Cyber criminals often focus their efforts on targeting specific sectors. It’s well-known that adversaries from nation states such as China, Russia, Iran and North Korea are attacking critical national infrastructure (CNI) in order to weaken the West’s defences.
This creates a need for safety in numbers — something that many industries and governments are already good at — by sharing threat intelligence covering new and emerging forms of attack.
The idea of intelligence sharing is so key that the former head of GCHQ has warned businesses that they should pay closer attention to geopolitics and collaborate on fighting the next generation of threats.
It comes as the big four nation states engage in prepositioning, in which attackers hide in CNI systems to prepare for future attacks. This tactic is rising warned Jeremy Fleming, director of GCHQ from 2017 to 2023, when speaking at a recent event.
So, what are the benefits of intelligence sharing with your peers and how can businesses take advantage of this practice more broadly?
A boost to overall security
It might seem counterintuitive to share data with rivals but intelligence sharing boosts everyone’s security. Sharing knowledge with peers in similar roles holds “inherent value”, says Chris Jacob, VP, global field operations, at ThreatQuotient. “Some companies may come across new threats sooner, others might be larger targets based on the industry they operate in. Having a way to keep everyone informed and sharing up-to-date data allows all firms to have the best possible defenses in place.”
Intelligence sharing offers “a united front against cyber threats”, agrees Dray Agha, senior manager of security operations at Huntress. “No single company can see the full picture, but sharing real-time intelligence helps everyone detect and block attacks faster.”
Intelligence sharing helps businesses identify common vulnerabilities, patch them proactively and learn from each other’s experiences, says Nathan Charles, head of customer experience at OryxAlign.
For example, organizations might share the latest malware indicators, phishing campaigns, or vulnerabilities in critical software. In theory, this will enable other businesses to update their security measures before becoming victims, he explains.
Sectors that handle sensitive data or are frequent targets of cyberattacks, such as finance, healthcare, energy, transportation and critical national infrastructure should “pay particular attention” to opportunities for intelligence sharing, Jacob says.
Intelligence resources
Intelligence sharing doesn’t have to be complex, with organizations such as the UK’s National Cyber Security Centre (NCSC) serving as facilitators. “Through platforms such as the Cyber Information Sharing Partnership (CISP), the NCSC allows organizations from various industries to collaborate and exchange vital information,” says Charles.
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) offers real-time threat updates.
In Europe, one of the best options available to organizations and businesses for effective threat intelligence sharing is the numerous Information Sharing and Analysis Centers (ISACs) available in different industry verticals, says Jacob.
These non-profit organizations provide a central resource for gathering information on cyber threats, in many cases to critical infrastructure. They also allow two-way sharing of information between the private and the public sector about root causes, incidents and threats.
At the same time, the NCSC’s Active Cyber Defence Program is a free service including automated tools designed to protect against common cyber threats such as phishing and malware. “The program also integrates with threat intelligence feeds, enabling organizations to stay up to date on the latest threats,” Charles says.
How to share intelligence for security
There’s no doubt that intelligence sharing is a useful practice within the cybersecurity community. But how can leaders use intelligence sharing as a tool within their cybersecurity strategy? For broad benefits, businesses should seek to use a mix of general purpose and sector-specific threat intelligence, says John Shier, field CTO threat intelligence at Sophos.
“Using threat intelligence starts with a comprehensive understanding of each business’ individual capabilities and weaknesses.”
This assessment allows a business to be more prescriptive in how they use threat intelligence by targeting those areas where it can have the greatest impact, he says.
Another means to get involved is by adopting one way sharing, which has been set up by the US and other countries and sees threat advisories published based on investigations performed by organizations, Jacob explains.
A basic intelligence principle is that the product should be suitable for the audience, says Rob Dartnall, director of intelligence at SecAlliance. “Seeing as we want an intelligence community to include managers, CISOs and even board members, we need to make sure there is a diversity of product that supports decision members of all levels.”
Threat intelligence should include a long list encompassing automated data outputs, technical papers, intelligence summaries, intelligence reports, verbal intelligence briefings, best practices and lessons learned, says Dartnall. “Ultimately each ‘product’ needs a ‘so what’ – what does this mean, what do we do about it?’”
At the same time, it’s a good idea for firms to join sector-specific ISACs, Jacob says. This is especially key for businesses in critical sectors such as finance, energy and healthcare. “These groups offer a focused approach to threat intelligence sharing, helping businesses address threats unique to their industry,” he says.
To take full advantage of threat intelligence and sharing within their sectors, businesses should “engage actively”, regardless of size or resources, Jacob advises. However, there are issues to take into account, he concedes.
For example, a disparity in the resources available across organizations is one of the first barriers to creating and maintaining a healthy sharing community, he points out. “Often, those with less are seen as leeching from the community, while not providing information back.”
To overcome this, an equitable culture should be established, he says. “And those with less resources should be unapologetic in taking part, since these organizations and businesses would benefit the most from the communities.”
To ensure better overall security, it’s also important to work with law enforcement and regulatory bodies, says Charles. “Businesses should maintain relationships with UK law enforcement agencies such as the National Crime Agency and regulatory bodies. These organizations provide broader intelligence and help businesses stay informed about trends and new attack methodologies used by cyber criminals.”
