Threat intelligence is becoming a more ubiquitous feature in information security programs. Whether organizations have a full threat intelligence team, ingest threat feeds, or simply leverage threat intelligence features found in common security tools, most are now benefiting from threat intelligence in one way or another. The 2019 Ponemon Study, The Value of Threat Intelligence, indicates that 85% of organizations say threat intelligence is essential to achieving a strong security posture.
Commensurate with the increase in the use of threat intelligence has been an increase in sharing threat intelligence between organizations. Industry-centric sharing initiatives like Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and other private sharing organizations have led to a dramatic increase in the sharing of threat intelligence. Additionally, government-led initiatives from the Department of Homeland Security (DHS), like the Automated Indicator Sharing (AIS) program and the Cyber Information Sharing and Collaboration Program (CISCP), the United Arab Emirates (UAE) Tasharuk program, and the United Kingdom's Cyber Security Information Sharing Partnership (CiSP), have all encouraged, and in some cases mandated, sharing partnerships between governments and private organizations. We have seen private local sharing partnerships based on mutual interest cropping up as well.
Despite the relative popularity of these sharing initiatives, member organizations are still mostly focused on consuming what is shared instead of adding their own contributions. There are a number of reasons for this. Not all organizations have the resources to stand up threat intelligence practices capable of producing original intelligence. While this is not a requirement for sharing indicators or other types of intelligence, it is still a primary reason that organizations feel they have nothing of value to contribute. Privacy concerns are another major barrier to organizations contributing to threat intelligence sharing initiatives. It's not a hard sell to consume shared data from other organizations, but there are still fears around sharing internal threat data that might be considered sensitive. These concerns are valid, but they are not insurmountable obstacles to getting more organizations involved in sharing. Furthermore, these concerns typically disappear during times of crisis, and intelligence sharing expands on its own when it is mutually advantageous to preventing further damage. There are many significant benefits to sharing, perhaps some that haven't yet been realized. Included here are several points for consideration regarding the sharing of threat intelligence.
Unidirectional Versus Bidirectional Sharing
There are two common ways in which threat intelligence is shared. The most common version is unidirectional threat intelligence sharing, where one entity produces and shares threat intelligence that others consume. Those consuming the intelligence do not contribute in return, often because a mechanism does not exist for "pushing" information back. Examples of unidirectional threat intelligence sharing include:
- Open-source intelligence, which might involve downloading a publicly available report covering a recent attack that contains indicators and methods used, or ingesting an open-source intelligence feed.
- Closed-source reports and feeds.
The other option for organizations is to engage in bidirectional threat intelligence sharing. For most organizations, their initial experience with this kind of sharing likely came when joining their industry ISAC or government sharing program. In these situations intelligence isn’t just sent down to be consumed, but can also be ingested from member organizations. Although sharing is allowed and encouraged in these programs, there is typically no mandate that every member organization share intelligence.
Concerns Around Sharing Intelligence
It’s highly desirable to consume available threat intelligence. Whether or not specific sources of threat intelligence should be consumed by a particular organization, or if it has the ability to properly utilize those sources, is a separate question outside the scope of this discussion. These questions should be answered by intelligence requirements, fidelity, availability of resources, and so on. Also see Anomali ThreatStream. Overall, the decision to consume some source of intelligence is generally not a hard sell if it is deemed to be required for generating actionable intelligence in an organization.
Asking an organization to actively share indicators or produced intelligence is another question altogether. Even contributing additional details or context to intelligence shared from other organizations can be a tall order. Below is a list of common concerns that impede organizations from engaging in sharing threat intelligence:
1. Privacy and liability concerns:
- Scrubbing data for private information or sensitive corporate information before sharing is a good idea regardless of the type of sharing involved. This is most problematic with automated sharing as the scrubbing must be done before the information is shared.
- The Cybersecurity Information Sharing Act of 2015 (CISA) has provisions to address common concerns around privacy and liability. Some of these protections are contingent on certain stipulations being met. As always, proper legal advice is highly recommended to understand how CISA may apply to specific situations.
- The European Union General Data Protection Regulation (GDPR) for protecting business data and personal information also applies to threat sharing. Formal threat sharing compliance models are being evaluated but not formalized. In the meantime, threat intelligence analysts need to reassess the many sharing methods they’ve used in the past to avoid non-compliance.
- The fact that so many organizations are engaging in sharing initiatives within their industry or with the government is proof that privacy and liability concerns can be overcome—either through more accurate perception of sharing intelligence, protective clauses in legal agreements, recent legislation, or care in what is being shared. Regardless of the underlying reason, it is a promising trend for the future of shared intelligence.
2. “There is nothing of value to contribute.”
- Organizations with smaller information security teams and smaller budgets may feel like they don't have anything to contribute that isn't already being covered by larger organizations or those with bigger budgets. This shouldn't preclude them from stepping in where possible. There are often at least some additional details that can be added to the intelligence already shared. For example, no organization sees every possible attack or all possible variants of a particular wave of phishing emails. There will always be opportunities for organizations to get involved and share something, regardless of how insignificant it may seem. These details can aid in visibility and help produce more fully sourced intelligence analysis. It only takes one part-time analyst to contribute valuable context, particularly when relevant tools are at their disposal. Available products like Anomali Lens™, which uses natural language processing, enhance their analytic capability.
3. Lack of expertise
- Not having trained intelligence analysts on staff can be a hindrance to contributing to shared intelligence. While it is true that a lack of trained analysts is an issue, it shouldn't curtail the notion of sharing altogether. An organization can still add value to the community simply by contributing whatever context, observed attack details, and, where possible, analysis its existing staff can develop.
4. Fear of revealing an organization has been hacked
- The fear of sharing breach details more broadly than with the entities absolutely necessary is common. What if the analysis details of some interesting traffic shared in the morning turned out to be evidence of a month-long breach discovered after further analysis? Going even further, the idea of deliberately sharing breach details quickly with sharing partners is probably a foreign concept in most organizations. This topic is addressed more fully later in the document in the section titled, “Where to start or expand intelligence sharing” under item number six.
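The scrubbing step under item 1 is the piece that has to be fully automated before a record can be pushed to a sharing partner without a human in the loop. The following is an added example, not code from the paper or from Anomali, of what such a pre-sharing scrub can look like: it drops fields that should never leave the organization, masks internal IP addresses and internal e-mail addresses inside free-text fields, and attaches a TLP marking. The organization domain `example-corp.internal`, the RFC 1918 ranges used as "internal" address space, the field names, and the sample phishing event are all constructed for this example.

```python
import ipaddress
import re
from copy import deepcopy

# Assumption (constructed for this example): the sharing organization's own
# domain and the address ranges it treats as internal. A real deployment would
# load these from configuration.
INTERNAL_DOMAIN = "example-corp.internal"
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Fields that carry victim or staff identity and must never be shared, even
# when the rest of the event is. Hypothetical field names for this example.
FIELDS_TO_DROP = {"victim_host", "victim_user", "analyst"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_internal_ip(text):
    """True if text is an IPv4/IPv6 address inside one of INTERNAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # regex matched something that is not a valid address
    return any(addr in net for net in INTERNAL_NETWORKS)


def scrub_text(text):
    """Mask internal IPs and internal e-mail addresses inside free text.

    External indicators (attacker sender addresses, external IPs) are left
    intact because they are the part worth sharing.
    """

    def mask_ip(m):
        return "[REDACTED-INTERNAL-IP]" if _is_internal_ip(m.group(0)) else m.group(0)

    def mask_email(m):
        domain = m.group(1).lower()
        if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
            return "[REDACTED-INTERNAL-EMAIL]"
        return m.group(0)

    text = IPV4_RE.sub(mask_ip, text)
    return EMAIL_RE.sub(mask_email, text)


def scrub_event(event, tlp="AMBER"):
    """Return (scrubbed_copy, removed_fields) for an event about to be shared.

    The input is never modified, so the unscrubbed original stays available
    for internal investigation; removed_fields is meant for an internal
    audit log of what was withheld.
    """
    scrubbed = deepcopy(event)
    removed = []
    for field in FIELDS_TO_DROP:
        if field in scrubbed:
            scrubbed.pop(field)
            removed.append(field)
    for key, value in list(scrubbed.items()):
        if isinstance(value, str):
            scrubbed[key] = scrub_text(value)
        elif isinstance(value, list):
            scrubbed[key] = [scrub_text(v) if isinstance(v, str) else v for v in value]
    scrubbed["tlp"] = tlp  # mark handling expectations for the recipient
    return scrubbed, removed


# Constructed sample event: a phishing report as an analyst might file it
# internally, before any scrubbing. The hash is a placeholder, not a real IoC.
SAMPLE_EVENT = {
    "type": "phishing",
    "sender": "invoice@bad-domain.example",
    "subject": "Overdue invoice",
    "url": "http://bad-domain.example/login",
    "attachment_sha256": "0" * 64,
    "source_ip": "203.0.113.45",
    "victim_user": "jane.doe@example-corp.internal",
    "victim_host": "wks-0142.example-corp.internal",
    "analyst": "bob",
    "notes": "Clicked from 10.20.30.40; user jane.doe@example-corp.internal "
             "reported it. Analyst bob@example-corp.internal triaged.",
}

if __name__ == "__main__":
    shared, withheld = scrub_event(SAMPLE_EVENT)
    print("withheld fields:", sorted(withheld))
    for k, v in shared.items():
        print(f"{k}: {v}")
```

In an automated pipeline this function sits immediately before the record is serialized for the partner, and the `removed` list goes to an internal log so the organization can show what it withheld. The design is deliberately a mix of a field deny-list and pattern masking: the deny-list catches identity fields whose names are known in advance, while the regexes catch internal identifiers that analysts paste into free text. Hostnames, usernames without a domain, ticket numbers and other organization-specific identifiers would need their own patterns, which is why the scrubbing rules should be reviewed whenever a new field or data source is added to the sharing feed.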