Threat intelligence sharing is not an issue

Mondo Sports Updated on 2024-01-31

Since its inception, the discipline of cyber threat intelligence has always been about sharing: providing cybersecurity teams, tools, and best practices with information about attackers and their tactics, techniques, and procedures (TTPs) to help them strengthen their defenses. In turn, data about threats and events discovered by security tools, as well as experience with external threat sources, can also contribute to the overall level of threat intelligence to some extent. It's a virtuous circle. It is therefore not difficult to understand why, over the past 25 years, a range of interest groups and countless public and private partnerships have emerged, culminating in an entire area of the cybersecurity industry focused on sharing threat intelligence.

But the purpose of this article is not to discuss the importance of threat intelligence sharing. Recently, at a panel discussion with experts from FS-ISAC and SECCalliance, audience polls showed that respondents unanimously agreed: "Threat intelligence sharing is beneficial, combining technical details with contextual information to provide the most value."

Worryingly, however, only 17 percent of respondents are confident in their organization's level of cyber threat intelligence sharing, while 17 percent say the opposite – very unconfident. More worryingly, the survey targeted security professionals in the financial services industry, which is considered an early adopter of threat intelligence sharing. A number of steps are needed to close the confidence gap and engage more security professionals in sharing.

Regulatory compliance

Since 2020, threat intelligence has gradually been coming back into the spotlight. This is due to the increasing frequency with which opportunistic attackers exploit events such as the pandemic, catastrophic weather, and the geopolitical environment to launch sophisticated attacks that compromise organizations and the critical services they provide. As a result, a deep understanding of sophisticated cyber threats has become so important that in 2021, a White House executive order on improving the nation's cybersecurity made "removing barriers to information sharing" a top requirement.

More regulations are on the horizon, such as the Digital Operational Resilience Act (DORA), expected to come into force in January 2025, which aims to fill the gaps in EU financial regulation regarding operational resilience. One of the pillars under the new law focuses on the sharing of information and intelligence related to cyber threats and vulnerabilities.

Regulations are often seen as a "stick" for enforcing desired behavior. However, as more and more organizations meet these sharing requirements, a "carrot" comes into play as well: a reward effect that has been described as herd immunity.

Herd immunity

Today, most organizations operate in complex ecosystems that are interdependent. This means that the resilience of the industry is a prerequisite for the resilience of the organization.

In addition, it is not enough for the large players in the market, whether they are the largest financial institutions, healthcare providers, retailers, manufacturers, or energy providers, to share threat intelligence. There are interconnections between organizations and third parties of all sizes. Therefore, every organization needs to be actively involved in the sharing community, exchanging reports, best practices, and workflows. The synergies created by cooperation for the common good allow participants to access information that they would otherwise not be able to access and to strengthen their defenses faster and at a lower cost through the pooling of resources.

Key considerations when developing a threat intelligence sharing practice

There are several reasons why organizations lack confidence in their ability to share threat intelligence. Three key elements are considered able to increase the viability and impact of threat intelligence sharing for any sharing community.

User-friendly technology platform: In recent years, there has been growing momentum towards integration, with the aim of enabling machine-to-machine sharing, including compatibility with standards such as STIX and TAXII and the normalization of threat intelligence itself. These advancements have made it easier to share data. In addition, context helps make threat intelligence more relevant. As a result, organizations should focus on threat intelligence tools and platforms with built-in automation capabilities that enrich and prioritize threat data with context, so that relevant intelligence can be found quickly and the noise filtered out.

Data anonymization: Every organization expects to receive shared information, but many worry about whether they can contribute value to the sharing community without causing legal problems. Today, many communities have processes in place that enable participants to choose what to share, and in what format. Information can be generalized enough not to disclose personally identifiable information or business-specific information. Data anonymization helps address legal concerns about privacy and security, while also helping other members of the community look at their own networks to determine whether they too face the threat the sharing organization has observed.
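An added example, not part of the original article: one way to apply the anonymization step above before publishing to a STIX-based sharing platform. It builds a STIX 2.1 indicator from an internal alert by copying out attacker-side fields only; the alert field names, the internal ranges and the `.corp.example` suffix are assumptions, and the alert itself is constructed.

```python
import ipaddress, json, uuid
from datetime import datetime, timezone

# Assumption: what counts as "ours". Replace with the organization's real ranges/domains.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
OWN_DOMAIN_SUFFIXES = (".corp.example",)

# Constructed internal alert; field names are hypothetical, not from any product.
ALERT = {
    "seen": "2024-01-30T14:22:07Z",
    "victim_host": "fin-ws-0412.corp.example",
    "victim_user": "j.doe",
    "src_ip": "10.20.30.41",
    "dst_ip": "203.0.113.77",
    "dst_domain": "updates.bad.example",
    "file_sha256": "ab" * 32,  # placeholder digest, not a real sample
    "analyst_note": "Payroll workstation beaconing after phishing mail to j.doe",
}

def attacker_side_patterns(alert):
    """Allow-list: only fields that describe the adversary are ever copied out.
    Host names, user names and free-text notes are never read, so they cannot leak."""
    out = []
    for key in ("src_ip", "dst_ip"):
        if alert.get(key):
            ip = ipaddress.ip_address(alert[key])
            if not any(ip in net for net in INTERNAL_NETS):
                out.append(f"[ipv{ip.version}-addr:value = '{ip}']")
    domain = alert.get("dst_domain", "")
    if domain and not domain.endswith(OWN_DOMAIN_SUFFIXES):
        out.append(f"[domain-name:value = '{domain}']")
    if alert.get("file_sha256"):
        out.append(f"[file:hashes.'SHA-256' = '{alert['file_sha256']}']")
    return out

def to_shareable_indicator(alert):
    patterns = attacker_side_patterns(alert)
    if not patterns:
        return None  # nothing left that another member could search for
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix", "pattern": " OR ".join(patterns),
        "valid_from": alert["seen"][:10] + "T00:00:00Z",  # generalized to the day
    }

if __name__ == "__main__":
    print(json.dumps(to_shareable_indicator(ALERT), indent=2))
```

Because the function builds the output from an allow-list rather than deleting known-sensitive keys, a field added to the alert schema later stays private by default.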

Promote trust mechanisms: Trust is a key component of sharing, and every sharing initiative requires a range of mechanisms to promote trust, including the creation of smaller groups, comprehensive vetting of members, enforcing privacy and sharing policies, and leveraging technology and processes to protect and facilitate the flow of data. For example, the ISACs (Information Sharing and Analysis Centers) for different industries and organizations have extensive experience in intelligence classification, traffic protocols, sharing frequency, and how members use intelligence, providing a good execution and security environment for intelligence exchange. Private initiatives provided by technology vendors may be subject to additional vetting of members, as well as a process through which members nominate colleagues or peers to become candidates.

The ultimate goal is to provide a nurturing environment where contextual threat intelligence can flow continuously, helping security teams and organizations evolve in maturity and capabilities. To share or not to share is not the question. It's all about how, what, where, and with whom. Finding these answers early will help make the industry safer on both a collective and individual level.

Comment on the consultation of several generations

Threat intelligence sharing isn't just a practical security strategy, it's the foundation for building trust, strengthening collaboration, and providing the necessary support to meet evolving threat challenges.

While focusing on legal compliance and privacy protection, threat intelligence sharing should also pay attention to the real-time nature of intelligence sharing and the adaptability of the sharing system.

Achieving timely transmission of threat intelligence, establishing two-way communication, building a foundation of trust, and adapting to the ever-changing threat landscape are the keys to ensuring that the sharing system is credible, efficient, and flexible.
