The Role of Threat Intelligence Sharing in Collective Defense
Threat intelligence • Jun 11, 2020
We use cookies to improve your experience. Do you accept?
Threat intelligence • Jun 11, 2020
492 BC - The Battle of Marathon was to begin. After 9 days of waiting for the other side to attack, the Athenians directly charged the Persians in a Phalanx formation. It should be noted that the Persian army was far greater in number and strength, and yet it was defeated by the Athenian force. Before going into war, the Athenians analyzed their adversary’s capabilities, techniques, and tools. Due to the significantly lower number of forces as compared to the Persians, they called for the collective deployment of forces from the Spartans. They followed the Phalanx formation - where the “ warriors were formed collectively; neighbor beside neighbor, friend by friend to stimulate unity and dependability and capitalize on camaraderie.”
The Battle of Marathon is one of the earliest examples of collective defense and an example for organizations to emulate when fighting against cyber threats.
Collective defense can be defined as a collaborative strategy that requires organizations, both internally and externally, to work together across industries to defend against targeted cyber threats. It is an old concept but has been time and again resurrected in military strategies to join the allied forces against common enemies at multiple battlefronts. The collective defense strategy is increasingly gaining widespread adoption in cybersecurity because of its congeniality with the geopolitical dynamics of nation-state actors and multiple attack vectors that require organizations to collaborate through intelligence sharing.
Threat intelligence sharing enables organizations to join forces by virtue of sharing intelligence on malicious entities, such as malware, threat actors, threat indicators, and tactics, techniques, and procedures (TTPs). With external threat intelligence, organizations are capable of looking at the broader picture. They gain quick access to information they, otherwise, would not have. When automated, the sharing framework eliminates the need for human intervention for 99% of the cases and speeds up the intelligence analysis, correlation, and enrichment processes, thereby, allowing organizations to collaborate at machine speed. Using advanced algorithms such as automated confidence scoring, threat intelligence can be leveraged by organizations to collectively validate threats and derive actionable intelligence for threat prioritization and triaging. However, threat validation achieved through confidence scoring only gets better when more organizations come together to share threat intelligence. As the intel sharing participation rate increases, the percentage of false-positives reduces because more organizations can certify whether the entity observed is displaying malicious behavior or not. With proper threat intelligence sharing frameworks such as those involving a Hub and Spoke model, where organizations can bi-directionally share intelligence with each other, the collective defense security strategy can be amicably implemented to proactively warn against and fight malicious actors.
Threat intelligence sharing also helps organizations to gain real-time situational awareness of threats lurking in their vicinity - an important value-oriented goal of collective defense. Threat intelligence platforms with next-generation capabilities allow organizations to ingest internal intelligence collected from on-premise and cloud-deployed and derive insights into how one might get compromised through advanced enrichment and correlation with the externally ingested intelligence. The actionable intelligence that is derived can be automatically fed back into the deployed tools to proactively block malicious entities. The observations made from the analyzed threat data can also be used to create early-warning human-readable alerts and shared with security teams and employees to proactively warn them against threats such as spearphishing attacks. Threat intelligence sharing between organizations is also critical to building a knowledge repository that can be leveraged to connect the dots between disparate threat elements and campaigns to assist SOCs and security teams to detect and respond to attacks faster.
The nature of globally wired networks makes a collective approach to cybersecurity inevitable. The sharing of intelligence among organizations saves time, reduces duplicate efforts, and permits an organization’s identification of threats to become another’s prevention. In this era, where the security threat landscape is taking an aggressive and dangerous shape, collective defense through threat intelligence sharing is the way to better security. The quote by Carl Jung summarizes the essence of threat intelligence sharing and the need for collective defense:
“Wholeness is not achieved by cutting off a portion of one’s being, but by integration of the contraries.”
Click here to read more on Collective Defense.