Sharing intel: joining your threat intelligence community
December 6, 2018
As threat intelligence becomes more ubiquitous, many organisations are discovering that sharing threat intelligence information is powerful in combating cyber-attacks.
Sharing is one of the earliest lessons we learn in life, but – understandably – not the foremost on our minds when it comes to cyber-security. Sharing your toys as a kid makes perfect sense, but sharing something like company data? That’s the exact information you’re trying to keep out of the wrong hands.
I know, it seems counterintuitive. But let’s say, for the sake of argument, that you placed information into the right hands. What happens next?
Many organisations asked themselves the same question and found a promising answer – sharing information such as cyber-threat intelligence provided a host of benefits that led to better cyber-defence. With detailed and contextualised data on cyber-adversaries, organisations were better able to guess attacker strategies, identify malicious actions and block infiltration.
There are numerous ways to gather and apply shared threat intelligence, but consider contributing this information rather than just consuming it. Threat actors collaborate frequently, and one of our best chances at staying ahead of them is to do so ourselves. Below are some additional details to consider as you begin to share threat intelligence.
Who should I share with?
The most natural partners for sharing threat intelligence are those organisations most likely to experience the same attacks as your own. Adversaries will typically reuse many of their tools and procedures as they target companies within an industry (who knew they'd be one of the biggest proponents of recycling?). Your industry peers will also intuitively understand your business and privacy concerns. For many organisations this may be the only group they share intelligence with, leading some to create Information Sharing and Analysis Centers (ISACs). These groups can help facilitate sharing for even the most resource-strapped of companies.
There are other potential partners for sharing, though. Some attacks originate in physical spaces and aren't confined to the internet. Local cyber-security groups may be a great option for any geographically originated type of attack. Finding local sharing partners, which may or may not be in your industry, can be important for localised and geographic intelligence sharing. Another important reason to find partners outside of your industry or vertical is to gain exposure to cyber-threat information that is outside of your regular ecosystem, and therefore easily overlooked or missed.
What should I share?
Many people hold back from sharing because they feel they have nothing of value to contribute. This simply isn't true. Even something small can be the tip-off another organisation needed to stave off disaster. The key to making what you share valuable, however, is to ensure that you provide quality over quantity. Quality intelligence includes context for the situation, your own analysis, and any other relevant observations. It may seem scary or downright unacceptable to share such sensitive material, but with the right agreements in place, privacy concerns can be met with the right amount of caution. Sharing tools such as a threat intelligence platform can also ensure that data is exchanged in a highly secure fashion.
In addition to sharing intelligence, organisations can share defensive measures such as YARA rules, Snort rules, scripts, system or application configuration tweaks, security tool configurations, and more. All of this serves to give yourself and your partners better visibility for intelligence analysis and agility when taking action based on new insights.