In August 2019, the World Economic Forum (WEF) argued that cybersecurity should be framed as a "public good."
With technology at the heart of many of our lives, we all face an ever-increasing risk of loss and theft of personal data as cybercriminals evolve to target us from all directions. As such, the WEF believes that cybersecurity should be made more widely accessible to drive the betterment of society as a whole.
A key aspect of making things more freely available is the sharing of threat intelligence by organizations.
On paper, it seems rather straightforward: companies come together to share experiences to further enhance overall knowledge. In reality, there remains a hangover from more conservative times which continues to be a barrier.
Many business leaders regard their organization's security posture as a private matter and are unwilling to discuss any weaknesses it may have.
They are, not unjustifiably, concerned that disclosing such information could lead to attackers uncovering and exploiting existing vulnerabilities. On the occasions they do share, it tends to be with trusted peers and partners, effectively within a walled garden.
However, attacks are becoming more frequent and their focus is intensifying. Private businesses, government services, and critical national infrastructure are all being targeted far more regularly. There has never been a greater need for shared intelligence, so businesses must overcome their reticence and explore ways of sharing this vital information in confidence.
Turning the tables on cybercriminals
Even for the most skilled criminals, building new cyberattacks from the ground up isn't a quick job. Each variant needs to be more advanced than its predecessor to ensure it's able to stay ahead of new defenses.
That means more advanced coding and testing alongside greater research and understanding of defenses and employee behavior. It often takes around three months for a new attack to be ready.
When companies and the other "good guys" share up-to-date threat intelligence, they place the pressure on cybercriminals to shorten development times.
Suddenly, they don't have three months to exploit vulnerabilities. They rush out new variants that aren't as equipped and, therefore, deliver a decreased ROI, if anything at all. When businesses share intelligence faster than criminals can build, they are winning the battle.
The lucrative bug bounty market
With cybercriminals facing the pressures of developing their own solutions more quickly, the value of zero-day vulnerabilities has increased hugely. If criminals know that an unpublicized vulnerability exists, they can simply target it before vendors and businesses have a chance to patch. This demand is driving the lucrative "bug bounty" market.
When an individual discovers a new vulnerability, they then have a choice to make. They can give or sell it to the vendor responsible for where the vulnerability resides; they can sell it to a vulnerability broker who will then auction it off to the highest bidder; or, they can go full rogue and peddle it directly to cybercriminals.
Vendors are unlikely to offer the most money so they must hope that the individual's moral compass will point them in the ethical direction. That isn't always the case and it's the lure of cold hard cash that means businesses consistently remain at severe risk.
To make matters worse, it's not simply cybercriminals who can exploit zero-day vulnerabilities, but governments too. In a world of growing geopolitical tensions, governments are likely purchasing "bugs" from vulnerability vendors to use against an enemy state.
It really is no different from loading up the armory with missiles. Critical infrastructure organizations, in particular, will find themselves in the crosshairs.
Defending comprehensively against zero-day attacks is incredibly difficult as you simply have no idea where or what the vulnerability is. Yet, threat intelligence sharing can help to stifle the bug bounty market.
The more data that is shared, the greater the chances of organizations discovering potential vulnerabilities first through their own bug hunters, who are supported with more information. It also reduces the time available for nefarious actors to sell vulnerabilities before they're discovered and patched by white hat counterparts.
How to share threat intelligence with confidence
The open-source (OS) community is an asset that not all organizations make use of. Vendors can license and release code and encourage other members to use it within their own efforts. This public collaboration speeds up development and enables the vendor to gather huge quantities of rich threat intelligence which they can then put into further innovation.
Businesses need to consider that keeping some secrets, such as those around cybersecurity, is much more difficult than simply releasing them to communities. Even organizations such as the National Security Agency (NSA) have understood the value of OS and have developed tools within it.
Despite the benefits of sharing, many companies remain apprehensive. Fortunately, there is technology available to alleviate some of the fears that their own data will be used against them. Pseudonymization and anonymization are techniques recommended under the EU GDPR as means of enabling "data processors" to protect the privacy of individuals.
The techniques could be employed by organizations to protect their identities, allowing them to share threat information while maintaining complete anonymity. By hiding or replacing identifying data fields such as the names of companies, directors, products or IP, more cautious organizations would be at liberty to freely share threat information, confident in the knowledge that data canât be traced back.
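As an added illustration (not code from the article or from Telesoft), the following Python sketch pseudonymizes a threat report before sharing: identifying fields are replaced with keyed tokens, while the indicators other defenders need are left intact. The field names, the sample report and the key are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Assumed field names for this example; a real sharing schema will differ.
IDENTIFYING_FIELDS = ("company", "contact", "product", "internal_ip")
FREE_TEXT_FIELDS = ("description",)


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token: same value and key always give the same token."""
    msg = f"{field}:{value.strip().lower()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field}-{digest[:16]}"


def pseudonymize_report(report: dict, key: bytes) -> dict:
    """Return a copy safe to share: identifying fields replaced, indicators kept."""
    shared = dict(report)
    replacements = {}
    for field in IDENTIFYING_FIELDS:
        if report.get(field):
            token = pseudonym(str(report[field]), key, field)
            replacements[str(report[field])] = token
            shared[field] = token
    # Identifying values often leak into free text, so scrub them there too.
    for field in FREE_TEXT_FIELDS:
        text = shared.get(field)
        if not isinstance(text, str):
            continue
        # Longest values first, so a short value never splits a longer one.
        for original in sorted(replacements, key=len, reverse=True):
            text = text.replace(original, replacements[original])
        shared[field] = text
    return shared


# Constructed sample data (documentation address ranges, not real indicators).
SAMPLE_KEY = b"example-key-keep-this-secret-and-rotate-it"
SAMPLE_REPORT = {
    "company": "Example Utilities Ltd",
    "contact": "J. Smith",
    "product": "ExampleSCADA Gateway",
    "internal_ip": "10.20.30.40",
    "attacker_ip": "203.0.113.77",
    "malware_sha256": "0" * 64,
    "description": "Phishing mail to J. Smith at Example Utilities Ltd led to "
                   "beaconing from 10.20.30.40 to 203.0.113.77.",
}

if __name__ == "__main__":
    print(json.dumps(pseudonymize_report(SAMPLE_REPORT, SAMPLE_KEY), indent=2))
```

Because the tokens are keyed and deterministic, recipients can correlate several reports from the same unnamed source, but only the key holder can link a token back to a name. An unkeyed hash of a company name would not give that protection, since names can be guessed and hashed by anyone.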
Ultimately, the WEF's vision of cybersecurity as a "public good" will never be realized if threat intelligence is kept behind closed doors. If we truly hope to use cybersecurity for the betterment of society, the onus is on every organization, public or private, and regardless of size, to proactively share its threat information.
Only together can we take the fight to the criminals.
This article was contributed by Martin Rudd, CTO at Telesoft Technologies.