4 Key Benefits of Community-Based Intelligence Sharing
Nowadays, the sad truth is that many cybersecurity circles still function as “islands”, which means that there’s an ongoing reluctance to exchange and share intelligence. Adversaries, on the other hand, join forces by working in groups to share and exchange information and experiences. In order to face rising cyber threats, companies, organizations and experts from the industry need to shift their mindset and focus on a more community-based approach to cybersecurity.
Key Benefits of a Community-based Approach to Cybersecurity
Sharing intelligence is especially effective when companies and organizations that operate in the same industry can share information about the broad-based cyber attacks they’re facing. The simple act of sharing intelligence, whether it concerns ransomware, malware, or spear-phishing of C-level executives, enables experts to respond faster and more effectively and prevent a cyber attack.
People tend to think more creatively and feel more inspired in groups when it comes to problem solving. In cyber security, participating in formal or informal discussions and intelligence sharing (for example, malware samples or potential attack scenarios) enables organizations to learn from their peers how to avoid breaches.
Participating in a trusted community group also means that organizations and companies there can share resources such as scripts, workflows, runbooks, playbooks, etc. Members could ask and answer a variety of technical questions regarding specific concerns or threats.
Successful Intelligence Sharing Models
The exchange of security intelligence through formal or informal channels prevails in the banking industry. One of the most prominent groups there is FS-ISAC (Financial Services Information Sharing and Analysis Center), which is a resource for cyber and physical threat intelligence sharing and analysis.
This center enables members to share information anonymously across the entire industry. After receiving a submission of a threat, experts analyze and verify it, and afterwards they share solutions before alerting other members. This means that member organizations receive the latest authentic best practices and procedures for defending against rising cybersecurity threats.
Moreover, this center has developed a closed and trusted community in which companies share relevant industry information with great success, knowing that at some point their contributions will be reciprocated.
Along with the banking industry, law enforcement agencies also create formal and informal communities, particularly in the digital forensics realm. These communities serve as technical resources and answer questions on cyber threats, especially those that are completely new.
One of the biggest obstacles in establishing these types of communities is management. In the case of financial services, each bank that forms an intelligence-sharing group will have to assign staff members who will contribute to the community, or even hire a full-time expert from within their circle to manage the group.
Another serious obstacle is a company’s concern about sharing information, and about any data related to targets or individuals. Basically, the main concern of any company or organization when it comes to security information is sharing something that could potentially damage the business. For example, if a Fortune 500 company is part of a community group and experiences an attack or a breach, sharing that with its competitors might be disastrous, because some companies could exploit that information for financial and business gain.
Another serious concern is that the information could come in handy for some other hacking team that is looking to launch a similar or even more devastating attack. But it is important to state that the advantages of security intelligence sharing greatly outweigh the concerns and doubts about whether adversaries would discover the company’s defence mechanisms and plans, or about competitors finding out about the incidents of others.
Scepticism of these community groups revolves around the idea that they enable attackers to collect information on the company’s defence tactics and/or vulnerabilities. This is more of a panic reaction, because adversaries are already very skilled at executing their own reconnaissance, without having to compromise a security collaborative.
The benefits are obvious and well documented. Companies that actively participate in sharing information on security threats are more likely to minimize the risk of a serious breach.
Once a company decides to participate in community-based security information sharing, one of the core steps is to establish what kind of intelligence it can consume and use, and what kind it can contribute.
Threat intelligence can become a burden for an organization, since it requires significant time and investment before it can become actionable. For instance, a community that provides threat intelligence on IP addresses won’t be of much use if the organization lacks the solutions to take action on this intelligence.
Another important consideration is what intelligence the organization can share with the community on its end, and how hard it would be to provide it in a format useful to others. This is particularly important in smaller communities, where it might be obvious who contributed a certain piece of intelligence. In such cases, contributors might not be that willing to share with those that are takers, not givers.
When the company’s needs are established, as well as the information it can provide, the following step is to choose the right community. It is very likely that there is already a professional group associated with the industry that the company belongs to, even if it is not strictly focused on security. This might be a good starting point. Moreover, there are a number of regional, national and international security organizations that support different types of intelligence sharing.
Launching a new community is also an option, but maintenance requires a lot of time and effort, and this has to be taken into consideration before deciding on this approach.