One of the challenges of ramping up an internal threat intelligence team is developing processes for information sharing, both between internal groups and potentially externally with ISACs or other sharing organizations. Timely sharing of threat intelligence is a key attribute of effective threat intelligence programs, but it is often complicated by conflicts in goals, responsibilities, and rules.
As we discussed in the blog post Augmenting Your Internal Threat Intelligence Team, most organizations are already producing useful cyber threat information that is available to share internally as part of their threat intelligence operations. By sharing this information (internally and externally), organizations can leverage a broader base of knowledge, experience, and capabilities to gain a more complete understanding of current and future threats. This can drive better decisions regarding defensive capabilities, threat detection techniques, and mitigation strategies.
Building an Actionable Threat Intelligence Funnel
Threat intelligence is an incredibly useful resource, but only when it is rich in context and made actionable. Both conditions require a collaborative approach to aggregating intelligence and to using that intelligence after analysis.
Remember that, internally, threat intelligence analysts need to acquire and store events from SIEMs, packet capture files, malware samples, incident-response reports, and other internally derived intelligence sources. The richer and better correlated this data set, the more valuable the intelligence product. Analysts should attach or produce metadata for each indicator they generate. This metadata provides the context around the indicator by describing its intended utility, why it is important, and how it relates to other indicators.
Enrichment benefits greatly from independent confirmation of observations and indicators, which reduces ambiguity and potential errors. This requires drawing information from as broad a set of sources as is appropriate and possible, which will often require collaboration across security, operations and IT groups. A process should be in place for publishing indicators and for updating them and their associated metadata. It should also be possible to retract submissions that are incorrect or were shared by mistake. In this way a feedback loop is created that improves the quality of indicators through continual enrichment and maturation.
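As an added illustration (not code from the original post or from King & Union's product), the following Python indicator registry implements the publish, enrich, update and retract workflow described above: each indicator carries metadata (context, source, confidence and related indicators), a second team publishing the same indicator counts as an independent confirmation that raises confidence, and retracted indicators drop out of the shareable set while their audit trail is kept. The field names, the 0-100 confidence scale and its confirmation bonus, and the sample indicators (a TEST-NET address and an all-zero hash) are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence

# Constructed tuning value: how much one independent confirmation raises confidence.
CONFIRMATION_BONUS = 15


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Indicator:
    """One indicator plus the metadata that gives it context (assumed schema)."""
    ioc_type: str                 # constructed vocabulary: "ipv4", "domain", "sha256", ...
    value: str
    context: str                  # intended utility: why it matters, how it was observed
    source: str                   # team or system that first published it
    confidence: int               # 0-100; raised by independent confirmations
    related: List[str] = field(default_factory=list)        # keys of related indicators
    confirmations: List[str] = field(default_factory=list)  # other sources that saw it
    history: List[str] = field(default_factory=list)        # audit trail of every change
    retracted: bool = False

    @property
    def key(self) -> str:
        # Normalised so "203.0.113.10 " and "203.0.113.10" are the same indicator.
        return f"{self.ioc_type}:{self.value.strip().lower()}"

    def log(self, actor: str, action: str) -> None:
        self.history.append(f"{_now()} {actor}: {action}")


class IndicatorRegistry:
    """In-memory publish / enrich / update / retract store."""

    def __init__(self) -> None:
        self._items: Dict[str, Indicator] = {}

    def publish(self, ioc_type: str, value: str, context: str, source: str,
                confidence: int = 50, related: Sequence[str] = ()) -> Indicator:
        new = Indicator(ioc_type, value, context, source,
                        max(0, min(100, confidence)), list(related))
        cur = self._items.get(new.key)
        if cur is None:
            new.log(source, "published")
            self._items[new.key] = new
            return new
        if cur.retracted:
            # Re-publication after a retraction reactivates the record but keeps its history.
            cur.retracted, cur.source, cur.confidence = False, source, new.confidence
            cur.context, cur.confirmations = context, []
            cur.log(source, "re-published after retraction")
        elif source != cur.source and source not in cur.confirmations:
            # Independent confirmation from another team or system reduces ambiguity.
            cur.confirmations.append(source)
            cur.confidence = min(100, cur.confidence + CONFIRMATION_BONUS)
            cur.log(source, "confirmed independently")
        if context and context not in cur.context:
            cur.context = f"{cur.context} | {context}"
            cur.log(source, "context enriched")
        for rel in related:
            if rel not in cur.related:
                cur.related.append(rel)
                cur.log(source, f"related to {rel}")
        return cur

    def update_metadata(self, key: str, actor: str, *, context: Optional[str] = None,
                        confidence: Optional[int] = None) -> Indicator:
        """Correct context or confidence on an existing indicator, leaving a trail."""
        cur = self._items[key]
        if context is not None and context != cur.context:
            cur.context = context
            cur.log(actor, "context rewritten")
        if confidence is not None:
            cur.confidence = max(0, min(100, confidence))
            cur.log(actor, f"confidence set to {cur.confidence}")
        return cur

    def retract(self, key: str, actor: str, reason: str) -> bool:
        """Withdraw an incorrect or mistakenly shared indicator; False if nothing changed."""
        cur = self._items.get(key)
        if cur is None or cur.retracted:
            return False
        cur.retracted = True
        cur.log(actor, f"retracted: {reason}")
        return True

    def active(self) -> List[Indicator]:
        """Indicators still fit to share, highest confidence first."""
        return sorted((i for i in self._items.values() if not i.retracted),
                      key=lambda i: i.confidence, reverse=True)

    def share_record(self, key: str) -> dict:
        """Flat record for hand-off to another team; the internal audit trail is not included."""
        i = self._items[key]
        return {"key": i.key, "type": i.ioc_type, "value": i.value, "context": i.context,
                "confidence": i.confidence, "confirmed_by": len(i.confirmations) + 1,
                "related": list(i.related), "retracted": i.retracted}


if __name__ == "__main__":
    reg = IndicatorRegistry()  # constructed sample walk-through
    reg.publish("ipv4", "203.0.113.10", "beaconing flagged by SIEM rule", "soc", 40)
    reg.publish("ipv4", "203.0.113.10", "seen in IR case pcap", "ir", 70)
    reg.publish("sha256", "0" * 64, "dropper observed with the beacon", "malware-lab", 80,
                related=["ipv4:203.0.113.10"])
    reg.retract("sha256:" + "0" * 64, "malware-lab", "hash belongs to a benign installer")
    for ind in reg.active():
        print(reg.share_record(ind.key))
```

The design choice worth noting is that a republished indicator from a different source never overwrites the first record; it adds to it, so the confidence and the merged context reflect how many independent groups have seen the same thing, which is the feedback loop the paragraph describes.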
Unfortunately, Things Seldom Work that Way in Practice
The problem is that security teams seldom have complete visibility across their threat landscape. They often lack the relevant context that comes with ready access to internal and external data sources. A common problem is that silos exist between internal security teams, due in no small part to the lack of integration between point solutions and the lack of consistent information sharing processes across the organization.
Developing internal workflows and automation can be difficult. Agreeing on and supporting standardized data formats and transport protocols simplifies data sharing, and the goal should be to standardize on common formats and protocols so that data exchange can be automated. But many organizations are littered with point products that were never designed to work within a larger threat intelligence ecosystem.
This concern can be addressed at the organizational level. Within larger organizations, an effective approach can be to put a threat intelligence “umbrella” over the Security Operations Center (SOC) and incident response (IR) teams, and to supplement them with experienced data and threat analysts. The SOC and IR teams should already be relatively comfortable with some TI functions, so this type of collaborative approach can be effective at promoting better information sharing. It is important to remember that information sharing should not be driven by breach notification; rather, it should be a proactive exercise practiced much earlier in the attack path, and it therefore benefits from continual cooperation.
How to Develop Internal Data Sharing Processes and Systems
More generally, aligning goals and scope of responsibility between teams is an important best practice. NIST has published a Guide to Cyber Threat Information Sharing (NIST SP 800-150). It is chiefly designed to help organizations develop inter-organizational information sharing programs, but its recommendations also provide a good roadmap for establishing an internal information sharing program first. NIST recommends that organizations:
- Establish information sharing goals and objectives that support business processes and security policies.
- Identify existing internal sources of cyber threat information.
- Specify the scope of information sharing activities.
- Establish information sharing rules.
- Join and participate in information sharing efforts.
- Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements.
- Use secure, automated workflows to publish, consume, analyze, and act upon cyber threat information.
- Proactively establish cyber threat sharing agreements.
- Protect the security and privacy of sensitive information.
- Provide ongoing support for information sharing activities.
We will run through these recommendations in Part 2 of this blog post as part of a discussion of external information sharing programs. But keep in mind that the foundation of a strong external sharing program is a strong internal sharing program. Working through internal data incompatibilities, developing standardized processes for sharing between groups, and building basic trust relationships are all important competencies that need to be mastered.
At King & Union, our goal from day one has been to help streamline investigations by making it easier for security teams to share information and collaborate on investigations in real-time.
To learn more about our Avalon Cyber Analysis Platform: