There are many ways to derive value out of threat intelligence, whether it be through a full threat intelligence platform, ingesting threat feeds, or simply leveraging threat intelligence features found in common security tools. One of the less adopted ways to benefit from threat intelligence is to share this information with other groups, which helps to reduce response time to events and enact preventative measures.
Industry-centric and government-led initiatives have led to a dramatic increase in the sharing of threat intelligence between governments, private organizations, and industries. Some of these include Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry groups, holding companies, and other threat intel sharing communities seeking to power secure collaboration:
One entity produces and shares threat intelligence that others consume, and those consuming the intelligence do not contribute in return. Examples of unidirectional threat intelligence sharing include:
Intelligence is sent down to be consumed but can also be ingested from member organizations. Although sharing is allowed and encouraged in these programs, there is no guarantee that every organization will share anything.
Although threat intelligence is undoubtedly valuable, there are a few common concerns preventing organizations from engaging in sharing:
- Scrubbing data for private information or sensitive corporate information before sharing is a good idea regardless of the type of sharing involved.
- The Cybersecurity Information Sharing Act of 2015 (CISA) has provisions to address concerns around privacy and liability. Some of these protections are contingent on certain stipulations being met. As always, proper legal advice is highly recommended to understand how CISA may apply to specific situations.
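One way to scrub a log entry before sharing it, shown as an added example that is not part of the original article. The internal domain, the `user=`/`account=` field names and the sample log line are constructed assumptions; adapt the patterns to your own log formats.

```python
import ipaddress
import re

# Assumption for illustration: the sharing organization's own DNS domain.
INTERNAL_DOMAIN = "corp.example"
# RFC 1918 ranges plus loopback are treated as internal addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(INTERNAL_DOMAIN) + r"\b")
USER_RE = re.compile(r"\b(user|account)=(\S+)", re.IGNORECASE)


def _scrub_ip(match):
    text = match.group(0)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # not a valid IPv4 address, leave untouched
    internal = any(addr in net for net in INTERNAL_NETS)
    return "[INTERNAL-IP]" if internal else text  # external indicators survive


def _scrub_email(match):
    domain = match.group(1).lower()
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return "[INTERNAL-EMAIL]"
    return match.group(0)


def scrub(line):
    """Redact internal identifiers while keeping external indicators intact."""
    line = EMAIL_RE.sub(_scrub_email, line)       # emails first, before hostnames
    line = HOST_RE.sub("[INTERNAL-HOST]", line)
    line = USER_RE.sub(lambda m: m.group(1) + "=[USER]", line)
    return IP_RE.sub(_scrub_ip, line)


# Constructed sample proxy log line (not real data).
SAMPLE = ("2024-01-01T10:00:00Z proxy user=jdoe src=10.20.30.40 "
          "host=ws-042.corp.example dst=203.0.113.7 "
          "url=http://bad.example.net/payload rcpt=j.doe@corp.example")

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Pattern-based redaction only catches the formats it knows about, so a manual review of anything leaving the organization is still worthwhile.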
Whether your organization is already actively sharing intelligence or hasn’t begun doing so yet, here are some tips on where to get started or ways to enhance sharing that is already happening:
- Email, which is the easiest starting point
- Tools such as Anomali STAXX, a free solution offered by Anomali that supports sharing indicators through STIX and TAXII
- ISACs and other industry organizations, which normally have mechanisms in place for sharing
- Ad hoc sharing with local entities or partners in other industries
- Anomali ThreatStream users already have a very robust solution to share indicators and other intelligence with other organizations or create their own sharing communities
- Threat hunting details such as searches, specific log entries, etc.
- Successful defense techniques or rules such as YARA rules, Snort signatures, Bro rules, and scripts.
Download the whitepaper to learn more about sharing outside of industry verticals, sharing targeted information, etc.