Augmenting Your Threat Intelligence Program With Threat Intelligence Sharing

Posted: 8th November 2017

Collecting raw data on cybersecurity threats does not constitute threat intelligence. By the same token, analyzed data only qualifies as meaningful threat intelligence if the results are directly attributable to business goals.

True threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information. When analyzing the data, it’s important to always keep quantifiable business objectives in mind and how those objectives are impacted by the intelligence.

Producing intelligence “just in case” you need it is a waste of valuable resources. It may also cause you to react to false positives or legitimate threats that do not really pose a significant risk.

The 2 Types of Threat Intelligence

Threat intelligence falls into two categories that are heavily interdependent on each other:

  1. Operational intelligence is produced by computers and includes data identification, collection, enrichment, and analysis.
  2. Strategic intelligence is produced by humans and focuses on identifying and analyzing threats to an organization’s core assets — including employees, customers, infrastructure, applications, and vendors.

Both types of intelligence traditionally rely heavily on skilled and experienced analysts to develop and maintain. It’s also important that security analysts develop external relationships and proprietary information sources so they can identify trends, as well as educate employees and customers. Analysts should also study attacker tactics, techniques, and procedures, and then ultimately make the defensive architecture recommendations that are necessary to combat the identified threats.

Evolution of Threat Intelligence Sharing

In addition to developing a solid internal threat intelligence program, another key to successfully defending digital assets is threat intelligence sharing. This concept has evolved in recent years in direct response to cybercriminals doing the same thing from the other end of the attack perspective. Hackers have become very effective in sharing their secrets, which is why sophisticated attacks can go undetected for months — even years.

By sharing information, the cybercriminal community has become extremely well-organized, providing valuable tips and tricks to each other. Through various online communities, they love to brag about their exploits and eagerly share their experiences as well as the attack tools and methods that work particularly well.

Hence the recent rise of threat intelligence sharing to help protect organizations on the receiving end of those attacks. Internal information security teams, along with security vendors, consultants, and researchers are now providing information to each other, and those who are breached share their experiences with security experts. And, in turn, the security vendors are building more effective defense, detection, and incident response solutions.

A Community With a Wealth of Intelligence Information

As collaboration technologies and platforms continue to mature, the threat intelligence sharing community is looking for standard ways to operate in a more efficient manner. Organizations that participate can now leverage many services, associations, standards, and frameworks to learn how to best protect their digital assets. A good place to start is the threat intelligence feeds of the security vendors who provide the solutions your business is currently using.

Another good resource to turn to is the Cyber Threat Intelligence Integration Center (CTIIC), a U.S. government entity. The organization provides information on foreign cyber threats to U.S. national interests by integrating information from the defense, intelligence, and law-enforcement communities. CTIIC also facilitates information sharing and analysis of cyber threats by publishing intelligence alerts that place cyber threats in context and provide assessments of an adversary’s capabilities and motivations.

Also consider IT industry-specific information sharing and analysis, such as IT-ISAC — ​the Information Technology-Information Sharing and Analysis Center. The organization provides security information that impacts the IT sector and features a forum that includes experts from the world’s leading IT companies to help businesses minimize threats, manage risk, and respond to cyber incidents.

Your organization can also turn to a wide variety of standards and frameworks to help guide your IT security strategy. Given the number of available resources, check with your colleagues, your security partner, or a threat intelligence expert to determine which ones might be best for your organization:

  • Open Indicators of Compromise (OpenIOC) framework
  • Vocabulary for Event Recording and Incident Sharing (VERIS)
  • Cyber Observable eXpression (CybOX)
  • Incident Object Description and Exchange Format (IODEF)
  • Trusted Automated eXchange of Indicator Information (TAXII)
  • Structured Threat Information Expression (STIX)
  • Traffic Light Protocol (TLP)
  • Open Threat Exchange (OTX)
  • Collective Intelligence Framework (CIF)

While all of these standards and frameworks provide helpful guidance in devising a threat protection strategy and implementing security technologies, one in particular that has worked well for many is STIX. STIX is a set of XML schemas that comprise a language for describing cyber threat information in a standardized manner. Regardless of the standard(s) utilized, it is paramount that the threat intelligence information be available in a format that allows it to be both machine readable and human digestible; ultimately, this information will be used to make a decision, and the decision makers need to be able to make sense of it.

This is important because cyber threat sharing currently occurs manually between trusted parties. By using a standardized way of describing the data, automated threat sharing becomes possible. STIX can be used to characterize indicators, tactics, techniques, indicators, exploit targets, and other aspects of a cyber threat.

You Can’t Do It Alone, But There Is Help!

Threat intelligence sharing is all about realizing you can’t protect your digital assets all on your own. Today’s cybercriminals are simply too sophisticated. They share information readily and quickly evolve their techniques. The IT defense technologies that work today will likely not work tomorrow.

But by working closely with your security vendors and your colleagues at other companies — as well as the many organizations in the threat intelligence sharing community — you can check to ensure you’re doing everything you can to identify risk and block the pending attacks. That makes it much more likely that you will keep your IT network running so your end users — employees, partners, and customers — can continue to access the data and the applications they need to get their jobs done.

A threat intelligence provider can help make this information easier to find and analyze, as well as add vital context to internal security data. Read our white paper, “Best Practices for Applying Threat Intelligence,” for more information.