Building Security Threat Intelligence Networks: 10 Best Practices
Information Should Be Shared in Increments
Open threat sharing requires more detailed, incremental sharing programs: ones that start with simple statistical sharing and then ramp up to threat agent information, such as details of unsuccessful attacks and indicators of compromise from discovered compromised hosts. Full data sharing of issues such as breach details and successful threat actor attribution will remain within a more limited audience.
IT Must Adapt to Support More Complex Levels of Sharing
More ambitious standards for communication of shared data are needed. These will encourage further expansion of sharing arrangements with the promise of more advanced security data analytics down the line. Currently, enterprises must create their own solutions for consuming intelligence data; without new standards, a high level of communication cannot happen.
Adoption of Tokenization
This can be implemented without significant effort and will be an important factor in allowing organizations to collaborate without undue legal or operational liability. Tokenization is the process of substituting a sensitive data element with an easily reversible benign substitute. It can be used to safeguard sensitive data involving, for example, bank accounts, financial statements, medical records, criminal records, driver's licenses, loan applications, stock trades, voter registrations, and other types of personally identifiable information. Tokenization is a way for companies to share information about what they're seeing on their networks, without giving away sensitive data in the process.
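As an added illustration (not code from the original article), the following shows tokenization applied to an outgoing incident report: internal hosts and user e-mails are swapped for opaque tokens before sharing, while the external attacker address stays visible. It assumes the organization's own address ranges (`INTERNAL_NETS`), a per-organization secret key, and a constructed sample report; the `TokenVault` class and token format are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets
# Constructed example: sensitive values in an outgoing report are swapped for
# opaque tokens; the token -> value mapping never leaves the organization.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
TOKEN = re.compile(r"TOK-[A-Z]+-[0-9a-f]{12}")
# Assumption: the ranges this organization treats as its own internal space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

class TokenVault:
    """Tokens are deterministic (same value -> same token, so partners can
    correlate repeat sightings) but only the vault holder can reverse them."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # per-org secret, never shared
        self._vault = {}                              # token -> original value

    def tokenize(self, kind, value):
        digest = hmac.new(self._key, f"{kind}:{value}".encode(),
                          hashlib.sha256).hexdigest()[:12]
        token = f"TOK-{kind.upper()}-{digest}"
        self._vault[token] = value
        return token

    def redact_report(self, text):
        """Tokenize internal hosts and user e-mails; external (attacker)
        addresses are left intact, since they are the part worth sharing."""
        def swap_ip(m):
            ip = m.group(0)
            try:
                internal = any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
            except ValueError:      # e.g. 999.1.1.1 passed the loose regex
                return ip
            return self.tokenize("ip", ip) if internal else ip
        text = IPV4.sub(swap_ip, text)
        return EMAIL.sub(lambda m: self.tokenize("email", m.group(0)), text)

    def restore_report(self, text):
        """Reverse the substitution; only the vault owner can do this."""
        return TOKEN.sub(lambda m: self._vault.get(m.group(0), m.group(0)), text)

# Constructed sample report: internal victim host and user, external C2 address.
SAMPLE = ("Host 10.20.30.40 (user alice@corp.example) beaconed to "
          "203.0.113.77 on port 443; 10.20.30.40 was reimaged.")
```

Because the token is a keyed hash, a partner receiving several reports can see that the same internal host recurs without ever learning its address.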
More Advanced Big Data Research
As the range of data needed to formulate effective, adaptive intelligence becomes something the security program can apply automatically, exposures, attack surfaces and threat models will be driven by that data processing. This will enable some degree of predictive analysis as security intelligence is consumed into the workflow.
Signals Intelligence Is an Important Resource
The private-sector information security world is continually following a path taken by the defense intelligence community decades ago. But where human intelligence bears the greatest fruit in their world, signals intelligence is the more fruitful resource in the private sector, where there is limited access to living people willing and able to provide information. Security analysts need these force multipliers to stand any chance of effectively cross-referencing the vast number of security markers pouring out of their monitoring systems and turning them into a stream of directly actionable information that can keep pace with the opposition.
Engage Your Legal Counsel in the Process
Consult your company's legal counsel early in the process, before you are left cleaning up a data breach. Get advice about information sharing with existing business partners and public projects, and let them advise you on the liability implications involved in doing so. Have a clear case to present to them about the levels of risk involved in sharing threat intelligence outside the organization and, most importantly, have them examine any formal agreement paperwork and author anything you issue in return. They are your experts; use that expertise.
Use Threat-Based, Not Risk-Based, Workflows
The primary driver of more information-sharing programs inevitably has to be the need for them, and a program that isn't used is worse than none at all. On the other hand, an information-sharing program that is the key driver of daily security monitoring and investigation generates information in return and improves the value of the program for everyone. By focusing on who is getting an initial foothold on your infrastructure and comparing that information with others, attack responses can be prioritized based on a model of their intended goals and level of impending threat to your overall security.
Sharing Elicits Valuable Intelligence
The most critical piece of information leading up to any attack is how much knowledge of the attack the enemy possesses. Open information-sharing networks will be infiltrated by attackers, without a doubt. This should not be construed as a failure of the system if the system is robust enough to absorb it. Returning to the assertion that long-term success in information security is a matter of economics, the more time we can occupy the opponent in trying to find a staging location for their attacks that is not already publicly known, the more of their resources we waste.
All Data Holds Value
The more open an intelligence source, the more generic the format in which it must be communicated. Public sources of threat intelligence are published in lowest-common-denominator formats: text files of IP addresses, comma-separated values (CSV) files and others. Many security organizations using these feeds process the information manually, with analysts performing searches across logs.
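As an added example (not from the original article), the following ingests the two lowest-common-denominator feed formats just described, a bare text list and a header-driven CSV, merges them, and runs the log search an analyst would otherwise do by hand. The feed contents, log lines and column names are constructed for the example; the indicator values are documentation-range addresses, not real indicators.

```python
import csv
import io
import re
# Constructed sample feeds (documentation-range values, not real indicators):
# a bare text list with comments and a CSV feed with a header row.
TEXT_FEED = """# blocklist, one address per line
198.51.100.23
203.0.113.9   # commodity scanner
"""
CSV_FEED = """indicator,type,confidence
203.0.113.9,ipv4,high
bad.example,domain,medium
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")

def parse_text_feed(text):
    """One indicator per line; '#' starts a comment. Yields (value, type)."""
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip()
        if value:
            yield value, "ipv4" if IPV4.fullmatch(value) else "domain"

def parse_csv_feed(text):
    for row in csv.DictReader(io.StringIO(text)):   # header names the columns
        yield row["indicator"].strip(), row["type"].strip().lower()

def load_indicators(*feeds):
    """Merge into {type: {value: feeds_listing_it}}; multi-source hits rank higher."""
    merged = {"ipv4": {}, "domain": {}}
    for feed in feeds:
        for value, kind in feed:
            bucket = merged.setdefault(kind, {})
            bucket[value] = bucket.get(value, 0) + 1
    return merged

def match_logs(indicators, lines):
    """Automates the analyst's log search: (line_no, type, value, source_count)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in indicators["ipv4"]:
                hits.append((n, "ipv4", ip, indicators["ipv4"][ip]))
        for host in HOST.findall(line.lower()):
            if host in indicators["domain"]:
                hits.append((n, "domain", host, indicators["domain"][host]))
    return hits

# Constructed proxy log lines to scan.
LOGS = ["2024-03-01T10:00:01 10.0.0.5 GET http://bad.example/update.bin 200",
        "2024-03-01T10:00:02 10.0.0.9 GET http://intranet.corp/ 200",
        "2024-03-01T10:00:03 10.0.0.5 CONNECT 203.0.113.9:443 200"]
```

The source count carried with each hit is the simplest form of the cross-referencing the article calls for: an address listed by two feeds and seen in the logs is a better lead than one listed once.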
Always Keep Moving Forward
Our attackers scour public knowledge for target information. Every press release gives some insight into activities and circumstances at the targeted organization; every LinkedIn profile contains a cornucopia of marks to infiltrate; every public mailing list posts another data point on what lies behind the firewall. When this is combined with information acquired directly from the target, detailed and directed plans of attack are easy to formulate, and attackers share their findings. Whatever the arguments for and against public information sharing on the defensive side, we can all agree that our own intelligence grid is still woefully inadequate.