Sage Advice - Cybersecurity Blog

The Basics of Threat Intelligence Sharing

There is no question that threat intelligence is an essential part of your cybersecurity defense strategy. But it’s not just about monitoring feeds. Sharing the threat intelligence you gather is also a huge component.

Information sharing may be a new concept for many organizations, but hackers have been doing it for years. Their ability to share knowledge throughout the hacker community is one of the things that has made them so successful. In today’s threat environment, we need to fight fire with fire. We stand a far better chance of beating back the bad guys if we join forces to collaborate and share information.

So, where do you start?  First, you need to choose who you will share information with. It's best to find (or develop) an information sharing network that, in addition to being industry-specific, is also local to your organization.  Here’s why:

  • Shared situational awareness.
  • Enhanced threat understanding.
  • Knowledge maturation.
  • Greater defensive agility.
  • Improved decision making.
  • Efficient handling of information requests.
  • Rapid and relevant notifications.

While there aren’t many formal local networks currently available, more should develop as demand grows. Most likely, state and/or regional industry organizations will provide a centralized service, repository, or mechanism for sharing information, especially in critical sectors, like Financial Services and Healthcare. On a national level, there are a variety of sector-based Information Sharing and Analysis Centers to choose from.  Learn more at www.isaccouncil.org.

The next step is to figure out what information you want to share. Knowledge-based intelligence could include threat bulletins from public and private sector sources, information gathered from a user’s group, or intelligence gained from other sources that you have selected as part of your threat intelligence program.

If you experience an incident, sharing the intelligence you gathered – including information on the attack vectors (what happened), how you responded, and any lessons you learned – can be extremely helpful to other organizations within your network who may be victims of the same, or similar, type of attack.  

Finally, you need to determine how to share the information.  Here are a few simple steps.

  1. Use the secure channels with the standard formats and transport protocols that you already have in place.
  2. Sanitize all the information shared with your Information Sharing Network before sending, so that all legally protected Non-Public Personal Information (NPPI) or proprietary confidential information is completely removed, deleted, or redacted.
  3. Consider signing mutual non-disclosure agreements when sharing information with local network partners where there may be competition, privacy, or security considerations.
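
As an illustration of step 2, here is a minimal sanitizer sketch that is an added example, not part of the original post. The regex patterns, the `corp.example` internal domain, and the sample report are constructed assumptions; a real deployment would cover the data types your organization actually holds.

```python
import re

# Assumed patterns for common NPPI; extend for your own data types.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Card numbers pass the Luhn checksum; most other long numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sanitize(text, internal_domains=(), keep_emails=()):
    """Return (redacted_text, counts). Emails are redacted unless allow-listed
    as indicators; hosts under internal_domains are treated as proprietary."""
    counts = {"ssn": 0, "card": 0, "email": 0, "host": 0}
    keep = {e.lower() for e in keep_emails}

    def hit(kind):
        counts[kind] += 1
        return "[REDACTED-%s]" % kind.upper()

    def card(m):
        digits = re.sub(r"\D", "", m.group())
        return hit("card") if luhn_ok(digits) else m.group()

    def email(m):
        return m.group() if m.group().lower() in keep else hit("email")

    text = SSN.sub(lambda m: hit("ssn"), text)
    text = CARD.sub(card, text)
    text = EMAIL.sub(email, text)  # before hosts: addresses contain host names
    for dom in internal_domains:
        host = re.compile(r"\b(?:[\w-]+\.)+" + re.escape(dom) + r"\b", re.I)
        text = host.sub(lambda m: hit("host"), text)
    return text, counts

# Constructed sample incident note (all values are made up for illustration).
SAMPLE = (
    "Phishing mail from billing@invoice-update.example (203.0.113.7) reached "
    "jane.doe@corp.example on host fin-ws12.corp.example. The attachment "
    "harvested SSN 078-05-1120 and card 4111 1111 1111 1111; "
    "ticket 1234567890123456 tracks the response."
)

if __name__ == "__main__":
    print(sanitize(SAMPLE, ["corp.example"], ["billing@invoice-update.example"]))
```

The returned counts give a reviewer a quick record of what was removed; a person should still read the redacted text before it leaves the organization.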

At the end of the day, the whole point of threat intelligence and information sharing is to make us stronger. We need to create an environment that is resilient to cyber attackers. It’s time to get out of our insulated, individual compartments, and into a community of people with a common goal… business continuity. Being in direct competition with some of our peers shouldn’t stop us from entering into this type of relationship. We all have something to gain by sharing threat intelligence, and a healthy industry supports more healthy organizations within it.

Are you starting a Threat Intelligence Program? Check out Developing a Cyber Threat Intelligence Program and A Guide to Cyber Threat Intelligence Sources from the Sage Advice Blog to learn more!



Topics: Threat Intelligence, Information Sharing
