October is the month where most of us are excited to plan our fun Halloween celebrations. However, we also celebrate it as Cybersecurity Awareness Month, which gives us a great opportunity to talk about the spooky things in cyberspace and how organizations can avoid being tricked by disguised cyber miscreants. In this blog, we talk about how organizations gain many advantages from sharing threat intelligence with each other to create a more secure cyberspace.
The growing risks of cyber threats are more evident than ever in today’s hyper-connected world. Cybercriminals continuously find new vulnerabilities and develop more targeted attack methods, and cybersecurity professionals face a massive challenge in keeping up with their evolving capabilities.
The year 2021 recorded the most zero-day exploits ever observed, and such attacks often prove disastrous because no patch or mitigation is yet available. Ransomware took the spotlight this year, with attacks surging 64% year-on-year between August 2020 and July 2021. Meanwhile, the average cost of a data breach reached a record high of about $4.24 million during the COVID-19 pandemic. These trends paint a concerning picture of the cybersecurity landscape, with organizations of all sizes and from all industry sectors facing greater risks to their data security, technology infrastructure, and brand reputation.
Addressing the cyber scourge
To keep the growing risks posed by cyber threats in check, security teams increasingly rely on threat intelligence to analyze and defend against specific adversary behavior. Cyber threat intelligence is derived from analyzing threat indicators and the attack patterns of cybercriminals, and it gives an organization an informed view of its threat environment. Its importance for security operations cannot be overstated: it drives a substantial part of organizations’ security roadmaps, allowing them to keep pace with a rapidly changing threat landscape and protect their data, assets, and operations appropriately.
Significance of threat intel sharing
When organizations proactively share threat information with other private or public stakeholders, the broader ecosystem can take measures to stop similar threats before they spread. Sharing strengthens everyone’s security posture and helps standardize response and mitigation for known threats. Threat intel sharing thus enables a collective defense among organizations that face similar risks, and it helps focus scarce security operations resources on the most critical threats.

Threat intelligence is not just about monitoring how threats evolve but also about building strategies that help an industry get ahead of them. Sharing lets organizations evaluate how well their existing teams, processes, and technologies hold up against the threats their peers are actually seeing, and improves their readiness for what comes next. Information sharing communities in the operational technology and professional services sectors that deployed advanced intel sharing capabilities have reported year-on-year gains of up to 300%.

A bidirectional sharing network also allows machine-to-machine exchange of threat observables, removing the manual handling that slows sharing and introduces transcription errors. Automation does not remove false positives, however: shared observables still need validation, confidence scoring, and checks against local allowlists before they drive blocking decisions. Collective defense becomes a reality when organizations can communicate and collaborate through large-scale threat intel sharing while gaining relevant and actionable insights.
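As an added example (not code from the original post), here is how a receiving organization might triage machine-shared observables before any of them reach a blocklist: duplicates from several partners are merged, confidence is corroborated across sources, and local policy keeps internal ranges and known-good domains from ever being auto-blocked. The feed, the partner names, the allowlist and the thresholds are all constructed for illustration, and the noisy-OR corroboration rule is one simple choice, not something the post prescribes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample feed (not real intelligence). Each record is one observable as a
# sharing partner might push it, with that partner's confidence on a 0-100 scale.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 90, "source": "partner-a"},
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 70, "source": "partner-b"},
    {"type": "ipv4", "value": "10.0.0.5", "confidence": 95, "source": "partner-a"},
    {"type": "domain", "value": "Update.Example.com", "confidence": 85, "source": "partner-c"},
    {"type": "domain", "value": "login-verify.example.net", "confidence": 40, "source": "partner-c"},
    {"type": "sha256", "value": "a" * 64, "confidence": 60, "source": "partner-b"},
]

# Hypothetical local policy: assets and ranges that must never be auto-blocked,
# and the confidence bands that decide what happens to an observable.
ALLOWLIST_DOMAINS = {"update.example.com"}
ALLOWLIST_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
BLOCK_THRESHOLD = 80    # corroborated confidence needed to push to blocking controls
REVIEW_THRESHOLD = 50   # below this the observable is dropped; in between, an analyst reviews it


@dataclass
class Decision:
    observable: str
    otype: str
    confidence: int
    sources: list = field(default_factory=list)
    action: str = "drop"   # one of: block, review, drop, allowlisted


def is_allowlisted(otype: str, value: str) -> bool:
    """True if local policy forbids acting on this observable automatically."""
    if otype == "domain":
        return value in ALLOWLIST_DOMAINS
    if otype == "ipv4":
        try:
            addr = ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in ALLOWLIST_NETWORKS)
    return False


def combine_confidence(confidences: list) -> int:
    """Noisy-OR combination of independent sources: P(bad) = 1 - prod(1 - c_i)."""
    miss = 1.0
    for c in confidences:
        miss *= 1.0 - c / 100.0
    return round(100.0 * (1.0 - miss))


def triage(feed: list) -> list:
    """Deduplicate a shared feed, corroborate across sources, then apply local policy."""
    merged = {}
    for rec in feed:
        key = (rec["type"], rec["value"].lower())   # normalize so case variants merge
        entry = merged.setdefault(key, {"confidences": [], "sources": []})
        if rec["source"] in entry["sources"]:
            continue   # the same partner re-sending an observable is not corroboration
        entry["sources"].append(rec["source"])
        entry["confidences"].append(rec["confidence"])

    decisions = []
    for (otype, value), entry in merged.items():
        confidence = combine_confidence(entry["confidences"])
        if is_allowlisted(otype, value):
            action = "allowlisted"      # policy wins even over high confidence
        elif confidence >= BLOCK_THRESHOLD:
            action = "block"
        elif confidence >= REVIEW_THRESHOLD:
            action = "review"
        else:
            action = "drop"
        decisions.append(Decision(value, otype, confidence, entry["sources"], action))
    return decisions


if __name__ == "__main__":
    for d in triage(SAMPLE_FEED):
        print(f"{d.action:<11} {d.otype:<7} {d.observable:<30} conf={d.confidence:<3} via {','.join(d.sources)}")
```

In the constructed feed the IP reported by two partners is corroborated to a combined confidence of 97 and blocked, the RFC 1918 address and the allowlisted update domain are held back regardless of confidence, the low-confidence phishing domain is dropped, and the single-source hash lands in the review queue. The thresholds and allowlists are what stop a shared feed from turning a partner's mistake into your outage.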
Stakeholders in threat intel sharing
Personnel in key security and decision-making roles within an organization gain numerous benefits from threat intelligence sharing. Below are examples of the benefits for stakeholders in different roles.
- Security Analysts: Optimize prevention and detection capabilities and strengthen defenses for a variety of emerging threats using timely intelligence.
- Incident Response Teams: Accelerate incident investigations and mitigation based on the adversary behavior learned through tactical threat intelligence.
- SOC Managers: Prioritize incident handling based on the risk and impact to the organization revealed through strategic threat intelligence.
- Intel Analysts: Uncover and track potential threat actors and campaigns targeting the organization.
- Senior Executives: Understand the risks the organization faces and what the options are to address their impact through strategic threat intelligence.
Outside the boundaries of an organization, there are further stakeholders who can benefit from and play an active role in threat intelligence operations. These include:
- Customers/Clients: A key objective of security operations is to protect an organization’s customers or clients from the adverse impact of any security incident. Threat intel sharing enables organizations to communicate security risks and mitigations effectively so that customers do not fall prey to related intrusions.
- Vendors: In recent years, several major supply-chain attacks have originated from third parties associated with a large organization. Any vendor or service provider with whom sensitive information is shared for business purposes automatically becomes a stakeholder in the security of the larger organization as well. It is therefore crucial for organizations to proactively address security gaps on their partners’ side through timely threat intel sharing.
- Government Agencies: In the age of rising state-backed cyber operations, governments also have an important role to play in ensuring the security of various industry sectors by sharing timely threat intel to enable collective defense.
- ISAC/ISAOs: The various organizations within an industry share many common threats due to similarities in their technology stack, business processes, the kind of data they possess, or other commonalities. An Information Sharing and Analysis Center/Organization (ISAC/ISAO) is a trusted community to facilitate intel sharing among entities from the public and the private sector to improve an industry’s cybersecurity resilience.
Sharing threat intel with peers
While businesses often see their peers as competitors, in the case of cybersecurity, threat intel sharing brings together a diverse set of industry peers, vendors, national CERTs, government authorities, researchers, and other stakeholders. The rise of information-sharing communities in the form of ISACs/ISAOs across numerous industries points to the growing recognition that organizations must come together to combat the threat of today’s highly organized, resourceful threat actors.
It is not enough for organizations simply to consume threat intelligence from various sources; they must also contribute to the security ecosystem what they learn from their own experience of cyberattacks. Notorious threat groups often specialize their campaigns against specific industry sectors or particular kinds of vulnerable technology infrastructure. Without timely threat intel sharing, the industry is left exposed, as every organization has to fend for itself when responding to threats it shares with its peers.
Maximizing threat intel operations
Within an organization, threat intelligence plays a key role in communicating cyber risk to people in different roles, including SOC teams, security managers, IT teams, and C-level executives. Even more importantly, disseminating threat intel to the right people in the right form enables proactive action that closes gaps in their defenses. The different types of threat intel serve different purposes: strategic intel gives a non-technical audience the trends and risks they need to know; tactical intel uncovers the specific tactics, techniques, and procedures (TTPs) threat actors employ; operational intel covers the details of specific campaigns and their targets; and technical intel provides the indicators, such as hashes, domains, and IP addresses, that detection tooling consumes.
As the adoption of threat intelligence in cybersecurity grows, organizations are moving from a reactive posture to a proactive one in their security operations. Threat intelligence sharing within and across organizations further drives a collective defense against emerging threats, which is the need of the hour.