Threat intelligence: Sources, sharing, utilization and the government
More than three quarters of IT security professionals (81%) believe the government should be sharing more threat intelligence information with the private sector, according to AlienVault research.
In a survey of more than 300 UK-based IT security professionals, when asked how they viewed the government in protecting their business from hostile nations and major threats, 23.5% of respondents perceived the government as consuming threat intelligence but not sharing. A further 13% said they would have no idea who to contact if they needed to share intelligence with the government.
In addition, UK companies do not depend on government sources for their own intelligence. When asked which sources of threat intelligence they rely on, only 26% thought that government information was reliable, while 58% rely on their own detection processes, and 28% on those of their trusted peers.
Most organizations are still under the impression that IP reputation feeds and a subscription to their favorite ISAC are threat intelligence, when in reality this is very far from the truth, according to Rob Kraus, Director of Research for the Security Engineering Research Team at Solutionary.
“Sources are very diverse and really must be evaluated for the type of intelligence they can provide as well as the confidence of the source. It is important to understand that there is a significant difference in an information source as compared to a threat intelligence product. Organizations should invest time into understanding options and really digging into solutions before making a final decision,” Kraus added.
Javvad Malik, Security Advocate at AlienVault, said: “It’s worrying that so few security practitioners view government information as reliable. But it’s a case of chicken and egg – unless the private sector shares intelligence with government sources, its information is bound to be out of date. Without a consistent process for intelligence sharing, the situation will continue.”
When security professionals discover a threat, only 20% will share intelligence with the government. But 40% will share details with a closed community of their trusted peers. On the other end of the spectrum, 43% will only share information internally, and 10% won’t share it with anyone at all.
“Some government organizations are doing a better job with sharing indicators and threat information, but there is still a long way to go before enterprises gain any real value. There are often significant delays with information sources from government agencies, which diminishes the value of the data that often has a short lifespan. Additionally, government organizations do not always share information with each other, even amongst federal agencies, which can reduce overall confidence of the information or intelligence provided,” Kraus concluded.
When asked which specific types of attacks were of most concern to them, 43% cited insider threats from disgruntled employees, 40% were most concerned with hacktivists and 0-day exploits, and 30% were most concerned about state-sponsored attacks.
The survey also asked about the role law enforcement has to play in post-breach analysis. Of the participants, 19% had called police and law enforcement agencies to help investigate a breach at their company. Of those, 71% deemed the service provided to be effective, with only 13% describing law enforcement response and support as ineffective.