The Expert's View with Jeremy Kirk

The Threat Intelligence Hangup: Why Don't Organizations Share?

Australia Is Pushing for Better Threat Intel Sharing
PwC's Steve Ingram

Cybercriminals and hackers have no problems sharing tips and tricks for how to break into networks. So why are companies and organizations still somewhat reluctant to share their threat intelligence?

It's long been a thorny question, and the lack of sharing is one reason why hackers are nearly always ahead. Organizations cite a multitude of reasons for holding back from sharing intelligence, ranging from worries about revealing too much to competitors to trust questions and, ultimately, fear of embarrassment.

But in the end, none of the worries are justified. To one company, an attack appears as "new" only insofar as it hasn't seen it before. The same hacking technique may have been used frequently against others. The lack of coordination puts attackers at a strong advantage.

The topic of sharing threat intelligence came up several times at a half-day forum in Sydney called Cyber Security - The Leadership Imperative 2017. The forum broadly addressed how to support Australia's plan to create a homegrown cybersecurity industry and better protect businesses.

Crooks Already Know

There's a pervasive belief that if organizations share threat intelligence, "the crooks will know what we're doing," says Steve Ingram, Asia-Pacific cyber lead for PwC.

"That's right," Ingram says. "So what? They [the crooks] don't [learn] anything they don't already know," Ingram says. "We're just giving back what they've done. And if they know we're active, we'll become a harder target. We'll become a better place to do business because we know they'll go for the easier hits."

Efforts are underway in Australia to improve intelligence sharing. The government's AU$230 million (US$173 million) cybersecurity strategy, launched in April 2016, called for improved coordination between private industry and government.

The government also plans to establish joint cyber threat sharing centers stationed in Australia's capital cities, along with an online threat intelligence portal. Brisbane has been selected for the first pilot center.

Organizations in certain verticals, such as financial services, do share among themselves but won't share outside their sector, Ingram says. In the U.S., the Information Sharing and Analysis Centers program is successful, but still, there are 24 separate ISACs representing verticals in the country's sprawling economy.

Australia is in a unique position because its economy is much smaller than that of the U.S., Ingram says. Access to threat intelligence should be an open circuit. Threat intelligence can be collected, standardized and anonymized and shared "with everyone, from the medical center down on the corner here to the biggest corporate on the ASX (Australian Securities Exchange)," he says.

Sharing in the Valley

In Silicon Valley, many companies have overcome the hangups, says Craig Davies, formerly Atlassian's director of security and now CEO of the Australian Cyber Security Growth Network. Atlassian shared threat intelligence with a number of cloud providers, including some of its competitors.

"We do it because the bad guys are better organized than us anyway," Davies said during a panel discussion. "You're not sharing anything private or confidential. You're sharing indicators of compromise."

The sharing among Silicon Valley companies came largely as a result of personal relationships between security professionals, Davies says.

"Everyone knew each other," he says. "You could trust them to use the data appropriately. That is so key to defense. You're all fighting the same adversaries."

Australia's efforts to take a formalized approach to sharing present an opportunity to create a system that may work better than others, Davies says. Still, better threat intelligence won't solve all of an organization's problems.

"Don't race in," he says. "Step back and really be clear about why you're doing it and what you're expecting to get out of it because it's just another input. It will not solve your problems. But it will certainly go a long way to save you reinventing the wheel."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Executive Editor for Security and Technology for Information Security Media Group. He's the creator of "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware, the greatest crime wave the internet has ever seen.
