When we talk about intelligence sharing, we automatically think about spooks, double agents, espionage, and covert operations. But today it is much more of a business imperative to share intelligence, to collaborate with our industry peers and it is perhaps less covert than we previously imagined. Particularly in the relentless war against cybercriminals, it is vital that we share information around cybersecurity threats and vulnerabilities because that is exactly what our adversaries are doing.
Cybercriminals share intelligence to support meticulously planned attacks. In fact, sharing intelligence about data breach opportunities and exploitable vulnerabilities has become essential for cybercriminals to execute their attacks more effectively. That is why it is important that as an industry, vendors and enterprise organizations alike, we collaborate and build intelligence networks, communities and capability. The Five Eyes (FVEY) is undoubtedly one of the biggest and most enduring multi-state intelligence sharing networks in the world. The alliance, established post World War II, is an intricate web of global intelligence, comprising five English-speaking countries and was one of the first information sharing communities.
Fast forward to present day and threat intelligence sharing and collaboration is very much front of mind for most large enterprises. Customers and vendors have been members of information sharing groups ISACs for many years, and some of the most important and active of these relate to critical national infrastructure. The Electricity Information Sharing and Analysis Center (E-ISAC), for example, provides the electric industry with quality analysis and rapid sharing of security information on how to mitigate complex, constantly evolving cyber and physical security threats to the grid. Operators and select partners commit to reducing the risk of cyber and physical security threats to the industry across North America by providing unique insights, leadership, and collaboration.
Digitization has transformed our critical national infrastructure (CNI) sector, enabling advances in service provision, reliability, and agility to better serve citizens and drive economic growth. However, the CNI sector is relentlessly targeted by financially or ideologically motivated threat actors seeking to disrupt services.
Cyber warfare, nation-state actors, and in particular ransomware attacks remain significant risks to the security of CNI organizations. Indeed, custom tools specifically targeting the industrial control systems underpinning CNI are constantly being developed by hackers who are aiming to gain persistent full system access. If there was any doubt that they are succeeding, we need only read the recent advisory from CISA warning that the Volt Typhoon group had compromised communications, energy, transportation and waste water services.
Safeguarding CNI against cyber threats requires a multifaceted approach, strengthening security controls, promoting awareness, and fostering collaboration are essential to protect critical infrastructure. Information and intelligence-sharing is also an essential element of building a robust, collective cyber defense program.
In fact, the need to know more about complex cyber threats has become so important that in 2021 the White House Executive Order on improving the Nation’s Cybersecurity listed as the top requirement “removing barriers to information sharing.”
Today more regulations are coming to the fore, for example the Digital Operational Resilience Act (DORA), set to take effect January 2025, is specifically designed to address a gap in EU financial regulation around operational resilience. One of the pillars under the new legislation focuses on information and intelligence sharing in relation to cyber threats and vulnerabilities.
Delving deeper into threat intelligence and organizations face several challenges protecting sensitive internal operations while engaging in necessary collaboration with external partners. Companies must maintain sovereignty over their data, ensuring it is owned, controlled, and housed within a private instance that can operate with autonomy and confidentiality. At the same time, they require a platform that allows for controlled access to this intelligence by external entities, such as federated operations and partner networks, ensuring that collaboration does not compromise security.
The complexity of modern cybersecurity demands support for diverse sharing models, from machine-to-machine exchanges accommodating various languages and formats to the distribution of human-readable data. Access to user-centric dashboards, comprehensive reports, and sophisticated analytical tools is crucial for actionable intelligence. Any platform must also cater to the varying maturity levels of external teams, ensuring usability and accessibility regardless of their expertise. It must also seamlessly integrate with different infrastructures and architectures, enabling a versatile and inclusive approach to threat intelligence sharing across the cybersecurity ecosystem
What is interesting is that when people think about threat intelligence sharing, they normally think of this as person to person. However, as outlined above, sharing can also be machine to machine or machine readable and human readable. The human readable formats have the advantage of being easily understood by a person reading them. A machine-readable format is specifically designed for devices and machines and the format is therefore complex for humans to understand. Machine readable formats are easier and faster for a machine to encode. The good news is that the data in machine-readable format can be automated, extracted, and used for further processing without human involvement
So, the whole concept of threat intelligence transfer is like a pyramid comprising of a base of data, rising through information to knowledge and peaking in wisdom. What we are talking about here is how you effect that transformation of data into understanding, knowledge, and wisdom.
When somebody is new to a role and/or transitioning off a role, we talk about “knowledge transfer”. “Intelligence transfer” is subtly different because it helps people gain knowledge but it puts it into context, helping individuals learn, but it also helps machines do their jobs better with additional high-fidelity data which is contextualized and enriched. However, for this to all work, there must be trust in the outcomes, trust in the data and what the machine has learnt. The security team must be confident in the data, they must believe what it is telling them, and ultimately, they have to trust that it won’t break anything through automation. This is easier said than done, because research from last year highlights that trust in automation is low and is one of the key barriers to organizations automating more cybersecurity use cases and processes.
The primary goal of threat intelligence sharing is to help organizations better understand the risks of the most common and severe issues, like zero-day threats, advanced persistent threats and exploits, and enable them to make good, informed decisions regarding their response to those threats. With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. They can also foster more collaborative relationships between organizations and the industry at large. Increasing collaboration in the ecosystem and trust in cybersecurity automation will help to win the battle against cyber adversaries.
