Posted
I am excited to see threat intelligence sharing is catching on as a way to empower cyber security defenders with timely, relevant, and actionable threat intelligence data. I believe, and I actually always have, in “crowd power”. Our Intelligence Research Team, contributes daily to our ThreatConnect Communities. The team takes great pride in sharing with the community, enriching community contributed data, and deepening and strengthening our community members’ threat intelligence.
As incentives from the insurance industry and tax credits accelerate the adoption of sharing, analysts will no longer ask, “Can I share?” Instead, the question will become, “What can I share?”
While most sharing communities, Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and our own ThreatConnect Communities, have rules that govern community participation, they do not dictate what data should be shared and when. Corporate policies should provide guidance, but often those policies do not get established.
Is it possible to learn from organizations that have mastered the art of sharing?
ThreatConnect Communities consist of some very sophisticated and mature organizations who regularly contribute threat intelligence data, and can serve as useful examples or role models for sharing newcomers. So, let’s take a look at what some of our more active members are doing across a few different scenarios. Perhaps the following best practices provide some general guidelines for organizations who are just starting to share their threat intelligence.
Open Sources (Reports and Blogs): If a report or published article is uncovered, I recommend you share the article as soon as possible. If the content is analyzed, it is helpful for you and the community to provide enrichment updates. ThreatConnect’s Common Community is a great choice for sharing open sourced data.
Spear Phish: With a spear phish email, share the indicators associated with it along with any enrichment you might find in any external or ThreatConnect ISAO/ISAC, private, and/or themed Communities. I recommend that you do not share target or victim information.
Threat Groups: After you finish an analysis related to a threat group that your and your team might be tracking, share the data with the ThreatConnect ISAO/ISAC, private, and/or industry themed Communities. In general, most tracking is done on an adversary using registrant email addresses and C2 nodes. However, sometimes tracking can be done using a target entity – a conference, geography, a conflict area, or an oil field as examples.
Historical Data as Enrichment: Share historical indicators as enrichments whenever possible. Historical data, as illustrated in this Community Collaboration Case Study, can be quite useful in understanding patterns and trends.
My overall view is that you should share indicators whenever possible, you should enrich shared data whenever possible, and you should share the enrichments back into the community as soon as possible. Our organizations and our data are stronger when we work together. Like the old age analogy, one stick is easy to break, a bunch of sticks together are hard to break.
ThreatConnect makes aggregating, analyzing, and sharing of threat intelligence easy. ThreatConnect provides users the ability to create custom security labels based on their corporate policy. Data can be tagged with the security labels which can be used to redact sensitive data, like victim information, during the process of sharing.
If you are looking to join a community, our Communities Marketplace offers a variety of choices. Match your personal and organizational interests to Communities of interest – by industry, threat, short term events (like the World Cup or Olympics), geography, and more. If you want to start an ISAO (Information Sharing and Analysis Organization) or are looking for a Threat Intelligence Platform for your existing ISAC (Information Sharing and Analysis Center), let us know. We understand that analysts want relevant intelligence to make smarter data-driven decisions, and ThreatConnect’s Marketplace offers a la carte intelligence sources, collaborative communities and defense integrations.
Christy Coffey is the Director of Business Development and Communities Evangelist for ThreatConnect. Christy has worked in the information technology industry for 25 years. After spending 15 years with EDS (now HP) designing and building systems for Fortune 100 customers, Christy applied her technical background to business relationship management across the telecom, defense, and security industries. She has served as a Client Services Director for a start-up and the Security Management Program Director for a large not-for-profit industry association. Christy holds a degree in Computer Science, and is working toward an MBA with a concentration in Cyber Security from the University of Dallas. Professional achievements include two Computerworld Honors Laureate Awards, a General Motors President’s Award, and has been awarded a patent for software developed while at Verizon. She has been married to her high school sweetheart for 25 years, has a son, daughter, two dogs and calls Texas home.