Cyber Threat Intelligence: why share it across organizations
Cyber Threat Intelligence (CTI) sharing is a fundamental process for strengthening organizations' security. The basic principle is to take what one organization has learned and share it across that organization and its industry, so that everyone who may be affected can improve their defenses. By sharing CTI, security teams can alert each other to new findings about cyber threats, active cybercrime campaigns and indicators of compromise (IOCs) that the community needs to know about immediately. In this way, organizations work together to strengthen each other's defenses against the threats active in cyberspace.
This behaviour creates a herd-like immunity for networks, as defensive capabilities are raised collectively.
A recent survey found that 62% of blue teams (the teams that defend a network) had difficulty stopping red teams (the teams that simulate attackers) during adversary simulation exercises.
In the simulations the survey referred to, each blue team was in charge of defending one network. They had the advantage of knowing that network's ins and outs better than any red team or cybercriminal, so they were well equipped to spot anomalies and IOCs and act fast to mitigate threats. However, blue teams have a big disadvantage: they mostly work in silos, together with members of their own team. They typically don't share threat intelligence with other security teams, vendors, or industry groups, so they see cyber threats from a single point of view. This is where red teams and cybercriminals thrive. The red team always gets to choose the rules of the game (when, where and how the attack is executed), and red teams share their successes and failures with each other to constantly adapt and evolve their tactics. They thrive in a communications-rich environment, sharing frameworks, toolkits, guidelines and exploits, and even offering help to each other.
For blue teams to move from defense to prevention, they need to take the fight to the attacker's front door, and that proactive approach only works with timely, accurate and contextual threat intelligence. It requires a community.
Many organizations are hesitant to join a CTI community. The SANS 2020 Cyber Threat Intelligence Survey shows that more than 40% of respondents both produce and consume intelligence, leaving much room for improvement over the next few years.
One of the biggest challenges to intelligence sharing is that businesses don't understand how sharing some of their network data can actually strengthen their own security over time. Much like in the early days of open-source software, there is a fear that exposing anything makes you inherently more vulnerable. But as open source eventually proved, more people collaborating openly can lead to many positive outcomes, including better security.
Another major challenge is that blue teams don't have the lawless luxury of sharing threat intelligence with reckless abandon: they have legal teams. And legal teams aren't thrilled by the notion of admitting to IOCs on their network. There is also a lot of business-sensitive information that shouldn't be shared, and the legal team is right to protect it. Sharing an IOC (an attacker's address, domain or file hash) does not require sharing which internal hosts were affected or how the network is laid out, so the practical answer is to separate the two before anything leaves the organization.
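A concrete way to reconcile the two positions is to scrub internal identifiers out of an indicator set before it is shared and to label what remains with a TLP marking, so the legal team sees exactly what leaves the building. The Python below is an added example written for this page, not code from OneFirewall Alliance or its World Crime Feeds Agent; the internal domain suffix `.corp.example`, the internal address ranges, the `Indicator` record and the sample indicators are all assumptions constructed for the illustration.

```python
import ipaddress
import json
import re
from dataclasses import dataclass

# Assumptions for this added example: the organisation's internal DNS namespace
# is *.corp.example, and "internal" addresses are RFC 1918 plus loopback and
# link-local. Both must be adjusted to the real environment.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Indicator:
    kind: str     # "ipv4", "domain" or "sha256"
    value: str
    context: str  # analyst note; may mention internal hosts or addresses


def is_internal_ip(value: str) -> bool:
    """True for addresses that identify our own infrastructure, not the attacker's."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_internal_domain(value: str) -> bool:
    return value.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)


def redact_context(text: str) -> str:
    """Scrub internal hostnames and addresses from free text; keep attacker infrastructure."""
    text = IPV4_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group(0)) else m.group(0), text)
    for suffix in INTERNAL_DOMAIN_SUFFIXES:
        text = re.sub(r"\b[\w.-]+" + re.escape(suffix) + r"\b",
                      "[internal-host]", text, flags=re.IGNORECASE)
    return text


def prepare_for_sharing(indicators, tlp="TLP:AMBER"):
    """Split indicators into a shareable set (redacted, TLP-labelled) and a withheld set."""
    shareable, withheld = [], []
    for ind in indicators:
        if (ind.kind == "ipv4" and is_internal_ip(ind.value)) or \
           (ind.kind == "domain" and is_internal_domain(ind.value)):
            withheld.append(ind)          # identifies a victim host, not the adversary
            continue
        shareable.append({
            "type": ind.kind,
            "value": ind.value,
            "context": redact_context(ind.context),
            "tlp": tlp,
        })
    return shareable, withheld


# Constructed sample input (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_INDICATORS = [
    Indicator("ipv4", "203.0.113.45", "C2 beacon from dc01.corp.example to 203.0.113.45 every 60s"),
    Indicator("ipv4", "10.20.30.40", "First host that executed the dropper"),
    Indicator("domain", "update-check.invalid", "Stage-2 download, resolved from 10.20.30.40"),
    Indicator("domain", "fileshare.corp.example", "Internal share abused for lateral movement"),
    Indicator("sha256", "0123456789abcdef" * 4, "Dropper hash (placeholder value)"),
]

if __name__ == "__main__":
    out, kept_back = prepare_for_sharing(SAMPLE_INDICATORS)
    print(json.dumps(out, indent=2))
    print(f"withheld {len(kept_back)} indicator(s) that identify internal assets")
```

Run as a script it prints the three records that may be shared (the C2 address, the stage-2 domain and the hash, with internal host names and addresses replaced by placeholders) and reports that the two indicators naming internal assets were held back. The withheld list is deliberately returned rather than discarded: it is still useful inside the organisation, it just never goes into the feed.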
OneFirewall Alliance can consult and provide the experience needed in this field, with software developed for CTI sharing (we call it World Crime Feeds Agent). Speak to us.