Who’s sharing threat intelligence?
There are many ways to derive value from threat intelligence, whether through a full threat intelligence platform, ingesting threat feeds, or simply leveraging the threat intelligence features found in common security tools. One of the less-adopted ways to benefit from threat intelligence is to share this information with other groups, which helps to reduce response time to events and enact preventative measures.
Industry-centric and government-led initiatives have led to a dramatic increase in the sharing of threat intelligence between governments, private organizations, and industries. Some of these include Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry groups, holding companies, and other threat intel sharing communities seeking to power secure collaboration:
What are the types of threat intelligence sharing?
There are two types of sharing, each defined by who is sharing the information.
Unidirectional threat intelligence sharing
One entity produces and shares threat intelligence that others consume, and those consuming the intelligence do not contribute in return. Examples of unidirectional threat intelligence sharing include:
Bidirectional threat intelligence sharing
Intelligence is sent down to be consumed but can also be ingested from member organizations. Although sharing is allowed and encouraged in these programs, there is no guarantee that every organization will share anything.
Concerns around sharing threat intel
Although threat intelligence is undoubtedly valuable, there are a few common concerns preventing organizations from engaging in sharing:
Privacy and liability concerns
- Scrubbing data for private information or sensitive corporate information before sharing is a good idea regardless of the type of sharing involved.
- The Cybersecurity Information Sharing Act of 2015 (CISA) has provisions to address concerns around privacy and liability. Some of these protections are contingent on certain stipulations being met. As always, proper legal advice is highly recommended to understand how CISA may apply to specific situations.
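One way to do the scrubbing step described above, as an added example that is not from the original page or from any vendor tool: a small Python filter that redacts internal mailboxes, hostnames and RFC 1918 addresses from log lines while leaving external indicators intact. The domain `corp.example`, the redaction labels and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the organisation's internal DNS suffixes; replace with your own.
INTERNAL_DOMAINS = ("corp.example",)
# RFC 1918 ranges listed explicitly; ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.I)

def _internal_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def _scrub_email(m):
    return "[REDACTED-EMAIL]" if _internal_host(m.group(1)) else m.group(0)

def _scrub_host(m):
    return "[REDACTED-HOST]" if _internal_host(m.group(0)) else m.group(0)

def _scrub_ip(m):
    try:
        ip = ipaddress.ip_address(m.group(0))
    except ValueError:
        return m.group(0)  # dotted number that is not an address; keep it
    internal = any(ip in net for net in INTERNAL_NETS)
    return "[REDACTED-INTERNAL-IP]" if internal else m.group(0)

def scrub(line):
    """Redact internal identifiers; external indicators stay shareable."""
    # Mailboxes first, so the host pass does not half-rewrite an address.
    line = EMAIL_RE.sub(_scrub_email, line)
    line = IPV4_RE.sub(_scrub_ip, line)
    return HOST_RE.sub(_scrub_host, line)

# Constructed sample log lines (not real data).
SAMPLE = [
    "2024-01-05 smtp from=billing@invoice-update.example to=j.doe@corp.example subject=Invoice",
    "2024-01-05 proxy src=10.20.3.44 host=ws-0412.corp.example dst=203.0.113.77 url=http://invoice-update.example/a.zip",
]

def scrub_all(lines=SAMPLE):
    return [scrub(line) for line in lines]

if __name__ == "__main__":
    print("\n".join(scrub_all()))
```

Pattern-based redaction only catches what the patterns describe, so scrubbed output still warrants a manual review before it leaves the organization.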
“There is nothing of value to contribute”
Lack of expertise
Fear of revealing an organization has been hacked
Steps to start sharing threat intelligence
Whether your organization is already actively sharing intelligence or hasn’t begun doing so yet, here are some tips on where to get started or ways to enhance sharing that is already happening:
Tools and communities
- Email, which is the easiest starting point
- Tools such as Anomali STAXX, a free solution offered by Anomali that supports sharing indicators through STIX and TAXII
- ISACs and other industry organizations, which normally have mechanisms in place for sharing
- Ad hoc sharing with local entities or partners in other industries
- Anomali ThreatStream users already have a very robust solution to share indicators and other intelligence with other organizations or create their own sharing communities
Share and contribute
Share outside your vertical
Share hunting & defense techniques
- Threat hunting details such as searches, specific log entries, etc.
- Successful defense techniques or rules such as YARA rules, Snort signatures, Bro rules, and scripts.
Share breach details