From its inception, the discipline of cyber threat intelligence has been about sharing. Informing cybersecurity teams, tools and best practices with knowledge of threat actors and their tactics, techniques and procedures (TTPs) helps to strengthen defenses. Conversely, the threat and event data our security tools discover, and the lessons learned from using external threat feeds, help to enhance threat intelligence. It’s a virtuous cycle. So it stands to reason that over the past 25 years communities of interest, alongside public and private partnerships, have sprung up, creating an entire sector within the cybersecurity industry dedicated to threat intelligence sharing.
But I’m not writing this to convince you that threat intel sharing is important. During a recent panel discussion with experts from FS-ISAC and SecAlliance, audience polls revealed unanimous agreement that threat intelligence sharing is beneficial, with a combination of technical details and contextual information delivering the most value.
What was concerning is that only 17% of respondents were very confident in their organization’s level of cyber threat intelligence sharing, and 17% were at the opposite end of the spectrum – very unconfident. What’s more, this poll was specifically of security professionals within the financial services industry, a sector considered an early adopter of threat intel sharing. What’s it going to take for more security professionals, regardless of sector, to close the confidence gap and actively engage in sharing?
Regulatory compliance
Since the beginning of this decade, we’ve seen a renewed focus on threat intelligence spurred by a rise in opportunistic threat actors taking advantage of events like the pandemic, devastating weather events and the geopolitical environment to launch sophisticated attacks that compromise organizations and the critical services they deliver. The need to know more about complex cyber threats became so important that in 2021 a White House Executive Order on Improving the Nation’s Cybersecurity listed as the top requirement “removing barriers to information sharing.”
More regulations are forthcoming. For example, the Digital Operational Resilience Act (DORA), set to take effect in January 2025, is specifically designed to address a gap in EU financial regulation around operational resilience. One of the pillars of the new legislation focuses on information and intelligence sharing in relation to cyber threats and vulnerabilities.
Regulations are often viewed as a “stick” to drive desired behaviors. But when more organizations meet these sharing requirements, a “carrot” aspect starts to kick in – herd immunity.
Herd immunity
Today, most organizations operate within complex ecosystems of mutually dependent participants. This means sector resilience is a prerequisite for organizational resilience.
Additionally, it’s not enough for just the big players in a market – be it the largest financial institutions, healthcare providers, retailers, manufacturers or energy providers – to share threat intelligence. Organizations are interconnected with third parties of all types and sizes. So every organization needs to actively engage in sharing communities and exchange not just intelligence but also best practices and workflows, because that’s when the practice works best. Collaborating for the greater good gives participants access to information they would not otherwise have, so they can strengthen their defenses faster and at a lower cost, thanks to the pooling of resources.
Key considerations when evolving your threat intel sharing practices
There are a variety of reasons why organizations may lack confidence in their threat intelligence sharing capabilities. Here are three things to look for in a sharing community that will make the process more attainable and impactful.
- User-friendly technology platforms: There has been a substantial movement towards integration to enable machine-to-machine sharing, including compatibility with standards like STIX/TAXII and normalization of the threat intelligence itself. These advances are helping to make data sharing easier. Additionally, context makes threat intelligence relevant. So organizations should focus on threat intelligence tools and platforms with built-in automation capabilities that enrich threat data with context and enable prioritization, so that relevant intelligence can be found quickly and the noise stripped out.
- Data anonymization: Every organization wants to receive shared information, but many are not confident that they can contribute while keeping their legal team happy. Many communities today have processes in place that let participants choose what to share and in what format, including the ability to anonymize sensitive, organization-specific data. Information can be genericized enough so as not to disclose personally identifiable information or corporate proprietary information. Data anonymization helps address legal concerns about privacy and security, while still helping others to protect themselves and to look in their own networks for a threat your organization has seen, in case they were also targeted and missed it.
- Mechanisms to foster trust: Trust is a key component of sharing, and each type of sharing initiative tends to have a combination of mechanisms to foster it, including creating smaller groups, fully vetting members, enforcing privacy and sharing policies, and leveraging technology and processes to protect and enable the flow of data. For example, sector-specific ISACs and organizations like SecAlliance have extensive experience creating rules around the classification of intelligence, the traffic protocol, sharing frequency, and how members may use that intelligence, providing a well-executed and safe environment for the exchange of intelligence. Private initiatives offered by technology vendors may include additional vetting of members as well as processes whereby members can nominate colleagues or peers to be considered for membership. The ultimate goal is to provide a nurturing environment that enables a continuous flow of contextualized threat intelligence that helps security teams and organizations grow in maturity and capability.
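The normalization and anonymization described in the two items above, as an added example that is not part of the original article: a Python script that turns a constructed internal sighting into a STIX 2.1 indicator, redacts the victim host, user and internal IP from the analyst notes, attaches a TLP:AMBER marking, and runs a leak check before the object is handed to a sharing platform. The sighting record, its field names and the redaction helpers are this example's own assumptions; only the STIX 2.1 object layout and the TLP:AMBER marking id come from the standard.

```python
import ipaddress, json, re, uuid
from datetime import datetime, timezone

# Constructed sample of what a SOC might record internally about a phishing lure.
INTERNAL_SIGHTING = {
    "observed_domain": "invoice-portal-login.example",   # attacker infrastructure: shareable
    "observed_at": "2024-03-04T09:15:00.000Z",
    "victim_host": "FIN-LAPTOP-0427.corp.acme.example",  # organization-specific: never shared
    "victim_user": "j.doe@acme.example",
    "victim_ip": "10.42.7.19",
    "analyst_notes": "j.doe on FIN-LAPTOP-0427 clicked the link from 10.42.7.19; "
                     "C2 callback to invoice-portal-login.example",
}
# TLP:AMBER marking-definition id as published in the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
def sensitive_tokens(sighting):
    """Org-specific names, full and short forms, longest first so prefixes do not leak."""
    host, user = sighting["victim_host"], sighting["victim_user"]
    return sorted({host, host.split(".")[0], user, user.split("@")[0]}, key=len, reverse=True)

def _redact_ip(m):
    """Redact private (RFC 1918 etc.) addresses only; attacker IPs stay useful to the community."""
    try:
        return "[REDACTED-INTERNAL-IP]" if ipaddress.ip_address(m.group()).is_private else m.group()
    except ValueError:
        return m.group()

def scrub_text(text, tokens):
    """Strip known org-specific tokens, then any e-mail address or private IP left over."""
    for tok in tokens:
        text = text.replace(tok, "[REDACTED]")
    return IPV4_RE.sub(_redact_ip, EMAIL_RE.sub("[REDACTED-EMAIL]", text))

def to_shareable_indicator(sighting, now=None):
    """Normalize to a STIX 2.1 Indicator carrying only the attacker-side observable."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "name": "Phishing landing page / C2 domain",
        "description": scrub_text(sighting["analyst_notes"], sensitive_tokens(sighting)),
        "pattern": f"[domain-name:value = '{sighting['observed_domain']}']",
        "pattern_type": "stix", "valid_from": sighting["observed_at"], "indicator_types": ["malicious-activity"],
        "object_marking_refs": [TLP_AMBER],
    }
def leaks(indicator, sighting):
    """Pre-share gate: every org-specific value still present in the serialized object."""
    blob = json.dumps(indicator)
    return [t for t in sensitive_tokens(sighting) + [sighting["victim_ip"]] if t in blob]
```

An empty result from leaks() is the condition to require before a TAXII push; a non-empty list names exactly which internal value the scrubber missed.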
To share or not to share isn’t the question. It’s how to share, what to share, where and with whom. The sooner we arrive at answers, the safer we’ll be collectively and individually.