Why Sharing Threat Intelligence is a Smart Move (And Tips for Doing It)
Cyber criminals are more organised and sophisticated than ever. Their attacks are capable of doing more damage than ever before.
As a result, many companies feel like they’re perpetually playing catch up with their cybersecurity efforts.
But one way that organisations are gaining the upper hand is by sharing threat intelligence. This is actually one of the core tenets of the DevSecOps manifesto, which emphasizes shared threat intelligence over individuals keeping information to themselves.
And as research has found, more and more companies are buying into this strategy. In fact, 78 percent believe that it’s now a vital part of achieving strong security.
Fighting Fire with Fire
What’s interesting is that information sharing is something that hackers do all of the time. Peruse the Internet, and you’ll find countless sites and forums that are solely devoted to hackers exchanging information with one another. There are entire online communities built around it.
You could even argue that this willingness to share knowledge has been a key contributor to how successful the hacker community has become.
Taking the same approach can be incredibly beneficial for modern companies. Rather than siloing information, sharing threat intelligence helps organisations take a stand and encourages collaboration for heightened security. It’s like fighting fire with fire.
Let’s now discuss some reasons why this is a smart move and how to go about sharing threat intelligence.
Quickly Identify Vulnerabilities
The longer a threat goes unnoticed, the more damaging the impact will likely be. Whether it’s spying on sensitive data, infecting your network with a virus or stealing credit card information, cyber criminals want their actions to escape your attention. Staying under the radar bodes well for them.
One of the best ways to reduce the threat detection time is to have your team members on the same page and actively sharing information with one another.
Say that a person from one department spots suspicious network activity that appears out of the ordinary. When they share their finding with your other departments, the threat can be diagnosed in near real-time.
But without this type of communication, the threat dwell time is almost guaranteed to increase. And this is important given that the median dwell time was 49 days as of 2015.
Proactively Fix Flaws
This approach to cybersecurity naturally raises awareness. Whenever a potential attack occurs, it sets off a figurative alarm where everyone within your organisation is quickly alerted.
In turn, team members can work together cohesively to neutralize a threat and fix the problem.
Cybersecurity expert Grayson Milbourne says it well in TechCrunch with the following quote. “As soon as a threat is detected on one endpoint, all other endpoints using the platform are immediately protected.”
In some cases, this can prevent any damage from occurring whatsoever. And even in a worst-case scenario where it does have the chance to infiltrate your network, you’ll at least be able to lessen the damage and assuage any ill effects.
Raise Your Collective Threat Intelligence Level
Your organisation’s threat intelligence is limited when team members/departments operate in isolation. The lack of information flow inhibits everyone’s ability to react to and address threats.
Individuals may not have a clue as to what’s going on outside of their immediate department and may be completely unaware that a critical threat is looming.
But an open exchange of information naturally facilitates a greater understanding. No longer do team members work as disparate entities but as a unified whole. And this is highly advantageous for raising your collective threat intelligence level.
What you ultimately get is a security-centric ecosystem where you have a solid grasp on your current state of cybersecurity at all times.
Better Equip Yourself for Evolving Threats
Milbourne also says, “Given the evolution of malicious code and constantly changing environments, it’s critical that security controls adapt quickly and dependably.” And you could argue that sharing threat intelligence is one of the best ways to achieve this needed level of adaptability.
When team members openly share information, everyone is aware of the potential threats you’re up against. So if there were a new type of attack, like an advanced SQL injection, your entire team would be aware of it.
This puts your organisation in a position to stay one step ahead of cyber criminals. Even though the specific types of threats and their intensity may change, you’ll always be prepared.
Tips for Effective Threat Intelligence Sharing
At this point, we’ve established that this strategy offers some distinct advantages and can give your enterprise an edge over opportunistic cyber criminals. But for it to work, it’s necessary to follow some best practices.
Here are some guidelines for making the process as seamless as possible.
Perform an Information Inventory…
The first step is to identify the specific types of data that you’re currently capable of producing as this will ultimately determine the information that can be shared.
For example, you might use managed security vulnerability scans to spot changes, defects or misconfigurations that could open the door to a cyber attack, which would play a major role in the data that you’re able to generate.
Knowing how much data you’re able to generate and the particular aspects of cybersecurity that it covers lets you know your capabilities and whether or not they’re sufficient.
This brings us to the next point.
As Well as a Device Inventory
You’ll also want to know exactly which devices you’re using within your network because it will tell you what could potentially be exploited. Ask yourself:
- What types of devices do we use?
- What are their OS versions?
- What are their patch levels?
- Are the OS and patch levels up-to-date?
Acquire Necessary Tools
You may find that your organisation’s current set of tools is inadequate for producing the depth of data that’s necessary to facilitate shared threat intelligence. If so, you’ll need to consider investing in additional technologies that will enable you to do so.
For instance, penetration testing tools are highly effective for identifying vulnerabilities that would otherwise be difficult to find manually. So if this isn’t something you’re currently utilising, you may want to look into vendors and the penetration testing tools they offer.
This isn’t to say that you need to shell out big money. But it’s certainly advantageous to at least explore your options and see if there are any tools that can help you generate more comprehensive data.
Develop an Efficient Framework for Sharing
The quicker and easier it is for your team to share information, the more successful your initiatives should be. So you’ll need to devise a system to streamline this process and decide which specific platforms you’ll want to use for communication.
This could be something as basic as email or something as sophisticated as a formal threat intelligence sharing tool.
Simplicity is key here. Any unnecessary difficulties will only create friction and diminish the communication between your team. That’s why you should strive to make it as simple as possible and place an emphasis on user-friendliness.
Encourage a Rapid Response
Being proactive is absolutely critical to making this strategy work for you.
As Steve Zurier says in Dark Reading, “Information sharing is not about breach notification. Organisations need to share event data early in the security cycle—before an event happens—such as information about suspicious activity.” It’s all about catching issues in the early stages. Otherwise, it defeats the entire purpose.
So this is something that you need to instill in your team members. Everyone should be encouraged to speak up whenever they notice something that seems out of place.
Remember, it’s better to respond to a false alarm than to wait so long that an attack has a chance to cripple your network.
Be Aware of Cybersecurity Sharing Limitations
There is one caveat that should be noted. Organisations do have certain limitations in terms of the types of information they can share.
As Zurier puts it, “Sharing data with other organisations about exploits and vulnerabilities is legal so long as you don’t share personally identifiable information.” He elaborates that you typically wouldn’t want to share a victim’s email address. However, things like IP addresses and suspicious URLs are totally fine.
This is just something to be aware of because you could potentially find yourself in legal trouble if you were to give away personally identifiable information. So you’ll want to let your team members know about this to prevent any unintended backlash from occurring.
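One way to enforce this rule before event data leaves the organisation, shown as an added example that is not from the original article: an allowlist filter that keeps IP addresses and suspicious URLs but strips email addresses, including ones embedded in a URL. The field names, the `REDACTED_EMAIL` token and the sample event are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import (parse_qsl, quote, unquote, urlencode,
                          urlsplit, urlunsplit)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "REDACTED_EMAIL"
# Assumed field names; anything not listed here is never shared.
SHAREABLE = {"src_ip", "url", "note", "first_seen"}

def scrub_url(url):
    """Keep a suspicious URL useful as an indicator, minus any email address."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]          # drop user:password@
    path = quote(EMAIL_RE.sub(REDACTED, unquote(parts.path)))
    query = urlencode([(k, EMAIL_RE.sub(REDACTED, v))  # parse_qsl decodes %40
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    # Fragment is dropped: it is never sent to the server and may carry
    # the recipient's address.
    return urlunsplit((parts.scheme, netloc, path, query, ""))

def sanitize_event(event):
    """Return a copy of the event that is safe to share outside the team."""
    out = {}
    for key, value in event.items():
        if key not in SHAREABLE:
            continue                                   # e.g. victim_email
        if key == "src_ip":
            out[key] = str(ipaddress.ip_address(value))  # ValueError on junk
        elif key == "url":
            out[key] = scrub_url(value)
        else:
            out[key] = EMAIL_RE.sub(REDACTED, str(value))
    return out

# Constructed sample event (documentation IP range, example domains).
SAMPLE_EVENT = {
    "src_ip": "203.0.113.45",
    "url": "http://billing:pw@login.example.net/reset"
           "?user=jane.doe%40example.com&step=2#jane.doe@example.com",
    "victim_email": "jane.doe@example.com",
    "note": "Phish reported by jane.doe@example.com, links to fake login page",
    "first_seen": "2015-06-01T09:30:00Z",
}

if __name__ == "__main__":
    for field, value in sanitize_event(SAMPLE_EVENT).items():
        print(f"{field}: {value}")
```

Using an allowlist rather than a blocklist means a newly added field stays internal until someone decides it is safe to share.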
Greater Security Through Deeper Collaboration
Technology has created some massive opportunities for modern companies. Unfortunately, it’s also created numerous challenges when it comes to cybersecurity. And this is definitely something to take seriously.
While there are many ways to enhance cybersecurity, sharing threat intelligence is one of the most comprehensive. By creating an environment of communication and collaboration, your organisation should be prepared for whatever comes your way.
An added plus is that it helps make security an integral part of your culture.
Does your company currently have any form of shared threat intelligence in place? Please share your story: