Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/11/2016
11:00 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Sharing Threat Intel: Easier Said Than Done

For cyber intelligence-sharing to work, organizations need two things: to trust each other and better processes to collect, exchange, and act on information quickly.

As cyber threats become more sophisticated and expand to the cloud and the Internet of Things, the sharing of meaningful threat intel  between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network.

What did we learn? For one thing, these partnerships demonstrate the importance of global threat intelligence research and analytics that security vendors can offer in dealing with cyber threats. In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups. It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks.

One of the major barriers to information sharing is the perception of liability. In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture. But for organizations that don’t share, half pointed to "potential liability" as the principal reason for holding back. 

To get beyond these obstacles, two things must be in place: trust between organizations and a process to receive and implement threat intelligence information quickly.

Trust but Verify
Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information.

Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII.

Here are a few tips for developing trusted relationships:

  • Start with folks you know in your industry. Ask them their thoughts about threat sharing.
  • Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to that vertical that have established protocols and procedures best suited for an industry’s needs.
  • Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.
  • Meet people in person. Trust is a slow process and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.
  • As Ronald Reagan famously said, "Trust, but verify." Sharing and receiving critical security information requires constant monitoring. Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship.

Rapid Processing
A common critique of many information-sharing services is that they are slow and unreliable. For sharing to work, organizations need to be able to receive, process, and implement threat intelligence information quickly. They also need to ensure that any threat intelligence they share is immediately useful. 

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path. 

Actionable information is the best way to move from being reactive to proactive. It allows organizations to move from simply stopping attacks to actually catching cybercriminals. Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it.

While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating, and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly, or share timely and actionable information. Ideally, the consumption, processing, and correlation of threat intelligence is automated.

Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members. Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on.

Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, characteristics of network design should be considered that will securely facilitate the receiving and sharing of threat intelligence. Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming, hand-correlating intelligence, and distributing updated policies. 

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.