Although the US government is pushing initiatives and legislation to enable information sharing between federal agencies and private organizations, threat intelligence sharing is still an immature practice that remains a work-in-progress for many organizations.
Vorstack, a threat intelligence platform provider, announced the results of a Threat Intelligence Survey independently conducted by the Enterprise Strategy Group (ESG) of IT professionals engaged in their organization’s threat intelligence programs. The survey found that almost all respondents acknowledged the value of sharing threat intelligence information between federal agencies and private organizations.
However, only 37 percent of respondents’ organizations regularly share internally driven threat intelligence with other organizations or industry information sharing and analysis centers.
“For the most part, private sector information security professionals really don’t know much about federal cybersecurity programs for threat intelligence sharing,” Jon Oltsik, senior principal analyst at ESG, told Homeland Security Today. “Of course some do, primarily those from defense contractors, large critical infrastructure organizations, and financial services firms, but the majority have no clue on what the feds are doing.”
“In my opinion, Washington has to do a better job of communicating its policies and educating cybersecurity professionals about its strategy and offerings,” Oltsik added.
With a broad consensus that information sharing will allow quicker and more effective responses to cyber incidents, the government has introduced a number of initiatives to help advance cybersecurity threat and information sharing between the public and private sectors.
For example, the White House issued a proposal earlier this year designating the National Cybersecurity and Communications Integration Center (NCCIC) as the federal hub for receipt and distribution of cybersecurity information. The NCCIC will coordinate the sharing of cyber threat indicators between federal and non-federal entities.
In addition, the Cyber Intelligence Sharing and Protection Act (CISPA) and Cybersecurity Information Sharing Act of 2014 (CISA), require real-time information sharing. Although these initiatives represent an important stepping stone towards improved preparedness and response to cyber incidents, Oltsik said many organizations do not have the skills and technical infrastructure they need for efficient threat intelligence sharing.
“Organizations and federal agencies are prepared to participate but it is likely to be a manual process for a while as many organizations don’t have the skills and technical infrastructure they need for efficient threat intelligence sharing,” Oltsik said.
“They will need to build these skills and tools over time.” Oltsik added, “At the same time, private organizations will judge these federal programs via cost/benefit analysis. If they feel like they don’t get anything from the US federal government in return for their participation, these programs will not be successful.”
Although a work-in-progress, Oltsik indicated there are a number of ways organizations can improve their ability to share information. Most importantly, organizations must get better at analyzing threat intelligence.
According to the survey results, participants responded that 72 percent of their organizations plan to collect and analyze significantly or somewhat more internal threat intelligence over the next 12 to 24 months. Moreover, 55 percent of their organizations plan to collect and analyze significantly or somewhat more external threat intelligence over the next 12 to 24 months.
“Security professionals realize that they need to make risk management decisions based upon real-time data, and also recognize that security data analytics can help them detect and respond to attacks more quickly and accurately,” Oltsik said. “They’ve collected and analyzed lots of data in the past but want a wider data lens to help guide their decision making.”
However, a number of challenges stand in the way of collecting and analyzing threat intelligence. For example, when threat intelligence data is collected and analyzed by different individuals or tools, it’s difficult to get a holistic picture of the internal and external threats.
Respondents also cited integration problems — the inadvertent blocking of legitimate traffic as a result of a problem with threat intelligence collection/analysis and that threat intelligence is not always as timely or actionable as required — as challenges to collection and analysis.
These challenges highlight the importance of threat intelligence standards, which can simply the process by making it easier to analyze and operationalize threat intelligence. Oltsik gives the example of a cyber adversary in Eastern Europe called, “Odessa Cowboy,” on one threat intelligence feed. On another feed, this adversary could be known as “Carder 123.”
Oltsik said, “When this happens, the data has tobe normalized so security analysts can make sense of it and understand that these two monikers are actually the same person.”
The example emphasizes the importance of threat intelligence standards, which could provide enough other meta data about the adversary that the machine would recognize the two names as the same person.
“The key here is maturity,” Oltsik said. “Organizations must get better at analyzing threat intelligence, comparing internal and external data, normalizing it, redacting sensitive data, and then exchanging threat intelligence in a standard format. This is a work-in-progress.”
