View More guides on Cyber Fusion
Information Sharing in Cyber Fusion
- Cyber Fusion
- Cyber Threat Intelligence
Posted on: April 06, 2021
If one organization detects a threat, another can learn from it and prevent it from entering its network. However, this is only possible with information sharing. Cybersecurity experts are making continuous efforts to defend against agile and persistent cyber adversaries who find new attack vectors and vulnerabilities every day. In such conditions, a reactive approach to deal with threats is not sufficient, information sharing is needed. For effective incident detection and response, improved and proactive information sharing is essential, which can be carried out in a cyber fusion-based environment.
What is Information Sharing?
Information sharing in cybersecurity refers to the exchange of threat information among different organizations. In order to smoothen their information sharing processes, organizations are building virtual cyber fusion centers (vCFCs) that leverage end-to-end, bidirectional threat intelligence platforms (TIP) for automated sharing of strategic and technical threat information. In a virtual cyber fusion center (vCFC), sharing allows security teams to communicate, receive, and access threat information in real-time, which enhances their ability to understand and respond to cyber threats. Essentially, information is nothing but analyzed and enriched threat intelligence, derived from the resources and knowledge of many organizations and technologies. Sharing makes the information accessible and operational, boosting every participating organization’s knowledge pertaining to adversaries, assets, tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and much more. It raises awareness about lurking cyber threats as they happen, and also helps in reducing response time to incidents and implementing security measures.
Cyber fusion strengthens information sharing, providing exposure to resources and additional insights that add value to security operations. The idea behind threat intelligence sharing is to gain contextual awareness of threats and toughen security readiness against cyberattacks, enabling organizations to understand attack patterns and define necessary defense mechanisms. By fostering collaboration between security teams from different organizations, cyber fusion empowers them to derive and employ intelligence on a greater level to address all kinds of threats. This builds collective defense, allowing security teams to come together and mitigate cyberattacks more effectively.
An end-to-end, bidirectional sharing TIP, which is one of the core components of virtual cyber fusion centers (vCFCs) allows organizations to both share and receive threat intelligence with/from information sharing communities such as Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), commercial feed providers, National CERTs, peer collaborators such as vendors, clients, and others. More organizations are now engaging in real-time bidirectional threat intelligence sharing with their industry peers, vendors, clients, and sharing communities.
The Role of Threat Intelligence Platform (TIP) in Information Sharing
By using an advanced TIP, security teams can ingest strategic and technical threat information from all kinds of human and machine-readable sources. The advanced enrichment capabilities of a TIP allow security teams to enrich and contextualize threat data from several trusted sources to perform correlation, analysis, deduplication, and indicator deprecation in real-time. Such platforms also leverage advanced frameworks like MITRE’s ATT&CK to correlate information on threat actors’ TTPs, identify trends across the cyber kill chain, and map attacker footprints based on historical or contemporary incidents and threat data. Moreover, the cyber fusion features allow threat data sharing to other security tools for real-time actioning.
A cyber fusion-based TIP can ingest tactical and technical intelligence from several external sources such as threat intel providers, peer organizations, ISACs, regulatory bodies, the dark web, and more. It automatically converts, organizes, and store threat data from multiple formats such as STIX, JSON, XML, MAEC, Cybox, and others. Nowadays, advanced TIPs also support algorithms boosting the confidence of IOCs through scoring and utilizing the validated intelligence to perform actions such as automated dissemination to preventive and response technologies. Because of such unique features of a TIP, organizations are realizing its need and therefore embracing it.
Standardization Before Sharing
Organizations must define what they want to share. Describing the content, topic fields, and aspects they want to share when the incident takes place can lead to challenges, therefore threat information needs to be standardized. In order to make intelligence valuable, every organization needs to understand what they are receiving and be able to use it to gain a better understanding of the threats and make informed decisions. This requires the intelligence to be standardized, converting it into the shared language and format for ease of use. An advanced TIP supports sharing standards such as Structured Threat Information Expression (STIX), Trusted Automated eXchange of Indication Information (TAXII), and Cyber Observable Expression (CybOX). These are open community-driven efforts and a set of free specifications that represent threat information in a standardized format for threat intel sharing.
A state-of-the-art TIP leverages STIX/TAXII server-based feeds to collect threat data, automate real-time information sharing and intelligence submission with different industries, government bodies, and other organizations. This makes threat intelligence sharing more automatable, flexible, extensible, and easily readable. By leveraging these standards in a cyber fusion-based environment, organizations collect and share threat intelligence feeds in a structured format, reducing the manual effort required for the normalization, enrichment, correlation, and analysis of threats. Standardization of threat intelligence sharing allows organizations to exchange and deliver crucial threat warnings and incident-related information in real-time. It also enables organizations to automate and orchestrate threat intelligence workflows effectively. Furthermore, if a large number of organizations start ingesting and sharing threat intelligence in standard formats such as STIX, it would also increase the overall threat intel participation rate and eventually help in creating large threat data repositories that could be used for advanced processes such as confidence scoring.
Threat Intelligence Platforms (TIPs) for Information Sharing Communities (ISACs/ISAOs)
With the rising use and importance of threat intelligence, information sharing among organizations has become paramount. Industry-centric sharing initiatives, such as ISAOs and ISACs, have led to a significant increase in threat intelligence sharing. Moreover, government-led initiatives such as the Cyber Information Sharing and Collaboration Program (CISCP) and the Cybersecurity Information Sharing Partnership (CiSP) are promoting threat intel sharing collaborations between governments and private institutions.
The modern-day cybersecurity landscape has transformed the way organizations are responding to threats. Many organizations are now becoming a part of information-sharing communities such as ISACs and ISAOs to get involved in bi-directional threat intelligence sharing in real-time.
Outdated threat information sharing solutions prove inept when it comes to gaining insights into the attacks faced by member organizations of these sharing communities. More and more ISACs and ISAOs are now leveraging advanced TIPs to overcome the threats targeting their industries by sharing appropriate and actionable threat intelligence in real-time with their member organizations. A TIP leverages avant-garde capabilities that facilitate real-time alerting and automated threat intelligence sharing to deliver advanced information sharing. It helps ISACs and ISAOs to reduce the time taken to ingest, enrich, and disseminate threat intel while also boosting member collaboration.
Changes in any kind of intelligence-related information can easily be communicated with the help of threat intelligence sharing. This allows member organizations to pass information more quickly, make informed decisions, and deliver better insights to their stakeholders and consumers. By sharing threat intelligence, member organizations gain access to knowledge and information beyond their network and deploy tools and leverage it for a higher level of visibility and awareness.
Threat intelligence sharing helps organizations detect threats in real-time and protect their users from malicious encounters. Further, sharing threat intel within an industry significantly minimizes the risk of cyberattacks by providing an organization with increased awareness and predictive knowledge of impending attacks. Threat intelligence sharing gives early warnings, which enable security teams to use the right tools and save time in looking for the root causes of attacks. The costs involved in responding to an attack can be huge, so by minimizing risks security teams can reduce the potential expenditures.
The Bottom Line
Today, every industry is looking forward to embracing robust tools, technologies, and processes as part of its cybersecurity roadmap. Information sharing has become a crucial aspect of driving cybersecurity initiatives. By leveraging the cyber fusion capabilities of a TIP, customers can share threat data freely and take relevant actions.