Posted May 23, 2018
Defending your organization from cyber-attacks is a daunting challenge when the economics of cybersecurity favors the attacker. For an organization, success means thwarting each and every attack attempt while the attacker only needs one win. The money and data obtained from a breach is valued at only a fraction of the cost that your organization will bear for managing the damage. Once done with your organization, attackers move on to another, often using the same tactics.
Sharing cyber threat intelligence between organizations alters the economic equation. Organizations can learn from each other and detect new tactics without having to experience them first. Thus, attacker tactics more quickly become ineffective across a wider set of potential targets and the risk of getting caught rises. When shared with authorities, broader visibility of attack patterns can also help in the capture and prosecution of threat actors. Unfortunately, despite the existence of several cyber threat sharing communities, widespread contribution to intelligence sharing has not been as common as many would desire.
This blog addresses two primary reasons for the cyber security industry’s insufficient intelligence sharing and suggests possible solutions.
- Many organizations have not fostered internal cyber threat management processes that can efficiently integrate with intelligence sharing.
- There are several behavioral factors that contribute to organizations’ willingness to share cyber threat intelligence.
Creating Value Inside Your Organization with Cyber Threat Intelligence
Cyber threat intelligence sharing can generate great value for your organization, but only once its internal cyber threat management processes are ready to leverage threat intelligence for automated threat defense at scale. Luckily, properly preparing your organization for intelligence sharing integration creates value in itself.
Your organization’s cyber threat management should allow rapid scaling of automation and promote your team’s continuous learning. The number of cyber threats is growing so rapidly that, without the ability to quickly scale, your organization may become overwhelmed by spikes in the amount of intelligence flowing, whether it is from internal or external sources.
Automation capabilities should be configured to promote effective triage and rapid learning by your cyber threat management team. Regardless of integration into intelligence sharing efforts, these changes will make your organization more secure in the near- and long-term.
A suggested organization cyber threat management process designed for scalability and continuous improvement – as seen in figure 1 – might include:
- Timely threat intelligence: Drives network telemetry correlation, malicious pattern detection, and packet-based signature detection.
- Network activity: Provides intelligence to all of these processes and should also be monitored for anomalies. When possible and appropriate, automation detects, prevents, and responds to attack activity as well as generate new indicators of compromise.
- Cyber threat management team: Reviews all detected threats and investigates prioritized complex and anomalous activity to identify newly emerging threats, determine appropriate reactions, and define indicators for future automated detection and response.
- Network Telemetry Threat Correlation: Identifies your organization’s interactions with known malicious network elements (e.g. communication with a C2 server).
- Pattern Detection: Monitors for known malicious series of activities (e.g. brute force login attempts).
- Signature Detection: Analyzes network packets to identify known malicious executable data (e.g. malware files).
Threat intelligence for each of these known threats may enable automated prevention or even automated creation of new indicators, patterns, or signatures; however, a manual review of prevention, response, and mitigation activities is always encouraged to maintain situational awareness.
You may have noticed I left out Anomaly Detection from the above list. That’s because while each of the above detections search for known threats, Anomaly Detection seeks to identify unknown threats by monitoring for unusual activity. Anomalous results typically require manual review but can be an excellent source for identifying high-value indicators, patterns, and signatures associated with emerging malicious activity.
When your organization is properly configured, each new piece of threat intelligence enhances your automated protection capabilities, allowing your human talent to focus on hunting for harder-to-find threats.
Sharing Value Between Organizations with Cyber Threat Intelligence
A well-defined internal cyber threat management cycle prepares your organization to integrate with others via intelligence sharing. Engaging in cyber threat intelligence sharing communities can make a huge difference in your defense, allowing your organization’s efforts to create value for others and vice versa.
Once an attacker’s methods and resources are identified by one member, their effectiveness is reduced if used elsewhere in that intelligence sharing community. The more each member can scale through automation, the larger a community’s intelligence sharing value can grow.
Fortunately, intelligence sharing for automated threat defense does not require sending your network activity or proprietary knowledge outside of your company. The sharing of threat intelligence that contains indicators, patterns, and signatures is all that is required.
The integration of several organizations’ internal cyber threat management activities benefits both automated detection and manual analysis. An increase in threat intelligence from external sources increases the efficacy of automated threat detection; more indicators, patterns, and signatures allow more automated detection of potential threats.
As a result, there are fewer new threats that require detailed manual detection since other organizations have already identified and shared them.