Threat Intelligence Sharing: 5 Tips to Get Started

In this first of a two-part series, learn the benefits of threat intelligence sharing and the types of sharing options available, along with five recommendations to help you.

Threat intelligence sharing is growing in popularity, as evidenced by increasing media coverage, the emergence of high-profile collaborations such as the Cyber Threat Alliance (CTA), and the proliferation of vendors offering threat intelligence solutions at the recent 2016 RSA conference.

But threat intelligence sharing remains a topic of some debate, as organizations in a wide range of industries try to determine whether it is a worthwhile, and safe, investment. The title of a 2015 RSA session—“Threat Intelligence Is Dead! Long Live Threat Intelligence!”—underscores the wide-ranging views that frame that debate.

In this first of a two-part series, we’ll focus on the benefits of threat intelligence sharing and the types of sharing options available. Then we’ll provide five recommendations to help you join the group, or groups, that will benefit your organization the most.

Key Benefits of Threat Intelligence Sharing

By sharing threat intelligence, organizations can expand their visibility and insight into potential and active threats. Both new and resurgent forms of attack can be discovered early and communicated quickly to prevent or at least reduce the damage done to members of the group.

Case in point: In late 2015, the CTA—a group of cybersecurity solution providers that shares threat information—announced that they had “cracked the code” on CryptoWall v3 ransomware, which has cost its victims over $325 million. CTA members Fortinet, Intel, Palo Alto Networks, and Symantec have used threat intelligence sharing to enhance protections against CryptoWall in their individual product offerings. In addition, CTA issued a report that includes findings and recommendations based on members’ “collective visibility.”

“Threat analysis information can help you identify malware or other problems in your environment that your particular security solutions haven’t detected yet,” said Keith Fricke, principal consultant with TW Security. “That advanced warning can help you prevent and fend off attacks more effectively.”

Another recent example of organizations recognizing the benefits of threat intelligence sharing is the partnership between Fujitsu of Japan and BAE Systems, which is based in the U.S. The two companies can share cyber threat information internationally, with cyber analysts on both sides of the Pacific reviewing shared intelligence and modifying security settings accordingly.

Organizations in every industry can benefit from threat intelligence sharing, but the need is particularly critical in the healthcare sector. In 2015, healthcare was the most frequently attacked industry, and according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, 89 percent of healthcare organizations suffered a data breach in the past two years.

Growing awareness of cybersecurity risks in the healthcare industry may be why intelligence sharing is increasing across the sector. One of the many more recent, region-specific examples is the collaboration among security teams at multiple hospitals and medical schools associated with the University of Maryland, Baltimore.

Information Sharing Options to Consider

A variety of options are available to organizations that wish to benefit from shared intelligence.

Organizations in the private sector can now share cyber threat information with the federal government through the new Cyber Threat Intelligence Integration Center, a central repository for cyber threat information for government agencies and private organizations. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks,” according to the Department of Homeland Security.

Many security vendors offer intelligence sharing as a native part of their solution or for a subscription fee. If the vendor detects malware or another threat, they can distribute an alert or other information to all customers.

Another option is to join an industry-specific ISAC, or information sharing and analysis center. ISACs gather information about cyber threats in industries such as financial, healthcare, and oil and gas, and disseminate the information to members across the country. They provide an official mechanism to share insights into the latest cyberattacks and threats.

The Internet Storm Center provides a free threat sharing option. Created in 2001, the organization gathers millions of intrusion detection log entries every day, from sensors that monitor more than 500,000 IP addresses worldwide. The goal is to identify attacks earlier and disseminate information to thousands of internet users and organizations.

Fricke points out that non-technical sharing options are also available, which may be especially helpful for small and medium businesses that cannot afford or do not have the staff available to respond to alerts from larger threat sharing organizations. For those organizations, email lists, monthly gatherings, and other networking options may help identify threats early and disseminate best practices to fend off the latest forms of attack.

Five Tips to Choose the Right Intelligence Sharing Option

If you decide to reap the benefits of threat intelligence sharing, these five tips will help you choose the right solution for your organization.

1. Consider Your Budget and Capabilities

As described earlier, several types of threat sharing options are available. Consider whether you have the budget available to use one or more paid subscription services, or whether your needs can be met by a free service. Threat intelligence sharing also requires time, resources, and expertise. Do you have the internal resources necessary to act quickly on the information and alerts that are likely to come to you through the threat information sharing process? Even if you receive details on only five events a day, will you be able to follow up on each?

2. Assess Your Needs and Options

Which of the many threat sharing options available would best serve your organization’s needs? Do you want the industry-specific insights available through an ISAC? Does your security vendor offer a threat sharing option that might work for you?

Also consider whether you are currently taking advantage of informal, nontechnical threat sharing opportunities available through informal networking. If so, is that sufficient for now, or could it be ramped up or replaced by more formal threat sharing options?

3. Ask Around

When shopping for a doctor or a mechanic, it’s a good idea to ask your friends and neighbors whom they trust. Do the same with threat intelligence sharing: Talk with your contacts. Ask trusted security professionals at peer organizations if they share their threat information and how pleased they are with the experience. Depending on your budget, resources, and needs, ask detailed questions about the types of threat sharing that interest you.

4. Review Security and Privacy Practices

Whenever you share data about your organization, it goes without saying that you must ensure the data will be fully protected. Carefully vet threat intelligence sharing vendors on their security and privacy protections—and find out what happens if data gets out or some other problem arises. Will your organization be shielded from liability?

5. Give It a Test Run

Find out if the threat sharing options that appeal to you allow for a trial period. Use that time to determine whether the information you’re receiving makes membership worthwhile, and whether your internal resources can keep pace with the new demands placed on them through the collaboration.
