Threat intelligence helps businesses and organisations make the right decisions in their fight against cyber threats, and strategically design their digital defences for an optimised and up-to-date security situation. Combined with advanced security analysis, threat intelligence helps reduce the time between the detection of an attack and its containment. This is achieved by continuously providing information, accompanied by data, on existing and emerging cyber threats and vulnerabilities affecting corporate networks.

The community has recognised the need to be able to share Cyber Threat Information (CTI) in a timely and reliable manner to enhance its ability to identify any malicious activity or sources and mitigate attacks in a timely manner, prior to damaging organisations’ assets. The types of cyber threat related information that can be produced and shared among communities include, among others, security appliances log entries and alerts, measurable and observable actions, security bulletins and advisories, identified vulnerabilities, news, reports and intelligent information. Analysis and evaluation of such information is considered essential for an organisation, as sometimes the information that is shared is not properly filtered or checked, thus adversely affecting the organisations.

Using unreliable sources poses risks to the organisations, as the information may not be accurate or complete. To confront this undesired situation, organisations go beyond closed groups and use multiple sources instead. As such, CTI sharing takes place among multiple actors, such as government agencies and organisations, private sector organisations and industry-focused groups. One of the most challenging issues in this process is achieving consensus regarding how this information should be shared among interested parties and the threat intelligence community. This requires having a common understanding on what information is shared, how it is shared and whether its sharing is law-abiding.

CTI information is generated and shared among devices and organisations that typically have well-established procedures to appropriately handle personal and classified information found within. When CTI is about to be shared, especially with external entities, several interoperability and security issues have to be confronted, including legal, semantic and technical.

Arnolnt Spyros

InnoSec, Greece