Overcoming the Security Side-Eye: Making Collaborative Threat Intelligence Work
The facial expression has many names: side-eye, skepticism, disbelief, the perfect, singular, arched eyebrow over a pair of glasses. Regardless of the name, it is one we have seen digitally, virtually and in person when discussing collaborative threat intelligence.
Yes, we can proclaim that the bad guys are working together and organized cybercrime is on the rise. We can talk about how it is imperative that security vendors, partners and clients work together to shorten the life cycle of threats. But how realistic is it to expect collaboration in such a tense threat landscape?
What Threat Intelligence Are We Sharing?
When we talk about the types of information being shared, it’s important to clarify the content as well. The general guidance is to avoid sharing proprietary, internal information about your security infrastructure, such as the number of endpoints and servers, or even specific security appliances or software installed. Instead, security professionals should share external threat intelligence information.
Analysts should be encouraged, for example, to share the content of a spam email, the source IP and the hash of a potentially malicious attachment (an MD5 is the common currency of older feeds, but pair it with a SHA-256, since MD5 collisions are cheap to produce), but not necessarily the number of employees who received the email or clicked a link or attachment.
It’s important to note the distinction between evidence of attempts and evidence of infiltration. A successful attack is far more dangerous and likely to spread elsewhere than an unsuccessful one. Sharing indicators of compromise (IoCs) on an active infiltration can help shorten the life cycle of a successful campaign and make more work for the attackers, since they must reconfigure their methods to overcome the defenses erected to block their incursion.
Overcoming Corporate Policies
Aside from fear of liability from threat intelligence sharing, corporate policies often prohibit sharing outside the organization. This is the hardest obstacle to overcome because it requires a change that starts with the corporate legal team and can have a ripple effect in other areas.
The good news is that government and community-led efforts such as the U.S. Cybersecurity Information Sharing Act (CISA), and industry-focused groups like the Information Sharing and Analysis Centers (ISACs), are effecting change in these areas. The Hong Kong Monetary Authority recently launched a Cybersecurity Fortification Initiative (CFI) to further encourage high standards of cybersecurity within the Hong Kong financial markets. These policies and organizations aim to ease the way for businesses to join the threat information sharing movement.
Lack of Processes or Resources
Let’s say you have permission to share threat intelligence and begin collaborating. Now what? Organizations often lack processes to anonymize and distribute threat intelligence back into the security community, as well as the resources to define the process. The challenge, then, is to research the plethora of collaborative threat intelligence platforms available and choose one that meets your organization’s needs, particular process and budget.
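What such a sanitization step looks like in practice, as an added example that is not code from the article or from any sharing platform: it takes an internal incident record, keeps only the external indicators described above (subject, attacker IP, URLs, attachment hashes), drops everything that describes our own environment (recipient and click counts, endpoint totals, vendor names, internal addresses), tags the package with the attempt-versus-compromise distinction, and runs a final leak check before anything is uploaded. The field names, the sample incident and the output layout are hypothetical and constructed for illustration.

```python
"""Turn an internal phishing-incident record into a package safe to share with peers.

Added example, not code from the article or from any sharing platform. The record
fields, the sample incident and the output layout are constructed for illustration.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Fields that describe our environment or our users, not the threat. Hypothetical names.
INTERNAL_FIELDS = frozenset({
    "recipients", "clicked", "endpoint_count", "server_count",
    "edr_vendor", "mail_gateway", "reporter", "ticket_id",
})

# Address space that identifies our own layout rather than the attacker's infrastructure.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10",                # IPv6 equivalents
)]

def is_internal_address(value):
    """True if value parses as an IP inside one of OWN_NETWORKS."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in OWN_NETWORKS)

def defang(url):
    """Make a URL unclickable in a shared report (hxxp://, [.])."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def file_hashes(data):
    """MD5 keeps older feeds happy; SHA-256 is what peers should match on, since MD5
    collisions are practical and an attacker can ship two files with the same MD5."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def sanitize(record, tlp="AMBER"):
    """Return (package, dropped_fields): external indicators only, tagged with the
    attempt-vs-compromise distinction and a TLP marking for the receiving community."""
    indicators = []
    if record.get("subject"):
        indicators.append({"type": "email-subject", "value": record["subject"]})
    src = record.get("source_ip")
    if src and not is_internal_address(src):
        indicators.append({"type": "ip-addr", "value": src})
    for url in record.get("urls", []):
        host = urlsplit(url).hostname or ""
        if not is_internal_address(host):          # skip links to our own hosts
            indicators.append({"type": "url", "value": defang(url)})
    att = record.get("attachment")
    if att:
        indicators.append({"type": "file", "name": att["name"], **file_hashes(att["content"])})
    # Evidence of infiltration (payload ran) vs. evidence of an attempt (blocked or unopened).
    phase = "compromise" if record.get("outcome") == "executed" else "attempt"
    dropped = sorted(k for k in record if k in INTERNAL_FIELDS)
    return {"tlp": tlp, "phase": phase, "indicators": indicators}, dropped

def leaks_internal_data(package):
    """Final gate before upload: no internal field names or addresses anywhere in the package."""
    def strings(obj):
        if isinstance(obj, dict):
            for k, v in obj.items():
                yield k
                yield from strings(v)
        elif isinstance(obj, list):
            for v in obj:
                yield from strings(v)
        elif isinstance(obj, str):
            yield obj
    for s in strings(package):
        if s in INTERNAL_FIELDS or is_internal_address(s):
            return True
        if any(is_internal_address(m) for m in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", s)):
            return True
    return False

# Constructed sample incident (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_RECORD = {
    "subject": "Invoice 4471 overdue",
    "source_ip": "203.0.113.45",
    "urls": ["http://invoice-portal.example/login", "http://10.0.0.5/share"],
    "attachment": {"name": "invoice.doc", "content": b"constructed sample bytes"},
    "outcome": "blocked",
    "recipients": 212, "clicked": 3, "endpoint_count": 1800,
    "edr_vendor": "VendorX", "mail_gateway": "10.1.2.3", "ticket_id": "IR-0042",
}

if __name__ == "__main__":
    package, dropped = sanitize(SAMPLE_RECORD)
    assert not leaks_internal_data(package)
    print("dropped before sharing:", dropped)
    print(package)
```

The two-stage design is deliberate: the allow-list in `sanitize` decides what goes out, and `leaks_internal_data` is an independent deny-list check that catches anything the allow-list missed (an internal address buried in free text, for instance). Keeping the dropped field names out of the package and only logging them locally matters too, since the names of your telemetry fields are themselves a description of your tooling.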
Of course, vendor-sponsored platforms such as the IBM X-Force Exchange are one option, but many ISACs also have online communities. Attackers have figured out how to remotely collaborate via message boards, online black markets and even email, so time is of the essence in learning how to give yourself the same advantage.
Lack of Trust Relationships
So now that you have permission to share and a place to share, how do you figure out with whom to share? Trust relationships are imperative. A good place to start is with a group of like-minded colleagues. Whether it be in person at conferences or vendor shows, online through an ISAC, on-platform with other users of a collaborative threat intelligence portal, or even through online communities such as LinkedIn, there is no shortage of security peers struggling with many of the same issues.
Independent initiatives such as the Cyber Threat Alliance, a coalition of security solution vendors and researchers who joined forces to collectively share information and protect their customers, have also emerged to provide options for security analysts seeking additional information and a trusted network.
The obstacles are not insurmountable, but it does take time to cultivate the right structure and network of colleagues to collaborate on threat intelligence. To learn more about what to look for in a platform, join the Feb. 22 webinar, “How to Expand Your Threat Intelligence Toolbox in a Single Platform.”