Harnessing Collective Insight - Successes in Leveraging a Threat Intelligence Community
Written by Matt McCormick, SVP of Corporate and Business Development at ThreatQuotient, Michael Daniel, President and CEO at Cyber Threat Alliance, and Aaron Bierlein, Cyber Threat Intelligence Manager at DeepSeas
In an era where cyber threats are becoming increasingly sophisticated and widespread, collective insight has emerged as a vital tool in strengthening cybersecurity defenses.
This was a key topic of discussion in the closing session of the Cyber Rhino Threat Week in December 2024, where Matt McCormick, SVP of Corporate and Business Development at ThreatQuotient, Michael Daniel, President and CEO at Cyber Threat Alliance, and Aaron Bierlein, Cyber Threat Intelligence Manager at DeepSeas, were key panelists.
The session focused on the value of collective insight as a powerful tool for improving security outcomes across organizations. This article captures key highlights from the discussion.
Cyber Threat Intelligence is not easy
Cyber threat intelligence is not new. It has been used by military units for several years, and we are now starting to see military-style intelligence and business intelligence approaches merge, bringing these best practices to people on the cyber front line.
However, cyber threat intelligence is not easy. While the concept of sharing threat intelligence has been spoken about at length, it is a lot harder to implement in reality because it takes resources and effort on a continuous basis and needs to be built on trust between the sharing parties, which takes time to establish.
Further, there is a big challenge in fostering a sharing community. Many organizations are happy to passively receive threat intelligence but are less keen to share threat insights proactively. Yet, there is so much value that comes out of real-time intelligence that organizations can pull out of their logs to analyze and share outwards. To achieve this, companies should worry less about what they are getting and share everything first. Generally, it is through this process that others will be encouraged to share, and everyone will benefit overall.
The benefits of intelligence sharing cannot be overlooked
The simple truth is that no single organization sees all the malicious activity on the Internet and the only way to get a handle on what’s happening across this broad and enormous digital ecosystem is to collaborate and share. Without this, there is a good chance that organizations will inevitably miss parts of the picture.
Sharing independently gathered intelligence with other organizations gives insight into what is happening across the industry and provides a community where asking questions about what others are seeing is allowed and encouraged. Within this community, it is understood that no person or organization will know everything and that everyone is looking for answers. Achieving this requires intentional work and effort, but it delivers immense value by shedding light on who is targeting organizations in similar industries and geographies, which helps them prepare effectively for these attacks. This value is gained by gathering incident response data, analysing it, and sharing it across the community.
The benefits of being part of a Cyber Threat Community
Many organizations are reluctant to share threat information but want to know what the other CISOs are seeing. However, in the face of disaster, this changes. For example, in the case of the MOVEit and Log4j vulnerabilities, organizations came together to share information on the internet, over email, and through texts to find out what was happening and what the next update was.
When the WannaCry incident happened, security teams were scrambling to find the email vector spreading it. After close examination and collaboration with other teams, it turned out that it wasn’t being spread by email, and security teams could look elsewhere to find out how it was spreading. These examples demonstrate the value of being part of a Cyber Threat Community. This kind of collaboration is something organizations should be doing all the time, because it allows a community to work together to solve real-time cyber threats and vulnerabilities.
There are many more examples of how security teams have come together to share valuable information and prevent further impact of potential threats. By having a neutral place to encourage information exchange the entire ecosystem can be more effective at fighting threats. In fact, being part of the ThreatQ sharing community has shed light on things that have shocked members as they learn about what is unfolding in the cyber threat landscape, even those who have been in the industry for 15 years and thought they had seen everything. It’s important to note that nothing bad comes out of coming together, talking to one another and learning about different perspectives.
Intelligence that does more than secure the environment
Shared intelligence provides insight into what the threats are and how they occur, and gives an overview of the situation that traditional security teams don’t have. This helps them do more than secure the organization: it also keeps these individuals calm during an incident and enables them to work through the situation systematically. A breach or ransomware attack can be a highly stressful situation, and rather than focusing on the situation at hand, teams can be naturally concerned about the security of their jobs.
A threat intelligence community provides a voice of reason in the chaos, helps teams focus on the task at hand, and helps them gain an understanding of what the real threat level is to the organization. It is only with this focus and insight that teams can address the threat effectively.
Sharing intelligence solves problems together
Threat intelligence is about having a hunger for knowledge and wanting to know what is happening in the world. Even in a competitive marketplace, we still have the power to help one another, and this strengthens the industry as organizations get stronger together.
Shared intelligence is about solving a problem and learning about new things together. It is about having a network to ask others if they have seen the same things, gaining different perspectives and making security more exciting and effective.
Several companies are already reaping the benefits of sharing insight into vulnerabilities, helping others to prioritize which threats are the most pressing and minimizing the potential impacts of those threats on a short time scale. With this kind of data sharing, there is no need to ask the question ‘What do we patch first?’ because teams know what the adversaries are and can respond with the right tools and even potentially automate specific processes accordingly. This shared intelligence collectively improves security teams’ ability to serve their organizations and effectively address emerging threats.