Why sharing threat intelligence is vital to cybersecurity

When the ‘good guys’ share up-to-date threat intelligence, they place the pressure on cybercriminals to shorten development times.
16 December 2019

The onus is on every business to proactively share threat intelligence.

In August 2019, the World Economic Forum (WEF) argued that cybersecurity should be framed as a “public good.”

With technology at the heart of many of our lives, we all face an ever-increasing risk of loss and theft of personal data as cybercriminals evolve to target us from all directions. As such, the WEF believes that cybersecurity should be made more widely accessible to drive the betterment of society as a whole.

A key aspect of making things more freely available is the sharing of threat intelligence by organizations.

On paper, it seems rather straightforward: companies come together to share experiences to further enhance overall knowledge. In reality, there remains a hangover from more conservative times that continues to be a barrier.

Many business leaders regard their organization’s security posture as a private matter and are unwilling to discuss any weaknesses it may have.

They are, not unjustifiably, concerned that disclosing such information could lead to attackers uncovering and exploiting existing vulnerabilities. On the occasions they do share, it tends to be with trusted peers and partners, effectively within a walled garden.

However, attacks are becoming more frequent and their focus is intensifying. Private businesses, government services, and critical national infrastructure are all being targeted far more regularly. There has never been a greater need for shared intelligence, so businesses must overcome their reticence and explore ways of sharing this vital information in confidence.

Turning the tables on cybercriminals

Even for the most skilled criminals, building new cyberattacks from the ground up isn’t a quick job. Each variant needs to be more advanced than its predecessor to ensure it’s able to stay ahead of new defenses.

That means more advanced coding and testing alongside greater research and understanding of defenses and employee behavior. It often takes around three months for a new attack to be ready.

When companies and the other ‘good guys’ share up-to-date threat intelligence, they place the pressure on cybercriminals to shorten development times.

Suddenly, they don’t have three months to exploit vulnerabilities. They rush out new variants that aren’t as well equipped and, therefore, deliver a decreased ROI, if anything at all. When businesses share intelligence faster than criminals can build, they are winning the battle.

The lucrative bug bounty market

With cybercriminals facing the pressures of developing their own solutions more quickly, the value of zero-day vulnerabilities has increased hugely. If criminals know that an unpublicized vulnerability exists, they can simply target it before vendors and businesses have a chance to patch. This demand is driving the lucrative ‘bug bounty’ market.

When an individual discovers a new vulnerability, they then have a choice to make. They can give or sell it to the vendor responsible for the product in which the vulnerability resides; they can sell it to a vulnerability broker who will then auction it off to the highest bidder; or they can go full rogue and peddle it directly to cybercriminals.

Vendors are unlikely to offer the most money, so they must hope that the individual’s moral compass will point them in the ethical direction. That isn’t always the case, and it’s the lure of cold hard cash that means businesses consistently remain at severe risk.

To make matters worse, it’s not simply cybercriminals who can exploit zero-day vulnerabilities, but governments too. In a world of growing geopolitical tensions, governments are likely purchasing ‘bugs’ from vulnerability brokers to use against an enemy state.

It really is no different from loading up the armory with missiles. Critical infrastructure organizations, in particular, will find themselves in the crosshairs.

Defending comprehensively against zero-day attacks is incredibly difficult as you simply have no idea where or what the vulnerability is. Yet, threat intelligence sharing can help to stifle the bug bounty market.

The more data is shared, the greater the chance that organizations discover potential vulnerabilities first, through their own bug hunters who are supported with more information. It also reduces the time available for nefarious actors to sell vulnerabilities before they’re discovered and patched by white hat counterparts.

How to share threat intelligence with confidence

The open-source (OS) community is an asset that not all organizations make use of. Vendors can license and release code and encourage other members to use it within their own efforts. This public collaboration speeds up development and enables the vendor to gather huge quantities of rich threat intelligence which they can then put into further innovation.

Businesses need to consider that keeping some secrets, such as those around cybersecurity, is much more difficult than simply releasing them to communities. Even organizations such as the National Security Agency (NSA) have understood the value of OS and have developed tools within it.

Despite the benefits of sharing, many companies remain apprehensive. Fortunately, there is technology available to alleviate some of the fears that their own data will be used against them. Pseudonymization and anonymization are techniques recommended under the EU GDPR as means of enabling “data processors” to protect the privacy of individuals.

These techniques could be employed by organizations to protect their own identities, allowing them to share threat information while maintaining complete anonymity. By hiding or replacing identifying data fields such as the names of companies, directors, products or IP, more cautious organizations would be at liberty to freely share threat information, confident in the knowledge that the data can’t be traced back to them.
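As an added illustration (not code from the article or from Telesoft), here is one way a sharing organization could pseudonymize a report before releasing it: identifying fields are replaced by keyed HMAC tokens, a contact field is dropped, the victim address is coarsened, and the attacker-side indicators that make the report useful are left intact. The field names and the sample report are constructed for this example.

```python
import hashlib
import hmac
import ipaddress

# Fields that would identify the reporting organization: replaced by keyed tokens.
PSEUDONYMIZE = ("organization", "director", "product")
# Fields with no intelligence value for recipients: dropped outright before sharing.
DROP = ("contact_email",)
# Everything else (attacker indicators, technique) passes through unchanged.

def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for an identifying value. Same value + same key
    gives the same token, so the sharer can still correlate its own reports;
    without the key a recipient cannot reverse it or check guesses against it."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseudo-" + digest[:16]

def generalize_ip(ip: str) -> str:
    """Coarsen a victim-side address to its /16 (IPv4) or /32 (IPv6) so the
    specific host and network are not exposed."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def pseudonymize_report(report: dict, key: bytes) -> dict:
    """Build the shareable copy of a report; the original is left untouched."""
    shared = {}
    for field, value in report.items():
        if field in DROP:
            continue
        if field in PSEUDONYMIZE:
            shared[field] = pseudonym(value, key)
        elif field == "victim_ip":
            shared[field] = generalize_ip(value)
        else:
            shared[field] = value
    return shared

# Constructed sample report; every value is made up for this example.
SAMPLE_REPORT = {
    "organization": "Example Manufacturing Ltd",
    "director": "A. Person",
    "product": "ExampleERP 4.2",
    "contact_email": "soc@example.invalid",
    "victim_ip": "10.20.30.40",
    "attacker_ip": "192.0.2.17",  # RFC 5737 documentation range
    "malware_sha256": "<constructed placeholder hash>",
    "technique": "phishing attachment with macro dropper",
}
```

Calling `pseudonymize_report(SAMPLE_REPORT, key)` with a key held only by the sharing organization yields the copy to release. Because tokens are consistent under one key, a recipient can still link several reports to the same unnamed source; that linkability is what separates pseudonymization from full anonymization under GDPR.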

Ultimately, the WEF’s vision of cybersecurity as a “public good” will never be realized if threat intelligence is kept behind closed doors. If we truly hope to use cybersecurity for the betterment of society, the onus is on every organization, public or private and regardless of size, to proactively share its threat information.

Only together can we take the fight to the criminals.

This article was contributed by Martin Rudd, CTO at Telesoft Technologies