What is Cyber Threat Intelligence Sharing? And Why Should You Care?


Posted on: October 06, 2022

The cyber threat landscape has reached a point where no individual or organization can defend itself alone. With a sheer number of new threats identified every day, it is only a matter of time before an organization falls victim to a constantly shifting array of attacks unless it has access to timely, high-fidelity threat intelligence. Sharing threat intelligence addresses this gap and enables effective security collaboration between internal security teams and external partners. In an ever-shifting landscape of cyber threats, threat intelligence sharing plays a vital role in the threat intelligence lifecycle and makes a real difference in protecting organizations against attacks and security incidents.

Why Does Threat Intelligence Sharing Matter?

Today, numerous teams within an organization rely on cyber threat intelligence sharing to prioritize and manage enterprise risk. Depending on their operational needs and level of expertise, threat intelligence is relayed to each team to help it discover blind spots and make better security decisions while building a complete understanding of the evolving threat landscape. When the right intelligence is disseminated to the right audience, it boosts overall situational awareness and gives the organization the defensive footing needed to thwart emerging threats. For example, security teams focus on tactical and technical threat intelligence, which provides technical information such as malware findings and high-risk IP addresses, while non-technical audiences such as stakeholders or board members rely on strategic threat intelligence to understand how cyber threats affect business risk, liability, and profit. To ensure that sensitive information reaches only the intended audience, shared intelligence is labeled with the Traffic Light Protocol (TLP), a small set of designations (TLP:RED, TLP:AMBER, TLP:AMBER+STRICT, TLP:GREEN, and TLP:CLEAR in TLP 2.0) that tell the recipient how far the information may be redistributed. TLP is a handling convention that depends on recipients honoring it; it is not an access control mechanism, so it should be enforced by the sharing platform and not merely attached as a label.

Moreover, in today’s digital ecosystem most organizations work with a wide range of business partners, software vendors, and supply chain partners, who may themselves depend on other software vendors for their operations. Given this interdependency, a single cyber incident can ripple beyond one company’s environment to multiple connected organizations, sectors, or nations. Because no organization has all the tools, resources, skills, and knowledge needed for complete visibility into the threat landscape, dealing with advanced or emerging threats that require specialized knowledge is a challenging task. Participation in trusted sharing communities such as Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) compensates for this. Through their ISACs and ISAOs, organizations can also take part in cross-sectoral sharing, where an organization in one sector learns from the threats seen by organizations in other sectors and proactively takes mitigation measures. By exchanging intelligence at a cross-sectoral level, organizations can gauge the possible extent of their exposure if a vulnerability is exploited, better understand sectoral threats targeting critical infrastructure assets, co-develop mitigation strategies, evaluate their investment in cyber controls, and direct security spending to high-priority areas based on observed threat activity.

What Type of Threat Intelligence Should Be Shared?

Threat intelligence delivers the desired security outcomes when it is relayed to the right people at the right time. The shared information mostly falls into two categories:

  • Technical and Tactical Threat Intelligence: Technical details about an adversary’s assets and methods, typically obtained from threat intel feeds, such as the attack vector used, the Command-and-Control (C2) domains employed, and the vulnerabilities exploited. It is not limited to these and also includes:
      • Indicators of Compromise (IOCs): Artifacts or observables that indicate an attack is impending or underway, or that a compromise may already have occurred. They include malicious IP addresses, suspicious domain names, URLs that reference malicious content, file hashes, and the subject line text of a malicious email message. IOCs are cheap for an adversary to change, so they age quickly and should be shared with a validity window and a confidence score.
      • Tactics, Techniques and Procedures (TTPs): Descriptions of the behavior, methods, tools, and strategies threat actors use to plan and execute attacks on business networks. This is higher-level information describing an adversary’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism, or exploit. TTPs are far harder for an adversary to change than IOCs, which is why they are commonly expressed against a shared taxonomy such as MITRE ATT&CK.
      • STIX Domain Objects (SDOs): STIX 2.1 defines 18 higher-level intelligence objects, among them Attack Pattern, Vulnerability, Intrusion Set, Threat Actor, Indicator, and Course of Action, so that shared intelligence keeps pace with a rapidly changing threat landscape. Linking these SDOs through STIX Relationship Objects (SROs) gives security teams a structured, machine-readable graph of the intelligence rather than a flat list of indicators.

  • Strategic Threat Intelligence: This intelligence usually comes in the form of threat advisories, human-readable alerts, bulletins, and vulnerability notes. It includes notifications regarding vulnerabilities, exploits, threat actors, malware, and similar topics, drawn from trusted sources such as the United States Computer Emergency Readiness Team (US-CERT, now part of CISA), Information Sharing and Analysis Centers (ISACs), the National Vulnerability Database (NVD), Product Security Incident Response Teams (PSIRTs), and commercial security service providers. Several large enterprises now create their own advisories from the intelligence they ingest, using strategic advisory sharing tools to keep business units and security teams situationally aware of threats.

Information such as Personally Identifiable Information (PII) and trade secrets, which are often the target of cyberattacks, is not threat intelligence and should not be shared. In practice this means scrubbing raw artifacts before release: a phishing email shared as an IOC should carry the sender domain, the URL, and the attachment hash, not the recipient’s name and address.
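The following is an added example, not code from the original post or from Cyware, that ties the TLP designations described earlier to the STIX Domain Objects listed above. It builds a small STIX 2.1 bundle by hand as plain JSON (no STIX library), marks each object with a TLP marking definition, links the objects with STIX Relationship Objects, and then filters the bundle for an audience cleared only up to a given TLP level. The marking-definition identifiers are the fixed TLP 1.0 identifiers published in the STIX 2.1 specification; TLP 2.0 renames WHITE to CLEAR and adds AMBER+STRICT, which the separate STIX TLP 2.0 extension covers. The indicator, actor name, address, and course of action are constructed for illustration.

```python
import json
import uuid
from datetime import datetime, timezone

# Fixed TLP marking-definition identifiers from the STIX 2.1 specification (TLP 1.0 labels).
TLP_ID = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}   # higher = more restrictive
ID_TO_TLP = {v: k for k, v in TLP_ID.items()}


def stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(stix_type, tlp, **props):
    """Create a STIX 2.1 object with the common properties and one TLP marking."""
    ts = stix_timestamp()
    obj = {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "object_marking_refs": [TLP_ID[tlp]],
    }
    obj.update(props)
    return obj


def relationship(source, rel_type, target, tlp):
    """STIX Relationship Object (SRO) linking two SDOs."""
    return sdo("relationship", tlp, relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """Constructed sample intelligence: one IOC, one TTP, one actor, one course of action."""
    c2 = sdo("indicator", "amber",
             name="C2 server (constructed example)",
             indicator_types=["malicious-activity"],
             pattern_type="stix",
             pattern="[ipv4-addr:value = '203.0.113.45']",
             valid_from=stix_timestamp(),
             confidence=85)
    phishing = sdo("attack-pattern", "green", name="Phishing",
                   external_references=[{"source_name": "mitre-attack",
                                         "external_id": "T1566"}])
    actor = sdo("threat-actor", "red", name="Actor-XYZ (constructed)",
                threat_actor_types=["crime-syndicate"])
    coa = sdo("course-of-action", "green",
              name="Block the C2 address at egress and alert on DNS lookups for it")
    objects = [c2, phishing, actor, coa,
               relationship(c2, "indicates", actor, "red"),
               relationship(actor, "uses", phishing, "red"),
               relationship(coa, "mitigates", phishing, "green")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def tlp_of(obj):
    """Most restrictive TLP marking on an object; unmarked objects fail closed to RED."""
    labels = [ID_TO_TLP[r] for r in obj.get("object_marking_refs", []) if r in ID_TO_TLP]
    return max(labels, key=TLP_RANK.get) if labels else "red"


def share_for(bundle, max_tlp):
    """Objects releasable to an audience cleared up to max_tlp.

    A relationship is released only if both of its endpoints are, so the
    recipient never receives a dangling reference to a withheld object.
    """
    releasable = [o for o in bundle["objects"]
                  if TLP_RANK[tlp_of(o)] <= TLP_RANK[max_tlp]]
    ids = {o["id"] for o in releasable}
    return [o for o in releasable
            if o["type"] != "relationship"
            or (o["source_ref"] in ids and o["target_ref"] in ids)]


if __name__ == "__main__":
    bundle = build_bundle()
    for audience in ("green", "amber", "red"):
        print(audience, [o["type"] for o in share_for(bundle, audience)])
    print(json.dumps(share_for(bundle, "green"), indent=2))
```

The filter illustrates two practitioner habits: unmarked objects are treated as the most restrictive level rather than the least, and relationships are dropped whenever one endpoint is withheld, since a `uses` edge pointing at a redacted threat actor leaks that the actor exists.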

What are the Ways to Share Threat Intelligence?

There are primarily two ways of sharing cyber threat intelligence:
  • Unidirectional sharing: One entity generates and shares the threat intelligence with others, and those consuming it do not contribute in return. Examples include Open-Source Intelligence (OSINT) and publicly available reports covering a recent attack, together with the indicators and methods used.

  • Bidirectional sharing: Threat intelligence flows in both directions between sharing entities, such as industry peers, vendors, clients, and sharing communities like Information Sharing and Analysis Centers (ISACs). This model also unlocks public-private security collaboration by enabling private organizations to work with government entities such as the national CERTs and the Cybersecurity and Infrastructure Security Agency (CISA) to improve their understanding of emerging cyber threats.

How Does a Threat Intelligence Platform Improve Threat Intelligence Sharing?

Developing and sharing threat intelligence requires a tremendous amount of effort from security teams. Manually sifting through heaps of threat intel feeds and correlating and analyzing them to produce high-fidelity intelligence is cumbersome, and the delay affects not only the response process but also the timely sharing of actionable intelligence. Modern threat intelligence platforms help security teams deal with these challenges by automating the ingestion, normalization, correlation, enrichment, analysis, and dissemination of threat intelligence. Where legacy platforms allowed only unidirectional consumption of threat intelligence, next-generation platforms enable automated bidirectional exchange, so that intel can be shared with and received from business units, TI providers, ISAC/ISAO members, regulators, partner organizations, and subsidiary companies. A capable platform supports both analysis and dissemination not only of IOCs but also of tactics, techniques, and procedures (TTPs), threat actors, courses of action, and incidents. These artifacts are exchanged in near real time in a machine-readable form: STIX (Structured Threat Information Expression) JSON objects, transported over TAXII (Trusted Automated Exchange of Intelligence Information), an HTTPS-based client-server API in which a server exposes collections that clients poll for new objects and, where permitted, push their own objects into.

A large organization, an ISAC/ISAO, or a national CERT typically uses a hub-and-spoke model of threat intelligence sharing: the hub operates the TAXII server, and each member (spoke) pulls from and pushes to its collections. This greatly enhances security collaboration amongst sharing partners and facilitates near-real-time sharing of IOCs, TTPs, incidents, threat actor data, and courses of action, significantly improving threat detection, analysis, and actioning.
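The exchange described in the two paragraphs above, as an added example that is not part of the original post and not Cyware’s code: a stub TAXII 2.1 hub implemented with Python’s standard library, and a member (spoke) that discovers the hub, lists its collections, pulls the STIX objects other members have shared, and contributes one indicator back. The hub implements only the four endpoints the exchange needs (discovery, collection listing, get objects, add objects) and runs on plain HTTP on localhost; a real TAXII server requires TLS and authentication. The API root path, collection identifier, and both indicators are constructed for illustration.

```python
import json
import threading
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TAXII = "application/taxii+json;version=2.1"
API_ROOT = "/hub"                                           # assumed API root path
COLLECTION = "e2f1c7b4-3d55-4d2e-9a7e-5f0c1d2b3a44"         # constructed collection id

# Hub-side store, seeded with one constructed indicator already shared by another member.
STORE = {COLLECTION: [{
    "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
    "created": "2022-10-06T00:00:00.000Z", "modified": "2022-10-06T00:00:00.000Z",
    "name": "Constructed C2 domain", "pattern_type": "stix",
    "pattern": "[domain-name:value = 'c2.example.test']", "valid_from": "2022-10-06T00:00:00.000Z",
}]}


class HubHandler(BaseHTTPRequestHandler):
    """Stub TAXII 2.1 hub: discovery, collection listing, get objects, add objects."""

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", TAXII)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path = self.path.split("?")[0]
        if path == "/taxii2/":                               # discovery resource
            self._reply(200, {"title": "Example sharing hub",
                              "api_roots": [f"http://{self.headers['Host']}{API_ROOT}/"]})
        elif path == f"{API_ROOT}/collections/":
            self._reply(200, {"collections": [{
                "id": COLLECTION, "title": "Member-shared indicators",
                "can_read": True, "can_write": True,
                "media_types": ["application/stix+json;version=2.1"]}]})
        elif path == f"{API_ROOT}/collections/{COLLECTION}/objects/":
            self._reply(200, {"more": False, "objects": STORE[COLLECTION]})   # envelope
        else:
            self._reply(404, {"title": "Not Found", "http_status": "404"})

    def do_POST(self):
        if self.path.split("?")[0] != f"{API_ROOT}/collections/{COLLECTION}/objects/":
            return self._reply(404, {"title": "Not Found", "http_status": "404"})
        envelope = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        new_objects = envelope.get("objects", [])
        STORE[COLLECTION].extend(new_objects)
        # TAXII 2.1 answers an add-objects request with a status resource.
        self._reply(202, {"id": str(uuid.uuid4()), "status": "complete",
                          "total_count": len(new_objects), "success_count": len(new_objects),
                          "failure_count": 0, "pending_count": 0})

    def log_message(self, *_):        # silence request logging in the example
        pass


def start_hub():
    server = ThreadingHTTPServer(("127.0.0.1", 0), HubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def taxii(url, body=None):
    """One TAXII request: POST when a body is given, GET otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Accept": TAXII, "Content-Type": TAXII})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def member_exchange(base):
    """Spoke side: discover, pick a readable collection, pull, then push one object back."""
    api_root = taxii(base + "/taxii2/")["api_roots"][0].rstrip("/")
    coll = next(c for c in taxii(api_root + "/collections/")["collections"] if c["can_read"])
    objects_url = f"{api_root}/collections/{coll['id']}/objects/"
    pulled = taxii(objects_url)["objects"]
    contribution = {                                        # constructed IOC seen by this member
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": "2022-10-06T12:00:00.000Z", "modified": "2022-10-06T12:00:00.000Z",
        "name": "Constructed C2 address", "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '203.0.113.45']", "valid_from": "2022-10-06T12:00:00.000Z",
    }
    status = taxii(objects_url, {"objects": [contribution]}) if coll["can_write"] else {"status": "skipped"}
    now_in_hub = len(taxii(objects_url)["objects"])
    return len(pulled), status["status"], now_in_hub


if __name__ == "__main__":
    server, base = start_hub()
    print(member_exchange(base))          # (1, 'complete', 2)
    server.shutdown()
```

The `can_write` check is the point of the bidirectional model: the same collection a member reads from is the one it contributes to, and the hub answers the contribution with a status resource rather than echoing the objects back. A production client would also pass `added_after` on the objects request so it polls only for what is new since its last pull.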

For security collaboration and unified action to be truly effective, threat intel sharing needs to extend beyond individual sectors to cross-sectoral (ISAC-to-ISAC) collaboration, with organizations across sectors and governments coming together to fight common threats and adversaries and protect critical infrastructure. Advanced threat intelligence platforms support this by ensuring that all sharing partners have access to the most up-to-date information about the threats.

As threats and attackers’ TTPs evolve, organizations have started adopting a more proactive approach such as cyber fusion, which fosters collaboration between different teams and accelerates threat intel dissemination using security orchestration and automation capabilities.

How Do Threat Intelligence Platforms Automate Threat Intelligence Sharing?

A fully automated threat intelligence lifecycle enables faster analysis and actioning of threat intelligence by ingesting, normalizing, enriching, and disseminating actionable intelligence to internal security teams and to external partners within a trusted sharing network. Internal teams such as the security operations center (SOC), incident response, vulnerability management, and threat hunters can prioritize their analysis, actioning, and hunting by confidence score instead of being overwhelmed by endless threat intel feeds collected from many sources. Incident responders can also use the shared intelligence to automate response workflows such as blocking malicious IPs in firewalls and updating SIEM watchlists. A rule engine with around 1000 predefined conditions can drive these workflows, for example marking false positives or triggering a playbook for an incident. This increases the efficiency of security teams and shortens both the Mean Time To Detect (MTTD) and the time to contain, since critical IOCs are matched and blocked without manual intervention. Automated blocking should nevertheless be gated on confidence thresholds and an allowlist: a false positive pushed to every firewall is itself an outage.

Sharing Threat Intelligence is Good for Everyone

As threat actors become better equipped to launch sophisticated cyberattacks, it is increasingly essential for organizations to share threat intel and draw on the collective knowledge of sharing communities to improve their overall security posture. With detailed, contextualized threat intelligence at hand, organizations, vendors, clients, and other industry peers can proactively implement adequate defensive measures in near real time.

Schedule a free demo to know how threat intelligence sharing is done using Cyware Solutions!
