How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
- Cyber Situational Awareness
- Cyber Threat Intelligence
Posted on: July 08, 2022
The fast pace of new technology adoption over the past few years, in part necessitated by the COVID-19 pandemic, has brought with it both operational benefits and security challenges. Organizations that have been quick to adopt new computing and work models have seen significant improvements in efficiency, operational workflows, and team collaboration. However, rapid digital transformation has also introduced unprecedented levels of complexity in IT and created new entry points for attackers. Network perimeters are blurring, data is dispersed across geographies, and the people using that data are increasingly working outside designated office spaces - throwing up new challenges for security teams. While many organizations have switched to new ways of working with relative ease, they continue to struggle with cybersecurity and strengthening security programs to a point where they can successfully predict and handle known and unknown threats.
Cybercriminals and nation-state threat actors have been quick to take advantage of the flux. According to IBM’s 2021 Cost of a Data Breach report, the average cost of a data breach jumped from $3.86 million in 2020 to $4.24 million in 2021. Ransomware frequency and payments have both gone up over the past couple of years. DDoS attacks are becoming bigger than ever before with organizations now routinely reporting attacks in terabytes per second. In addition to attacks on individual organizations, threat actors are also increasingly capable of and willing to disrupt entire countries’ essential services and damage critical infrastructure.
The Need for Security Collaboration
The expansion of digital innovation initiatives has increased cross-sectoral interconnectedness and brought previously disparate systems and networks closer together. Individual entities and organizations can no longer realistically defend themselves against sophisticated attacks without external help and support. Cyber, as security experts like to say, is a team sport. Organizations across sectors can benefit from the shared knowledge, capabilities and experience of the wider community - something that is enabled by real-time threat intelligence sharing and collaboration on multiple levels - between organizations within the same sector, different industry sectors, and industry and government.
Security Collaboration is increasingly being seen as the ideal approach to countering state-sponsored and other well-funded cyber attack campaigns in a hyperconnected digital landscape. By building alliances with other private and public entities facing similar threats, individual organizations can leverage the collective intelligence and expertise of a whole community of defenders instead of struggling alone against advanced threats. Real-time information exchange and collaboration enable organizations that are exposed to common threats to collectively fight organized, well-funded adversaries while protecting their individual operational environments.
The US Department of Homeland Security’s whitepaper on security collaboration, “A Collaborative Perspective from the IT Sector”, emphasizes the need for a shared defense model to tackle adversaries who are often more organized than those within the defender community. Focused specifically on a government-industry partnership to strengthen national security, protect critical infrastructure and increase overall resilience, the DHS paper recognizes the issue of limited resources on both sides and calls for a coordinated and collaborative approach to narrow the security gap.
President Biden’s May 2021 Executive Order - Improving the Nation’s Cybersecurity - talks about why it’s necessary to remove barriers to information sharing between the public and private sectors for accelerating incident deterrence, prevention and response efforts. In order to effectively tackle the increasingly sophisticated threats to critical infrastructure, government agencies must collaborate with contractors and industry experts for seamless threat intelligence sharing and security collaboration.
The Four Levels of Security Collaboration
Organizations can collaborate and form communities and alliances for intel sharing on a number of different levels - (1) separate business units within a larger organization, (2) organizations within an industry sector, (3) different sectors within a geographical region or country, and (4) the public and private sectors.
Large enterprises and their business units and subsidiaries
Large organizations often have multiple business units and subsidiaries that operate independently - either within the same premises or in multiple locations. By sharing threat intelligence and collaborating with one another, all of these independent business units can reduce risk, increase resilience and improve their cyberdefense.
Organizations within the same industry sector (ISACs)
Organizations within the same sector (like Health, Financial Services, Telecommunications, etc.) collaborate and share intelligence via Intelligence Sharing and Analysis Centers (ISACs), Intelligence Sharing and Analysis Organizations (ISAOs), and other similar communities. This is important because threat actors often design attack campaigns to target specific sectors and use common Tactics, Techniques and Procedures (TTPs) to execute these attacks.
Organizations across sectors (ISAC-to-ISAC)
Cross-sectoral intelligence sharing, i.e., organizations from one industry sector sharing threat intel with other sectors (ISAC-to-ISAC intel sharing), has become important due to the increasing interdependence of different business entities operating in a connected digital landscape. For successful defense against advanced attacks, organizations must have access to all the knowledge and expertise necessary to identify and mitigate threats - much of which may not be available within their own organizations or sectors.
Public and private sector organizations
Public-private cooperation and intelligence sharing is essential to protect critical infrastructure and essential services from adversaries. Both government and industry leaders acknowledge the resource, skills, and knowledge gaps on both sides. This can be addressed by real-time intel sharing to give security teams a complete picture of the wider threat landscape which enables them to successfully handle advanced threats and stop state-sponsored attacks.
Benefits of Threat Intelligence Sharing and Security Collaboration
For intelligence sharing to be truly effective, it needs to happen in real time, with intel consumers receiving alerts about critical threats and vulnerabilities as soon as the information becomes available or while an attack is underway. Strategic intelligence and a deep, wide understanding of the threat landscape, which is built up over a relatively longer timeframe, help with planning and strengthening security programs. On the other hand, real-time tactical and technical intel sharing for quick action is critical for defenders and threat responders to predict and stop threats and active attacks before they can disrupt operations. Real-time intelligence sharing, then, gives defenders a distinct advantage over organized, well-funded adversaries.
Staying ahead of fast-moving threats - Organized cyber criminal groups move fast and are known to start exploiting new vulnerabilities within hours of a CVE being made public. To stay ahead of threat actors, security teams need information about emerging threats and critical vulnerabilities in real time so they can act quickly, patch systems and remediate issues at speed, and put mitigations in place to protect their organizations. Intra- and cross-sectoral intel sharing enables organizations to act on critical threats before they become business disruptors.
Access to shared resources and research - Individual organizations not connected to others in the wider community may be expending extra effort reinventing the wheel and building mitigation strategies against threats that have already been seen and dealt with by others. This duplication of effort often comes at the cost of delayed threat detection and response and possibly a successful breach that could have been prevented. Security collaboration and information sharing give member organizations access to not just good intel on relevant threats but also resources and mitigation strategies to defend against these threats. This benefits everyone in the community and makes individual organizations stronger against determined adversaries.
Building situational awareness - Security teams can also leverage real-time threat intel generated by their communities to improve situational awareness and place specific threats, or a set of related indicators, in their larger context. Community-generated real-time intel is usually far more effective at presenting the big picture to member organizations than any amount of intel they would be able to generate individually. When multiple members of a group see similar threats trying to enter their environments, a pattern emerges and each member is warned about imminent danger.
Proactive defense and preventive controls - Perhaps most importantly, threat intelligence can help organizations with proactive defense. With access to real-time intel on new threats, security teams can update blocklists, watch for specific TTPs, and establish appropriate safeguards to prevent emerging threats from entering their environments.
Faster post-compromise detection - Advanced threats sometimes lurk in enterprise environments for months before the threat actor deploys business-disrupting malware, or exfiltrates data. Real-time threat intel can help with setting priorities and building hypotheses for threat hunts, enabling early detection of threats that are already in an organization’s network. This minimizes potential damage and prevents attackers at the post-compromise stage from getting access to protected assets.
Thwarting zero day attacks - Threat actors can cause serious damage to organizations by exploiting zero day vulnerabilities that are not publicly known. With the ability to share intel with trusted peers and connected networks in real time, organizations targeted by zero day attacks can warn others in the community about specific threats to guard against, even before information about a vulnerability is officially published. Organizations within the larger network can then take preventive measures and apply mitigations to protect their systems and data.
Prioritizing threats with high-confidence data - There can be a large number of threats targeting an enterprise network at any given time. By leveraging the risk and confidence scoring features of modern Threat Intelligence Platforms (TIPs), security teams can get relevant, high-confidence data in real time and zero in on threats that present the greatest danger. Automated correlation and analysis of threats separates false positives from relevant intel at machine speed so analysts only have to deal with real threats.
Defending against supply chain attacks - With third-party and vendor ecosystems getting more complex, supply chain attacks are impacting organizations at a scale that hasn’t been seen before. Organizations across sectors often work with similar vendors for specific operational needs, and may be part of the same extended IT supply chain network. With intel shared in real time, many organizations that may potentially have been impacted by a supply chain attack can take proactive measures to protect themselves.
Cybercriminal communities and networks - Threat actors are increasingly seen using secure/encrypted communication channels to collaborate and share information about effective attack tactics to evade detection and maximize impact. If enterprises and government agencies do not do the same, there is no way for them to stay ahead of attackers. Constant, real-time intel sharing combined with 24/7 vigilance can give network defenders the edge they need to stop even the most advanced threats in their tracks.
How Cyware's Threat Sharing Solutions Enable Security Collaboration
Without security collaboration, intelligence sharing, and unified action, defending against well-funded, highly motivated, and often state-sponsored cyber criminal groups will remain difficult and inadequate. Seeing the scale of attacks in recent years, the move from a reactive approach to threat handling and cyber defense to a proactive, intelligence-driven approach is a step in the right direction. Security collaboration across organizations and sectors is the logical next step in further strengthening cyber defense and fighting cybercrime as a wider community grappling with common threats, rather than as individual entities.
Cyware’s threat intelligence exchange and situational awareness platforms enable enterprises, ISACs, and Managed Security Service Providers (MSSPs) to automatically ingest, aggregate, normalize and enrich threat data, and share actionable intel with connected organizations. The solutions enable security collaboration with real-time threat intel sharing at all four levels - large enterprises and their subsidiaries, organizations within the same sector (ISACs), organizations in different sectors (ISAC-to-ISAC sharing), and the public and private sectors.
Cyware Situational Awareness Platform (CSAP) - CSAP is used by ISACs, enterprises, and other threat intel sharing communities (ISAOs) to get the latest threat alerts that are relevant to them, and share strategic threat intelligence and crisis notifications with members in real time. The platform makes it easy for member organizations to collaborate, request and share information and alerts, and allows users to create dedicated groups to address specific needs. It provides a secure environment for members to exchange information and discuss emerging threats and mitigation strategies.
Cyware Threat Intelligence Exchange (CTIX) - CTIX uses a hub-and-spoke model to automatically ingest, normalize, enrich and analyze tactical and technical threat intelligence from a wide range of sources in multiple formats. Relevant intel can be fed into detection and response tools in real time for faster detection, investigation, and response.
For more information, schedule a free demo now.