SecurityWeek

Threat Intelligence

Why Intelligence Sharing Is Vital to Building a Robust Collective Cyber Defense Program

With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks.

Intelligence sharing to improve cyber defense

When we talk about intelligence sharing, we automatically think about spooks, double agents, espionage, and covert operations. But today it is much more of a business imperative to share intelligence and to collaborate with our industry peers, and it is perhaps less covert than we previously imagined. Particularly in the relentless war against cybercriminals, it is vital that we share information about cybersecurity threats and vulnerabilities, because that is exactly what our adversaries are doing.

Cybercriminals share intelligence to support meticulously planned attacks. In fact, sharing intelligence about data breach opportunities and exploitable vulnerabilities has become essential for cybercriminals to execute their attacks more effectively. That is why it is important that, as an industry, vendors and enterprise organizations alike collaborate and build intelligence networks, communities and capability. The Five Eyes (FVEY) is undoubtedly one of the biggest and most enduring multi-state intelligence sharing networks in the world. The alliance, established after World War II, is an intricate web of global intelligence comprising five English-speaking countries, and it was one of the first information sharing communities.

Fast forward to the present day, and threat intelligence sharing and collaboration is very much front of mind for most large enterprises. Customers and vendors have been members of information sharing groups (ISACs) for many years, and some of the most important and active of these relate to critical national infrastructure. The Electricity Information Sharing and Analysis Center (E-ISAC), for example, provides the electric industry with quality analysis and rapid sharing of security information on how to mitigate complex, constantly evolving cyber and physical security threats to the grid. Operators and select partners commit to reducing the risk of cyber and physical security threats to the industry across North America by providing unique insights, leadership, and collaboration.

Digitization has transformed our critical national infrastructure (CNI) sector, enabling advances in service provision, reliability, and agility to better serve citizens and drive economic growth. However, the CNI sector is relentlessly targeted by financially or ideologically motivated threat actors seeking to disrupt services.

Cyber warfare, nation-state actors, and in particular ransomware attacks remain significant risks to the security of CNI organizations. Indeed, custom tools specifically targeting the industrial control systems underpinning CNI are constantly being developed by hackers who are aiming to gain persistent full system access. If there were any doubt that they are succeeding, we need only read the recent advisory from CISA warning that the Volt Typhoon group had compromised communications, energy, transportation and wastewater services.

Safeguarding CNI against cyber threats requires a multifaceted approach: strengthening security controls, promoting awareness, and fostering collaboration are all essential to protect critical infrastructure. Information and intelligence sharing is also an essential element of building a robust, collective cyber defense program.

In fact, the need to know more about complex cyber threats has become so important that in 2021 the White House Executive Order on Improving the Nation’s Cybersecurity listed as its top requirement “removing barriers to information sharing.”

Today more regulations are coming to the fore. For example, the Digital Operational Resilience Act (DORA), set to take effect in January 2025, is specifically designed to address a gap in EU financial regulation around operational resilience. One of the pillars of the new legislation focuses on information and intelligence sharing in relation to cyber threats and vulnerabilities.


Delving deeper into threat intelligence, organizations face several challenges in protecting sensitive internal operations while engaging in necessary collaboration with external partners. Companies must maintain sovereignty over their data, ensuring it is owned, controlled, and housed within a private instance that can operate with autonomy and confidentiality. At the same time, they require a platform that allows controlled access to this intelligence by external entities, such as federated operations and partner networks, ensuring that collaboration does not compromise security.

The complexity of modern cybersecurity demands support for diverse sharing models, from machine-to-machine exchanges accommodating various languages and formats to the distribution of human-readable data. Access to user-centric dashboards, comprehensive reports, and sophisticated analytical tools is crucial for actionable intelligence. Any platform must also cater to the varying maturity levels of external teams, ensuring usability and accessibility regardless of their expertise. It must also integrate seamlessly with different infrastructures and architectures, enabling a versatile and inclusive approach to threat intelligence sharing across the cybersecurity ecosystem.

What is interesting is that when people think about threat intelligence sharing, they normally think of it as person to person. However, as outlined above, sharing can also be machine to machine, and the data shared can be either machine-readable or human-readable. Human-readable formats have the advantage of being easily understood by the person reading them. A machine-readable format is specifically designed for devices and machines, and the format is therefore harder for humans to understand. Machine-readable formats are easier and faster for a machine to encode. The good news is that data in a machine-readable format can be automatically extracted and used for further processing without human involvement.

So, the whole concept of threat intelligence transfer is like a pyramid comprising a base of data, rising through information to knowledge and peaking in wisdom. What we are talking about here is how you effect that transformation of data into understanding, knowledge, and wisdom.

When somebody is new to a role and/or transitioning out of a role, we talk about “knowledge transfer”. “Intelligence transfer” is subtly different: it not only helps people gain knowledge but puts that knowledge into context, helping individuals learn, and it also helps machines do their jobs better with additional high-fidelity data that is contextualized and enriched. However, for all of this to work, there must be trust in the outcomes, trust in the data and trust in what the machine has learnt. The security team must be confident in the data, they must believe what it is telling them, and ultimately they have to trust that it won’t break anything through automation. This is easier said than done, because research from last year highlights that trust in automation is low and is one of the key barriers to organizations automating more cybersecurity use cases and processes.
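The preceding paragraphs describe three things a sharing platform has to do: ingest machine-readable data, control what external partners may see, and enrich it with local context so that automation can be trusted. The following script is an added example written for this page; it is not code from the article or from any vendor platform. All names, the indicator feed, the TLP clearance rules, the local sighting counts and the 80-point automation threshold are constructed assumptions chosen to illustrate the ideas, not a standard or a real data set.

```python
"""Toy threat-intelligence sharing pipeline (added example, not from the article)."""
import json
from dataclasses import dataclass, asdict, field
from typing import Optional

# Assumed TLP levels in increasing sensitivity; a partner cleared for "amber"
# may receive everything at or below amber.
TLP_ORDER = {"clear": 0, "green": 1, "amber": 2, "amber+strict": 3, "red": 4}
VALID_TYPES = {"ipv4", "domain", "url", "sha256"}


@dataclass
class Indicator:
    type: str
    value: str
    source: str
    confidence: int            # 0-100, as asserted by the source
    tlp: str
    tags: list = field(default_factory=list)
    context: dict = field(default_factory=dict)   # filled in by enrich()


# Constructed sample feed: machine-readable records as a partner might send them.
# Values use documentation ranges / .example names; none are real indicators.
RAW_FEED = json.dumps([
    {"type": "domain", "value": "login-verify.example", "source": "partner-A",
     "confidence": 85, "tlp": "amber", "tags": ["phishing"]},
    {"type": "ipv4", "value": "203.0.113.45", "source": "partner-B",
     "confidence": 40, "tlp": "green", "tags": ["scanning"]},
    {"type": "ipv4", "value": "198.51.100.7", "source": "internal-soc",
     "confidence": 95, "tlp": "red", "tags": ["c2"]},
    {"type": "hostname", "value": "bad", "source": "partner-B",
     "confidence": 10, "tlp": "green"},           # unknown type: rejected
    {"type": "domain", "value": "", "source": "partner-B",
     "confidence": 120, "tlp": "green"},          # empty value, bad confidence: rejected
])

# Constructed local telemetry: how often each value appeared in our own logs.
LOCAL_SIGHTINGS = {"login-verify.example": 3, "198.51.100.7": 12}


def parse_feed(raw: str) -> list:
    """Machine-readable ingest with strict validation, so one malformed
    partner record cannot poison downstream automation."""
    out = []
    for rec in json.loads(raw):
        try:
            ind = Indicator(type=rec["type"], value=rec["value"], source=rec["source"],
                            confidence=int(rec["confidence"]), tlp=rec["tlp"].lower(),
                            tags=list(rec.get("tags", [])))
        except (KeyError, TypeError, ValueError, AttributeError):
            continue
        if (ind.type not in VALID_TYPES or not ind.value
                or not 0 <= ind.confidence <= 100 or ind.tlp not in TLP_ORDER):
            continue
        out.append(ind)
    return out


def enrich(indicators: list, sightings: dict) -> list:
    """Turn data into information: attach local context and a derived score.
    Local corroboration raises our own confidence by 15 points, capped at 100."""
    for ind in indicators:
        seen = sightings.get(ind.value, 0)
        ind.context["local_sightings"] = seen
        ind.context["score"] = min(100, ind.confidence + (15 if seen else 0))
    return indicators


def build_feed() -> list:
    """Parse and enrich the constructed feed in one step."""
    return enrich(parse_feed(RAW_FEED), LOCAL_SIGHTINGS)


def share_with(indicators: list, partner_clearance: str,
               exclude_source: Optional[str] = None) -> list:
    """Controlled external access: release only what the partner's TLP
    clearance permits, and never echo a partner's own submissions back."""
    limit = TLP_ORDER[partner_clearance]
    return [i for i in indicators
            if TLP_ORDER[i.tlp] <= limit and i.source != exclude_source]


def split_for_automation(indicators: list, min_score: int = 80):
    """Trust threshold: only high-score indicators feed automated controls;
    everything else goes to an analyst review queue."""
    auto = [i for i in indicators if i.context.get("score", 0) >= min_score]
    review = [i for i in indicators if i.context.get("score", 0) < min_score]
    return auto, review


def to_machine_readable(indicators: list) -> str:
    """Machine-to-machine output: stable JSON for a partner's tooling."""
    return json.dumps([asdict(i) for i in indicators], sort_keys=True)


def to_human_readable(indicators: list) -> str:
    """Analyst-facing output: a fixed-width table."""
    lines = [f"{'TYPE':8} {'VALUE':24} {'SCORE':>5} {'TLP':6} {'SOURCE':13} TAGS"]
    for i in indicators:
        lines.append(f"{i.type:8} {i.value:24} {i.context.get('score', i.confidence):>5} "
                     f"{i.tlp:6} {i.source:13} {','.join(i.tags)}")
    return "\n".join(lines)


if __name__ == "__main__":
    feed = build_feed()
    print(to_human_readable(feed))
    print(to_machine_readable(share_with(feed, "amber", exclude_source="partner-A")))
```

Running the script prints the enriched feed as a table for analysts, then the JSON that a partner cleared for TLP:AMBER would receive (the red internal indicator stays home, and partner-A's own record is not echoed back). The 15-point enrichment bonus and the 80-point automation cut-off are deliberately simple; a real platform would derive the score from many more context sources, but the separation between "safe to automate" and "needs a human" is the point the article makes about trust.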

The primary goal of threat intelligence sharing is to help organizations better understand the risks of the most common and severe issues, such as zero-day threats, advanced persistent threats and exploits, and to enable them to make good, informed decisions about their response to those threats. With automated, detailed, contextualized threat intelligence, organizations can better anticipate malicious activity and utilize intelligence to speed detection around proven attacks. They can also foster more collaborative relationships between organizations and the industry at large. Increasing collaboration in the ecosystem and trust in cybersecurity automation will help to win the battle against cyber adversaries.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
