Cyber threat intelligence (CTI) sharing is a critical tool for security analysts. It takes the learnings from a single organization and shares it across the industry to strengthen the security practices of all.
By sharing CTI, security teams can alert each other to new findings across the threat landscape and flag active cybercrime campaigns and indicators of compromise (IOCs) that the cybersecurity community should be immediately aware of. As this intel spreads, organizations can work together to build upon each other’s defenses to combat the latest threat. This creates a herd-like immunity for networks as defensive capabilities are collectively raised.
Blue teams need to act more like red teams
A recent survey by Exabeam showed that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises. A blue team is charged with defending one network. They have the benefit of knowing the ins and outs of their network better than any red team or cybercriminal, so they are well-equipped to spot abnormalities and IOCs and act fast to mitigate threats.
But blue teams have a bigger disadvantage: they mostly work in silos consisting only of members of their immediate team. They typically don’t share their threat intelligence with other security teams, vendors, or industry groups. This means they see cyber threats from a single lens. They lack the broader view of the real threat landscape external to their organization.
This disadvantage is where red teams and cybercriminals thrive. Not only do they choose the rules of the game – the when, where, and how the attack will be executed – they share their successes and failures with each other to constantly adapt and evolve tactics. They thrive in a communications-rich environment, sharing frameworks, toolkits, guidelines, exploits, and even offering each other customer support-like help.
For blue teams to move from defense to prevention, they need to take defense to the attacker’s front door. This proactive approach can only work by having timely, accurate, and contextual threat intelligence. And that requires a community, not a company. But many companies are hesitant to join the CTI community. The SANS 2020 Cyber Threat Intelligence Survey shows that more than 40% of respondents both produce and consume intelligence, leaving much room for improvement over the next few years.
Common challenges for beginning a cyber threat intelligence sharing program
One of the biggest challenges to intelligence sharing is that businesses don’t understand how sharing some of their network data can actually strengthen their own security over time. Much like the early days of open-source software, there’s a fear that if you have anything open to exposure it makes you inherently more vulnerable. But as open source eventually proved, more people collaborating in the open can lead to many positive outcomes, including better security.
Another major challenge is that blue teams don’t have the lawless luxury of sharing threat intelligence with reckless abandon: we have legal teams. And legal teams aren’t thrilled with the notion of admitting to IOCs on their network. And there is a lot of business-sensitive information that shouldn’t be shared, and the legal team is right to protect this.
The opportunity is in finding an appropriate line to walk, where you can share intelligence that contributes to bolstering cyber defense in the larger community without doing harm to your organization.
If you’re new to CTI sharing and want to get involved here are a few pieces of advice.
Clear it with your manager
If you or your organization are new to CTI sharing the first thing to do is to get your manager’s blessing before you move forward. Being overconfident in your organization’s appetite to share their network data (especially if they don’t understand the benefits) can be a costly, yet avoidable mistake.
Start sharing small
Don’t start by asking permission to share details on a data exfiltration event that currently has your company in crisis mode. Instead, ask if it’s ok to share a range of IPs that have been brute forcing logins on your site. Or perhaps you’ve seen a recent surge of phishing emails originating from a new domain and want to share that. Make continuous, small asks and report back any useful findings.
Share your experience when you can’t share intelligence
When you join a CTI group, you’re going to want to show that you’re an active, engaged member. But sometimes you just don’t have any useful intelligence to share. You can still add value to the group by lending your knowledge and experience. Your perspective might change someone’s mind on their process and make them a better practitioner, thus adding to the greater good.
Demonstrate value of sharing CTI
Tie your participation in CTI groups to any metrics that demonstrate your organization’s security posture has increased during that time. For example, show any time that participation in a CTI group has directly led to intelligence that helped decrease alerted events and helped your team get ahead of a new attack.
There’s a CTI group for everyone
From disinformation and dark web to medical devices and law enforcement, there’s a CTI segment for everything you ever wanted to be involved in. Some are invite-only, so the more active you are in public groups the more likely you’ll be asked to join groups that you’ve shown interest in or have provided useful intelligence about. These hyper-niche groups can provide big value to your organization as you can get expert consulting from top minds in the field.
The more data you have, the more points you can correlate faster. Joining a CTI sharing group gives you access to data you’d never even know about to inform better decision making when it comes to your defensive actions. More importantly, CTI sharing makes all organizations more secure and unites us under a common cause.
While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge.
If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk and cybersecurity strategy, because third-party data breaches will dominate the threat landscape in 2020.
Data breaches and third-party cyber risk
This is not a new challenge. Headlines over the last few years are filled with major breaches caused by hackers accessing companies’ data through their third-party vendors.
Six years ago, attackers breached Target by using login credentials stolen from a company that provided HVAC services to the retailer. That breach should have been a wakeup call for enterprises and cybersecurity vendors to address the challenge of third-party cyber risk, but years later these types of incidents are becoming even more frequent.
In the last year, for example, an unauthorized user gained access to data on 11 million Quest Diagnostics patients through the company’s partner debt-collection agency. Another bad actor accessed data on millions of Capital One credit card applicants through a misconfigured Amazon cloud container.
Estimates indicate that around 60 percent of data breaches are linked to third parties, and we can expect that percentage to increase as more companies embrace digital platforms and new operating models that require sharing of data with partners and service providers.
Enterprise boundaries will continue to blur in 2020 with more organizations investing in cloud computing, using file sharing platforms such as DropBox, Google Drive or OneDrive, and connecting more devices on the edge of their networks.
If CISOs continue to focus cybersecurity tools and resources within the company perimeter, they are fighting the wrong battle in an increasingly multi-front cybersecurity war.
Elevating third-party cyber risk to a C-suite and board imperative
One of the most important things CISOs can do to put the appropriate focus on third-party cyber risk is to make it a corporate reputation issue requiring support and oversight from C-suite and board executives.
Along with the opportunities for greater innovation, productivity, operational efficiency and customer engagement, digital transformation has created new vulnerabilities across the enterprise – and beyond its borders – that could impact corporate reputation if exploited.
With the average enterprise engaging with several hundred partners and other third parties, it’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust.
CISOs must get better at educating business leaders about these unintended consequences of digital transformation. The reality, however, is that 63 percent of CISOs don’t regularly report to their boards, according to a recent Ponemon Institute study. Worse, a stunning 40 percent of CISOs said they never report to their boards at all. This lack of connection and accountability at the C-suite and board level is a major problem.
What CISOs should do
CISOs in 2020 must become stronger advocates for shifting from reactive to proactive cybersecurity postures. They must advocate for creating more resilient and cyber-aware cultures where cybersecurity is seen as everyone’s responsibility.
CISOs should also start to align their investments in cybersecurity with the new reality that threats are more likely to materialize through third parties.
That means not only assessing third parties for potential vulnerabilities, but using new approaches and tools coming to market that can identify actual data that a third-party inadvertently exposed, and that can enable immediate remediation.
Are you optimistic?
I am optimistic about the cybersecurity industry’s ability to rise to this challenge, provide those tools and help CISOs shift and elevate their organization’s cyber posture when it comes to third-party and other emerging risks. It’s why I left the FBI to join the industry after 20 years working in the bureau’s cyber, counterintelligence and counterterrorism branches.
I’ve seen firsthand how damaging third-party data leaks can be for businesses and other institutions, and I’ve seen the struggles CISOs undertake to just keep up.
With the right resolve and the right support from the cybersecurity industry, CISOs can take charge of this challenge in 2020, commit to shifting their focus toward third-party cyber risk, and engage C-suite and board executives about the strategic importance of doing so.