From Information Sharing to Building a Collective View of Intelligence
We need to resuscitate, not renounce, information sharing initiatives.
Is Information sharing the security industry’s get out of jail free card?
Information sharing has been dubbed the “thoughts and prayers” of cyber security, given its perception as a vague and easy fix. At times when more challenging and substantive solutions are deemed too difficult, critics claim information sharing represents a meaningless band aid. It allows us to move on with a pat on the back, having at least done something to help.
Yet, exchanging threat data presents clear opportunities to improve security outcomes. We need to resuscitate, not renounce, these sharing initiatives.
In this blog, I suggest how we can make sharing more useful and relevant to today’s security practitioner. I explore current limitations with information sharing mechanisms and consider how we can build progress by shifting our focus towards building a collective view of intelligence instead. I explain how effective cyber threat intelligence (CTI) processes and workflows can help the security community design more effective sharing mechanisms.
Limitations of Information Sharing
Information sharing critics typically raise fears about the potential for free riders. The concern is that sharing platforms will be stuffed with participants that only want to consume information, rather than share anything useful themselves. However, I don’t believe this is where the real problem lies.
This is because there are numerous examples of productive sharing taking place. Whether it be within TLP red conferences or Information Sharing and Analysis Centers (ISACs), meaningful threat data is absolutely being exchanged behind the scenes. The Russia-Ukraine crisis also provides a great example of the positive and collaborative sharing that now occurs within the public domain.
Of course, there remain plenty of undisclosed intrusions that will never make their way onto sharing platforms. Yet, the obsession over organisations’ willingness to share mean a range of other first-order problems with information sharing are too-often neglected. For example:
- Information is typically unverified, unprocessed, and lacks context. This means there is often a long process between receiving information and turning it into something useful. Sharing information can be useless when it puts a significant analytical burden on recipients. This is because many security functions simply do not have the resources, scale, and maturity to convert shared raw threat data into action.
- The information sharing conversation has become hopelessly vague and disconnected from ground truth. There is a clamour of voices on the topic, yet few engage with the logistics of what information exchanges actually involve. Pundits will simply say we should be sharing more threat data, yet does this mean YARA rules, indicator lists, or remediation guides? The conversation requires far more precision — whether around the type of data being shared or the stakeholders that will benefit from it. Too often, there is a clear chasm between those opining on the topic and those actually leveraging threat data. The conversation has got to become more serious on the details. Connecting strategic recommendations with operational realities is essential.
- Information sharing is too often detached from ends. Focus tends to be on information sharing mechanisms themselves, rather than on what they are actually trying to achieve. Assuming the desired outcome is to improve cyber security outcomes, the starting point for any threat exchange should be to begin identifying current challenges within participating security functions, before exploring how and if additional threat data can assist. Simply providing some data associated with ‘bad stuff’ without serious thought on how it will be consumed leads nowhere.
Building a Collective View of Intelligence
Information sharing has its limitations, yet there is clear promise in the underlying spirit of exchanging threat data to improve defences.
This is why we should shift our focus to building a collective view of intelligence. This concept overcomes many of the current limitations with information sharing, as discussed below.
‘Intelligence’ vs ‘Information’
If information lacks context and validity, intelligence is instead defined by its actionability. Intelligence is geared around first understanding the challenges network defenders are facing, before building products and reports geared towards solving them. This makes intelligence far more focused on solving practical problems and improving decision making.
Intelligence is also more likely to yield immediate benefits. For example:
- A list of ‘bad indicators’ would be considered information. Intelligence, on the other hand, might instead be a list of indicators associated with high risk threat activity active within an organisation’s sector during the past six months.
- A list of all vulnerable systems in an organisation represents information. By contrast, a vulnerability intelligence report would go further and assist with prioritisation by identifying which of those vulnerabilities are being actively exploited.
Intelligence therefore provides insight that can immediately drive better and more efficient decision-making.
Intelligence is also much easier to consume. Information requires processing and analysis before it is truly useful. Sharing information therefore pushes challenging work and heavy lifting onto recipients.
If multiple recipients are having to process raw information, it creates needless duplicative efforts. It is therefore always going to be more effective to share actionable insight. This is particularly apt for smaller security functions with minimal resources, as they will particularly struggle to utilise shared information that requires a lot of manual effort to become useful.
Getting Collection Right
An effective collection strategy is a vital pillar of any effective threat data exchange. This means building an understanding of the threat landscape based on unique and complementary perspectives, as well as having a clear connection between the collection of threat data and desired end goals.
Different organisations will inevitably have different visibility into the threat landscape. That is where I believe the idea of building a collective view of the threat landscape is far more powerful than just sharing.
Ultimately, there is no point in merely sharing “bad stuff” in a platform if everyone is uploading the same commodity malware IOCs. Threat data exchange initiatives should therefore focus on fusing unique and complementary perspectives around nascent threats.
For instance, a government will always be able to conduct more proactive operations against adversaries while security vendors will typically have access to threat data across a wider spread of industries and regions. Even different security vendors’ visibility will likely vary dramatically — an incident response provider will hold different data when compared to an endpoint vendor for example. Likewise, different organisations within the same sector will experience different intrusions or attempted intrusions.
The key point here is no one entity has the best insight. In fact, we should largely avoid trying to directly measure different institutions against each another. Rather than squabbling over who knows the most, it is far more helpful to instead see the threat landscape as an area where various organisations — both public and private — simply have different lenses and perspectives.
Rather than seeking to loosely share information, forming a collective understanding of intelligence entails a more substantive discussion on the unique perspectives of different parties. From there, participating entities must understand how and where such insight can be shared in a manner that recognises the various sensitivities and security interests involved.
The collection process should also be tied back to desired end goals. This means thinking carefully about what sort of data is required in order to build the insight and analytical products that will make stakeholders’ lives easier. This is an area where the intelligence discipline excels. Collecting data relevant to addressing stakeholder’s intelligence requirements is baked into the intelligence lifecycle, as well as the underlying processes of intelligence production.
A Focus on Stakeholders
Getting the right people in the room is one of the most important components of meaningful exchanges.
Information sharing mechanisms packed with senior security leaders might appear superficially impressive, yet will inevitably lose momentum if they fail to speak to the tangible problems facing a security function. Successful initiatives will therefore be remorselessly focused on addressing the key challenges facing security practitioners.
Getting to know intelligence stakeholders, understanding their challenges, and working alongside them to develop relevant intelligence products are all processes baked into the intelligence lifecycle. CTI processes can therefore provide the focus and mission clarity required for sharing mechanisms to succeed.
Collective intelligence should therefore be focused on building products matched to specific security function demographics. This could include intelligence specifically for a vulnerability management team, SOC analysts, or even security leadership. A focus on specific stakeholder demographics therefore introduces much-needed precision into sharing initiatives.
Intelligence products built to speak to a wider vulnerability management or SOC community will inevitably have a less tailored feel when compared to CTI products developed in-house. However, building an awareness of the key requirements within a sharing community will drastically improve the relevance of intelligence.
The Challenge Ahead
Building a collective view of intelligence imports CTI processes and workflows. This introduces a far greater sense of both mission clarity and discipline when compared to many of today’s information sharing initiatives. This approach is far more focused on what stakeholders actually need from an information sharing mechanism. It then builds up the actionable and relevant insight required based on combining unique perspectives of the threat landscape.
Building a collective view of intelligence overcomes many of the current deficiencies of information sharing, yet also presents challenges of its own. For example, building a collection plan based on complementary perspectives introduces far more complexity and would require serious thought to be successful.
Building collective intelligence also poses awkward questions on who funds and carries out the work within an exchange. Should participants volunteer more of their internal CTI resources for the cause? Could this mechanisms involve a larger role for vendors to do the heavy lifting? Or do ISACs and threat data exchanges require better funding to develop more centralised analysis and intelligence products?
Developing a collective view of intelligence is ultimately more costly, time-intensive, and ambitious. But we urgently need new ideas at a time when information sharing is increasingly dismissed as a buzzword. This approach not only overcomes many of the current limitations with information sharing, but provides tangible value to security practitioners.