Unfortunately, in too many security circles the ‘island’ mentality still prevails, which is characterized by a reluctance to share and exchange intelligence – unlike hacker communities, which work in groups and share information.
Let’s consider the key benefits of a community-based approach to security.
Sharing Intelligence. This is especially effective in situations where organizations in the same industry can share information about broad-based attacks they are experiencing. Regardless of the nature of the attack – malware, ransomware, or spear-phishing targeting C-level executives – the simple act of sharing intelligence enables security professionals to respond more quickly and effectively to stop or thwart an attack.
Sharing Ideas. Not only do individuals think better in groups, they tend to be more creative and excel at problem-solving. When it comes to IT security, participation in formal or informal exchanges dedicated to the sharing of intelligence – such as malware samples or attack scenarios and how they were addressed – can help organizations learn from their peers to avoid breaches.
Sharing Resources. Being part of a trusted community group also means that member companies can share technical resources such as playbooks, runbooks, scripts, incident response workflows, etc. Members can feel comfortable answering very technical questions about specific threats or concerns.
Successful Intelligence Sharing Models
The banking industry is better than most at exchanging security intelligence through informal and formal channels. One of its most prominent groups is FS-ISAC, or the Financial Services Information Sharing and Analysis Center, a resource for cyber and physical threat intelligence analysis and sharing.
FS-ISAC provides an anonymous information-sharing capability across the entire financial services industry. Upon receiving a submission of a threat, industry experts verify and analyze it and recommend solutions before alerting FS-ISAC members. This assures that member firms receive the latest tried-and-true procedures and best practices for defending against emerging security threats.
FS-ISAC has successfully developed a closed, trusted community where companies can share information, knowing their contributions will be reciprocated at some point.
Law enforcement agencies also excel at creating formal and informal communities, especially in the digital forensics space. These affiliations do a very good job of serving as technical resources to answer questions on threats, especially those that have never been seen before.
One of the biggest obstacles to establishing a security intelligence sharing community is management: namely, who will manage it on a daily basis. For example, in a financial services scenario, each bank forming such a group would have to dedicate some employee resources to contribute to the community. Also, the member banks might have to hire a full-time person from within the circle to manage the group.
Another massive roadblock is company concerns about sharing information, especially anything related to highly valued targets or individuals.
The primary concern for virtually every organization when it comes to security information sharing is divulging information that could damage the business. For example, if a Fortune 500 company is part of a community group, and it has experienced an attack or, worse, a breach, it could be disastrous for it to share that information with competitors. One or more companies could exploit the information for financial and business gain.
The other serious concern: the information could provide fodder for another hacker team to launch a similar attack or an even more devastating one.
The benefits of security intelligence sharing far outweigh concerns over attackers finding out about a company’s defense mechanisms and plans, or competitors learning about incidents.
Critics of community groups complain that they enable attackers to gather information on a company’s defensive measures and/or vulnerabilities. This is mostly hype, since attackers are already very efficient at conducting their own reconnaissance without having to compromise a security collaborative.
The benefits are clear and well-documented. Companies that actively collaborate to share information on security threats are better placed to reduce the likelihood of a major breach.
Once an organization decides to participate in community-based security information sharing, one of the first steps is to determine which kinds of incoming intelligence it can actually use, and which intelligence it can contribute.
Threat intelligence for the sake of threat intelligence can actually become a burden on an organization, since it requires significant time and financial investment before it becomes actionable. For example, a community that provides threat intelligence on IP addresses will be of little use if the organization does not have the solutions in place to take action on this intelligence.
It is also important to consider what intelligence the organization can share back with the community and how difficult it will be to provide it in a format that will be useful to others. This is especially important in smaller communities where it will be apparent who contributed a piece of intelligence, such as a new phishing campaign targeting the sector. Under these circumstances, contributors may be less willing to share with those who are seen as takers and not givers.
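The two preceding paragraphs make a practical point: IP-address intelligence is only useful if something actually consumes it, and a contribution is only useful if it arrives in a format others can ingest. The following is an added example (not code from the original article or from any sharing community) showing the minimum tooling for both sides: parsing a community feed of IP indicators, dropping expired entries, matching the active ones against firewall logs, and emitting a new indicator in the same feed format so it round-trips. The feed layout, the log lines, the "today" date and every address (taken from RFC 5737 documentation ranges) are constructed for illustration and are assumptions, not any real group's format.

```python
"""Making a shared IP-indicator feed actionable, and contributing back in the same format.

Added example; the feed format, log format, addresses and dates are all constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date

# Assumed "current" date so that expiry handling is deterministic in this example.
TODAY = date(2024, 3, 4)


@dataclass(frozen=True)
class Indicator:
    network: object  # ipaddress.IPv4Network or IPv6Network; a single IP parses as a /32 or /128
    expires: date
    context: str


# Constructed feed, one indicator per row: value (IP or CIDR), ISO expiry date, defender context.
INDICATOR_FEED = """\
# value,expires,context
203.0.113.45,2024-12-31,credential-phishing landing page
198.51.100.0/24,2024-06-30,bulk scanning source range
192.0.2.10,2023-01-01,old malware distribution host
"""

# Constructed firewall log lines in a simple key=value style (assumed field names src/dst).
FIREWALL_LOGS = """\
2024-03-04T10:15:02Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
2024-03-04T10:15:09Z src=10.0.0.7 dst=192.0.2.200 dport=443 action=allow
2024-03-04T10:16:30Z src=198.51.100.77 dst=10.0.0.20 dport=22 action=deny
2024-03-04T10:17:01Z src=10.0.0.9 dst=192.0.2.10 dport=80 action=allow
"""

_IP_FIELD = re.compile(r"\b(?:src|dst)=(\S+)")


def parse_feed(text: str, today: date = TODAY) -> list:
    """Parse the feed, skipping comments, malformed rows and indicators past their expiry."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            value, expires, context = (f.strip() for f in line.split(",", 2))
            network = ipaddress.ip_network(value, strict=False)  # single IP -> host network
            expiry = date.fromisoformat(expires)
        except ValueError:
            continue  # one bad row must not discard the whole feed
        if expiry < today:
            continue  # stale indicators produce noise rather than detections
        indicators.append(Indicator(network, expiry, context))
    return indicators


def match_logs(indicators: list, log_text: str) -> list:
    """Return (log line, indicator) pairs where a src or dst address falls inside an indicator."""
    hits = []
    for line in log_text.splitlines():
        for raw in _IP_FIELD.findall(line):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # not an IP literal; ignore the field
            for ind in indicators:
                if addr in ind.network:  # False automatically when IPv4/IPv6 versions differ
                    hits.append((line, ind))
    return hits


def contribute_row(value: str, expires_iso: str, context: str) -> str:
    """Produce one feed row for sharing back; validates inputs so the row parses for others."""
    ipaddress.ip_network(value, strict=False)  # raises ValueError on a bad address/CIDR
    date.fromisoformat(expires_iso)             # raises ValueError on a bad date
    safe_context = " ".join(context.split())    # collapse newlines/whitespace so the row stays one line
    return f"{value},{expires_iso},{safe_context}\n"


def run_example(today: date = TODAY) -> list:
    """Parse the constructed feed and report hits against the constructed logs."""
    return match_logs(parse_feed(INDICATOR_FEED, today), FIREWALL_LOGS)


if __name__ == "__main__":
    for line, ind in run_example():
        print(f"HIT {ind.network} ({ind.context}): {line}")
    print("contribution:", contribute_row("203.0.113.99", "2024-09-30", "phishing sender (constructed)"), end="")
```

Two details carry the paragraph's point. The expiry check is what keeps an IP feed from becoming a burden: without it, every retired address keeps firing in the logs. And `contribute_row` validates before emitting, so a contribution is guaranteed to parse with the same `parse_feed` other members run.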
Once an organization has identified its threat intelligence needs, and the information it can provide, the next step is to choose the most appropriate community in which to participate. For example, is the intelligence it seeks, and the intelligence it can share, particularly suited to a certain vertical, such as manufacturing, retail or government?
Chances are, there is already a professional group associated with the organization’s industry; even if it is not specifically focused on security, it may be a good place to start. If the industry vertical approach is not a good fit, there are a number of regional, national and international security organizations that support different types of intelligence sharing.
Starting a new community is another option. However, building and maintaining it requires a tremendous amount of time and effort, which must be taken into account before considering this approach.