Security Operations / By Sebastien Tricaud With all the cyberthreats around today, security operations center (SOC) analysts need the right tools to identify, respond to, and stop those threats. Increasingly, threat intelligence sharing is one of the key tools for preventing threat actors from breaching organizations’ network, infrastructure, and operational environments, including the cloud. Could organizations rely exclusively on their own threat-intelligence activities? They could try, but why go it alone when you could get help from an open-source threat intelligence sharing community? This article will explore the importance of threat intelligence sharing to the modern SOC. We’ll also look at implementation best practices, benefits, and the gold standard of open-source threat intelligence. The Importance of Threat Intelligence for Modern Security Operations First, let’s establish exactly what we mean by threat intelligence. Threat intelligence is a data feed of emerging threats, and the actors behind them. Cybersecurity teams use that information to identify, hunt, and stop threats from harming their organizations. Participation in a threat intelligence community amplifies every participating organization’s threat intelligence capabilities. Successful threat intelligence requires a broad source of threat information. That’s why trying to do it all in-house—even for very large organizations—is unlikely to deliver the detailed, timely information required to battle sophisticated attackers. That’s where threat intelligence sharing comes in. Threat intelligence sharing enables SOC teams to learn from the experiences of those who have already seen a given threat. Without that external information, when analysts see a new potential threat, there is no in-house playbook for dealing with it. The Benefits of Threat Intelligence Sharing If every SOC operated in isolation, analyst teams would first have to go it alone and figure out the nature and source of every potential threat before they could try to stop it. This would give threat actors too much time to strike, which is why many organizations are embracing threat intelligence sharing. There are different approaches to threat intelligence sharing: It can be performed by multiple teams within the same organization By companies operating in the same industry By organizations of all types and sizes working with a much broader community By sharing threat intelligence within a broad community, participating organizations are stronger together. It’s great to know that when your SOC analysts see a potential threat they can apply intelligence shared by experts who have seen and successfully stopped the threat. When details about threats are shared widely, every participating organization benefits, and collectively those individual organizations are much better informed and prepared to take on even the most sophisticated threat actors. Considerations for Implementation There are nuances to effective threat intelligence sharing. Sometimes, when SOC analysts first see a potential threat, it might be unwise to share that sighting widely because it could alert the threat actors that you’re on to them, leading them to accelerate their mission. Whether it’s done by multiple teams within a single organization, among industry peers, or by a community of many organizations, everyone benefits from threat intelligence sharing. In general, the sooner threat intelligence is shared, the better. But there is a responsibility to choose the right time to share threat intelligence and the best way to do it. Analysts who see a previously unknown threat have an obligation to assess the threat and its potential impact, as well as the tactics and tools they used to identify and stop it. There must be value in the information that is shared. Otherwise the overall value of the intelligence is diminished. MISP: The Gold Standard for Threat Intelligence Sharing One global threat intelligence sharing community—MISP—plays a vital leadership role in the battle against cyberthreats. The goal of the MISP project is to help member organizations stay secure by sharing threat intelligence widely and easily. There are two primary reasons MISP is making such an impact on threat intelligence sharing: It’s open source and independent Members worldwide shape and improve it Because MISP members run the community, there’s no central authority telling users what to do. Each member organization independently decides how much intelligence to share, how to use the information available from MISP, etc. And if a member organization wants to change how MISP is built, they work from the inside to improve it. The community has made the MISP dashboard easy to use. For example, MISP threat intelligence is built into Devo Security Operations, our next-gen security information and event management (SIEM) product. Customers who deploy Devo Security Operations receive full access to the MISP feed. And Devo customers have the choice of whether they want to share their own threat intel with the MISP community or not. Devo does not share any private customer data with MISP, only public, open-source data. An example from the Devo MISP dashboard available for all Devo Security Operations customers. Devo helped shape MISP by contributing SightingDB, an open-source database that stores indicators of compromise (IOC) and shows how many times we have seen them. We built the database because we needed it and then we shared it with the MISP community, where it’s now widely used worldwide. In addition to threat sharing, MISP also provides threat enrichment. The MISP dashboard presents information that enhances users’ understanding of threats and what those threats might be doing within their environment. For example, MISP can show that an indicator seen by one community member is part of a group of indicators from an attack campaign. SOC analysts use MISP to see how multiple IP addresses and related attributes can be tied to a particular campaign because all of that collective data displays as a MISP event. That level of threat intelligence detail provides a richer picture of a given threat than any organization could create on its own. The collective power of MISP threat intelligence fuels a stronger response from SOC teams, typically reducing mean time to resolution (MTTR) of an attack. Devo is proud to be part of the community working together to make MISP threat intelligence sharing a vital tool for the future of SOC analyst productivity.