The cybersecurity industry has talked about threat intelligence sharing for over 20 years. Cybersecurity experts typically argue that companies should share threat intelligence because it’s for the greater good, or because the bad guys do it all the time and the good guys should too or because it’s the “right thing” to do for the country. Those statements are all true. But while threat sharing does occur, at least on an ad hoc, informal and/or temporary basis, a lot of the time what happens is … nothing.
Threat sharing is easy to talk about but hard to do in practice. It is harder to do consistently, every day, at scale. And it is even harder to do in the face of competitive pressures that all cybersecurity companies face. What makes threat sharing so difficult? At least five factors contribute to the problem:
- Technical: data volume, speed and diversity pose challenges for interoperability and consistency
- Economic: it’s hard to measure the return on sharing
- Legal: parameters for acceptable sharing can be unclear
- Cultural: sharing is often perceived as undercutting security companies’ business models
- Conceptual: threat sharing means different things to different people, creating confusion
Over the past twenty years, we have created policies, tools, approaches and structures to overcome most of these barriers:
- Technical: standard formats (STIX, ATT&CK) and analytic tools make sharing manageable
- Economic: case studies, anecdotal reporting and experience show the benefits of sharing
- Legal: US and EU legal frameworks define how acceptable sharing and dedicated sharing organizations operate in almost every industry
- Cultural: business models treat technical data as a foundation rather than the product
- Conceptual: the different types of threat sharing are better defined
However, having the tools to overcome the barriers is not enough. In order for sharing to be worthwhile in the long run, companies need to know that they are better off when they share compared to when they don’t. For cybersecurity companies, “better off” means that sharing creates a competitive edge, rather than blunts it.
In fact, threat sharing hones a company’s competitive edge in at least six ways:
- Obtaining access to needed expertise. Cybersecurity is a multifaceted problem, and security companies need insights across a wide variety of domains. They may need to understand connections between IT and OT systems or the typical business processes within an industry. They may need expertise on an obscure piece of software, or specific legal requirements governing personally identifiable information in a given country. No organization will have all the expertise it needs in-house. Participating in sharing arrangements makes it easier for an organization to tap into broad networks of expertise and thereby improve their ability to meet customer needs.
- Accessing a broader swath of malicious activity. No matter how large its sensor network, no organization sees all malicious activity across the Internet. Since a lot of malicious activity is interconnected, however, analysts need as holistic a view of the malicious activity as possible in order to understand and characterize the threat. The only way to get that picture is by sharing.
- Taking additional actions to increase security. Cybersecurity companies don’t share information for the sake of sharing information. They share it so that defenses are more effective and network defenders can take action to disrupt malicious actors. The more information available, the more actions a company can take and the more effective those actions will be in thwarting the adversary.
- Meeting end-user demands. Many end-user companies now have dozens of appliances in their security stack. They are beginning to demand that cybersecurity companies make their products work together, rather than have the end-user serve as a systems integrator. For vendor products to work well together, vendors need to share threat intelligence behind the scenes. End-users are also becoming aware of the benefits sharing provides; some include sharing requirements in their cybersecurity contracts.
- Generating new connections and ideas. Sharing threat intelligence inevitably produces new insights into existing activity and ideas for new research. Threat sharing also challenges complacency and spurs organizations to continue striving. It makes a company grow and compete harder, because it has more insight into what other companies are doing.
- Preparing for a crisis. A crisis is not the time to exchange business cards, nor is it the time to build trust. Regular contact with the relevant organizations across the industry is required to be ready for a crisis. One of the best ways to have those connections and build that trust is to participate in regular sharing activities. Such sharing enables all the participants to have a better understanding of each other’s capabilities.
These benefits are not theoretical; we’ve seen them in practice within the Cyber Threat Alliance. Within CTA, threat intelligence sharing:
- Enhances security products – All our members report when they receive information that is new to them. CTA has 26 members, many of whom are very large companies with access to vast amounts of data, but they still report that between 5 and 10 percent of the indicators are net new to them. This additional information makes everyone’s security products more effective.
- Reduces the “fog of war” – During the WannaCry outbreak in 2017, confusion initially reigned about the infection vector. In the first few hours, many organizations were scrambling, looking for the email spreading the malware. CTA convened its membership and the members shared what they were seeing. During that conversation, no member identified an email vector. Due to its breadth of coverage, if no CTA member could identify an email vector, the chances of email being the propagation method were almost zero. Thus, our member companies could stop looking for emails and focus on finding the real vector. In a crisis, saving hours of work is valuable.
- Amplifies actions – Cisco Talos decided to brief CTA members about a type of malware called VPN Filter before they announced their findings to the public. By sharing information with CTA before publication, other members were able to prepare detections and protections ahead of time. As a result, when the information did become public, all the CTA members went live with protections simultaneously. This action substantially increased the impact on VPN Filter and likely contributed to the authors abandoning the associated infrastructure.
- Fills in gaps – CTA’s members consistently report when they learn from each other about new threats and additional aspects of existing threats. They can identify connections that they could not before and gain an appreciation for the larger picture. These interactions make the threat researchers and analysts better at their jobs, which in turn improves the company’s products and services.
- Enables working groups – CTA has formed working groups focused on either specific events (elections, Olympics) or threats. By focusing sharing on an event or threat group, we can deepen the threat sharing on those issues. Such focused sharing allows member companies to better understand the threats to an event or to develop a course of action more likely to disrupt the activities of a particular threat actor. Finally, it better prepares CTA members to respond if a crisis occurs around that event or due to that actor.
- Speeds proliferation of defensive measures – Our members shared exploit proofs of concept and signatures with each other. This sharing means that defensive measures against exploitation of vulnerabilities like Bluekeep proliferate much faster than if the companies work independently. While such information can spread through informal networks, by using a more formal channel like CTA, the information spreads further, faster.
Practical lessons from CTA’s sharing experiences
Over the past three years, we have learned a few practical lessons about what makes threat intelligence sharing work.
Something is better than nothing – We often act as though organizations must share everything they know for the sharing to be useful. That assumption is not true. More information is better, but some information is better than no information. Therefore, you can start small and increase sharing over time. Sharing provides benefits even if it is not everything.
Automation is important for technical sharing – Without automation, technical threat intelligence sharing cannot occur effectively. Sharing must occur at machine speed at scale in order for it to provide real utility.
Humans are important too – However, machine speed sharing only gets you so far. We still need humans to interpret and to act upon the data. Trust has to build among the participants. Therefore, it’s important that sharing activities include a human component too.
Business rules matter – Technology is important, but real success comes from structuring the sharing processes in a way that is seen as equitable, meets participants’ business needs and directly enhances their mission.
Sharing requires dedicated resources – Dedicating the resources needed to keep up effective levels of sharing day-in, day-out, on an ongoing basis is challenging for most organizations. However, for intelligence sharing to work over the long term, it requires sustained, persistent engagement.
Applying these lessons at the organization level
If your organization produces, collects or provides threat intelligence:
Determine what you can share and what you could benefit from receiving – No organization will ever share everything it knows, but spending the time up front to understand what you can share will make the sharing process smoother. Having a clear idea of what information you would like to receive also increases the benefits you can derive from sharing.
Join a formal threat sharing organization – As with many processes, no substitute exists for experience when it comes to sharing. The only way to learn how sharing will affect your organization is to try it.
Automate technical intelligence sharing – Since threat sharing is most effective when it includes an automated component, investing in automation will pay significant dividends. Learning the standard data formats, like STIX and MISP, is useful as well.
If your organization primarily consumes threat intelligence:
Ask your vendors how they share threat intelligence across industry – As a network defender, you want to know that you are getting the broadest picture possible and that your vendor is protecting you from as broad a range of threats as possible. One way to ensure that breadth is to ask the vendor to participate in a sharing organization.
Ask your vendors to validate the intelligence they provide – You can also ask your vendors to validate the intelligence they provide with other cybersecurity companies, reducing the rate of false positives and boosting your confidence in the intelligence.
Make threat sharing an evaluation criterion in cybersecurity contracts – As a consumer, you can make threat sharing a factor in picking a vendor. Such a requirement will signal the importance of having a broad, holistic threat intelligence picture and reinforce the demand-pull for threat intelligence sharing.
If your organization shares threat intelligence among members:
Update your business rules to encourage sharing – Within CTA, we require our members to share a certain minimum amount of threat intelligence daily. This rule helps ensure all members perceive the sharing as being equitable. By providing an incentive or requirement to share, organizations can increase the participation rate and create a virtuous circle.
Focus on information types that fit your comparative advantage – Not all sharing organizations need to share technical indicators like malware hashes and domain names among their members. For many organizations, the most important information may be defensive best practices and general threat awareness. Focusing sharing activities on your comparative will improve the return on time and money invested in sharing activities. It also reduces frustration among the intelligence consumers.
Build relationships with other threat sharing organizations across sectors and geographic regions – Just as the Internet operates as a network of networks, our sharing activities should as well. No single organization is going to be connected to every other organization. However, the threat sharing nodes should work together, thereby generating an effect at Internet scale.
If your organization is a national government agency:
Articulate priorities clearly – The private sector will have views on what actors are important versus those that are not. However, only the government can set priorities and persuade others to align with those priorities. The government must play a leadership role.
Focus sharing with the private sector on your comparative advantage – The government’s advantage is typically not in detecting and sharing technical threat indicators. In many cases, private sector companies identify a given indicator as malicious before the government does; even when the private sector lags in identification, the breadth of detection is almost always larger. However, those companies often do not know much about the indicator or its relative importance. Government has a huge advantage in being able to provide context—Why is it important to pay attention to a given indicator? How is it potentially connected to other indicators?
Encourage cross-sector and international sharing – Since cyberthreats do not respect international borders or industry verticals, sharing across these boundaries is very important. Government agencies can play a key role in facilitating and spurring this kind of sharing.
We have talked long enough about threat sharing as an industry. It is time to do it in practice. Getting to the point where almost all cybersecurity companies regularly share threat intelligence will take time, but the industry must evolve in that direction. The result will be not only a much safer ecosystem but more competitive companies as well.