Five Things to Consider for a Successful Intelligence Team - Part 4
August 26, 2014
#4 - Don't Shy Away from Sharing
In Part 3, “Allow for Open Communication,” I talked about the need for open communication to and from the intelligence team. For this edition, I am going to go further into the necessity of communication, but from a sharing perspective; yes, even outside of your own organization.
For many, the thought of giving up information surrounding detected and even successful attacks to others in the same industry, competitors included, sends up red flags. Companies don’t just give up proprietary information or intellectual data, so why would they want to share intelligence on how they are being attacked? The number one reason is because it will help your business in the long run.
Our community has already recognized the importance of sharing information, technology and ideas. Look at the many conferences that are offered, such as the annual SANS Cyber Threat Intelligence Summit or Taia Global’s Suits and Spooks collisions. In addition, there are the Information Sharing and Analysis Centers (ISAC) that concentrate on industry specific physical and cyber security threats in cooperation with federal entities. There also community sharing initiatives, such as Mandiant’s OpenIOC Framework or Mitre’s STIX, CybOX, etc… All of these are fantastic programs that go a long way in sharing data on threats, groups and actors. However, without participation, they fall short of their intended goals and do not advance the actual sharing of information.
The goal of any community sharing intelligence is to improve the dissemination of information of intelligence value to those with shared interests, as well as to corroborate and validate sources of information. As shown above, there are already communities dedicated to sharing intelligence information throughout our industry.
How to Start
One way to gain traction is to visit local Information Security get-togethers. Most areas have localized Information Systems Security Association (ISSA) chapters. These meetings are a great avenue to meet and discuss with individuals that are interested in open sharing of intelligence information. These meetings are generally scheduled monthly and feature guest speakers who present on current trends and ideas in the InfoSec community. I would recommend contacting your local chapter president with the idea of starting a local community intelligence sharing project and asking to present on the idea to gain interest.
Another way would be to sign up for a remote community of professionals, like those detailed above. From there, you can begin to gauge the type of intelligence information being shared, how it relates to your industry vertical and make connections with other users.
What to Share
The major sharing initiatives in center around Indicators of Compromise (IOC), which are artifacts observed via attacks on the network or hosts. David Blanco has put together what is referred to as the “Pyramid of Pain” when trying to deny attackers the use of IoCs during an attack, but I like to use it to show the different types of indicators that can, and should, be shared.
David Blanco's Pyramid of Pain
Sharing indicators for intelligence dissemination does not give up proprietary data from one company to another, nor does it indicate to a competitor that an attack was successful. What is important is that these indicators are specific to the malicious traffic observed within your network, and once shared and potentially corroborated with others in your vertical can lead to identification and attribution of actors or campaigns.
Another great sharing initiative should center on tools. I went in depth on DEVOPS and the need to build tools specific to your analytical needs as a staff or organization. We all know that using whiteboards, MS Excel and PowerPoint will not get the job done. Tools such as the Collective Intelligence Framework (CIF), HUBOT and LAIR support open collaboration and can be used both internally and externally.
Sharing is Caring
The bottom line is that sharing initiatives - both from a community standpoint and along industry verticals - will go a long way in keeping up with the bad guys. They’re cooperating with each other to develop new malware, find exploits and conduct multi-pronged attacks. We should, too. Those of us in this industry are very passionate about the work we do to protect the assets we are charged with so that are organizations can be effective, competitive and profitable. We should take this passion to the next level and share our gathered threat intelligence so that we can stop playing catch up with our adversaries and be more predictive in our analysis; leading the security engineers and analysts we work for and with to detect and stop the next attack that is on the horizon.