Speaking at Infosecurity Europe 2019, Chris Doman, security researcher at AT&T Cybersecurity, explored the sharing of threat intelligence data and highlighted how it can be used to improve security and resilience, but warned that care must be taken to ensure that the right kind of data is shared.
He said that successful threat intelligence sharing comes down to being able to trust shared data, and it’s about the “quality of the data being shared, and not the quantity.”
For example, he added, there is a lot of “quick Tweeting” about attacks on Twitter, but often a lot of the threat information shared there is wrong, and that can be dangerous, Doman explained.
In terms of future trends that will drive threat intel sharing going forward, Doman listed the following:
- Automated pivoting and enrichments of IOCs
- Automated threat sharing
- Encrypted network traffic – JA3(S)
- Sigma and OSQuery Rules
To conclude, Doman stated that the industry should do more to share threat detection intel, but warned that it should be wary of oversharing threat tracking methods. He also highlighted the importance of being able to “trust your sharing partners”, which makes verification of shared data key. Finally, he pointed to automation as a pivotal technology in the evolution of threat intelligence sharing, but admitted that manual verification will always remain important.