Most organisations don't share cyber threat intelligence externally, according to new research.
In a recent survey of over 5,000 global IT decision-makers, Russian cyber firm Kaspersky found more than half of respondents were not allowed to share threat intelligence outside of their business.
Sharing the tactics and techniques of bad actors helps the broader community defend itself when it is inevitably targeted by new tools and attack vectors, as seen during the recent SolarWinds hack and Microsoft Exchange Server vulnerabilities.
But while cyber security companies and large tech firms often share curated information about some of the latest cyber security concerns they have detected, silence from the broader security community could make it difficult to mitigate new attack vectors.
Head of Kaspersky’s operations centre, Sergey Soldatov, said it was reasonable for security hunters to keep mum about ongoing campaigns in order to not spook attackers.
“It’s just like in a criminal investigation – once underway, everything must be kept secret so that the perpetrator does not disappear,” he said. “And when it is clear who committed a crime, the entire organised criminal group must be immediately caught.
“Likewise, in the cyber world, until you know whether a response’s actions will be successful or not, you can’t reveal that a company is doing something, since attackers will easily understand that they were detected and go underground.”
Delays in telling peers about a new threat can be costly, especially since bad actors set up machines to scan the internet for vulnerable systems and deploy exploits without their victims’ knowledge.
Despite not necessarily sharing their own intelligence, a majority of IT experts speaking with Kaspersky said they used external threat intelligence services in the course of maintaining day-to-day cyber security.
Vulnerability databases, such as the MITRE Common Vulnerabilities and Exposures (CVE) database, are the most regularly used form of threat intelligence in the broader community, followed by professional forums and blogs.
Of late, the Australian cyber industry has been working to develop local threat intelligence capabilities to build a more collaborative cyber security landscape.
Last year, ACT firm Cybermerc received $2.44 million in funding to put together its Aushield Defend platform, where organisations can share information about ongoing cyber attack campaigns for analysis to help with mitigation.
Cybermerc CEO Matthew Nevin said at the time it was about “building a community” in security.
“Right now, Australian businesses are defending themselves in isolation,” he said. “We want them to collaborate.”
RMIT University started leading a similar project for the university sector in late 2020. Its threat intelligence network would see greater collaboration between governments and universities to help protect intellectual property and data.