Learning from the mistakes of others sounds great. Yet it's difficult to do when those 'others' refuse to be transparent about their mistakes.
Why is intelligence sharing important? Cyber criminals find new software vulnerabilities and attack vectors every day. Cybersecurity experts are faced with an ongoing challenge to keep up. If peers open up to proactively share information (also known as intelligence sharing), it can help strengthen our collective resilience and reactivity to potential threats.
Cybersecurity experts do have tools to be proactive — penetration testing, anyone? But cybercriminals are highly motivated and often changing the rules of the game. They're also often willing to share their information freely so that new techniques spread rapidly among criminal communities.
That's why many in the industry have embraced the idea of information sharing. It's a "the more you know" mantra applied to cybersecurity. Intelligence sharing helps expand everyone's cyber threat intelligence (CTI).
"Proactive information-sharing about attacks and defensive mitigations builds resilience across organizations participating within a given trust community, evolving herd immunity against attacks that others have seen within their own networks," suggested Thomas Schreck, Chair of the Forum of Incident Response and Security Teams, and Trey Darley, New Contexts Director of Standards Development, in an InfoSecurity Magazine opinion piece.
Yet there are concerns about sharing information with just anyone. Sharing requires trust. Businesses are more likely to share information informally, behind closed doors, with partners and through personal discussion.
In an example of leadership in broadening the reach of a circle of trust, UBS, a Swiss-based multinational investment bank and financial services provider, partnered with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to develop a series of cyber war games. The joint threat intelligence activity aimed "to improve security posture and incident response of the whole sector."
Without collaboration, response times are slowed, businesses are generally unprepared, and there is little coordination across companies or industries when a threat is discovered.
Some businesses are reluctant to share cybersecurity information. They may be worried about legal implications, attacker retaliation, or endangering intellectual property. Nevertheless, over the past decade the practice has become more common. Forums have been developed to share information and some intelligence providers have set up secure servers with daily threat updates and intelligence sharing.
These peer-to-peer networks, though, while helping with confidentiality, "make it almost impossible to coordinate large-scale, industry-wide responses," wrote Nick Ismail in Information Age.
Crowdsourcing information for potential peer-review can make a big difference. In the U.S., the Department of Homeland Security's Automated Indicator Sharing (AIS) service shares threat intelligence broadly across the public and private sectors. The Cyber Information Sharing and Collaboration Program enables "analyst-to-analyst sharing of threat and vulnerability information."
The Federal Bureau of Investigation also participates in an intelligence sharing partnership. InfraGard is a non-profit organization that serves as a liaison between the FBI and the private sector for the purpose of combining the knowledge of government intelligence with the business community.
The UK's Defence Cyber Protection Partnership (DCPP) aims to boost private and public sector cybersecurity collaboration and "the chances of a successful threat response." Meanwhile, Information Sharing and Analysis Centres (ISACs), Information Sharing and Analysis Organisations (ISAOs) and other communities have been developed out of a "common desire for large-scale collaboration."
Particular industries might have their own ISAC. For instance, there's a Retail Cyber Intelligence Sharing Center (R-CISC) with small retail companies and Target or Home Depot-sized members.
Ultimately, the argument goes, there is strength in numbers. Ismail suggested, "Forward-thinking organizations recognize that unifying people, technology, resources and intelligence are the foundations for future cybersecurity."
Yet laggards remain.
According to Paul Kurtz, founder and CEO of TruStar Technology, "[CISOs] don't always recognize the benefits of information sharing." He suggested to DarkReading that data exchange helps everyone in that industry identify problems and react more quickly. He also reiterated it is legal to share as long as there's no personally identifiable information released.
The main thing is that you need to know what's going on in your IT infrastructure to identify suspicious activity. You can't share proactively if you don't understand when you're being threatened.
Information sharing helps everyone in cybersecurity do their jobs better. That's one of the reasons we partner with companies like Boulay Group, which provides businesses and public organizations with technology risk services. With these partners, we share our understanding of strategic planning to identify, detect, prevent, and protect IT networks, systems, applications as well as physical premises and IoT devices.
RedTeam Security's experts can also help your team to better understand its IT inner workings. Onsite IT professionals may be doing great work, but it always helps to have an external perspective. Schedule your free consultation with RedTeam Security today and let's open the conversation.