To stop the hackers, security teams need to share more data on attacks
Just under half of cybersecurity professionals use any form of shared cyberthreat intelligence (CTI) in their efforts to protect their enterprises from cyberattacks and hackers, despite CTI’s potential to significantly improve security in the fight against cybercrime.
The reasons for this, according to a new report by Intel Security’s McAfee Labs, range from policies determining that data can’t leave the organisation, concerns over privacy and legality, and fears that use of CTI could interfere with ongoing investigations and the capture of suspects — all of which McAfee attribute to a lack of understanding.
While the McAfee Labs Threats Report March 2016 suggests that the 42 percent of cybersecurity professionals who’ve already engaged in cyberthreat intelligence sharing see intrinsic value in it, and 97 percent believe that it enables them to provide better protection for their company, the majority of security professionals are yet to be convinced.
Of those who haven’t implemented CTI within their organisation, 54 percent say it’s because of corporate policy which states that no confidential data or personally identifiable information should leave the network.
That, the report suggests, is a “generally good policy” but in the case of CTI, the “lack of understanding of the content being shared becomes self-defeating” because the hash value it creates to represent the file in question can’t be used to replicate the content.
Similarly, there are worries that sharing information on cyberthreat intelligence could breach privacy rules, with 24 percent of respondents who don’t use CTI expressing concerns they could risk fines as shared data would be linked back to their firms or themselves as individuals. It’s something McAfee suggests is an issue because “regulations regarding the sharing of personal information are not always fully understood”.
Those who don’t use shared cyberthreat intelligence even suggested they aren’t doing so because deploying such a technique could interfere with ongoing investigations, particularly those in government agencies and the military, which the report suggests take a different approach to fighting threats.
“For these organizations, it often makes sense to allow the exploit to succeed, while monitoring it — in order to gain more information about who is behind the attack and its target, as well as to determine a better way to mitigate future attacks,” the report says, although it concedes that in this case, not sharing information might be the best option.
“If the threat data is shared with a CTI community and the attackers participate in that community, they could be alerted that their activities have been identified — resulting in new tactics to avoid further detection,” the report states.
Nonetheless, McAfee remains adamant that cyberthreat intelligence is something which all organisations should consider in order to protect against “increasingly complex attacks”.
“Cyberthreat intelligence sharing is a crucial strategy to ensure that enterprises across entire industries are able to learn from each other and set up proactive defences to safeguard both their corporations and the industry as a whole,” says Raj Samani, CTO of EMEA at Intel Security.
“In many cases, advanced stealthy attacks can lay hidden on a network, undetected. With corporations proactively sharing details of threats and attacks, similar enterprises will also be able to more rapidly detect threats and correct their systems. Detection and correction of a cyberattack is just as important as the initial protection stage when safeguarding company and customer data,” he continues.
“Our report highlights that CTI must overcome the barriers of organisational policies, regulatory restrictions, liability risks, and a lack of implementation knowledge before its potential can be fully realised.” he says.
The McAfee Labs Threats Report for March 2016 is based 500 interviews with security professionals.