No organisation is an island: the rise of community-based security
Thousands of UK companies could be missing out on the benefits of sharing threat intelligence
Short of time?
With cyber-attacks and breaches happening on a daily basis, cyber security has had to evolve beyond static perimeter and endpoint management to become a sophisticated game of detection and response.
In this game, organisations have to constantly look at new and different ways of improving their own cyber security intelligence and capability so that they can match the growing skills of cyber attacker’s.
One of the areas organisations should be looking at is timely threat intelligence sharing. It’s not uncommon for attackers to use the same style of attack on organisations in the same industries, so details about an attack campaign provided by a peer organisation can accelerate threat detection and response and limit the damage. A 2015 report by the Cyber-security Information Sharing Partnership (CiSP) suggested that 30,000 attacks may have been prevented by a threat-sharing scheme.
The growing support for threat intelligence sharing
In March of 2015, Andrew H. Tannenbaum, Cybersecurity Counsel for IBM, submitted testimony in support of threat information sharing before the US House of Representatives Permanent Select Committee on Intelligence.
He argued that cyber threats have become too diverse and too dynamic to completely eliminate cyber risk, businesses need to identify potential risks in their IT systems, prioritise them, and allocate security resources accordingly, and cyber security is now a data analytics challenge.
Tannenbaum stated that in order to stay ahead of the attackers, companies need timely and actionable information about specific threats to their infrastructure. He pointed out that malicious actors can move through networks at light speed, so information about the attack needs to be available to potential victims in as close to real time as possible.
As the threat of cyber-attacks on both private and public sector organisations increase, security specialists of all levels need to be calling for greater sharing of threat intelligence data and knowledge.
The need for speed
Joining ISACs (Information Sharing and Analysis Centres) and communities such as those around Facebook’s ThreatExchange, is a great starting point for any organisation looking to be involved with sharing threat intelligence.
Many threat intelligence sharing groups even have their own industry specific sub groups, only accessible after an individual has been assessed and approved.
However, according to the 2015 Verizon Data Breach Investigations Report, using shared intelligence for ‘herd alertness’, just as animals on the plains share warnings when predators are near; requires speed to be effective.
That is because 75% of attacks spread from Victim 0 to Victim 1 in 24 hours while 40% hit the second victim organisation in less than an hour.
An increasing number of cyber security vendors are also championing threat intelligence sharing by making some data sources open and accessible, such as Passive DNS (PDNS) feeds, and by providing publically available threat reports.
Organisations can incorporate this information in their investigations along with their own research and information collected within their peer groups.
While this can be quite labour intensive for researchers there are tools that can help with the data aggregation and visualisation process, giving cybersecurity analysts the ability to connect attacks to attack infrastructure to better understand the adversary and put in place more effective counter measures.
Whilst significant changes have been made in the US to encourage businesses to share this information, there’s still more to be done in the UK and Europe to address this issue.
The more companies that share threat information, the easier it’s going to become for more companies to detect and respond to threats. Whether it’s private sharing of attack campaigns, long-form reports on threat actors, or just public lists of indicators--sharing should occur without friction.
The more vendors, service providers, and organisations that band together to fight security threats, the more difficult it will become for attacks to succeed.
Quite simply organisations that band together and share threat intelligence will detect attacks and resolve issues faster than those who attempt to go it alone.
Sourced from Ben Harknett, VP EMEA, RiskIQ