Failure to share threat intelligence harms UK's cyber-security
Most companies lack the security maturity to use more detailed threat intelligence efficiently, and their failure to share incident intel with government reduces the country's ability to react to attacks, according to a new report by AlienVault.
All businesses and governments use the transformation of raw data into reliable, meaningful and actionable information to improve their performance but some types of threat intelligence such as IP addresses, URLs, DNS information, malware samples and botnet data are a lot easier for companies to collect, ingest and utilise in decision-making. Free threat intelligence feeds exist and most security platforms can ingest open standards data, and use it in conjunction with internal telemetry and alerts such as IDS alerts, phishing attacks, malware trends and log correlation to provide a robust view of the threat landscape.
However, to improve their partner ecosystem, the information will need to be shared both amongst peers and between government and private sectors or many of the benefits will be negated.
Unfortunately, while intelligence sharing between public and private sectors is government policy in the UK with CISPs established specifically for that purpose, only a quarter of 300 UK-based IT security professionals surveyed believe UK government data on threat intelligence is reliable, according to new research from AlienVault. Most (81 percent) infosec professionals surveyed believe the government should be sharing more threat intelligence with the private sector, only 26 percent thought that government information was reliable, most (58 percent) rely on their own detection processes, and nearly a third (28 percent) on that of their trusted peers.
Yet when they discover a threat, only 20 percent share intelligence with the government, 40 percent with trusted peers, and 43 percent only share the information internally, often saying they wouldn't know who to contact if they needed to share something – and 10 percent won't share it with anyone at all.
Police and law enforcement agencies were called by 19 percent of those surveyed to investigate a breach and of those, 71 percent found the service effective, with only 13 percent describing law enforcement response and support as ineffective.
Noting the self-perpetuating situation, Javvad Malik, security advocate at AlienVault, told press: “It's worrying that so few security practitioners view government information as reliable. But ... unless the private sector shares intelligence with government sources, its information is bound to be out of date.”
He adds: “People worry about inadvertently sharing sensitive company information .... While this is a legitimate concern for many, it shouldn't be a stopping point – many items such as hash values, suspicious IP addresses and domain names are shareable with relative ease and without exposing any internal information.”
While most respondents viewed the government as a trusted partner in protecting them against nation states and other major threats, the lack of intelligence sharing results in degraded overall response to security threats which could limit response to nation-state attacks, particularly those targeting businesses.
Malik concludes, “If no one shares, you won't get good threat intelligence. Unless the government and private sectors can learn to trust each other and share intelligence effectively, our overall response is being slowed down.”