For as long as I've been in cybersecurity, we've this "thing" about sharing threat intelligence. this is even more apparent in state and local government, as the public sector leans towards collaboration. There are two main drivers behind the sharing: one is enriching the cybersecurity community, and the other is a security flex to show your peers the security goodness you can generate, communicate, and accumulate. Most entities I know are sincere about the first motivation, but many aspire to the notoriety of the second.
The complication – and I think we can all agree – is that threat intelligence has a limited shelf life, meaning that the value and uniqueness of threat intelligence evaporates quickly. Attacks shift, the cyber landscape changes, and within a couple days the threat intelligence is old news. Because of this, security leaders need to maintain threat intelligence feed hygiene in order to avoid generating false alerts and chasing events that are ultimately a waste of time. This is especially true in state and local government because security resources are few and you can't have staff chasing ghosts. I've seen those pursuits too many times, and it's a sad tale.
Today's method of sharing threat intelligence is very public. You can share it, you can enrich communities, and you can buy it. Problematically, and this is also true for commercial entities, when you share it, everyone sees it, including the person or organization perpetuating or planning an attack.
Instead, imagine a world where a vetted threat intelligence sharing framework exists, using public-private key pairs, ensuring that only trusted entities and organizations can view the threat intelligence. Why would that matter? I'll tell you.
Threat intelligence is simply an artifact of what's known: known vulnerabilities, known attack techniques, and known compromises. Successful attackers thrive in a different world, the world of the unknown and undetected threat. The longer they go undetected, the more data they can exfiltrate. They evolve their techniques to remain undetected, and the fact we publicly identify them in threat intelligence feeds just forces them to evolve. Old attack techniques retire into college curriculums as table stake exploits, fun for script kiddies, and provide opportunistic hack drive-bys against companies who don't have even modest funding for cybersecurity.
Enter state and local government. These public servants struggle to maintain talent and resources capable of keeping up with the current threat landscape and can’t afford the effort to stay ahead of evolving attack techniques.
The way we share threat intelligence through public feeds, which are often stale, disrupts and erodes our ability to fight future cybercrime. It would be like our military publicly sharing threat intelligence on potential attacks and indicators of compromise in military personnel lines. Doing that would immediately tell our enemies where they've been detected and how to evolve to evade detection next time. In another example, the Enigma machine used by Nazi Germany in World War II allowed the German Army to share communications securely with a purpose. They were very successful until the Allied armies broke the Enigma code. Once that code was broken, the German Army was unknowingly communicating publicly (to the Allies) on their tactics and techniques. This allowed the Allies to evolve their own strategies to remain undetected and effective. It wasn't long after the Enigma machine code was broken that the tides of war changed.
When it comes to threat intelligence, we in the cybersecurity industry knowingly share everything. We tell our enemies and attackers what techniques work and which don't. Trust me when I say attackers appreciate the tips on detection so they can better use their time and money. After all, cybercrime is their business.
So, what's the answer to threat intelligence sharing? Most good answers require mass coordination of robust and secure sharing infrastructure and secure communities. It may seem aspirational, but it already exists, just not in ways you'd expect. It exists among local security companies that actually focus on cybersecurity and have invested in a threat intelligence framework. At NuHarbor, we have threat intelligence frameworks that are integrated and private to our clients. Each client we add makes the threat intelligence ecosystem and network stronger. It allows our client to see attacks sooner and allows us to respond faster, all without tipping off attackers. Together with our clients, we benefit greatly from this expanded view of the threats that everyone has to deal with.
Threat intelligence as a discipline requires a lot of focus. Done right, it can save you time and money. Done poorly, it can be like catching smoke. If you're looking for a cybersecurity partner with the threat intelligence capabilities and one of the largest state and local government threat intelligence ecosystems, contact us today.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.