Threat intelligence sharing is a hot and sometimes contentious topic. While its necessity and justifications are generally known, there are legitimate reasons why sharing information on a large scale has been met with resistance.
The Argument for Sharing
When sharing intelligence, it is important to establish from the outset that combining best practices for security protection with shared intelligence about threats and indicators of compromise provides an opportunity to shift the economics of cybercrime more strongly against criminals. Cybercriminals share information relentlessly, and so should potential targets. However, the latter must do so with some legal and other provisos.
The Complexities of Threat Intelligence
Threat intelligence is a complex, multifaceted concept. According to Gartner, it is composed of "evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets, that can be used to inform decisions regarding the subject's response to that menace or hazard."
There is a considerable amount of information in this single concept, and that is precisely the problem that arises when discussing threat intelligence sharing. For example, how can a company safely share all the context, indicators, and implications of a particular threat without disclosing proprietary information? Accordingly, in any intelligence sharing situation, detailed ground rules need to be established regarding what will be disclosed, how the parties will use the disclosed information, and how confidentiality will be ensured.
The Nature of Sharing
In this context, sharing is a reflection of the threat information definition established above. Threat information is only really useful and actionable if it is sufficiently complete. This point is articulated in detail by Kathleen Moriarty, global lead security architect at the EMC Corporate Office of the CTO, when she said, "Shared data is difficult to act upon. Threat intelligence often delivers low value because the information lacks sufficient detail, is unverified, or is not well-matched to an organization's business needs."
Her statement also expresses the interdependent nature of the intelligence sharing relationship. To be actionable and worth sharing, intelligence information must be reciprocally actionable by all parties involved in the sharing arrangement. This adequacy of completeness is hard to achieve, thus making it one of the fundamental challenges facing intelligence sharing.
Is There a Solution?
While there is no one set solution to overcome private-sector intelligence sharing challenges, it is a good start to focus on whether you and your partners' organizations have sufficient expertise to put the intelligence to work. Legal teams may need to be involved to ensure intellectual property, including trade secrets, are not disclosed and that the information shared would not otherwise place your organization at a business disadvantage. Thus, what to share and with whom should be determined on a very fact-specific basis according to your organization's needs. There is no single cut-and-dry solution. Successful deployment of threat information requires an individualized, targeted approach, but the benefits of a more level cybersecurity playing field can be worth the efforts.
Category: RSA Fundamentals, Blog Post
Keywords: Private-Sector, Threat Intelligence, Threat Intelligence Sharing