Threat Intelligence

4/4/2017
11:45 AM
Adam Vincent
Adam Vincent
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Power of the Crowd: 3 Approaches to Sharing Threat Intel

Crowdsourced intelligence can help you build a stronger, more informed cyberdefense. Here's how.

In today’s cyber landscape, threats move and change faster than ever, making a quick and effective response to a potential intrusion critical. But, according to EY’s latest Cyber Threat Intelligence Report, 36 percent of companies surveyed report that it’s unlikely they would be able to detect a sophisticated attack.

To help solve this problem, cybersecurity experts often look outside their own organization for intelligence to help them diminish a cyber attacker’s advantage. The fact is, the only way to really change the game in cybersecurity response, and even threat prevention, is to understand how the adversary works, what their end goal may be, and to predict where they might go next. Unfortunately, this battle is nearly impossible to win alone. It requires intelligence from a variety of sources, with the power of the crowd being an integral piece of the puzzle.

Connected Communities
Crowdsourcing intelligence in cybersecurity means connecting a community of similarly trained, like-minded, and trusted individuals and organizations to solve the problem of a specific threat, adversary, or industry target. There are some amazing organizations leading the edge in threat intelligence sharing and collaboration such as The Arizona Threat Response Alliance, Inc. (ACTRA). ACTRA is a hub for collaborative cyber information-sharing between partners, industry, academia, law enforcement, and intelligence. It’s a prime example of how cyber information sharing across industries can help all the organizations involved analyze critical, real-time data in a quick, neutral, and cost-effective manner. In this case, ACTRA’s crowdsourced threat sharing enables more effective responses to cyber threats across Arizona’s critical infrastructure and key resources.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest threat intel trends and best practices.]

While threat sharing is occurring to a certain degree today through open source tools and even across a handful of industry groups, there is still much room for improvement to create truly crowdsourced threat intelligence sharing. Threat intelligence sharing as we know it today is hindered by manual tracking and analysis, as well as ineffective sharing models, analytic standards, and reporting vehicles that don’t disseminate accurate and actionable intelligence in a timely manner.

So, how can more organizations overcome the obstacles to sharing – and most especially the constraints on time? Here are three industrywide approaches that can grease the wheels for sharing:

  1. Learn from others. Make use of existing Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), such as the recently launched Sports ISAO, which shares intelligence to protect athletes, facilities and event sponsors from cyberattacks. Joining an ISAC or an ISAO is a great introduction to internal teams, such as legal, who may be apprehensive about the intel sharing process. The established standards and processes of these groups make it easier to gain executive level buy-in.
  2. Leverage analytics. Rather than looking at one incident at a time and then drawing conclusions to share, it’s better to use data science and analytics to surface the most relevant threats, especially when all indicators and other threat intelligence is maintained in a single database, Of course, you can do this with your own data, but storing data in a platform where it can be compared against other sources, will greatly increase your chances of surfacing threats.
  3. Orchestration and automation. In an under-staffed industry like cybersecurity, it is not surprising that many people are looking to orchestration for efficiency with use cases like pushing indicators to the firewall. Now, imagine applying that power to threat intelligence sharing. You could create set rules to push the information out to your partners automatically.

It wasn’t so long ago that you couldn’t go a day without seeing an article on how the secret to getting ahead of cyberthreats was sharing. While in theory that worked, it didn’t go very far. It was all just too hard. But, crowdsourcing threat intelligence - gathering it all in one place, leveraging analytics to process it and using orchestration to share it further - has real potential to make this a reality.

Related Content:

 

Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7268
PUBLISHED: 2018-05-21
MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automation and other products, contains an information exposure vulnerability in which a local unprivileged user is able to read any root (uid 0) owned file on the system, regardless of the file permissions. Confidential information suc...
CVE-2018-11092
PUBLISHED: 2018-05-21
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
CVE-2018-11096
PUBLISHED: 2018-05-21
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
CVE-2018-11320
PUBLISHED: 2018-05-21
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.