How to Intelligently Share Cyber Threat Intelligence
A lot has been written on the importance of information sharing in the cybersecurity community. There is seemingly an ISAC for every industry these days. We’re talking the talk, and on the surface it looks like some organizations are starting to walk the walk. But in reality, we’re still just scratching the surface when it comes to sharing cyber threat information, let alone sharing intelligence that is useful and practical.
The concept of intelligence sharing goes well beyond the stream of acronyms: STIX for expressing threat information, TAXII for transporting it, CybOX for describing observables (since folded into STIX 2.x), and so on. Standardized formats matter, but they are one small piece of the puzzle in making sharing work, and in getting others to give as much as they take.
Let’s step back for a second and look at why intelligence sharing is important. What’s the benefit, and is it worth the effort? At the end of the day, threat intelligence analysts should be working to effect positive change from a cyber risk perspective. Consumers of that intel should be measuring its value against questions like: Is the organization safer? Is cybersecurity spend more cost-effective? Practical cyber threat intelligence can absolutely help an organization focus on its most critical risk areas, and sharing plays an important role in all of this.
Before you can start intelligently sharing threat intel, there are several important things you must do first…
Lay the Groundwork
• Establish a collection plan. You can’t really start worrying about what intelligence to share until you first have a collection plan. Your collection plan can draw on numerous sources, including your own internal data, open source intelligence, dark web sources (both openly accessible and restricted sites), commercial data feeds and ISACs. The more sources you can cultivate, the more breadth and depth you have from which to start conducting real intelligence work.
• Identify key stakeholders with whom to share intel, and specify who is a producer and who is a consumer. Once you have a collection plan and start collecting data, you should also identify the key stakeholders within your organization and within your partners, customers and vendors, all of whom have digital touchpoints into your organization. Stakeholder examples include, but are not limited to: executives and boards of directors, technical teams (cybersecurity, IT, application owners), fraud teams, risk management, legal counsel and compliance officers, vendors in your supply chain, and your industry ISAC.
Turning on a spigot of data streaming to your stakeholders isn’t very helpful and can in fact create a lot of ineffective work. This is where the difference between evaluated intelligence and unevaluated data comes into play: raw indicators and feed data are not intelligence until an analyst has assessed their reliability and their relevance to the recipient. Your stakeholders should ultimately help determine what data and intelligence gets shared, with emphasis on fulfilling a purpose.
• Of all the data you’ve collected, reviewed and analyzed, what is relevant and does that relevancy change based on who you share it with?
• There should be agreed upon rules of engagement: What types of intelligence do different groups want to see, and what stakeholder data would be most helpful for you?
• What outcomes are you trying to change?
Depending on your organization, there may be more or fewer stakeholders involved, but the larger point is that cyber threat intelligence has value to many different roles and organizations. The intelligence you create and share must have context and meaning for each party. Thinking through the types of questions each group would ask is a good starting point for deciding what intel is useful. Sharing an indicator of compromise (IOC) with a risk officer or executive isn’t going to mean anything to them; sharing intel on the impact of a threat to the company’s finances might mean a lot.
• Incentivize your stakeholders to share. Intelligence sharing only works if everyone is incentivized to share and if liability concerns are minimized. Human nature and a highly litigious environment both work against the concept of intelligence sharing. Industry ISACs are great, but beyond being drawn from the same industry, the information they distribute is typically general rather than tailored to your organization.
So taking the concept of the ISAC and making it more tailored to your business ecosystem is where the rubber meets the road, i.e. creating your private ISAC (more on this below). Your stakeholders, including your suppliers, partners and customers, should all have a stake in this. With all of the interconnectivity among you, a threat to one could very well be a threat to the others.
• Create a private ISAC for your stakeholders. ISACs are all the rage when it comes to sharing (there seems to be a new one popping up each week), but a private ISAC that is specific to your business ecosystem can really drive value for you as well as your customers, partners and vendors, because the intel will be highly relevant. So the question becomes: how do you create this sharing environment?
1. Get organized – As mentioned above, EVERYTHING should start with your collection plan. What sources are you pulling from and why? What source gaps do you have? Who are the stakeholders? Who will produce intelligence versus consume it?
2. Enhance current processes instead of starting from scratch – Data fatigue is a real problem; analysts are constantly floundering in a sea of data trying to make sense of it all. Instead of trying to create a net new process, deliverable or service from scratch, you can quickly get in the game by improving your existing cybersecurity processes. How can intelligence enrich the current process? How can it give the employees who participate in that process more perspective? A few examples:
• Vulnerability Management – Using intelligence to prioritize vulnerability mitigation deployment, i.e. what needs to be patched now versus later, and in what order. Ranking by exposure and by evidence of active exploitation, rather than by severity score alone, puts the fixes that actually matter at the front of the queue.
• Incident/Breach Response Planning – Using intelligence to inform the incident and breach response program. I don’t know about you, but I like to see what has happened in the past so I can plan for the future.
• System Development – As new capabilities are developed and deployed, intelligence on the tactics, techniques and procedures adversaries are using can guide the design so that those scenarios are accounted for.
• Fraud Footprint – Does the organization know what external fraud is occurring against its brand? Does the anti-fraud team use intelligence?
3. Store, analyze and share – Having a simple repository of “finished” intelligence products, with access limited to those with a need to know, is a solid start. I see too many organizations get spun up trying to engineer a mega-sharing platform that quickly spirals out of control, and they end up getting nowhere. Keep it simple, keep it usable, and keep it practical. This is about collecting, evaluating and producing finished intelligence based on the needs of the consumers of that intelligence.
4. Make it official – Intelligence should be part of your risk management decision-making. It needs to be called out as such in your policy and processes, and it needs to be funded at some applicable level. Your organization already does this for business decisions; there it is called business intelligence. Every product and service your organization produces depends on technology in some way, shape or form, yet that dependency rarely gets treated as a risk area. Cyber threat intelligence should give cyber risk decision makers more clarity and context on problem areas so they can make more informed decisions and take action.
5. Grow your network – As you begin to reap the rewards of info-sharing and collaboration, expand your network. Consider your own organization’s subsidiaries, satellite or branch offices, internal departments and more. Your organization is also reliant on the products and services that your partners and suppliers provide, so it is imperative that the same conversation is extended to those stakeholders as well.
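The vulnerability-management use under step 2 above is the easiest place to see intelligence change a decision. The following is an added example written for this page, not code from the original article or from any vendor tool: it ranks constructed scanner findings (placeholder CVE identifiers of the form CVE-0000-NNNN, not real vulnerabilities) using three assumed intelligence inputs an analyst might maintain from the collection plan, namely a known-exploited list, CVEs reported in campaigns against the organization’s sector (the kind of thing an ISAC distributes), and products named in reporting on actors that target the organization. The weights are illustrative assumptions; the point is that the order changes once exposure and intelligence are applied, and that each entry carries the reasons a technical team needs.

```python
from dataclasses import dataclass

# Constructed sample data for this example (not from the article). CVE ids of the
# form CVE-0000-NNNN are placeholders, not real vulnerabilities.


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float       # CVSS base score, 0-10, straight from the scanner
    exposure: str     # "internet", "partner" or "internal"
    product: str      # affected product, as it is named in threat reporting


@dataclass
class ThreatIntel:
    """Three intel inputs an analyst might maintain from the collection plan."""
    exploited_in_wild: set      # CVEs with confirmed exploitation (a KEV-style list)
    sector_campaign_cves: set   # CVEs seen in campaigns against our sector (e.g. via the ISAC)
    targeted_products: set      # products named in reporting on actors that target us


# How much of the raw CVSS score survives for each exposure class (assumed weights).
# Internal-only assets still count, but an internet-facing flaw is reachable by anyone.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}


def priority_score(finding: Finding, intel: ThreatIntel):
    """Return (score, reasons). Higher score means patch sooner.

    CVSS supplies severity; exposure and intelligence supply urgency. The additive
    bumps are deliberately large enough that a medium-severity flaw being exploited
    right now outranks a critical one that nobody is using against anyone.
    """
    weight = EXPOSURE_WEIGHT.get(finding.exposure, EXPOSURE_WEIGHT["internal"])
    score = finding.cvss * weight
    reasons = [f"cvss={finding.cvss}", f"exposure={finding.exposure}"]
    if finding.cve in intel.exploited_in_wild:
        score += 4.0
        reasons.append("exploited in the wild")
    if finding.cve in intel.sector_campaign_cves:
        score += 2.0
        reasons.append("seen in campaigns against our sector")
    if finding.product in intel.targeted_products:
        score += 1.5
        reasons.append("product targeted by actors we track")
    return round(score, 2), reasons


def patch_order(findings, intel):
    """Rank findings for deployment; returns (cve, asset, score, reasons) tuples."""
    scored = [(f.cve, f.asset, *priority_score(f, intel)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed scanner output. Note the CVSS 9.8 flaw that is internal-only and in
# no intel list, versus the CVSS 7.5 flaw on an internet-facing VPN appliance.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-1001", "vpn-gw-01", 7.5, "internet", "VPN appliance"),
    Finding("CVE-0000-1002", "build-srv-07", 9.8, "internal", "CI server"),
    Finding("CVE-0000-1003", "partner-api-03", 8.1, "partner", "Web framework"),
    Finding("CVE-0000-1004", "www-01", 5.3, "internet", "Web server"),
    Finding("CVE-0000-1005", "build-srv-07", 6.5, "internal", "CI server"),
]

# Constructed intelligence inputs (assumed, for illustration only).
SAMPLE_INTEL = ThreatIntel(
    exploited_in_wild={"CVE-0000-1001", "CVE-0000-1005"},
    sector_campaign_cves={"CVE-0000-1003"},
    targeted_products={"VPN appliance"},
)

if __name__ == "__main__":
    # Resulting order: 1001 (13.0), 1003 (7.67), 1005 (6.6), 1004 (5.3), 1002 (3.92).
    for cve, asset, score, reasons in patch_order(SAMPLE_FINDINGS, SAMPLE_INTEL):
        print(f"{score:5.2f}  {cve}  {asset:<15} {'; '.join(reasons)}")
```

Run as-is, the CVSS 9.8 finding drops to the bottom of the queue because it is internal-only and nothing in the collected intelligence says anyone is using it, while the lower-scored VPN flaw goes first because it is exposed, exploited, and on a product the organization’s adversaries are known to target. The reasons list is the context a patching team wants; an executive reading the same ranking would get the impact summary, not the indicator detail, per the stakeholder point made earlier.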
Establishing a cyber threat intelligence capability is a strategic decision that takes patience and diligence, but which can change cybersecurity outcomes for the better over the long haul. Intelligence sharing is a key component, and again, it will take time and concerted effort to make it useful – but the end result is more than worth it.