From Reactive to Proactive: Refocus Your Cybersecurity Program's Threat Intelligence

Rick O’Leary | 7/17/2017

Establishing an effective cybersecurity program is a complex process that every organization has the daunting task of addressing. Threats loom large, from denial of service attacks to the more recent ransomware attacks that have plagued all industries. Mitigation controls that belong in your cybersecurity program include firewalls, intrusion detection systems (IDS), antivirus, and security information and event management (SIEM) devices.

When we take a step back and look at these products, though, one telltale attribute stands out: These solutions are reactive, not proactive. While a reactive approach is and should remain an important aspect of an effective cybersecurity program, the industry is demanding more proactive approaches to mitigating the advanced threats we see today.

So how can organizations become more proactive with cybersecurity? Threat intelligence sharing is a great place to start. But before delving into the different threat intelligence sharing mechanisms and how they can help your organization, let’s define threat intelligence.

Threat intelligence is cybersecurity information that has been parsed, sorted, and delivered to provide insight into current cybersecurity events or incidents. Threat intelligence can include event logs, indicators of compromise, or alerts generated by any device on your network. Organizations, regardless of their industry, generate this information every day within their networks. So why do we, as a cybersecurity community, not share that vital information with each other in an effort to become more resistant to attacks? Collecting and analyzing vital information is the cornerstone of threat intelligence sharing.

There are many technical and interpersonal ways to get involved in sharing threat intelligence. One way is to join a cybersecurity group (or groups) in your area. The Information Systems Security Association (ISSA) has chapters all over the world that give cybersecurity professionals a way to network, learn, and grow together. In addition to ISSA chapters, local Information Sharing and Analysis Centers (ISACs) provide another way to share industry-based threat intelligence within a community of information security professionals. The Federal Bureau of Investigation (FBI) also provides a public-to-private sector threat intelligence sharing mechanism through InfraGard, a partnership between the FBI and members of the private sector.

If you are already a member of one or more local cybersecurity groups, you and your organization can get involved with threat intelligence sharing in other, more technical ways. Data can be collected from both your network and external sources and then used to correlate cybersecurity events that may be present within your network.

An organization can achieve intelligence sharing through a series of steps. Threat information can enter your network through the sharing communities for evaluation by your cyberthreat analyst(s). This information can give vital details about indicators of compromise or patterns for new cyberthreats. The analyst(s) can then take this intelligence and apply the data holistically to the network to address threats before any damage is done.

Threat intelligence can positively affect your cybersecurity program, and it can be developed using one of several threat intelligence sharing frameworks. Members of the Organization for the Advancement of Structured Information Standards (OASIS) consortium developed a set of intelligence sharing standards that facilitate and standardize threat intelligence: Structured Threat Information Expression (STIX™), Trusted Automated Exchange of Intelligence Information (TAXII™), and Cyber Observable eXpression (CybOX™). Using these three frameworks together can enable your organization to standardize threat intelligence and share it with other users of the frameworks. Another intelligence sharing framework is called Open Indicators of Compromise (OpenIOC). Created by a security company in Virginia, OpenIOC provides services similar to those of STIX, TAXII, and CybOX.
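The flow described in the two paragraphs above, in working code: indicators arrive from a sharing community in a structured format, the analyst filters out what should not be acted on, and the remaining indicators of compromise are checked against the organization's own logs. This is an example added here, not code from the original article or from OASIS. It assumes a STIX 2-style JSON bundle (the article does not name a STIX version); the bundle, its ids, the IoC values (documentation-only addresses and names) and the log lines are all constructed for illustration, and the pattern parsing handles only simple equality comparisons, not the full STIX patterning language.

```python
"""Added example: extract atomic IoCs from a constructed STIX 2-style bundle
and look for sightings of them in constructed local log lines."""
import json
import re

# Constructed STIX 2.x bundle (assumption: STIX 2 JSON layout; every id, name
# and value below is made up; addresses/names come from documentation ranges).
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000a1",
            "name": "Constructed command-and-control address",
            "created": "2017-07-17T00:00:00.000Z", "modified": "2017-07-17T00:00:00.000Z",
            "valid_from": "2017-07-17T00:00:00.000Z",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.5']",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000a2",
            "name": "Constructed dropper (domain and file hash)",
            "created": "2017-07-17T00:00:00.000Z", "modified": "2017-07-17T00:00:00.000Z",
            "valid_from": "2017-07-17T00:00:00.000Z",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'updates.example.invalid'] OR "
                       "[file:hashes.'SHA-256' = "
                       "'0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000a3",
            "name": "Withdrawn indicator (should never alert)",
            "created": "2017-07-17T00:00:00.000Z", "modified": "2017-07-17T00:00:00.000Z",
            "valid_from": "2017-07-17T00:00:00.000Z",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.9']",
            "revoked": True,
        },
    ],
})

# Constructed log lines in a simplified key=value style (not from any real device).
SAMPLE_LOGS = [
    "2017-07-17T10:01:02Z fw allow src=10.0.0.21 dst=203.0.113.5 dport=443",
    "2017-07-17T10:01:05Z dns query host=ws-21 name=updates.example.invalid",
    "2017-07-17T10:01:09Z fw allow src=10.0.0.22 dst=198.51.100.9 dport=80",
    "2017-07-17T10:02:30Z av scan file=setup.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2017-07-17T10:03:00Z fw allow src=10.0.0.23 dst=192.0.2.77 dport=443",
]

# One "object-type:path = 'value'" equality comparison inside a STIX pattern.
# Other operators (MATCHES, LIKE, >, ...) are deliberately not handled here.
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return [(indicator_id, object_type, value)] for every actionable indicator."""
    bundle = json.loads(bundle_json)
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            continue  # the producer withdrew it; alerting on it would be a false positive
        if obj.get("pattern_type", "stix") != "stix":
            continue  # YARA/Snort/SIGMA patterns need their own engines
        for obj_type, _path, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            iocs.append((obj["id"], obj_type, value))
    return iocs


def find_sightings(iocs, log_lines):
    """Return {indicator_id: [1-based line numbers]} for lines containing an IoC.

    Matching is whole-token and case-insensitive, so 203.0.113.5 does not
    match 203.0.113.50 and an upper-case hash still matches."""
    compiled = [
        (ind_id, re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE))
        for ind_id, _obj_type, value in iocs
    ]
    sightings = {}
    for lineno, line in enumerate(log_lines, start=1):
        for ind_id, rx in compiled:
            if rx.search(line):
                hits = sightings.setdefault(ind_id, [])
                if lineno not in hits:
                    hits.append(lineno)
    return sightings


if __name__ == "__main__":
    found = find_sightings(extract_iocs(STIX_BUNDLE_JSON), SAMPLE_LOGS)
    for ind_id, lines in found.items():
        print(f"{ind_id}: seen on log lines {lines}")
```

Running it reports indicator `...a1` on line 1 and indicator `...a2` on lines 2 and 4; line 3 is silent because its indicator was revoked by the producer, which is the kind of bookkeeping a sharing framework gives you and an ad hoc list of addresses does not. In a real deployment the bundle would be pulled over TAXII and the matching pushed into the SIEM rather than a script, but the decision points stay the same: trust only current, unrevoked indicators, match on whole tokens, and keep the originating indicator id on every hit so the analyst can trace a sighting back to its source.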

In order to adapt and improve your cybersecurity program, consider taking a proactive, instead of reactive, approach. Threat intelligence sharing should be evaluated and adopted into your organization’s networks. Start implementing threat intelligence by becoming a member of a local cybersecurity group, particularly one whose other members are in the same industry as you. If you want more advanced ways of implementing threat intelligence sharing, evaluate software solutions that can help you standardize and share threat intelligence.

Building, maintaining, and improving an effective cybersecurity program is a complex process that is better shouldered by a supportive community, not just by individuals. Contributing to the intelligence sharing community can help you and others in your organization become well-rounded cybersecurity professionals. Joining a community can also help fellow members become more resilient to sophisticated attack vectors. Working together makes us all stronger.