Shared threat intelligence: Why businesses should cooperate instead of compete


Image Credit: Christiaan Colen (CC)

The costs associated with cybercrime are exploding, forcing businesses to adopt new and innovative approaches to digital security. More sophisticated attacks require more sophisticated security measures, and one such measure is shared threat intelligence. In a way, it’s a break from tradition, yet it’s one of the most effective aspects of an advanced and proactive cybersecurity stance.

Cyberattacks can be expensive

The average cost per minute of unplanned data center downtime was nearly $9,000 in 2013, according to Emerson and the Ponemon Institute. Cybercrime is the most common reason for these disruptions. The estimated costs for organizations are already staggering: $55,000 annually for small businesses and $1.25 to $2.5 billion for application downtime alone for large enterprises.

More to the point, such attacks threaten thousands of healthy, successful businesses annually. While many cybersecurity best practices and technologies have been around for a while, most of the organizations that suffer losses thought they had adequate protection when they were attacked.

You’re not alone

Reports exploring hackers’ observable strategies have found clear indications that such entities also attack other companies within the same vertical. Research from Verizon shows that 40 percent of attacks are directed at a second organization within an hour of the first; roughly three-quarters of attacks find another target within 24 hours. In many cases, these are direct competitors or related organizations being targeted by the same attacker.

Knowledge gained by experience can be used to identify, mitigate, and even stop attacks. But how do you get that knowledge? Shared threat intelligence is particularly effective for blocking the large-scale attack campaigns that broadly attack an industry, rather than a specific company.

Crowdsourcing digital security

Shared or community-based threat intelligence means sharing knowledge of attack vectors and other information that can enable partner organizations to make the necessary adjustments to close off vulnerabilities and maintain the integrity of their IT systems.

This can be done by signing up with a cybersecurity provider or an industry group with an information-sharing community, or both. While controversial, the Cybersecurity Information Sharing Act of 2015 allows American companies to share threat indicators with each other and the U.S. government. It also provides standards for information sharing that protect against liability if followed correctly.

Understandably, sharing enterprise data has some limitations and disadvantages. For instance, when sharing data within a community that may include competitors, you would also need to remove sensitive business information, along with customers’ personally identifiable data. Scrubbing that data before it leaves the organization addresses the biggest concern many businesses have with cooperative threat intelligence.

For some organizations, however, the challenges of effectively scrubbing information make employing a third-party sharing platform more attractive.

Resources, organizations and communities

There are several standards, such as Structured Threat Information Expression (STIX), a standardized XML-based language for describing threat information so that organizations, people, and technologies can understand each other. There are collaborative industry projects like the International Information System Security Certification Consortium (ISC)² for training and certifying experts, and businesses can begin participating in cooperative threat intelligence through industry-specific groups like Information Sharing and Analysis Centers.
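As an added example (not code from this article or from any vendor it names), here is the scrub-then-share step described above, written in Python: an internal incident record is stripped of business-internal and personal fields, turned into a minimal indicator, and checked for leaks before it would be published to a sharing community. The record, hostnames, addresses and field names are constructed, and the output uses the JSON serialization of STIX 2.1 rather than the XML-based STIX 1.x the article refers to.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample incident record, as a SOC might log it before sharing.
# Hosts, addresses and the customer e-mail are made up (IP from RFC 5737 range).
INTERNAL_RECORD = {
    "attack_type": "SQL injection",
    "source_ip": "203.0.113.45",
    "target_url": "https://shop.corp.example.com/search",
    "db_host": "db-prod-07.corp.example.com",
    "customer_email": "alice@example.net",
    "analyst": "j.doe",
    "first_seen": "2016-03-01T10:15:00Z",
}

# Field names that hold business-internal or personal data and must not leave the org.
SENSITIVE_FIELDS = {"db_host", "customer_email", "analyst"}


def scrub(record):
    """Copy the record without sensitive fields; keep only the URL path so the
    kind of endpoint attacked is shared but our own hostname is not."""
    shared = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    shared["target_path"] = re.sub(r"^https?://[^/]*", "", shared.pop("target_url"))
    return shared


def to_stix_indicator(shared, now=None):
    """Build a minimal STIX 2.1 Indicator object (JSON form) from a scrubbed record."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{shared['attack_type']} source",
        "description": f"{shared['attack_type']} attempts against {shared['target_path']}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{shared['source_ip']}']",
        "pattern_type": "stix",
        "valid_from": shared["first_seen"],
    }


def leaks_sensitive(stix_obj, record):
    """Final gate before publishing: return any sensitive value (sensitive fields
    plus our own hostname) that still appears anywhere in the serialized object."""
    text = json.dumps(stix_obj)
    host = re.sub(r"^https?://([^/]*).*$", r"\1", record["target_url"])
    secrets = [record[k] for k in SENSITIVE_FIELDS] + [host]
    return [s for s in secrets if s in text]
```

A real pipeline would also map the result to the community's own field conventions and sign or timestamp the submission, but the leak check is the part most often skipped.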

Imperva, a security provider that advocates shared threat intelligence, has a short video and a helpful infographic that can serve as a good resource for understanding how application layer attacks work and what kind of defense is necessary to block these. 

Attacks like cross-site scripting (XSS) injections, SQL injections, and comment spam — automated and repeated over as many vectors as possible — tend to find weak points in unprepared companies. XSS vulnerabilities, which Imperva’s crowdsourced research shows are currently the most popular attack vector, are a good example of a vulnerability that, in practice, is more difficult to detect than to fix.

The takeaway

In order to protect the enterprise as completely as possible from costly digital threats, every organization needs a strategy that includes cooperative threat sharing to aid its defense against large-scale attacks. The tools and institutional structures meant to enable a cybersecurity transformation toward automated intelligence sharing are in development, and specialized service providers are able to leverage wide networks to address threats as they approach.

Through increased cooperation, the completion of government and industry projects, and experience, the damage from downtime and breaches can be minimized.