Five Things to Consider for a Successful Intelligence Team - Part 4

August 26, 2014

#4 - Don't Shy Away from Sharing

In Part 3, “Allow for Open Communication,” I talked about the need for open communication to and from the intelligence team. For this edition, I am going to go further into the necessity of communication, but from a sharing perspective; yes, even outside of your own organization.

For many, the thought of giving up information surrounding detected and even successful attacks to others in the same industry, competitors included, sends up red flags. Companies don’t just give up proprietary information or intellectual data, so why would they want to share intelligence on how they are being attacked? The number one reason is that it will help your business in the long run.

Our community has already recognized the importance of sharing information, technology and ideas. Look at the many conferences that are offered, such as the annual SANS Cyber Threat Intelligence Summit or Taia Global’s Suits and Spooks collisions. In addition, there are the Information Sharing and Analysis Centers (ISAC) that concentrate on industry-specific physical and cyber security threats in cooperation with federal entities. There are also community sharing initiatives, such as Mandiant’s OpenIOC Framework or Mitre’s STIX, CybOX, etc. All of these are fantastic programs that go a long way in sharing data on threats, groups and actors. However, without participation, they fall short of their intended goals and do not advance the actual sharing of information.

The goal of any community sharing intelligence is to improve the dissemination of information of intelligence value to those with shared interests, as well as to corroborate and validate sources of information. As shown above, there are already communities dedicated to sharing intelligence information throughout our industry.

How to Start

One way to gain traction is to visit local Information Security get-togethers. Most areas have localized Information Systems Security Association (ISSA) chapters. These meetings are a great avenue to meet and discuss with individuals that are interested in open sharing of intelligence information. These meetings are generally scheduled monthly and feature guest speakers who present on current trends and ideas in the InfoSec community. I would recommend contacting your local chapter president with the idea of starting a local community intelligence sharing project and asking to present on the idea to gain interest.

Another way would be to sign up for a remote community of professionals, like those detailed above. From there, you can begin to gauge the type of intelligence information being shared, how it relates to your industry vertical and make connections with other users.

What to Share

The major sharing initiatives center around Indicators of Compromise (IOC), which are artifacts observed via attacks on the network or hosts. David Bianco has put together what is referred to as the “Pyramid of Pain” when trying to deny attackers the use of IOCs during an attack, but I like to use it to show the different types of indicators that can, and should, be shared.


David Bianco's Pyramid of Pain

Sharing indicators for intelligence dissemination does not give up proprietary data from one company to another, nor does it indicate to a competitor that an attack was successful. What is important is that these indicators are specific to the malicious traffic observed within your network, and once shared and potentially corroborated with others in your vertical can lead to identification and attribution of actors or campaigns.
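As an added illustration (not code from the original post), the sketch below reduces internal alert records to shareable indicators ranked by Pyramid of Pain tier, dropping the host and user context that would reveal who was hit. The record fields, `OWN_NETS`, `OWN_SUFFIXES` and all sample values are assumptions constructed for the example.

```python
import ipaddress
import re

# Pyramid of Pain tiers, lowest to highest cost to the attacker when denied.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Assumption: the sharing organization's own address space and DNS suffixes.
OWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_SUFFIXES = (".corp.example",)

def classify(value):
    """Tier of an atomic observable, or None when it needs analyst review."""
    if HASH_RE.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(value) else None

def to_shareable(alerts):
    """Reduce internal alerts to de-duplicated indicators with no victim context."""
    out = {}
    for alert in alerts:
        value = alert["observable"].strip()
        tier = alert.get("tier") or classify(value)  # analysts tag the upper tiers
        if tier not in PYRAMID:
            continue
        if tier in ("hash", "domain"):
            value = value.lower()
        if tier == "ip" and any(ipaddress.ip_address(value) in n for n in OWN_NETS):
            continue  # describes our network, not the attacker's
        if tier == "domain" and value.endswith(OWN_SUFFIXES):
            continue  # our own namespace
        # Only these three fields leave the organization; host and user
        # stay behind, so the record does not reveal who was targeted.
        out[(tier, value)] = {"type": tier, "value": value, "tier": PYRAMID.index(tier) + 1}
    return sorted(out.values(), key=lambda i: (-i["tier"], i["value"]))

SAMPLE_ALERTS = [  # constructed data, not from the original post
    {"observable": "203.0.113.7", "host": "FIN-WS-042", "user": "jdoe"},
    {"observable": "203.0.113.7", "host": "HR-WS-007", "user": "asmith"},
    {"observable": "10.20.30.40", "host": "FIN-WS-042", "user": "jdoe"},
    {"observable": "Update.Example.NET", "host": "HR-WS-007", "user": "asmith"},
    {"observable": "files.corp.example", "host": "HR-WS-007", "user": "asmith"},
    {"observable": "0123456789abcdef0123456789ABCDEF", "host": "HR-WS-007", "user": "asmith"},
    {"observable": "Mozilla/4.0 (compatible; UpdaterSvc)", "tier": "artifact", "host": "FIN-WS-042", "user": "jdoe"},
]
```

Calling `to_shareable(SAMPLE_ALERTS)` returns four indicators, highest tier first, with the duplicate sighting merged and the organization's own address and domain held back.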

Another great sharing initiative should center on tools. I went in depth on DEVOPS and the need to build tools specific to your analytical needs as a staff or organization. We all know that using whiteboards, MS Excel and PowerPoint will not get the job done. Tools such as the Collective Intelligence Framework (CIF), HUBOT and LAIR support open collaboration and can be used both internally and externally.

Sharing is Caring

The bottom line is that sharing initiatives - both from a community standpoint and along industry verticals - will go a long way in keeping up with the bad guys. They’re cooperating with each other to develop new malware, find exploits and conduct multi-pronged attacks. We should, too. Those of us in this industry are very passionate about the work we do to protect the assets we are charged with so that our organizations can be effective, competitive and profitable. We should take this passion to the next level and share our gathered threat intelligence so that we can stop playing catch up with our adversaries and be more predictive in our analysis, leading the security engineers and analysts we work for and with to detect and stop the next attack that is on the horizon.

By: Danny Pickens

Senior Director, Threat Management Operations
