Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/4/2017
11:45 AM
Adam Vincent
Adam Vincent
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Power of the Crowd: 3 Approaches to Sharing Threat Intel

Crowdsourced intelligence can help you build a stronger, more informed cyberdefense. Here's how.

In today’s cyber landscape, threats move and change faster than ever, making a quick and effective response to a potential intrusion critical. But, according to EY’s latest Cyber Threat Intelligence Report, 36 percent of companies surveyed report that it’s unlikely they would be able to detect a sophisticated attack.

To help solve this problem, cybersecurity experts often look outside their own organization for intelligence to help them diminish a cyber attacker’s advantage. The fact is, the only way to really change the game in cybersecurity response, and even threat prevention, is to understand how the adversary works, what their end goal may be, and to predict where they might go next. Unfortunately, this battle is nearly impossible to win alone. It requires intelligence from a variety of sources, with the power of the crowd being an integral piece of the puzzle.

Connected Communities
Crowdsourcing intelligence in cybersecurity means connecting a community of similarly trained, like-minded, and trusted individuals and organizations to solve the problem of a specific threat, adversary, or industry target. There are some amazing organizations leading the edge in threat intelligence sharing and collaboration such as The Arizona Threat Response Alliance, Inc. (ACTRA). ACTRA is a hub for collaborative cyber information-sharing between partners, industry, academia, law enforcement, and intelligence. It’s a prime example of how cyber information sharing across industries can help all the organizations involved analyze critical, real-time data in a quick, neutral, and cost-effective manner. In this case, ACTRA’s crowdsourced threat sharing enables more effective responses to cyber threats across Arizona’s critical infrastructure and key resources.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest threat intel trends and best practices.]

While threat sharing is occurring to a certain degree today through open source tools and even across a handful of industry groups, there is still much room for improvement to create truly crowdsourced threat intelligence sharing. Threat intelligence sharing as we know it today is hindered by manual tracking and analysis, as well as ineffective sharing models, analytic standards, and reporting vehicles that don’t disseminate accurate and actionable intelligence in a timely manner.

So, how can more organizations overcome the obstacles to sharing – and most especially the constraints on time? Here are three industrywide approaches that can grease the wheels for sharing:

  1. Learn from others. Make use of existing Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), such as the recently launched Sports ISAO, which shares intelligence to protect athletes, facilities and event sponsors from cyberattacks. Joining an ISAC or an ISAO is a great introduction to internal teams, such as legal, who may be apprehensive about the intel sharing process. The established standards and processes of these groups make it easier to gain executive level buy-in.
  2. Leverage analytics. Rather than looking at one incident at a time and then drawing conclusions to share, it’s better to use data science and analytics to surface the most relevant threats, especially when all indicators and other threat intelligence is maintained in a single database, Of course, you can do this with your own data, but storing data in a platform where it can be compared against other sources, will greatly increase your chances of surfacing threats.
  3. Orchestration and automation. In an under-staffed industry like cybersecurity, it is not surprising that many people are looking to orchestration for efficiency with use cases like pushing indicators to the firewall. Now, imagine applying that power to threat intelligence sharing. You could create set rules to push the information out to your partners automatically.

It wasn’t so long ago that you couldn’t go a day without seeing an article on how the secret to getting ahead of cyberthreats was sharing. While in theory that worked, it didn’t go very far. It was all just too hard. But, crowdsourcing threat intelligence - gathering it all in one place, leveraging analytics to process it and using orchestration to share it further - has real potential to make this a reality.

Related Content:

 

Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8015
PUBLISHED: 2020-04-02
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.
CVE-2020-1927
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
CVE-2020-8144
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
CVE-2020-8145
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
CVE-2020-8146
PUBLISHED: 2020-04-01
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...