Threat Intel: To Share or Not to Share is Not the Question

To share or not to share threat intelligence isn’t the question. It’s how to share, what to share, where and with whom.

Challenges of threat intel sharing

From its inception, the discipline of cyber threat intelligence has been about sharing. Informing cybersecurity teams, tools and best practices about threat actors and their tactics, techniques and procedures (TTPs) helps to strengthen defenses. Conversely, the threat and event data our security tools discover, and the learnings from using external threat feeds, help to enhance threat intelligence. It’s a virtuous cycle. So, it stands to reason that over the past 25 years a combination of communities of interest alongside public and private partnerships have sprung up, creating an entire sector within the cybersecurity industry dedicated to threat intelligence sharing.

But I’m not writing this to convince you that threat intel sharing is important. During a recent panel discussion with experts from FS-ISAC and SecAlliance, audience polls revealed unanimous agreement that threat intelligence sharing is beneficial, with a combination of technical details and contextual information delivering the most value.

What was concerning is that only 17% of respondents were very confident in their organization’s level of cyber threat intelligence sharing, and 17% were at the opposite end of the spectrum – very unconfident. What’s more, this poll was specifically of security professionals within the financial services industry, a sector considered an early adopter of threat intel sharing. What’s it going to take for more security professionals, regardless of sector, to close the confidence gap and actively engage in sharing?

Regulatory compliance

Since the beginning of this decade, we’ve seen a renewed focus on threat intelligence spurred by a rise in opportunistic threat actors taking advantage of events like the pandemic, devastating weather events and the geopolitical environment to launch sophisticated attacks that compromise organizations and the critical services they deliver. The need to know more about complex cyber threats became so important that in 2021 a White House Executive Order on Improving the Nation’s Cybersecurity listed as the top requirement “removing barriers to information sharing.”

More regulations are forthcoming. For example, the Digital Operational Resilience Act (DORA), set to take effect January 2025, is specifically designed to address a gap in EU financial regulation around operational resilience. One of the pillars under the new legislation focuses on information and intelligence sharing in relation to cyber threats and vulnerabilities.

Regulations are often viewed as a “stick” to drive desired behaviors. But when more organizations meet these sharing requirements, a “carrot” aspect starts to kick in – herd immunity.

Herd immunity

Today, most organizations operate within complex ecosystems of mutually dependent participants. This means sector resilience is a prerequisite for organizational resilience.

Additionally, it’s not enough for just the big players in a market – be it the largest financial institutions, healthcare providers, retailers, manufacturers or energy providers – to share threat intelligence. Organizations are interconnected with third parties of all types and sizes. So, every organization needs to actively engage in sharing communities and the exchange of not just intelligence but best practices and workflows, because that’s when the practice works best. Collaborating for the greater good creates synergies that enable participants to have access to information they wouldn’t have access to otherwise to strengthen their defenses faster and at a lower cost thanks to the pooling of resources.

Key considerations when evolving your threat intel sharing practices

There are a variety of reasons why organizations may lack confidence in their threat intelligence sharing capabilities. Here are three things to look for in a sharing community that will make the process more attainable and impactful.

  1. User-friendly technology platforms: There has been a substantial movement towards integration to enable machine-to-machine sharing including compatibility with standards like STIX/TAXII and normalization of the threat intelligence itself. These advances are helping to make data sharing easier. Additionally, context makes threat intelligence relevant. So, organizations should focus on threat intelligence tools and platforms with built-in automation capabilities that enrich threat data with context and enable prioritization to quickly find relevant intelligence and strip out the noise.
  2. Data anonymization: Every organization wants to receive shared information, but often they aren’t confident in their ability to contribute and keep their legal team happy. Many communities today have processes in place that enable participants to choose what to share and in what format, including the ability to anonymize sensitive, organization-specific data. Information can be genericized enough so as not to disclose personally identifiable information or corporate proprietary information. Data anonymization helps address legal concerns about privacy and security, while still helping others to protect themselves and look in their own networks to see if they have also been targeted and missed the threat that your organization has seen.
  3. Mechanisms to foster trust: Trust is a key component of sharing, and each type of sharing initiative tends to have a combination of mechanisms to foster trust including creating smaller groups, fully vetting members, enforcing privacy and sharing policies, and leveraging technology and processes to protect and enable the flow of data. For example, ISACs specific to different sectors and organizations like SecAlliance have extensive experience creating rules around the classification of intelligence, the traffic protocol, sharing frequency, and how members can use that intelligence to provide a well-executed and safe environment for the exchange of intelligence. Private initiatives offered by technology vendors may include additional vetting of members as well as processes whereby members can nominate colleagues or peers to be considered for membership. The ultimate goal is to provide a nurturing environment that enables a continuous flow of contextualized threat intelligence that helps security teams and organizations grow in maturity and capability.
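
A sketch of the anonymization step from item 2, emitting a STIX 2.1 indicator of the kind item 1 refers to. This is an added example, not code from the article or from any sharing community; the sighting record, its field names and the internal address ranges are constructed assumptions.

```python
import ipaddress
import re
import uuid

# Assumption: the sharing organization's own address space (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed internal sighting; every value is invented for illustration.
SIGHTING = {
    "observed_at": "2024-03-05T14:22:10.000Z",
    "victim_host": "fin-ws-0231.corp.example.internal",
    "victim_user": "j.doe@example.com",
    "ips": ["10.20.30.40", "203.0.113.77"],
    "note": "j.doe@example.com on fin-ws-0231.corp.example.internal "
            "beaconed from 10.20.30.40 to 203.0.113.77",
}

def is_internal(ip):
    """True when the address belongs to the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def scrub(text, sighting):
    """Replace organization-specific strings with generic placeholders."""
    text = text.replace(sighting["victim_host"], "[internal-host]")
    text = EMAIL_RE.sub("[user]", text)
    for ip in sighting["ips"]:
        if is_internal(ip):
            text = text.replace(ip, "[internal-ip]")
    return text

def to_shareable_indicator(sighting):
    """Build a STIX 2.1 Indicator that carries only external observables."""
    external = [ip for ip in sighting["ips"] if not is_internal(ip)]
    if not external:
        raise ValueError("nothing shareable: all observables are internal")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": sighting["observed_at"],
        "modified": sighting["observed_at"],
        "valid_from": sighting["observed_at"],
        "pattern_type": "stix",
        "pattern": " OR ".join(f"[ipv4-addr:value = '{ip}']" for ip in external),
        "description": scrub(sighting["note"], sighting),  # victim fields never copied
    }
```

The indicator is built from an allow-list of fields, so victim host and user values cannot leak by default; only the free-text note needs scrubbing.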

To share or not to share isn’t the question. It’s how to share, what to share, where and with whom. The sooner we arrive at answers, the safer we’ll be collectively and individually.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
