The Benefits of Sharing Threat Intelligence Inside and Outside Your Organization
Welcome to this week’s blog. I hope you’re enjoying this series and what you’ve read so far if you’ve been following along. If you’re new, welcome as I dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience.
Coming in at number seven on our Top 10 List of the Challenges Cybersecurity Professionals Face is "Lack of ability to share threat intelligence cross-functionally."
In an August blog, I wrote about President Biden’s Executive Order that sought to ensure that IT service providers share threat information about incidents with the federal government and collect and preserve data that could aid threat detection, investigation, and response. My comment was that before we share information as an industry, organizations need to break down their silos to share threat intelligence internally. It was not surprising to see this surface as one of the Top 10 Challenges organizations face. (I know, even a stopped clock is right twice a day; I’m taking the win here. Even if no one else is reading, I enjoy writing these.)
Digital transformation has quickly expanded attack surfaces. Now more than ever, global organizations must balance a rapidly evolving cybersecurity threat landscape against business requirements. Threat information sharing is critical for security teams and organizations to protect themselves from cyber-attacks. The problem with sharing threat intelligence is that most organizations don’t know where to start.
Enter Cyber Fusion
Thirty years ago, military intelligence organizations developed the concept of cyber fusion, which combines HUMINT (human intelligence) with COMINT (communications intelligence). They used the idea to collaborate across different intelligence communities and gain an in-depth understanding of the threat landscape. Cyber fusion is becoming increasingly popular in the cybersecurity industry, with organizations creating cyber fusion centers or using technologies like threat intelligence management platforms or XDR (extended detection and response) solutions to eliminate silos, enhance threat visibility, and increase cyber resilience and collaboration between security teams.
Cyber fusion offers a unified approach to cybersecurity by combining the intelligence from different teams into one cohesive picture. It also helps to integrate contextualized strategic, tactical, and operational threat intelligence for immediate threat prediction, detection, and analysis.
How to Start Sharing Threat Intelligence Internally
Cyber fusion takes a proactive approach to cybersecurity that helps organizations break down barriers and open communication across the entire organization so they can identify and address cyber risks before they become incidents. It fosters collaboration among departments so that effort concentrates on the areas that protect against the threats relevant to the business.
By getting more people involved in keeping up with security issues and cyber incidents, organizations can ensure their investments and resources focus right where they need to be.
Download our new ebook to learn more about how you can use cyber fusion to break down silos within your organization.
Concerns with Sharing Threat Intelligence
Legal concerns have kept many companies from sharing information about attacks, with the primary debate focused on what data should be shared and how. Other concerns, as outlined on our resource page, include:
- Privacy and liability concerns: These can be overcome through a more accurate perception of sharing intelligence, protective clauses in legal agreements, recent legislation, or care in what is being shared.
- “There is nothing of value to contribute”: No organization sees every attack. Sharing seemingly insignificant details can aid visibility and help produce a more fully sourced intelligence analysis.
- Lack of expertise: Even if you are not a trained professional, adding whatever context, observed attack details, and, if possible, analysis developed by those on staff is still beneficial to the community.
- Fear of revealing an organization has been hacked: The fear of sharing breach details more broadly than with the entities necessary is common but can be remedied by following best practices while sharing.
Sharing Threat Intelligence is Good for Everyone
As threat actors become progressively more sophisticated, it is increasingly essential for organizations to share threat intel and leverage the community’s collective knowledge to improve their security posture and implement adequate defensive measures in time.
With detailed and contextualized threat intel, organizations can better anticipate and identify malicious activity and utilize intelligence to speed detection and prevent attacks.
- Collaborate: Foster relationships between organizations and increase trust among them.
- Get context: Gain varied insights from people across the community who see different parts of the picture.
- Discover blind spots: Uncover threat actor insights that might not have been seen previously.
Challenges Sharing Threat Intelligence
- Quantity: The sheer volume of threat data is impossible for analysts to handle manually; teams end up chasing false positives instead of triaging, processing, and acting on the highest-priority security incidents.
- Verification: A threat actor or attacker may file false reports to mislead or overwhelm threat intelligence systems, threat feeds, or a threat investigation.
- Quality: If the focus is on collecting and sharing ever more threat data without processing it, much of it will be duplicative, and sorting through it wastes valuable time and effort.
- Agility: Security professionals need to share threat intelligence in near-real-time to match attack speeds. Intelligence received too late may not be able to prevent an attack, but it can still help understand it better.
- Correlation: The failure to identify relevant patterns, key data points, and trends in threat data makes it challenging to turn data into intelligence, which can be used to inform and direct security operations.
Where to Start or Expand Intelligence Sharing
Whether your organization is currently sharing intelligence or is considering doing so, here are some tips to help you get started or improve on what you’re already doing.
1. Tools and communities: Begin by choosing appropriate tools to share threat intelligence. Email is the most accessible place to start, but plan to move into more formal sharing through dedicated tools, ideally built on open standards such as STIX (Structured Threat Information Expression) for representing the intelligence and TAXII (Trusted Automated Exchange of Intelligence Information) for transporting it. ISACs (information sharing and analysis centers) and other industry organizations are ideal communities in which to get started with intelligence sharing and typically have mechanisms in place for doing so.
2. Share and contribute: Make sure to contribute to sharing once sharing partnerships are in place. Also, contribute where your team can add additional context to intelligence shared from other parties. Sharing observed adversary behaviors, attacks seen, or details from incident response are great places to start.
3. Share outside your vertical: Look for opportunities to share with organizations outside your vertical. This includes localized entities such as fusion centers and other organizations deemed a good fit for sharing intelligence.
4. Consider sharing with vendors: This suggestion probably isn’t for everybody. If sharing with vendors resonates with you, consider which vendors it might be beneficial to share intelligence with, and reach out to them.
5. Share hunting & defense techniques: Threat hunting details such as searches that have proved valuable, specific log entries that are useful, and other related information can turn into short-cuts in other organizations’ hunting efforts.
6. Share breach details: Breaches can be sticky subjects inside organizations. Depending on the legal framework that governs your sharing arrangement, there may be ample protections around disclosure that cover sharing breach details with partners (consult legal counsel on your specific agreements to be sure). Done under those protections, sharing breach details benefits all parties involved.
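Step 1 above points at STIX and TAXII. The following is an added example (mine, not Anomali’s or the post’s) of the STIX 2.1 artifact you would push to a TAXII collection or hand to an ISAC: an Identity for the sharing organization, one Indicator per observable carrying a TLP:AMBER marking, and a receiver-side sanity check that rejects malformed objects before they pollute a feed (the "Verification" and "Quality" concerns above). It uses only the Python standard library so it runs offline; the IOC values, organization name, and notes are constructed sample data. In practice you would build the objects with the `stix2` library and publish them with a TAXII 2.1 client rather than hand-assembling JSON.

```python
"""Build and sanity-check a shareable STIX 2.1 bundle (added example).

Hand-assembles STIX 2.1 JSON with the standard library so it runs offline.
The IOC values below are constructed sample data, not real intelligence.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dcd5-4f88-9a1a-3f3123ad0f63"

# Constructed sample observations from a hypothetical incident.
SAMPLE_IOCS = [
    {"kind": "ipv4", "value": "198.51.100.23", "note": "C2 beacon destination"},
    {"kind": "domain", "value": "update-check.example", "note": "payload staging host"},
    {"kind": "sha256", "value": "a" * 64, "note": "dropper"},
]

# STIX pattern templates for the observable types this example supports.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

ID_RE = re.compile(
    r"^([a-z0-9][a-z0-9-]+)--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def stix_timestamp(ts=None):
    """STIX requires RFC 3339 UTC with millisecond precision and a 'Z'."""
    ts = ts or datetime.now(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def stix_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def make_identity(name, sector):
    """Identity SDO for the organization doing the sharing."""
    now = stix_timestamp()
    return {
        "type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
        "created": now, "modified": now, "name": name,
        "identity_class": "organization", "sectors": [sector],
    }


def make_indicator(ioc, created_by, tlp):
    """Turn one observation into an Indicator SDO with a TLP marking."""
    if ioc["kind"] not in PATTERNS:
        raise ValueError(f"unsupported IOC kind: {ioc['kind']}")
    value = ioc["value"]
    if "'" in value or "\\" in value:  # keep the pattern grammar intact
        raise ValueError("IOC value contains characters not allowed in a simple pattern")
    now = stix_timestamp()
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": now, "modified": now, "created_by_ref": created_by,
        "name": ioc["note"],
        "pattern": PATTERNS[ioc["kind"]].format(v=value),
        "pattern_type": "stix",
        "valid_from": now,
        "indicator_types": ["malicious-activity"],
        "object_marking_refs": [tlp],
    }


def build_bundle(iocs, org_name, sector, tlp=TLP_AMBER):
    """Bundle: the sharing org's Identity plus one Indicator per IOC."""
    identity = make_identity(org_name, sector)
    objects = [identity] + [make_indicator(i, identity["id"], tlp) for i in iocs]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def validate_bundle(bundle):
    """Receiver-side sanity checks before ingesting a shared bundle.

    Flags malformed ids, type/id mismatches, missing spec_version, indicators
    with no pattern, and marking refs that are not marking-definitions.
    Returns a list of problems; an empty list means the bundle passed.
    """
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level object is not a bundle")
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        m = ID_RE.match(oid)
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"bad or mismatched id: {oid!r}")
            continue
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: missing spec_version 2.1")
        if obj["type"] == "indicator":
            for field in ("pattern", "pattern_type", "valid_from"):
                if field not in obj:
                    problems.append(f"{oid}: indicator missing {field}")
        for ref in obj.get("object_marking_refs", []):
            if not ref.startswith("marking-definition--"):
                problems.append(f"{oid}: marking ref is not a marking-definition")
    return problems


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_IOCS, "Example Corp", "technology")
    assert validate_bundle(bundle) == []
    print(json.dumps(bundle, indent=2))
```

Running the module prints the bundle as JSON; the same `validate_bundle` check belongs on the receiving side of a sharing arrangement, where a partner (or an attacker feeding a community feed) can submit anything. The TLP marking travels with each indicator, so a partner's tooling can enforce the handling restriction automatically.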
Learning from Each Other
By exchanging threat intelligence among a sharing community, organizations benefit from the community’s collective knowledge, experience, and capabilities to better understand the threats they face. Therefore, threat intelligence sharing is a critical tool for the cybersecurity community. It takes the knowledge of one organization and spreads it across the entire industry to improve all security practices.
Cyber threat intelligence sharing means exchanging indicators of compromise and information about cyber-attacks or vulnerabilities, and discussing strategy. By understanding what security defenses others are using or planning to use, everyone can better prepare for potential threats.
Information sharing doesn’t have to just be about an actual cyber threat. Sharing best practices, successful and unsuccessful approaches, attacker strategies, etc., can help organizations strengthen their defenses against modern cybercriminals.
Anomali has multiple resources to help you understand the benefits of threat intelligence, including why and how you should share threat intelligence. Download our Definitive Guide to Sharing Threat Intelligence to learn more.
Join me next time as I continue this journey and look at number six on our list.
In the meantime, download our Cybersecurity Insights 2022 Report or read the other blogs in this series.