February 10, 2017 By Pamela Cobb 3 min read

The facial expression has many names: side-eye, skepticism, disbelief — the perfect, singular, arched eyebrow over a pair of glasses. Regardless of the name, it is one we have seen both digitally, virtually and in person when discussing collaborative threat intelligence.

Yes, we can proclaim that the bad guys are working together and organized cybercrime is on the rise. We can talk about how it is imperative that security vendors, partners and clients work together to shorten the life cycle of threats. But how realistic is it to expect collaboration in such a tense threat landscape?

What Threat Intelligence Are We Sharing?

When we talk about the types of information being shared, it’s important to clarify the content as well. The general guidance is to avoid sharing proprietary, internal information about your security infrastructure, such as the number of endpoints and servers, or even specific security appliances or software installed. Instead, security professionals should share external threat intelligence information.

Analysts should be encouraged, for example, to share the content of a spam email, the source IP and the MD5 hash associated with a potentially malicious attachment, but not necessarily the number of employees who received the email or clicked a link or attachment.

It’s important to note the distinction between evidence of attempts and evidence of infiltration. A successful attack is far more dangerous and likely to spread elsewhere than an unsuccessful one. Sharing indicators of compromise (IoCs) on an active infiltration can help shorten the life cycle of a successful campaign and make more work for the attackers, since they must reconfigure their methods to overcome the defenses erected to block their incursion.

Overcoming Corporate Policies

Aside from fear of liability from threat intelligence sharing, corporate policies often prohibit sharing outside the organization. This is the hardest obstacle to overcome because it requires a change that starts with the corporate legal team and can have a ripple effect in other areas.

The good news is that government and community-led efforts such as the U.S. Cybersecurity Information Sharing Act (CISA), and industry-focused groups like the Information Sharing and Analysis Centers (ISACs), are affecting change in these areas. The Hong Kong Monetary Authority recently launched a Cybersecurity Fortification Initiative (CFI) to further encourage high standards of cybersecurity within the Hong Kong financial markets. These policies and organizations aim to ease the way for businesses to join the threat information sharing movement.

Lack of Processes or Resources

Let’s say you have permission to share threat intelligence and begin collaborating. Now what? Organizations often lack processes to anonymize and distribute threat intelligence back into the security community, as well as the resources to define the process. The challenge, then, is to research the plethora of collaborative threat intelligence platforms available and choose one that meets your organization’s needs, particular process and budget.

Of course, vendor-sponsored platforms such as the IBM X-Force Exchange are one option, but many ISACs also have online communities. Attackers have figured out how to remotely collaborate via message boards, online black markets and even email, so time is of the essence in learning how to give yourself the same advantage.

Lack of Trust Relationships

So now that you have permission to share and a place to share, how do you figure out with whom to share? Trust relationships are imperative. A good place to start is with a group of like-minded colleagues. Whether it be in person at conferences or vendor shows, online through an ISAC, on-platform with other users of a collaborative threat intelligence portal, or even through online communities such as LinkedIn, there is no shortage of security peers struggling with many of the same issues.

Independent initiatives such as the Cyber Threat Alliance, a conglomeration of security solution vendors and researchers who joined forces to collectively share information and protect their customers, have also sprouted up to help provide options for security analysts seeking additional information and a trusted network.

The obstacles are not insurmountable, but it does take time to cultivate the right structure and network of colleagues to collaborate on threat intelligence. To learn more about what to look for in a platform, join the Feb. 22 webinar, “How to Expand Your Threat Intelligence Toolbox in a Single Platform.”

Register Now for the Upcoming Webinar

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today