Threat Intelligence sharing is becoming more mainstream as ISACs and other industry sharing collectives gain popularity. As intelligence sharing becomes more popular, there are some things to consider to get the most out of it. Anomali’s new whitepaper, The Definitive Guide to Threat Intelligence Sharing explores this topic in-depth.
Like many other things, the more you put into sharing threat intelligence, the more you can potentially get out of it. It starts with choosing who to share with. Understanding what is good to share is another import aspect to consider. Most of all, collaborating with those you share with is key to improving the value for everyone involved. Adding context to what is shared, or including extra details observed from your own analysis is an important element of sharing threat intelligence.
Sharing with others in our own industry is the best place to start with sharing intelligence. This is essentially “home” for sharing intelligence and interacting with peers around threats and defenses. For most organizations, this is the full extent of who they share intelligence with and there is nothing wrong with that. There are other considerations for adding additional sharing partners, however. For one, not all attacks come over the Internet; some require a physical presence such as attacks against WIFI infrastructure. Finding local sharing partners, potentially not in your own industry, can be important for localized intelligence sharing. Also important is finding partners to share with outside the echo chamber of your industry or vertical. Sharing within your industry is certainly the best place to start, but looking for organizations to share with beyond your industry as a next step is a good idea.
In addition to sharing intelligence, other considerations might be sharing defensive measures such as YARA rules, snort rules, scripts, system or application configuration tweaks, security tool configurations, and so on. The idea is to collaborate closely with other sharing partners to:
- Improve visibility for better intelligence analysis
- Deliver stronger defenses that are optimized against observed and perceived threats
- Provide a useful vehicle for coordinating intelligence collection and analysis
Further thoughts on these topics as well as additional insights on threat intelligence sharing can be found in The Definitive Guide to Threat Intelligence Sharing.
Source: Honeypot Tech