By Travis Farral, director of security strategy at Anomali
Threat intelligence continues to become a more ubiquitous feature of information security programs as its value in detecting and preventing attacks becomes clearer. Whether organizations have a full threat intelligence team, ingest threat feeds, or simply leverage threat intelligence features found in common security tools, they are benefiting from threat intelligence in one way or another.
Part of the core value proposition of threat intelligence is its collectiveness: the more it is shared, the more valuable it becomes. When an attacker targets one business that is leveraging comprehensive threat intelligence, it is battling the combined knowledge of multiple organizations, which gives the targeted business an advantage.
However, many organizations using intelligence still hesitate to share their own intelligence more broadly. A recent study from the Ponemon Institute found that only 50 percent of organizations currently participate in industry-centric sharing initiatives such as Information Sharing & Analysis Centers (ISACs), which provide industry-relevant intelligence and a place to collaborate with peers and network with other security teams. Of those organizations, the majority (60 percent) only receive threat intelligence through ISACs and do not contribute intelligence.
Many organizations cite a variety of concerns and hesitations that prevent them from actively sharing their own intelligence more broadly, but a lot of these fears are myths that can be easily dispelled. For instance, some organizations cite privacy and liability concerns as a key reason for not contributing to threat sharing initiatives. However, it is possible to keep sensitive information private while still contributing to threat sharing initiatives.
In addition to the protective provisions of the Cybersecurity Information Sharing Act of 2015 (CISA), one way to avoid these concerns, and good practice in general, is to scrub threat data of any sensitive corporate information before sharing it. Even if this limits the amount you are able to contribute, a little bit can go a long way in helping other organizations spot attackers.
Many small organizations believe their cybersecurity programs are too small or their budget too limited for them to share anything that would be of value to other organizations, but this is never the case. Even big corporations that are frequently targeted by attackers miss details. For example, no organization sees every possible variant of the phishing emails that come through its business. Sharing whatever you can, even if it seems insignificant, can add critical context and visibility that complements other shared intelligence.
There are also some organizations that fear revealing a breach, which makes them reluctant to contribute to threat sharing initiatives. The reality is that while it may not be ideal for other organizations to know you have been compromised, it is important that you spot a breach sooner rather than later, even if that comes through intelligence sharing. Sharing breach details promptly can also speed up incident response, because other organizations can add their skills, expertise and resources to the event.
For organizations that are hesitant to share intelligence but are looking for simple ways to contribute, there are a wide variety of options. A simple first step is identifying tools and communities you can leverage. ISACs are easy to get involved in and typically have mechanisms in place to ease threat sharing.
You can also establish partnerships beyond your vertical through localized entities such as Fusion Centers or use standards like STIX and TAXII to streamline the process of sharing. There are a number of free tools available that can help you to both contribute to and receive from common threat feeds.
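The two practical steps above, scrubbing sensitive corporate details out of threat data before sharing it and packaging what remains in STIX so it can travel over TAXII, can be combined in a small pipeline. The following is an added example, not code from the article or from Anomali: it takes a constructed incident note, drops RFC 1918 addresses and anything under a hypothetical internal domain (`corp.example`), redacts those same details from the free-text description, and emits the surviving attacker-side indicators as a plain-JSON STIX 2.1 bundle. The sample IPs and domains use the documentation ranges and the reserved `.example` TLD; the field names of the input record are an assumption.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: an incident note as an analyst might record it internally.
# Attacker-side values use documentation ranges (203.0.113.0/24, .example TLD).
SAMPLE_REPORT = {
    "description": (
        "Phishing mail from billing@mail-invoice.example reached jdoe@corp.example; "
        "the payload on 10.20.30.40 beaconed to 203.0.113.5 (c2.bad-domain.example)."
    ),
    "ips": ["10.20.30.40", "203.0.113.5"],
    "domains": ["intranet.corp.example", "c2.bad-domain.example"],
    "emails": ["jdoe@corp.example", "billing@mail-invoice.example"],
}

# Hypothetical internal naming: anything under these suffixes belongs to us.
INTERNAL_DOMAINS = ("corp.example",)

# Address space that never belongs in a shared indicator: RFC 1918, loopback, link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b")


def is_internal_ip(value):
    """True for addresses in our internal ranges; unparsable input is treated as unsafe."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_internal_domain(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_internal_email(addr):
    return is_internal_domain(addr.rsplit("@", 1)[-1])


def scrub_report(report):
    """Return a copy of the report with internal hosts, addresses and mailboxes removed."""
    text = IP_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group()) else m.group(),
        report["description"])
    # Redact mailboxes before bare hostnames so "user@corp.example" is handled as one unit.
    text = EMAIL_RE.sub(
        lambda m: "[internal-mailbox]" if is_internal_email(m.group()) else m.group(),
        text)
    for d in sorted(INTERNAL_DOMAINS, key=len, reverse=True):
        text = re.sub(r"\b[\w.-]*" + re.escape(d) + r"\b", "[internal-host]", text)
    return {
        "description": text,
        "ips": [ip for ip in report["ips"] if not is_internal_ip(ip)],
        "domains": [d for d in report["domains"] if not is_internal_domain(d)],
        "emails": [e for e in report["emails"] if not is_internal_email(e)],
    }


def to_stix_bundle(scrubbed, now=None):
    """Wrap the surviving indicators in a STIX 2.1 bundle built as plain JSON."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    observables = (
        [("ipv4-addr", v) for v in scrubbed["ips"]]
        + [("domain-name", v) for v in scrubbed["domains"]]
        + [("email-addr", v) for v in scrubbed["emails"]]
    )
    objects = []
    for sco_type, value in observables:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": ts,
            "modified": ts,
            "name": "Phishing infrastructure (shared)",
            "description": scrubbed["description"],
            "indicator_types": ["malicious-activity"],
            "pattern": "[%s:value = '%s']" % (sco_type, value.replace("'", "\\'")),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(scrub_report(SAMPLE_REPORT)), indent=2))
```

Running the script prints a bundle containing three indicators (one IP, one domain, one sender address); the victim mailbox, the internal workstation address and the intranet host are gone from both the indicator lists and the description, which is the point of scrubbing before the bundle ever reaches an ISAC or TAXII server. The internal-range and internal-domain lists are deliberately explicit so a reviewer can see exactly what is withheld.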
By democratizing threat intelligence, organizations can pass information more quickly, make better judgments and deliver more insightful analysis to stakeholders and intelligence consumers. Changes to malware, infrastructure, new tools, new techniques, actor behaviors, campaigns, and other intelligence-related details can all become quickly known across a multitude of organizations. Ultimately, the bad guys may be trying to compromise single organizations but are battling a collective in the process.
About the Author
Travis Farral is a seasoned IT security professional with an extensive background in corporate security environments. He is well versed in technical security solutions, including in-depth IDS and IPS event analysis, log analysis, and detailed network assessments, and is a proficient project manager with a history of leading successful project and program efforts with limited resources and/or tight time constraints. He is knowledgeable in developing and implementing security policies and procedures within corporate guidelines and objectives, and has experience handling large project budgets and delivering presentations to high-ranking corporate executives. He is passionate about developing teams, earning trust, and exposing potential. Specialties: leadership, security principles/architecture, IDS/IPS analysis, penetration testing, vulnerability assessments, wireless network testing, security design, security implementation, encryption. Learn more about Travis at: https://www.anomali.com/news-events/press/anomali-appoints-former-exxonmobil-threat-intelligence-expert