Communities, sharing, and collaboration have hit the hype curve in cyber security circles. While the marketplace now includes products that offer information exchange or are bolting on support for collaboration, sharing communities were one of the first realities of our vision since product inception and rolled out with ThreatConnect 1.0. Don’t be mistaken: sharing capabilities by themselves do not make a Threat Intelligence Platform, and ThreatConnect does many things to enable the aggregation, analysis, and action on intelligence in addition to sharing. Our philosophy has always been that collaboration amongst cyber defenders should be an out-of-the-box experience, must be more than a simple information exchange or data feed, and that the result should be threat intelligence which is timely, relevant, accurate, specific, and actionable. We are delighted that NIST, the National Institute of Standards and Technology, has validated our thinking with their Special Publication 800-150, “Guide to Cyber Threat Information Sharing”, which is currently in draft.
We have a saying here in the States, “when the rubber meets the road”. It basically means that the process, practice, or capability produces the intended results. The good news is that success stories have emerged from ThreatConnect customers who are using communities to collaborate with like-minded folks and/or sharing partners. They prove that community-based collaboration is more than hype. Case in point, our very first community success story, “Community Collaboration Enables Threat Detection”, shows how a private Community with as few as five sharing partners was able to collaborate and produce refined intelligence to better protect their networks. If you have two minutes, please take a quick read. This case study walks the reader through a chronological set of four simple steps to illustrate how shared situational awareness produced an additional malware sample, a spear phish, and a network infection detection by one of the community members. It all started when the moderator imported a set of 50 indicators and shared them with the community partners. (As a matter of interest, this success story came from Europe, so clearly the rubber meets the road there too!)
Key takeaways from this success story include:
Community enrichment: Enrichment from one member leads to further enrichment from the other participants and the entire private community benefits from greater threat awareness. As each organization contributes what they know, the knowledge of the threat’s capabilities and infrastructure are more complete to all of the community participants. By sharing data with the community, the moderator has effectively increased the number of analysts looking at this threat.
Analyst learning: Analysts communicated across ThreatConnect’s community comment feed and shared techniques on how to conduct analysis and find this adversary operating on their respective networks. Analysts grew their own skills through community participation and secure collaboration with structured data that was both searchable and pivotable via email.
Faster threat awareness: As community members built a more comprehensive picture of an evolving threat, data was shared faster and more often.
Predictive defense: The threat continues to change and morph. With analysts from multiple organizations using and sharing data on ThreatConnect, the ability to track infrastructure movements and collaborate around what they know produces defensive actions that are dynamic and, in some cases, predictive.
Secure sharing and notification: ThreatConnect enabled five organizations to have a common picture of the threat intelligence in a secure manner through a private community group. When something new was added, organizations “following” the threat received notifications, and were able to react and update accordingly.
Readers will notice that this case study states a few of the community’s established rules and guidelines. We recognize that it is important to establish community sharing policies up front. ThreatConnect offers fine-grained features to enforce community policies, and control what is shared, with whom and when.
NIST’s first recommendation (p. 18) states, “Leverage the knowledge, experience and capabilities of sharing partners to exchange threat intelligence, mitigation strategies, and tools to enhance the cybersecurity posture of participating organizations and reduce the overall cost of cyber attacks”.
Thanks, NIST, for telling our story.