Why people are the glue in collective defence

Cyber security has historically been an independent almost secretive activity. Organisations have long been extremely reluctant to share any threats they face for fear it will damage their reputation. Similarly, sharing threat data with other organisations has often been viewed as giving away a competitive advantage.

However, trying to face cyber threats alone only serves to leave the defender outnumbered. Very few attacks happen on a one-to-one basis – most threats are a collective effort. Cyber criminals can draw on a huge amount of global resources, buying and selling malware tools, attack techniques and expertise through dark web communities.

This is not a fair fight – and it’s one that all companies are going to lose eventually. To stand a chance against a collective attack, we need to have a collective defence.

A growing number of companies have become aware of the value of collaborating and sharing threat intelligence, and there are multiple national programs around the world to support this. The NCSC in the UK and DHS in the US both have their own Cyber Security Information Sharing Partnership (CiSP) programs, for example. ITC Secure are part of the NCSC’s CiSP program and regularly provide sponsorship for new members, if you would like further information, please get in touch.

But while these are a step in the right direction, there are still some major drawbacks. Those companies that are willing to share their threat intelligence must do so manually, and other organisations must likewise login and independently access and process the data to benefit from it.

Outside of official programs, we know some companies still share threat intelligence with each other over email, with all the delays needed to manually collate and attach data that entails.

This manual aspect is a major hold up that can be a serious problem in the lighting fast world of cyber security. To truly stand a chance against organised collective attackers, we need to share information at network speed.

This is where a collective defence strategy comes into play.

Sharing threat intelligence at network speed

As soon as an organisation detects and analyses a threat within their network, the data is anonymised and shared with all the SOC teams throughout the collective defence network. Only anonymous metadata is shared, eliminating any concerns about reputational damage.

An alert based on the data is automatically created and given a rating based on the threat it represents. These alerts are centred on malicious behaviour rather than specific threat signatures. If the same behaviours are detected in the networks of other members part of the collective network, the threat level will be upgraded.

This means that, for example, financial organisations would be able to identify an active campaign targeting firms in their sector. SOC teams can then collaborate, share findings and resources as they combat the threat.

Far from giving away a competitive advantage, sharing threat intelligence in this way will strengthen the entire industry.

The human factor

The key to fighting a collective attack is to collect and share intelligence at a speed only a machine can provide. In addition to powerful AI-driven automated tools playing a central role, genuine human experience and intuition is just as important as artificial intelligence.

Many networks have threats lurking in the background, going undetected by security solutions. More skilled attackers will use malware and techniques designed specifically to evade standard tools such as Endpoint Detection and Response (EDR). This is where a proactive approach to threat defending is needed and threat hunters step in. Drawing on years of experience in the field, they can identify the gaps in cyber security controls and spot the subtle signs of a high-level threat that will fly under the radar of automated systems.

Threat hunters are drawn from a variety of different backgrounds in IT security, but must all share a crucial analytical mindset and deep knowledge of cyber security. They need to be able to follow the breadcrumbs back to the source of a threat in order to contain it. Furthermore, they need to be skilled communicators, as they liaise closely with SOC teams and in-house security personnel of customers.  At ITC Secure, our SOC analysts work closely with the threat hunters at IronNet, for example, whilst utilising IronNet’s behavioural analytics technology within the IronDefense product. This relationship enables our analysts to focus on daily security activity while the threat hunters search for hidden threats.

While sharing streams of threat data between companies is still extremely beneficial, the advantages are multiplied when the raw information is given context and shaped by an experienced human hand.

Threat hunters and other security analysts can apply their experience and intuition to the threat data being shared across the collective network. This means that security teams at all ends of the network can provide each other with meaningful guidance for their investigations, pointing them in the right direction with actionable intelligence.

With a combination of advanced solutions identifying and sharing threat data with the speed and precision of a machine, backed by the combined knowledge and experience of skilled security analysts, organisations can work together to create a collective defence beneficial to all.

To view the full webinar, please visit here.

How to begin your journey

Our next webinar will take place on Thursday 27th August at 3pm BST. We will focus on how to start your collective defence journey, including:

  • Recap on collective defence as a strategy
  • Sharing attack intelligence and improving responses
  • The power of behavioural analytics when detecting attacks early in the kill chain
  • Prioritising and enriching threat data when sharing in the collective network
  • Panel: Ask the Experts

We conclude by introducing our new collective defence incentive.

To register, please visit here.