What is Cyber Threat Intelligence Sharing? And Why Should You Care

Shamim Ahammed
Feb 22, 2023

The cyber threat landscape has reached a point where it exceeds the ability of individuals and organizations to defend themselves. With the sheer number of new threats identified every day, unless an organization has access to timely and highly accurate threat intelligence, it is only a matter of time before it falls victim to a changing host of attacks.

This issue can be better addressed by sharing threat intelligence. This also enables effective security collaboration between internal security teams and external partners. In the ever-changing cyberthreat and attack landscape, threat intelligence sharing plays a key role in the threat intelligence lifecycle and can make a big difference in protecting your organization from malicious attacks and security incidents.

Why Does Threat Intelligence Sharing Matter?

Today, many teams within organizations rely on sharing cyber threat intelligence to prioritize and manage business risks. Depending on operational needs and expertise, threat intelligence is shared with each team to uncover blind spots and fully understand the evolving threat landscape while making better security decisions. When the right information is distributed to the right people, it improves overall situational awareness and makes it easier for organizations to build the better defense systems they need to guard against emerging threats.

Additionally, most organizations in today’s digital ecosystem work with a variety of business partners, software vendors, and supply chain partners, who may in turn rely on other software vendors for their business operations. Given this interdependence between various entities, a single cyber incident can affect multiple connected organizations, sectors, or countries beyond one ecosystem or corporate environment.

Addressing advanced or emerging cyber threats that require specialized knowledge and intelligence becomes a difficult task, as no organization has all the tools, resources, skills and knowledge necessary to fully understand the threat landscape. This can be supplemented by participating in threat intelligence sharing through trusted communities such as the Information Sharing and Analysis Center (ISAC) and the Information Sharing and Analysis Organization (ISAO).

Additionally, organizations can participate in cross-sectoral threat intelligence sharing through ISACs and ISAOs. This allows organizations in one sector to learn from threats seen by organizations in other sectors and proactively take necessary mitigation actions. By sharing information at a cross-functional level, organizations can see the potential extent of vulnerabilities (if exploited), better understand departmental threats targeting critical infrastructure assets, jointly develop mitigation strategies, assess cyber control investments, and manage security spending accordingly with regard to threat activity observed in high priority regions.

What Type of Threat Intelligence Should be Shared?

Threat intelligence delivers desired security outcomes when delivered to the right people at the right time. In most cases, the information shared includes:

Technical and Tactical Threat Intelligence:
This covers technical details about the attacker’s assets obtained from threat intelligence, such as the types of attack vectors used, the command and control (C2) domains used, and the vulnerabilities exploited. It includes, but is not limited to:

Indicators of Compromise (IOC):
These are artifacts or observations that indicate that an attack is imminent, that an attack is already underway, or that a compromise may have already occurred. These indicators include malicious IP addresses, suspicious domain names, URLs pointing to malicious content, file hashes, or subject line text of malicious email messages.

Tactics, Techniques and Procedures (TTP):
TTPs describe the behaviors, methods, tools, and strategies that attackers use to plan and carry out cyberattacks on corporate networks. They contain high-level information describing the propensity of attackers to use particular malware variants, sequences of operations, attack tools, delivery mechanisms, or exploits.

STIX domain objects:
STIX 2.1 provides approximately 18 high-level intelligence objects such as attack patterns, exploited vulnerabilities, intrusion sets, and associated tactics to address the rapidly changing dynamics of cyber threat intelligence sharing. By connecting these STIX Domain Objects (SDOs), security teams can get a meaningful and structured view of cyber threat intelligence.

Strategic Threat Intelligence:
This information typically comes in the form of threat advisories, human-readable alerts, bulletins, and vulnerability advisories. This threat intelligence includes technical notifications about vulnerabilities, exploits, attackers, malware, and more. These come from sources such as the United States Computer Emergency Response Team (US-CERT), the Information Sharing and Analysis Center (ISAC), the National Vulnerability Database (NVD), the Product Security Incident Response Team (PSIRT), and commercial security service providers. Several large enterprises are now starting to create their own alerts based on captured threat intelligence, using advanced tools to share strategic advice and enable business units and security teams to contextualize threats and make them recognizable.

However, information that is often targeted by cyberattacks, such as personally identifiable information (PII) and trade secrets, is not considered threat intelligence and should not be shared.
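To show how connecting STIX Domain Objects gives the structured view described above, here is an added example (not from the original article) that builds a small STIX 2.1 bundle with the Python standard library and resolves its relationships. The object names, the address and the helper functions `sdo`, `relate`, `build_bundle` and `linked_view` are constructed for illustration.

```python
import json
import uuid
from datetime import datetime, timezone

NOW = datetime(2023, 2, 22, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(obj_type, **props):
    """Build a STIX 2.1 object with the common required properties."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}

def relate(source, rel_type, target):
    """STIX relationship object (SRO) linking two SDOs."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])

def build_bundle():
    # Constructed sample data; 192.0.2.0/24 is a documentation range.
    indicator = sdo("indicator", name="C2 server address",
                    pattern="[ipv4-addr:value = '192.0.2.10']",
                    pattern_type="stix", valid_from=NOW)
    malware = sdo("malware", name="ExampleLoader", is_family=False)
    technique = sdo("attack-pattern", name="Spearphishing Attachment")
    objects = [indicator, malware, technique,
               relate(indicator, "indicates", malware),
               relate(malware, "uses", technique)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def linked_view(bundle):
    """Resolve each relationship into (source name, verb, target name)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [(by_id[o["source_ref"]]["name"], o["relationship_type"],
             by_id[o["target_ref"]]["name"])
            for o in bundle["objects"] if o["type"] == "relationship"]

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    for triple in linked_view(bundle):
        print(" -> ".join(triple))
```

The bundle contains only adversary-side data (an address, a malware name, a technique), in line with the rule above that PII and trade secrets are not threat intelligence.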

What are the Ways to Share Threat Intelligence?

There are primarily two ways of sharing cyber threat intelligence:

One-way release: One entity generates threat intelligence and shares it with other entities, but those who consume the intelligence give nothing back in return. Sources of this type include Open Source Intelligence (OSINT) or publicly available reports covering recent attacks and the indicators and techniques used.

Two-way sharing: It enables two-way threat intelligence sharing among industry peers, vendors, customers, and sharing communities such as the Information Sharing and Analysis Center (ISAC). In this model, threat information flows between the two sharing entities. This approach also unlocks public-private security collaboration, allowing private sector organizations to work with government agencies such as the National CERTs and the Cybersecurity and Infrastructure Security Agency (CISA) to better understand emerging cyberthreats.

How Does a Threat Intelligence Platform Improve Threat Intelligence Sharing?

Developing and sharing threat intelligence requires a lot of effort from your security team. Manually sifting through large amounts of threat intelligence, correlating and analyzing it to get high-fidelity intelligence is tedious. As a result, it affects not only the response process, but also the timely sharing of actionable information.

A modern threat intelligence platform can help security teams efficiently address these challenges by automating the collection, normalization, correlation, enrichment, analysis, and distribution of threat intelligence. While traditional threat intelligence platforms only allow one-way consumption of threat intelligence, next-generation threat intelligence platforms make automated, bi-directional sharing of threat intelligence possible.

This facilitates the seamless exchange or receipt of threat intelligence with business units, TI vendors, ISAC/ISAO members, regulators, partner organizations, and affiliates. A best-in-class threat intelligence platform facilitates both the analysis and distribution of IOCs as well as tactics, techniques, procedures (TTPs), threat actors, procedures, incidents, and more. All of these artifacts are shared in real-time and in a machine-readable format using the Trusted Automated Exchange of Indicator Information (TAXII) client-server model in STIX (Structured Threat Information eXpression) format.

Large organizations, ISAC/ISAOs, or national CERTs use a hub-and-spoke model to exchange threat intelligence. This greatly improves threat security collaboration between sharing partners, facilitating real-time exchange of IOCs, TTPs, incidents and threat actor data and practices, and greatly improving threat detection, analysis and action processes.

For security collaboration and collective action to be truly effective, threat intelligence sharing must extend beyond individual sectors to intersectoral collaboration (ISAC-to-ISAC). There, different sectors and governmental organizations work together to fight common threats and adversaries and protect critical infrastructure. This can be enhanced by leveraging our advanced threat intelligence platform to give all sharing partners access to the latest information on threats.

As threats and attacker TTPs evolve, organizations are starting to adopt more proactive approaches such as cyber fusion to facilitate collaboration between various teams and use advanced security orchestration and automation capabilities to reduce threats and speed up the intelligence dissemination process.

How Do Threat Intelligence Platforms Automate Threat Intelligence Sharing?

A fully automated threat intelligence lifecycle captures, normalizes, enriches, and distributes actionable threat intelligence to internal security teams and external partners within your trusted network, making faster threat intelligence action and analysis possible. Internal security teams such as Security Operations Centers (SOCs), incident response teams, vulnerability management teams, and threat hunters can review confidence scores and carry out analysis, action, and hunt processes with ease, without being overwhelmed by endless threat intelligence gathered from a variety of sources.

Additionally, incident responders can use shared, actionable threat intelligence to automate response workflows, e.g. blocking malicious IPs in firewalls, updating SIEM data, etc. Response workflows can also be automated by a rules engine with nearly 1000 predefined conditions, such as false positive updates and incident playbook triggers. This increases security team efficiency and improves mean time to detection (MTTD) by automatically detecting and blocking critical IOCs without the need for manual intervention.
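The confidence-score review and automated blocking described above can be sketched as a small rule set; this is an added example, not code from the article or from any particular platform. The threshold, the protected ranges and the sample feed are assumptions, and the rules cover the cases where automatic blocking goes wrong: an indicator inside your own address space, an expired indicator, or a pattern the rule cannot interpret.

```python
import ipaddress
import re
from datetime import datetime, timezone

BLOCK_THRESHOLD = 80  # assumed policy value on the STIX 0-100 confidence scale
NEVER_BLOCK = [ipaddress.ip_network(n)  # assumed: the organization's own ranges
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$")

def triage(indicator, now):
    """Return (action, reason) for one shared STIX indicator."""
    match = IPV4_PATTERN.match(indicator.get("pattern", ""))
    if not match:
        return "review", "not a single IPv4 comparison"
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:
        return "review", "malformed address"
    if any(ip in net for net in NEVER_BLOCK):
        return "ignore", "address is inside a protected range"
    expiry = indicator.get("valid_until")
    if expiry and datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc) <= now:
        return "ignore", "indicator has expired"
    if indicator.get("confidence", 0) >= BLOCK_THRESHOLD:
        return "block", "confidence at or above threshold"
    return "review", "confidence below threshold"

# Constructed sample feed (documentation and private addresses only).
SAMPLE_FEED = [
    {"name": "c2-a", "pattern": "[ipv4-addr:value = '203.0.113.7']", "confidence": 90},
    {"name": "c2-b", "pattern": "[ipv4-addr:value = '203.0.113.8']", "confidence": 40},
    {"name": "internal", "pattern": "[ipv4-addr:value = '10.0.0.5']", "confidence": 95},
    {"name": "stale", "pattern": "[ipv4-addr:value = '198.51.100.9']", "confidence": 95,
     "valid_until": "2023-01-01T00:00:00Z"},
    {"name": "domain", "pattern": "[domain-name:value = 'example.test']", "confidence": 99},
]

def run(feed, now):
    """Map each indicator name to the action the rules select."""
    return {i["name"]: triage(i, now)[0] for i in feed}

if __name__ == "__main__":
    now = datetime(2023, 2, 22, tzinfo=timezone.utc)
    for name, action in run(SAMPLE_FEED, now).items():
        print(f"{name}: {action}")
```

Only the "block" results would be pushed to a firewall; "review" items go to an analyst queue, which keeps a high-confidence but mis-scoped indicator from cutting off internal traffic.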

Sharing Threat Intelligence is Good for Everyone

In an era in which threat actors are able to launch sophisticated cyberattacks, it has become increasingly important for organizations to share threat intelligence and leverage the collective knowledge of their communities to improve their overall security posture. Detailed, contextualized threat intelligence enables organizations, vendors, customers and other industry peers to proactively implement appropriate countermeasures in real time.


