Monday, July 12th, 2021
Today’s threat and digital risk landscape stretch far beyond any single entity’s ability to comprehend. Often functioning as islands with the occasional outside data, financial institutions, healthcare organizations, webmail providers, utilities, tech companies, and everyone in between are constantly bombarded with cyber threats.
These islands are fortified with technology, processes, and resources to protect their inhabitants and connected systems, but even still incidents occur. The simple fact is that there is no silver bullet for protecting an organization from cyber threats; however, collectively, organizations can work towards a collective solution.
As organizations build proactive and hardened defenses, we can look in history books for use cases on how and why building a collective defense strategy offers the best potential solution. Take the Battle of Marathon, which after nine days of waiting for the Persians to attack, the Athenians directly charged their forces. Both outnumbered and outmatched, the odds were against them, yet they succeeded. But how?
Before going to war, the Athenians analyzed their adversary’s capabilities, techniques, and tools. The resulting intelligence showed that the Persians had the numbers and resources in their favor, which resulted in joining forces with the Spartans. Together, their collective defense led to a more assertive offensive solution, the Phalanx Formation. In this stance, warriors were formed collectively, neighbor beside neighbor, unifying their resources and processes to capitalize on their shared goal.
Like many battles that followed, time and time again, we see use cases of forces joining together and creating a collective defense. Today, cyber wars are faced not just in the public sector but range from small startups and enterprises to your grandparents and friends, but collectively they can be thwarted.
Collective defense is defined as a collaborative strategy that requires organizations, both internally and externally, to work together and across industries to defend against targeted cyber threats. In North America, this is commonly facilitated through Information Sharing and Analysis Centers (ISACs), in a few regions governments run Computer Emergency Response Teams (CERTs), but from there, the options become few and far between. The critical element for a collective defense strategy comes down to intelligence, both ingesting and sharing it.
By ingesting curated, validated, and enriched intelligence, a bank or credit union can thwart an attack targeting ATMs using IoCs from their peers. Likewise, the importance of sharing intelligence, even attacks that were successfully prevented, trumps that of ingestion. Data on malicious entities, such as malware, threat actors, threat indicators, and tactics, techniques, and procedures (TTPs), can make the difference in how the next attack impacts an organization, if at all. Externally, this intelligence offers security teams a view of the broader picture, gaining access to information they otherwise would not have.
Fortunately, technology also makes this even more accessible, as automation plays a role in sharing and ingesting intelligence. This process can remove most human intervention, which means security teams can function at machine speed. This empowers security teams with correlated and enriched data. Throw in a confidence score, and now what would usually take hours has the SOC actioning intelligence in minutes and prioritizing threats accordingly.
However, threat validation achieved through confidence scores and automation heavily rely on more organizations playing their part and sharing intelligence. One way to accomplish this is through a Hub and Spoke model, where ISACs, CERTs, and other organizations make sharing intelligence more accessible, primarily through automated means.
Threat intelligence sharing also helps organizations gain real-time situational awareness of threats lurking in their vicinity - an important value-oriented goal of collective defense. Threat intelligence platforms or a TIP allow organizations to ingest internal intelligence collected from on-premise and cloud-deployed and derive insights into how one might get compromised through advanced enrichment and correlation with the externally ingested intelligence.
The resulting intelligence can then be fed back into organizations’ existing security tools to proactively block malicious entities. The observations made from the analyzed threat data can also be used to create early-warning human-readable alerts and shared with security teams and employees to proactively warn them against threats such as spearphishing attacks. Threat intelligence sharing between organizations is also critical to building a knowledge repository that can be leveraged to connect the dots between disparate threat elements and campaigns to assist SOCs and security teams detect and respond to attacks faster.
The nature of global networks makes a collective approach to cyber security a necessity. The sharing of intelligence among organizations saves time, reduces duplicate efforts, and helps prevent future and ongoing attacks. In this era, where the security threat landscape is taking an aggressive and dangerous shape, building a collective defense through threat intelligence sharing is one of the most proactive strategies.
The quote by American Poet Mattie Stepanek, a collective defense offers strength in unity.
“Unity is strength. . . when there is teamwork and collaboration, wonderful things can be achieved.”