Intelligence sharing is critical for organisations to ensure they remain ahead of a constantly evolving threat. Security Alliance have helped to address this need by building sharing communities across the world. However, each time we do, we find we first have to explain the construct of the intelligence domain. When this is understood, the sharing initiative is far more likely to succeed.
On the face of it, ‘Intelligence Sharing’ should be self-explanatory, and in reality it is, until you get into the detail. Ultimately the objective, no matter the industry or domain, is the ability for entities to share with each other what they know about threats, as quickly, as easily and as safely as possible. Why? Because the best intelligence you can ever receive is near-instant insight from an organisation similar to yours that is experiencing an attack or has identified an immediate threat. No nation state or private-sector provider is able to collect or share at this level, no matter what they claim.
At this stage, it is worth setting out the differences between data, information and intelligence. Each has a value, a purpose, a place; each is important in its own way. Understanding this is an important first step in knowing what a good sharing initiative looks like. A very basic understanding is:
Data: Usually individual data points, sometimes structured, sometimes not. Usually provides little value by itself. In the cyber domain this is most often IOCs (Indicators of Compromise) such as malicious file names, domain names or IP addresses.
Information: A collection of data that has been processed and could provide some insight. This is usually in the form of news reporting, blogs or commentary.
Intelligence: A product resulting from the collection, processing, analysis and interpretation of data and information in order to provide insight, but also actionable direction and assessment (foresight), i.e. it tells us whether the threat is relevant, why, and what should be done about it.
To complicate matters slightly more, sharing usually exists at, and is shared across, three levels of intelligence: tactical, operational and strategic. In their most basic form these could be seen as:
Tactical intelligence: usually technical in nature, such as the IOCs mentioned above. In the cyber domain this is mostly (but not always) dealt with at machine level.
Operational intelligence: informs our actions and gives context around what an actor or threat may be doing.
Strategic intelligence: provides, in its most basic interpretation, ‘the bigger picture’, i.e. how things are likely to evolve and the wider impact this may have.
Sharing initiatives set up by Security Alliance have considered what type of data, information and intelligence should be shared at what level, via what means, at what cadence and in a suitable format for multiple audiences. Intelligence sharing is not just about SOC analysts or intelligence professionals. It is not only about SOC managers or incident responders. It is not purely about CISOs or board members. It is not about data, information or intelligence alone. Nor is it only about machine-readable formats, technology, reports or verbal briefings. Cyber threat intelligence sharing is about all of these things.
Intelligence sharing is intelligence analysis tradecraft in its truest form: the fusion of multiple formats from multiple sources, analysed to provide context and direction in an accurate and timely fashion to those that need it, in a format appropriate for the recipient, in order to provide protection at scale from an evolving threat. Put simply, intelligence sharing is the single most effective tool to drive, at pace, cyber resilience across a sector.
Currently there are multiple informal and formal sharing initiatives. From our perspective, we do not categorise most of them as ‘Intelligence Sharing Initiatives’, as they are mostly groups of people or organisations coming together to share data or information via email or social media channels. Some have had more traction than others, with some adopting sharing platforms (such as the MISP platform) and some starting to inform more than just the technical-level staff in the SOC/CIRT. Each has its benefits and each faces its own challenges, but fundamentally there is no common architecture or structure, no ‘known good’, and little focus on benefiting the sector and cyber resilience as a whole.
The next generation of sharing communities, like those set up by Security Alliance for various central banks and the European Cyber Resilience Board, have to be much more comprehensive, much more structured and must focus on the big picture: building cyber resilience across the sector, its supply chain, and the underlying critical service providers. They must deal with data, information and intelligence.
They must deal with tactical, operational and strategic level intelligence. They must incorporate technology solutions for the technical and the non-technical. They should provide insight and foresight, in both written and verbal formats, and they must provide value to audiences of all types: analysts, technical and non-technical management, senior leadership, board members, oversight and regulators. Ultimately, they must do this in a trusted and secure ecosystem of partners, but with the ability to cooperate with strategic partners should the need arise.
Changes in laws, regulations and oversight, together with changing consumer expectations and the financial losses associated with attacks, have all started to put pressure on organisations to do more.
For some time we have been talking about how the cyber threat landscape and the actors in it are always evolving and highly agile, but have not really done anything substantial to deal with it.
Furthermore, as more mature organisations become more secure, they have become aware that they are not truly secure until the rest of the market is, which includes the supply chain, critical service providers and the underlying infrastructure.
Existing legislation like GDPR and future legislation such as the Digital and Operational Resilience Act (DORA) in Europe help drive individual resilience. However, to make the sector, and thus possibly the nation, more secure, people now finally understand the need for wider and deeper collaboration.
Financial services are leading the way on intelligence sharing. Central banks and regulators recognise that their involvement not only shows that they are being proactive and supporting the sector in a responsible manner, but also gives them a level of insight and confidence that steps are being taken in the right direction.
If your organisation is considering setting up an information and intelligence sharing initiative, we would encourage you to work with a partner with experience and knowledge in this area. Successful and effective communities already exist and many lessons can be learnt from them to accelerate the design and development of new communities.
If you would like to read the full Intelligence Sharing White Paper, which lays out the framework in more detail, please contact us.