Most Threat Analysts Banned from Sharing Intel with Peers
Most threat intelligence analysts aren’t allowed to share artifacts with their peers in professional networks, hindering the global fight against cyber-attacks, according to Kaspersky.
The Russian anti-malware vendor compiled its latest report, Managing Your IT Security Team, from interviews with over 5200 IT business decision-makers across 31 countries in June 2020.
It revealed that two-thirds (66%) of threat intelligence analysts participate in a professional community, in order to gain access to the most up-to-date and actionable information to help them protect their organization.
This includes subscriptions to vulnerability databases (61%), taking part in professional forums and blogs (45%) and receiving threat intelligence from paid (42%) and free (33%) feeds.
However, employers are generally against these same analysts sharing their own intelligence with external communities: over half (52%) of respondents said their organization does not allow such activity.
As a result, fewer than half of analysts (44%) have shared potentially critical insights beyond their own organization. In companies where sharing is allowed, 77% do so, underlining how much analysts value collaboration in the fight against cyber-threats. Even in organizations where it is prohibited, 8% said they still try to share information.
This intelligence would typically include indicators of compromise (IoCs) such as file hashes or command-and-control (C&C) server addresses, as well as information on attacker tactics and techniques, motivations and common penetration vectors, according to Kaspersky.
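For a sense of what an analyst actually exchanges when they share the IoCs described above, the following is an added example (not part of the Kaspersky report or the article) that packages a file hash and a C&C hostname into a STIX 2.1-style indicator bundle, the interchange format used by most sharing platforms. The hash, hostname and IP values are constructed placeholders, not real IoCs, and the helper names are the author's own.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IoCs, as an analyst might collect them from an incident.
# None of these values refer to real malware or infrastructure.
SAMPLE_IOCS = [
    {"kind": "sha256", "value": "a" * 64, "description": "dropper seen in phishing campaign"},
    {"kind": "domain", "value": "update-check.example", "description": "C&C beacon host"},
    {"kind": "ipv4", "value": "203.0.113.42", "description": "C&C server (TEST-NET-3 range)"},
]

# Map each IoC kind to a STIX Cyber-observable pattern template.
PATTERN_TEMPLATES = {
    "sha256": "[file:hashes.'SHA-256' = '{value}']",
    "md5": "[file:hashes.MD5 = '{value}']",
    "domain": "[domain-name:value = '{value}']",
    "ipv4": "[ipv4-addr:value = '{value}']",
}

# Basic sanity checks so malformed or attacker-supplied strings never reach a
# shared feed (a pattern containing a stray quote would break every consumer).
VALIDATORS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "domain": re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$"),
    "ipv4": re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$"),
}


def _now() -> str:
    # STIX timestamps are UTC with millisecond precision and a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(kind: str, value: str, description: str) -> dict:
    """Build a STIX 2.1 Indicator object for one IoC, rejecting bad input."""
    value = value.strip().lower()
    if kind not in PATTERN_TEMPLATES:
        raise ValueError(f"unsupported IoC kind: {kind}")
    if not VALIDATORS[kind].match(value):
        raise ValueError(f"invalid {kind} value: {value!r}")
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": description,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[kind].format(value=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def build_bundle(iocs: list) -> dict:
    """Wrap a list of IoC dicts into a STIX 2.1 Bundle ready for a sharing platform."""
    objects = [make_indicator(i["kind"], i["value"], i["description"]) for i in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IOCS), indent=2))
```

The validation step matters more than it looks: a shared feed is consumed automatically by many organizations, so a single malformed or maliciously crafted value can poison blocklists downstream. Platforms such as MISP or OpenCTI accept bundles of this shape directly.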
“Any piece of information – be it new malware or insights on techniques used – is valuable when protecting against advanced threats,” argued Anatoly Simonenko, group manager, technology solutions product management, at Kaspersky.
“That’s why we constantly make our threat research findings available via our information resources and through our TI services. We encourage security analysts to also give a helping hand to others in the same collaborative way.”
Sharing in this way isn't just good practice; it could also help to relieve the workload on stretched analysts. The report found that 41% of those who had asked for help from internal communities had eventually left the business because of high workload.
However, there is also a balance to be struck: the report warned that sharing intelligence about an attack too early could give the threat actors an advantage, enabling them to adapt their tactics to evade further detection.