For as long as I’ve been in Cybersecurity, we have this “thing” about sharing threat intelligence. In State and Local Government, this is even more apparent, as the public sector leans towards being fairly collaborative. In this community, there are two main drivers behind the sharing: one is enriching the cybersecurity community, and the other is a security flex to show your peers the security goodness you can generate, communicate, and accumulate. Most entities I know are sincere about the first motivation, but many aspire to the notoriety of the second.
The complication, and I think we can all agree, is that threat intelligence has a limited shelf-life, meaning that the value and uniqueness of threat intelligence evaporates quickly. Attacks shift, the cyber landscape changes, and within a couple days the threat intelligence is old news and stale. Because of this, security leaders need to maintain the threat intelligence feed hygiene in order to avoid generating false alerts, chasing “events” that are ultimately a waste of time. This is especially true in State and Local Government because security resources are few and you can’t have staff chasing ghosts. I’ve seen those pursuits too many times, and it’s a sad tale.
Today’s method of sharing threat intelligence is very public. You can share it, you can enrich communities, you can buy it. Problematically, and this is true for commercial entities as well, when you share it, everyone sees it, including the person or organization perpetuating or planning an attack.
Instead, imagine a world where a vetted threat intelligence sharing framework exists, using public private key pairs, ensuring that only trusted entities and organizations can view the threat intelligence? Why would that matter? I’ll tell you…
Threat intelligence is simply an artifact of what’s known — known vulnerabilities, known attack techniques, known compromises. Successful attackers thrive in a different world, the world of the unknown and undetected threat. It’s obvious that the longer they go undetected the more data they can exfiltrate. They evolve their techniques to remain undetected, and the fact we publicly identify them in threat intelligence feeds just forces them to evolve. Old attack techniques retire into college curriculums as table stake exploits, fun for script kiddies, and provide opportunistic hack drive by’s against companies who don’t have even modest funding for cybersecurity.
Enter State and Local Government. These public servants struggle to maintain talent and resources capable of keeping up with the current threat landscape and can’t afford the effort to stay ahead of evolving attack techniques.
The way that we share threat intelligence through public feeds, which are also often stale, disrupts and erodes our ability to fight future cybercrime. It would be like our military publicly sharing threat intelligence on potential attacks and indicators of compromise in military personnel lines. Doing that would immediately tell our enemies where they’ve been detected and how to evolve to evade detection next time. In another example – the Enigma machine used by Nazi Germany in World War 2 allowed the German army to share communications securely with a purpose. They were very successful in World War 2 until the Allied Armies broke the Enigma code. Once that code was broken, the German armies were unknowingly communicating publicly (to the Allied Armies) on their tactics and techniques. This allowed the Allied Armies to evolve their own strategies to remain undetected and effective. It wasn’t long after the Enigma Machine code was broken that the tides of war changed.
When it comes to threat intelligence, we (our Industry) knowingly share everything. We tell our enemies and attackers what techniques work and which do not. Trust me when I say “they”, the attackers, appreciate the tips on detection so they can better use their time and money. After all, cybercrime is their business.
What’s the answer to threat intelligence sharing? Most good answers require mass coordination of robust and secure sharing infrastructure and secure communities. It may seem aspirational, but it already exists, just not in ways you’d expect. It exists among local security companies that actually focus on Cybersecurity and have invested in a threat intelligence framework. We, at NuHarbor Security, have threat intelligence frameworks that are integrated and private to our clients. Each client we add makes the threat intelligence eco-system and network stronger. It allows our client to see attacks sooner, allows us to respond faster, all without tipping off attackers. We, and our clients, benefit greatly from this expanded view of the the threats that everyone has to deal with.
Threat intelligence as a discipline requires a lot of focus. Done right, it can save you time and money. Done poorly, it can be like catching smoke. If you’re looking for a cybersecurity partner with the threat intelligence capabilities and one of the largest State and Local Government threat intelligence eco-systems contact us today.