Isn't there more to cybersecurity information sharing than subscribing to threat intel feeds?
There has been an increased focus on information sharing in our industry in the last three to four years, with good reason. We see our adversaries quickly share new tools and tactics within their circles, leaving cybersecurity defense teams continuously playing catch-up. But before we invest a portion of our limited budgets in products or services that tout actionable intelligence and decreased response times, we should take a step back and assess what we are really trying to accomplish through cybersecurity information sharing.
What's our goal? Cybersecurity information includes a wide range of focus areas: potential attackers, their changing motivations, new vulnerabilities, indicators of compromise, etc. These topics are what's typically associated with information sharing. But what about other subject matter: security system configuration advice from partner organizations or incident response mutual assistance programs. It's important to identify what kinds of information will benefit our organizations the most and build programs to emphasize those areas.
Information and Intelligence are not the same thing. The phrases “information sharing” and “threat intelligence” are frequently used synonymously in our industry when, in fact, they are significantly different. Intelligence is a subset of information. Information sources and intelligence sources may be different. The processes to create, use, and share information versus intelligence are different as well. Let's discuss an example using Indicators of compromise to elaborate further.
Information: The FBI distributes an alert containing a list of malicious IP addresses that have been associated with a malware campaign targeting the electric sector within the last month. This is information utilities can use to cross check against their system logs for any matches. However, the comparison will return some false positives as the malicious activity has likely changed source IPs since the initial detection. Nevertheless, the utility will still benefit from a historical analysis of network activity against those IPs.
Intelligence: A partner utility shares a list of malicious IP addresses it has identified as a source of malware targeting a type of SCADA system that is also installed in our environment. The partner utility began detecting the malicious activity approximately 30 minutes before the notification was shared.
When put in that context, it is easier to see the different processes that would be used to create, use and share information versus intelligence. Also, in this example, the shared information drives a reactive approach while the intelligence supports a pro-active response.
Clearly define roles and responsibilities. The skillsets of an intelligence analyst and security analyst are different. An intelligence analyst focuses on building and maintaining their network of contacts that acts as a valuable information source. These networks are built over years of industry experience, rely on the analyst's credibility, and are maintained by supporting a bi-directional flow of valuable information with the network. Security analysts are more technically focused on the environments they protect and tools at their disposal. Because of this, assigning the responsibility of threat intelligence to security analysts within a SOC will produce limited results. Intelligence analysis and security analysis responsibilities should be clearly defined and assigned to different resources.
Think bigger than cyber for intelligence. Organizations benefit from information sharing programs that include cybersecurity as well as other focus areas, such as physical security. Including other areas of expertise promotes a holistic view of how the various intelligence products affect the organization and drives collaboration across disciplines. We also should take an objective look at where the intelligence program should reside within the organization. Simply assuming the program belongs in the cybersecurity team could cause us to miss opportunities in building relationships across the organization and the ability to produce higher quality intelligence products.
Dax Streater is manager of cybersecurity operations at the Lower Colorado River Authority (LCRA). He will be a featured speaker at RiskSec NY on May 2. Please visit risksecny.com to register.