The Threat Intelligence Hangup: Why Don't Organizations Share?Australia Is Pushing for Better Threat Intel Sharing
Cybercriminals and hackers have no problems sharing tips and tricks for how to break into networks. So why are companies and organizations still somewhat reluctant to share their threat intelligence?
It's long been a thorny question, and the lack of sharing is one reason why hackers are nearly always ahead. Organizations cite a multitude of reasons for holding back from sharing intelligence, ranging from worries about revealing too much to competitors to trust questions and, ultimately, fear of embarrassment.
Still, better threat intelligence won't solve all of an organization's problems.
But in the end, none of the worries are justified. To one company, an attack appears as "new" only insofar as it hasn't seen it before. The same hacking technique may have been used frequently against others. The lack of coordination puts attackers at a strong advantage.
The topic of sharing threat intelligence came up several times at a half-day forum in Sydney called Cyber Security - The Leadership Imperative 2017. The forum broadly addressed how to support Australia's plan to create a homegrown cybersecurity industry and better protect businesses.
Crooks Already Know
There's a pervasive belief that if organizations share threat intelligence, "the crooks will know what we're doing," says Steve Ingram, Asia-Pacific cyber lead for PwC.
"That's right," Ingram says. "So what? They [the crooks] don't [learn] anything they don't already know," Ingram says. "We're just giving back what they've done. And if they know we're active, we'll become a harder target. We'll become a better place to do business because we know they'll go for the easier hits."
Efforts are underway in Australia to improve intelligence sharing. The government's AU$230 million (US$173 million) cybersecurity strategy, launched in April 2016, called for improved coordination between private industry and government.
The government also plans to establish joint cyber threat sharing centers stationed in Australia's capital cities, along with an online threat intelligence portal. Brisbane has been selected for the first pilot center.
Organizations in certain verticals, such as financial services, do share among themselves but won't share outside their sector, Ingram says. In the U.S., the Information Sharing and Analysis Centers program is successful, but still, there are 24 separate ISACs representing verticals in the country's sprawling economy.
Australia is in a unique position because its economy is much smaller than that of the U.S., Ingram says. Access to threat intelligence should be an open circuit. Threat intelligence can be collected, standardized and anonymized and shared "with everyone, from the medical center down on the corner here to the biggest corporate on the ASX (Australian Securities Exchange)," he says.
Sharing in the Valley
In Silicon Valley, many companies have overcome the hangups, says Craig Davies formerly Atlassian's director of security and now CEO of the Australian Cyber Security Growth Network. Atlassian shared threat intelligence with a number of cloud providers, including some of its competitors.
"We do it because the bad guys are better organized that us anyway," Davies said during a panel discussion. "You're not sharing anything private or confidential. You're sharing indicators of compromise."
The sharing among Silicon Valley companies came largely as a result of personal relationships between security professionals, Davies says.
"Everyone knew each other," he says. "You could trust them to use the data appropriately. That is so key to defense. You're all fighting the same adversaries."
Australia's efforts to take a formalized approach to sharing presents an opportunity to create a system that may work better than others, Davies says. Still, better threat intelligence won't solve all of an organization's problems.
"Don't race in," he says. "Step back and really be clear about why you're doing it and what you're expecting to get out of it because it's just another input. It will not solve your problems. But it will certainly go a long way to save you reinventing the wheel."