How threat intelligence sharing can improve the security posture of whole industries

The speed at which cybercriminals operate can be worrying for those tasked with defending networks from attacks. Threat actors can weaponize vulnerabilities within days of them being discovered, and successful exploits or techniques will rapidly spread among criminal communities.

Companies need to be sharing more security intelligence with industry peers to better defend against and more rapidly adapt to ever-changing threats. To foster greater collaboration and share best practices, UBS partnered with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to bring together organizations from banking and finance across Europe to take part in a series of cyber war games.

War games with peers improves incident response

UBS is a Swiss-based multinational investment bank and financial services provider with over 60,000 employees managing assets with a total value of over $950 billion. UBS Business Solutions (BS), created in 2017, is a separate entity performing back-office services (including IT, transactions, trading systems, risk management, legal services, human resources and marketing) that ensure key services can continue in the wake of any major financial crisis at UBS.

As CISO and head of cyber assurance testing at UBS BS, Carlo Hopstaken is responsible for testing the resilience of various systems and the responses of teams designed to protect them within UBS. He also ensures that UBS adheres to financial services-focused testing frameworks such as CBEST in the UK, iCAST in Hong Kong, or Tiber in the European Union.

To further test the capabilities of his teams and foster knowledge sharing among his and other companies in the sector, Hopstaken and UBS partnered with FS-ISAC to conduct a war games exercise in February 2019.

The war game consisted of defending a virtual network designed to mimic those you might find within a financial services organization from a WannaCry-like ransomware attack. A red team executed a coordinated attack to keep all the blue teams involved on their toes. It gave Hopstaken a chance to test his company’s playbooks as well as see how other companies would respond in similar situations.

“I think it was really good to see as well how different analysts interact with each other,” he says. “We enjoyed working with representatives from other organizations and saw firsthand the impact that collaboration and information-sharing had on the participants’ decision-making and response times.”

As well as UBS and 14 financial services and trade associations from Europe, various retail and investment banks, asset and wealth management and financial services companies also attended the event. “One of the strengths of doing that together with a group like this is that you get that cross-collaboration,” says Ray Irving, managing director, Global Business Services, FS-ISAC. Different organizations will have different strengths and knowledge, and maybe they can pull those together. It’s a very valuable learning experience for everybody to learn from each other’s best practices. If you combine what you all know, what you have between you is much more than you would have had operating in your individual silos.”

Sharing security intelligence is good for business

The war game is just one part of UBS’s efforts around sharing and collaboration in the security field. “We share a lot of threat intel, but we also talk a lot about our defense capabilities on the protective as well as the detective side,” says Hopstaken. “If you share threat intel you also know what different techniques cybercriminals are using, so you can build up your defense capability accordingly.”

“I participate by presenting certain topics and our SOC provides threat intel back. I’m using it to exchange with peers; what they are currently doing, looking at the current trends, but also  emerging threats. From my point of view, it’s really good to have this peer discussions,” says Hopstaken.

As well as indicators of compromise or information around threat actors and vulnerabilities, Irving explains that FS-ISAC members also share information around strategy and what security programs companies may be running or planning to run. “Sharing doesn’t have to be about an incident or a threat that you experience. It can also be about things that you’ve done, that are successful or not successful, and can obviously be very helpful when you’re combating the bad guys” he says.

There are measurable benefits to sharing information. In their latest Data Breach Preparedness study, Experian and Ponemon found that 51 percent of organizations participate or is planning to participate in initiatives for sharing information. The main benefits those organizations report are greater collaboration, an improved security posture and speedier incident response efforts.

The study also found that organizations that participate or plan to participate are less likely to have suffered a data breach within the last 12 months compared to those that do not and have no plans to join any sharing initiatives.

Cost benefit of sharing security intel

The study also lists a lack of resources and the cost of participation as one of the main barriers to participating in intel sharing. A recent report from Accenture & Ponemon, however, suggest there’s monetary value to sharing.

The study, designed to help quantify which security technologies provide the most savings, found that enterprises that invest in threat intelligence and sharing can see cost savings of $2.26 million per organization. This is because it not only helps around discovery and investigation activities, but also understanding and prevention of threats, which aids in allocating resources against anticipated attacks.

“Industries are starting to club together and figure out how they can share some of that intelligence,” says Nick Taylor, managing director, strategy, at Accenture UKI. “We’re finding that retailers, the smaller banks, manufacturing, and some in the pharma industries are actually forming informal networks where they’re sharing data between or sharing threat intelligence between peers just to get an understanding [of threats].

“CSOs are saying that they’re getting a lot of value by actually picking up the phone and talking to each other about threats they’re seeing in their environments,” Taylor continues. “Security professionals are now realizing that to cooperate and to partner is much more beneficial than to go it alone.”

No one is competing on security

Another barrier the Experian study cited to information sharing was concerns around potential liability or anti-competitiveness. “It’s in our interest that other banks are not being hacked because this could also have an impact on ourselves,” says Hopstaken. “We are all fighting against the same threat actors and having certain threat intel is not something that is a competitive advantage.”

However, given that the study found nearly half of companies don’t share intel in any way, there are still many companies that don’t feel comfortable being part of a wider community. “Most companies are not doing enough sharing on info-security best practices, in particular, companies that would be competitors or operating in the same segments,” says Michael Bruemmer, vice president of the Experian Data Breach Resolution group. “That’s hugely unfortunate because there are lots of learnings out there, and everybody wins by that sharing.”

Bruemmer adds that often the only way companies change their stance around sharing information is for CSOs to “stick their neck on the line despite the company’s policy to not share” and reach out to industry peers even when executives are concerned about competition to show the benefits that even one conversation with perceived rivals can have.

“Security professionals know they can’t do it all by themselves, and it’s unfortunate that whoever makes that decision is wildly missing an opportunity,” Bruemmer says. “It’s an overall attitude at the board or the C-level that’s creating that problem. I haven’t seen any CEOs do it on their own. They always have to be convinced from down to the bowels of the organization because there’s a progressive person in that security role that wants to go beyond conventional wisdom.”

Sharing intelligence, especially around attacks, doesn’t have to lead to a company revealing anything sensitive about themselves. An entire incident can usually be boiled down to indicators of compromise, malware samples and some advice on how to break the kill chain, none of which has to reveal anything sensitive.  

“If you want to share intelligence, you don’t really need to open your kimono,” says FS-ISAC’s Irving. “It doesn’t reveal who you are. It doesn’t know anything about your own strengths and weaknesses. It simply shows that there’s another type of attack and that there is some way to stop it.”

“If people are wondering if they should be sharing or not,” adds Irving, “it is actually quite easy to share some basic information which is actually pertinent and useful to peer organization while not exposing yourself as much as you would think.”