Intelligence Sharing 2.0: Beyond Threat Intelligence

The attack surface in financial services has evolved rapidly, and the pain of necessity has forced organizations to learn how to share and create a collective defense through threat intelligence. However, with an audience built around threat intelligence, current trust groups and tooling are bursting at the seams with non-threat intelligence that deserves a proper home. With years of successful sharing behind us, the necessary guard rails and protocols have been established and value in private sector collaboration has been proven. Threat intelligence, however, is just one sliver of a properly resourced information security department. To meet the next wave of challenges facing us, we must take what we’ve learned and apply it beyond threat intelligence. 

The Early Days

The advent of cybersecurity threats caught most organizations flat-footed in the late 1990s.  Previous challenges to traditional IT - no less business - lacked the element of an adversary.  Pre-internet IT managers weren’t up against secretive nemeses yanking out cables or altering software, and despite occasional tall tales, corporate executives were rarely willing to bet the farm to spy on each other in the board room. The risk of getting caught kept the bad guys at bay, but that all flew out the window with the reach and anonymity provided in the internet age.  To pivot mentally into a theater that included a capable and motivated adversary, businesses had to look to law enforcement and military teachings.  This quickly ushered in the notion of threat intelligence and studying adversary capabilities and tactics. Unlike law enforcement and military challenges, however, the most useful data on corporate cyber adversaries was held in the private sector among partners, peers, and rivals.  It took a threat as significant as cybersecurity for commercial and legal teams to allow limited relationships, rapport, and lines of communication among historic competitors. By 2000, national governments had recognized the need for private sector entities to collaborate and closely share information, and one of those pushes gave rise to FS-ISAC.

Enter Information Sharing 1.0 and FS-ISAC 

FS-ISAC was founded in 1999 in response to a US Presidential Decision Directive but was created and operated entirely within the private sector.  Per the directive, FS-ISAC was self-governed and chose the manner and depth in which it would engage with government entities in the US and other countries. This independence and freedom proved critical to success, as the nature of cyber crime found much of the intelligence benefits in peer-to-peer interaction rather than peer-to-government. Further, the lack of a formal tie to any specific country allowed multinational and international members to share cross-border observations and begin identifying trends and data that would be germane to specific regions across the world. The private sector model with government resources available to counsel, share analysis methodology, or engage during specific large-scale incidents proved invaluable and rewarded those willing to try information sharing with the best track records in cybersecurity.  By 2010, FS-ISAC was well-established as the gold standard in information sharing, emulated across other sectors, and cited as a key control by regulators and auditors. Information sharing was here to stay. 

Intelligence That Needs Its Own Channels 

Fast-forward another decade and real-time, continuous sharing of threat intelligence has become a staple of any mature financial services security shop. Threat intelligence has become a standard department, job description, and skillset among cybersecurity programs with a burgeoning commercial sector in place to deliver enriched intelligence and assist in automation tooling. 2020 finds sharing alive and well, but signs point to a need to expand beyond threat intelligence. Within trust groups, a pattern has emerged of overloading intelligence channels with “off-topic” information about cyber defense practices and solutions beyond raw data. One factor that contributed to this evolution was the limitations on resources among smaller teams that saw the intelligence analyst function served by a jack-of-all-trades who processed intelligence one hour, performed incident response the next, and deployed infrastructure deployment and tuning that night. Heroes of the small shops found themselves talking preventative and detective controls, risk management, or governance and strategy within intelligence channels. Conferences and summits have seen more talks and interest in “non-intelligence” topics than pure intel, and detection and prevention rule sets and configurations are being normalized and shared for automated deployment now.  In a rare twist of fate, the larger, better-resourced teams with dedicated threat intelligence personnel have been the ones least served by this organic arrangement, as their dedicated risk management, red teaming, and governance personnel haven’t benefited from this overflow of helpful data taking place within intelligence channels. Ad-hoc workgroups and communities of interest have begun forming among clusters of large firms led by forward-leaning CISOs, but there are often duplications of effort or a word-of-mouth barrier to entry that limit their efficacy. 

Beyond Threat Intelligence

With the proof of value that occurred in threat intelligence sharing and inadvertent wins taking place in sharing defensive tactics and strategy, the time is nigh to formalize intelligence sharing beyond threat intelligence. Looking to the next decade, we will see formal channels dedicated to second line functions like governance, risk management, compliance, application security, and red-teaming. First-line functions such as incident response, use-case engineering, and security automation will find dedicated spaces to collaborate. Whether they manifest as mailing lists, chat channels, or summit themes, these initiatives will expand the benefits of intelligence sharing to entirely new audiences within firms and extend the force-multiplier advantage to new teams inside and outside traditional information security roles. When our red teams, developers, or even auditors start comparing notes, we should find a rising tide lifting all ships once again.