How CTIX Overcomes the Barriers of Intel Sharing?

The modern global economies are increasingly reliant on a digital and connected infrastructure to provide essential services including telecom, transportation, finance, healthcare, and energy. The increased digital perimeter for connectivity inevitably raises the security risks from cyber threats on these key services. Since these services form the bedrock for enabling further development, a large cyber attack on it can have cascading effects for the entire national and global economy.

In order to maximize the impact of their attacks and achieve their malicious goals, cybercriminals share information on attack vectors and exploits within their groups. On the other hand, there is a lack of information sharing and collaboration among the defenders who often operate in silos. Keeping this scenario in mind, experts from across various fields have called for the promotion of information sharing initiatives that can enable organizations to share Intelligence on various cyber threats such as malware, vulnerabilities, threats, and attacks. Information sharing, in this context, means the exchange of network and security-related information ranging from risks, indicators of compromise, vulnerabilities, to threat actors. The sharing of such information can not only help mitigate threats but also enable organizations to adopt a proactive approach to security.

The ideal arrangement for information sharing must involve stakeholders from both the public and private sector. And within the private sector, each organization must create its community for information sharing to create an enhanced security perimeter with organizations with which it works closely such as peers, subsidiaries, partners, affiliates, and third-party vendors, among others. However, several challenges lie in the way for organizations hoping to implement such a framework. Let us look at how some of these key challenges that can be overcome with the help of a next-generation threat Intelligence exchange platform like Cyware Threat Intelligence eXchange (CTIX).

Below are some of the challenges in sharing threat information that can vary from technical difficulties to people issues that plague the traditional platforms and sharing communities.

Inaccurate, inadequate or noisy information can often mislead the decision makers in allocating resources in the right places. It is necessary for security teams to act on the basis of relevant and credible information rather than losing time to false alarms from voluminous but irrelevant information. With an assortment of information in front of them, security teams often find it challenging to focus on the most relevant information at hand.

CTIX is an all-source Threat Intel platform that enables Intel ingestion from various internal and external sources and performs the contextualization of threat information based on the unique threat environment of the organization. On top of that, it performs automated Intel enrichment, correlation, and analysis, thereby tackling analyst fatigue from repetitive tasks. It enables prioritization of threats using its advanced Rule Engine and customized confidence scores for indicators. It also allows for direct automated dissemination of Intel for sharing with others in the network and taking actions in internal security tools.

Additionally, the Indicator Deprecation feature of CTIX helps reduce the burden on analysts by automating the graduated deprecation of irrelevant and inactive indicators. Furthermore, CTIX provides the gold standard in threat information sharing by leveraging the latest Threat Intel storage and exchange technologies such as STIX 2.0 and TAXII. In this way, CTIX not only enables the exchange of high-quality threat information in real-time but also helps analysts filter out the noise and focus on the relevant threats.

Information sharing communities or platforms can also fail in achieving their objectives if they are not structured and managed in an appropriate way. A poorly designed platform can exacerbate some of the human-to-human issues such as lack of a common vision, misaligned incentives, inefficient communication, lack of collaboration, lack of diversity among participants, lack of trust within and across groups, and improper administration due to vaguely defined roles.

A platform that is geared towards security professionals while also involving other decision makers in the effort of information sharing can help tackle such issues. Not only does CTIX provide security analysts with a rich feature set to effectively communicate and collaborate on Threat Intel, but it also enables organizations to have fine-grained control over their Threat Intel operations by allowing them to build their own Trusted Sharing Network.

One of the major constraints for private organizations in sharing security information is the risk of reputational damage and the possibility of leaking commercially sensitive information. This often prevents organizations from disclosing an attack or a vulnerability with sufficient transparency that can help prevent and mitigate any further occurrences of the same threats.

While sharing Threat Intel in CTIX, analysts can choose to share information anonymously to avoid exposing their identity. In this way, organizations can avoid reputational harm by anonymously sharing information within their network.

CTIX puts control in the hands of organizations by allowing them to build their own information sharing network using its Hub and Spoke Model. This means that organizations can maintain control while also establishing trusted information sharing channels with their subsidiaries, peers, regulatory bodies, sectoral information sharing communities, or any other stakeholder.

One of the issues with information sharing communities can be the size of the group which affects the behavior of the participants. The larger the group, the harder it becomes for all participants to find common ground. However, there is also no clarity on what an ideal group size might be. Another concern for organizations is regarding which kind of participants they share the platform with. This concern is especially valid in cases of communities that are structured as large monolithic groups. Such large groups can create conflicts of interest and conflicts in administration as well.

On the other hand, CTIX clients retain control over who they want to share information with and which network they want to join. In fact, they can form their own Hub and Spoke model-based information sharing network with various kinds of stakeholders. The beauty of Hub and Spoke model of CTIX is that it allows for “information sharing networks within networks” or what we call as “nested Hub and Spoke sharing networks” allowing organizations to form their own closed Intel sharing community while also receiving Intel from other bodies such as ISACs, CERTs, Threat Intel Providers, and more.

In any information sharing platform, it is vital to incentivize the participants to regularly share information and to maintain the quality and quality of information shared between participants.

As discussed earlier, with CTIX, clients can avoid the risk of reputational harm and freely share information without exposing their identity. At the same time, the quality and quantity of information on the platform can also be controlled through filtering mechanisms and custom Rules to take actions based on relevant information. Moreover, participants can add to the quality of information through the enrichment of threat data using internal telemetry.

With increasing cyber risks faced by both the public and private sector, it is evident that a single organization cannot effectively defend against all cyber threats without access to high-quality threat information. CTIX not only provides access to Threat Intel from various sources, but provides tools to analyze, share, and collaborate on the Threat Intel. However, private sector organizations may often be hesitant in sharing information with rival organizations due to a fear of losing a competitive edge. CTIX ensures that such factors do not prevent any client from sharing information by giving them an ability to anonymously disseminate threat information and collaborating on it to improve security postures of all participants.

Though there is an emphasis on information sharing in security policies of many organizations, there is a need to bridge the gap between security teams and the senior management in everyday operations. This disconnect arises due to the absence of features designed for governance and collaboration, thereby granting limited insights to employees in other roles.

CTIX ensures maximum visibility into Threat Intel operations for employees in various roles by providing a Multi-level Intel View. It allows the creation of specialized Intelligence views for different roles such as Analysts, SOC/IR Teams, Steering Committees, and the CISO. CTIX also provides a Centralized Threat Dashboard for viewing customized confidence scores, factor-based prioritization of cyber threats, and detailed statistical metrics. CTIX acts as a facilitator for convergence of “line of thought” between senior management and security teams, thereby promoting coordination and enabling the delivery of a coordinated response.

Apart from the issues mentioned above, various industry experts have also highlighted other technical obstacles for organizations willing to adopt and join information sharing platforms as listed below.

Changes in workflow - Often times, organizations need to make sweeping changes in their workflow to accommodate information sharing activities in their operations. Also, many organizations depend on manual processes for the collection and sharing of information. This creates extra friction in information sharing. On the other hand, CTIX smoothens the process of information sharing through automated Intel ingestion from internal tools or external sources, policy-based automation to filter out irrelevant information, and automated dissemination of Intel to internal or external entities. Moreover, CTIX speeds up the threat triage workflow with its Advanced Rule Engine to automate repetitive tasks to allow analysts to prioritize more relevant tasks and to automate actions in internal tools based on the Intel received.

Technology constraints - Another barrier in adopting certain threat Intelligence sharing platforms is the lack of support or compatibility with the existing software or hardware infrastructure used by the organization. With CTIX, organizations can ingest threat information from multiple internal tools in a variety of structured or unstructured data formats including MISP, STIX 1.0, STIX 2.0, MAEC, Cybox, and email. Additionally, CTIX supports sharing of threat indicators in STIX 1.1 or STIX 2.0 formats as well.

Threat correlation - It's not just enough to gather information from various sources. Security analysts also need to find the correlation between threat indicators to identify threat actors and attack campaigns. The raw information collected from internal security tools or external sources needs to be converted into actionable Intelligence through relevancy determination by considering various parameters relevant to the organization’s threat environment. CTIX allows analysts to do this by automatically identifying duplicate indicators, assigning a confidence score to indicators, geo-tagging Intel from various sources, and mapping threat indicators using MITRE’s ATT&CK Navigator to identify trends and perform TTP correlation. Thus, CTIX helps analysts connect the dots to identify the threats having the highest impact and move from Information sharing to Intel sharing.