move on to another. Having insight into what another vertical is experiencing only adds to the ability of an incident response team to turn on a dime.
Sharing intel with a cybersecurity vendor may seem like a bit of a one-way street, but the advantages of tapping into their knowledge of the broader attack landscape and correlation with intelligence from inside organizations can be substantial. In addition to human intelligence collection (HUMINT), they also employ collection methods that are not normally used by their client organizations, such as crawlers, specialized honeypots, etc.
More and more, thwarting cybercriminals requires a united front and savvy sharing of intelligence can be the solution that makes that happen.
Sharing threat intelligence establishes a united front against cybercriminals and is a key component of any cybersecurity strategy. Start sharing today and download The Definitive Guide to Sharing Threat Intelligence.