In recent months, it has become apparent that we’re fighting a cybercrime war — and we aren’t always winning. Several major companies have struggled to fend off increased attacks. These include Cartier, who found out that hackers had breached their systems and made off with customer data. Marks and Spencer recently suffered a staggering £300 million loss from a single, sophisticated attack. Victoria’s Secret had to shut its website down entirely.
The reason for this is that, despite decades of tracking cyber threat actors and accumulating huge intelligence databases, the cybersecurity community operates in silos, each team defending against the same enemies while speaking different languages. As a result, the $10.5 trillion cybercrime economy grows stronger while our defenses remain an uncoordinated mess.
What Is the Role of Information Sharing in Cybersecurity?
Information sharing in cybersecurity enables organizations to pool intelligence on threats, reducing duplicate efforts and improving collective defense. Standardized frameworks, OSINT tools and alliances like ISACs and CrowdStrike-Microsoft help identify adversaries faster, raise attack costs and meet new disclosure regulations.
The Importance of Clear Signifiers
Currently, no unified conformity exists when it comes to tracking threats. One security vendor might track a threat group called “COZY BEAR,” while another refers to it as “APT29” and a third discusses something called “Midnight Blizzard.” The issue here is strategic rather than semantic.
This lack of clarity leads organizations to waste time and resources on correlating threats across vendor reports. The lost time and resources would be better used in improving defense mechanisms.
The recent CrowdStrike-Microsoft alliance is a testament to the success that can arise from collaboration between big names. By combining their efforts, they’ve already revealed the identities of more than 80 adversaries, effectively creating a Rosetta Stone for cyber threat attribution.
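As an added illustration (not code from the article, CrowdStrike or Microsoft) of what such a cross-reference lets a defender do, the script below resolves the three names cited above to one canonical actor and merges per-vendor reports under it. The alias table, vendor names and indicators are constructed for the example; a real mapping would be populated from a maintained vendor or ISAC cross-reference.

```python
"""Correlate vendor threat reports that name the same actor differently.

Added example, not from the article. The alias table holds only the three
names the article cites; the sample reports and their indicators are constructed
(RFC 5737 test addresses, .invalid hostname) and stand in for vendor feeds.
"""
import re
from collections import defaultdict

# Hypothetical canonical name -> vendor aliases. In practice this comes from a
# maintained cross-reference, not from hand-edited code.
ALIAS_TABLE = {
    "APT29": {"COZY BEAR", "Midnight Blizzard", "APT29"},
}


def normalize(name):
    """Collapse case, whitespace and punctuation so 'Cozy-Bear' == 'COZY BEAR'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


# Reverse index: normalized alias -> canonical name
ALIAS_INDEX = {
    normalize(alias): canon
    for canon, aliases in ALIAS_TABLE.items()
    for alias in aliases
}


def resolve(name):
    """Return the canonical actor name, or the input unchanged if unmapped."""
    return ALIAS_INDEX.get(normalize(name), name)


def correlate(reports):
    """Group per-vendor reports by canonical actor, unioning their indicators."""
    merged = defaultdict(lambda: {"vendors": set(), "aliases": set(), "indicators": set()})
    for report in reports:
        entry = merged[resolve(report["actor"])]
        entry["vendors"].add(report["vendor"])
        entry["aliases"].add(report["actor"])
        entry["indicators"].update(report["indicators"])
    return dict(merged)


def unknown_aliases(reports):
    """Actor names no mapping covers: the manual correlation work the article calls wasted time."""
    return sorted({r["actor"] for r in reports if normalize(r["actor"]) not in ALIAS_INDEX})


# Constructed sample input: four vendors, three of them describing the same actor.
SAMPLE_REPORTS = [
    {"vendor": "VendorA", "actor": "COZY BEAR", "indicators": {"203.0.113.10", "example-c2.invalid"}},
    {"vendor": "VendorB", "actor": "apt29", "indicators": {"203.0.113.10"}},
    {"vendor": "VendorC", "actor": "Midnight Blizzard", "indicators": {"198.51.100.7"}},
    {"vendor": "VendorD", "actor": "Unknown Group 7", "indicators": {"192.0.2.5"}},
]

if __name__ == "__main__":
    for canon, entry in correlate(SAMPLE_REPORTS).items():
        print(canon, sorted(entry["vendors"]), sorted(entry["indicators"]))
    print("unmapped:", unknown_aliases(SAMPLE_REPORTS))
```

Running it merges the three differently named reports into one APT29 entry with all three vendors and indicators, while the unmapped name is surfaced separately so an analyst knows it still needs manual correlation rather than silently becoming a fourth "actor".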
The Urgent Need for Transparency in Cybersecurity
Although an ongoing debate rages in the industry about how to handle this situation, regulators are releasing a wave of unprecedented mandatory requirements on incident reporting. The numbers give insight into just how big of a shift cybersecurity will see in the near term.
In the United States, 2024 saw the implementation of multiple overlapping disclosure mandates, such as:
- The Securities and Exchange Commission’s requirement that public companies report material incidents within four business days.
- The Federal Communications Commission’s requirements for telecommunications providers to report within seven business days.
- The Federal Trade Commission’s regulations that have mandated financial services notifications within a 30-day window.
This spate of regulatory change is not confined to the US. The European Union has matched this enthusiasm with its NIS2 Directive, which it called on all member states to implement by October 2024. This was followed by the Cyber Resilience Act and Cyber Solidarity Act. Combined, the impact was felt by hundreds of thousands of entities across service sectors.
Unlike previous compliance requirements, this regulatory surge is primarily focused on post-incident disclosure, with the new rules emphasizing rapid information sharing to engage defense at speed. This shift is evident in the United States’ Cybersecurity and Infrastructure Security Agency’s proposed CIRCIA regulations that require critical infrastructure entities to report incidents within 72 hours and ransom payments within 24 hours. These timelines make it clear that regulators prioritize a collective defense response over individual damage control.
Using Public Data in Private Intelligence
Many experts consider open source intelligence (OSINT) to be the great equalizer when it comes to tackling cyber threats. By scouring publicly available data, which could be anything from internet forums to the dicey underworld of dark web marketplaces, modern OSINT capabilities can quickly identify stolen credentials, leaked source code and emerging attack vectors — all in real-time.
As of 2024, the “normal” internet consisted of roughly 1.1 billion websites, while the dark web was anywhere from 400 to 550 times larger. Despite the huge gap here, OSINT platforms like Google Dorks or Mitaka are able to keep a watchful eye on the vast quantity of data, which helps companies to detect breaches much more swiftly than those that solely rely on in-house monitoring.
Unfortunately, one problem that some companies have come across when using OSINT is the lack of capacity for developing and maintaining resilient proxy networks, adaptive scraping tools and other technologies that are necessary for dealing with the increasingly robust anti-scraping efforts put into play by modern cybercriminal operations. These techniques can be anything from honeypots to IP blocking systems. As criminals advance their countermeasures, defenders must therefore keep adapting their scraping tools and proxy infrastructure to continue gathering crucial intelligence.
The Dark Web: Where Threats Start
Unfortunately, the dark web is a double-edged sword, serving both as a marketplace and a testing ground for cybercriminals. Although it does have legitimate users, such as investigative journalists and human rights defenders, it is largely dominated by criminal groups.
Most stolen corporate data ends up on these dark web marketplaces, sometimes within just days of a successful operation. One obvious solution to this problem appears to be continuous surveillance, but this sometimes leaves organizations exposed to malware infections or even potential legal trouble from engagement with illegal content.
Instead, the solution lies in collaborative intelligence frameworks that collect insights from the dark web while also shielding companies from direct risks. For example, expert OSINT platforms can take on the burden of compliant data collection on behalf of their clients and provide them with a sanitized version of the data that doesn’t contain malicious code, illegal content or personal information.
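To make the sanitization step concrete, here is an added example (not the article's code and not any OSINT vendor's pipeline) of the minimum such a platform does before forwarding a collected listing: strip active content, redact personal data, and replace card numbers only when they pass a Luhn check so ordinary digit runs are not mangled. Clients receive the redacted text plus one-way fingerprints, so they can check whether their own domain appears without receiving the raw addresses. The sample listing is constructed, and the regular expressions are deliberately simple.

```python
"""Sanitize a scraped listing before it is forwarded to a client.

Added example, not from the article or any OSINT product. The sample post is
constructed; patterns are illustrative, not a complete PII detector.
"""
import hashlib
import html
import re

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(value):
    """One-way reference so a client can match against its own data without seeing the raw value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def sanitize(raw):
    """Return (clean_text, findings): text safe to forward plus a summary of what was redacted."""
    findings = {"emails": [], "phones": 0, "cards": 0, "scripts": 0}

    # 1. Remove active content first, then any remaining markup, then decode entities.
    text, findings["scripts"] = SCRIPT_RE.subn("", raw)
    text = TAG_RE.sub("", text)
    text = html.unescape(text)

    # 2. Replace e-mail addresses, keeping only the domain and a fingerprint.
    def email_sub(match):
        addr = match.group(0).lower()
        domain = addr.rsplit("@", 1)[1]
        findings["emails"].append({"domain": domain, "ref": fingerprint(addr)})
        return f"[EMAIL:{domain}]"

    text = EMAIL_RE.sub(email_sub, text)

    # 3. Card numbers before phone numbers, since the phone pattern would also match them.
    def card_sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            findings["cards"] += 1
            return "[CARD]"
        return match.group(0)

    text = CARD_RE.sub(card_sub, text)
    text, findings["phones"] = PHONE_RE.subn("[PHONE]", text)
    return text, findings


def affected_domains(findings):
    """Domains whose addresses appeared in the listing: what a client actually needs to know."""
    return {e["domain"] for e in findings["emails"]}


# Constructed sample of a scraped marketplace listing (4111... is a public test card number).
SAMPLE_POST = (
    "<div>Fresh dump from acme-example.com<script>alert(1)</script></div>\n"
    "contact: seller@mail.example, victim: jane.doe@acme-example.com\n"
    "phone +1 (555) 010-9999, card 4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_POST)
    print(clean)
    print(found)
    print("affected:", sorted(affected_domains(found)))
```

The order of the steps matters: script blocks are removed before generic tags so their bodies do not survive as plain text, and card redaction runs before phone redaction because the looser phone pattern would otherwise consume card numbers and hide them from the Luhn check.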
The Force Multiplier Effect in Cybersecurity
When threat intelligence sharing is done well, it creates exponential defensive improvements that benefit far more than individual organizations. Not only does it raise the cost and complexity for attackers, but it also lowers their chances of success across industries.
Information Sharing and Analysis Centers (ISACs) have been able to demonstrate this multiplier effect in practice. ISACs are non-profit organizations that provide companies with timely intelligence and real-world insights, helping to boost security. The success of these organizations has led to expansion efforts, with 26 U.S. states adopting the NAIC Model Law to encourage information sharing in the insurance sector.
Turning a Concept Into Reality
Despite its clear benefits, actually implementing information sharing is a different story. There are many common obstacles, such as legal issues regarding data disclosure, worries over revealing vulnerabilities to competitors and the technical challenge itself. It’s clear that devising standardized threat intelligence formats is not an easy undertaking. Yet, working toward this goal as a group can accomplish it.
One such case in point is the partnership between CrowdStrike and Microsoft, the success of which hinges on its well-thought-out governance system. This allows these two business rivals to collaborate on threat attribution while protecting their proprietary techniques and competitive advantages.
For smaller organizations, moving forward looks slightly different. They can make the most of what’s readily available instead of having to take on building new systems from scratch. By getting involved in sector-specific ISACs, signing up for professional OSINT services and adopting standardized threat intelligence platforms, smaller businesses can reap the rewards of enterprise-level intelligence capabilities without stretching their own resources too thin.
The Role of Collaboration Going Forward
Clearly, the cybersecurity industry is at a crossroads. We can either continue with the current haphazard approach to threat intelligence that’s leaving us exposed to attack, or we can adopt collaborative frameworks that allow for a collective defense unlike we’ve ever seen before.
The choice ahead is incredibly urgent. Threat actors are already functioning as synchronized networks, trading tools, techniques and intelligence about their targets. They’ve established that working together enhances their individual capabilities and reduces risks. It’s key that the defense community is able to rise to the occasion and surpass the collaboration that these groups achieve.
