The prevalence of cyber activity coming from adversaries with many different intents and capabilities has prompted many efforts to mitigate, or at least wrap our heads around, this problem set. As a result, a new industry has emerged, composed of commercial security solutions providers, research analysts, and other players engaging with government and industry stakeholders to foster a community around tackling this challenge. Threat intelligence and information sharing is a big part of the effort, and intelligence sharing has prompted thoughtful and necessary dialogue around the best way to distribute information, especially between government and industry.
Intelligence is no longer strictly within the purview of governments or classified environments. Of course, government intelligence sources can offer unparalleled visibility and insight into certain threats. But many independent researchers, non-profits, and commercial security companies are creating, cultivating, and sharing valuable cyber threat intelligence. We believe this phenomenon creates unique benefits and augmentations for government and non-government consumers of commercial threat intelligence:
1) Unclassified Intelligence can be Shared More Freely and Efficiently. In the cyber threat space, the actors often operate in the public space — over the Internet. Commercial monitoring, correlating, and tracking are inherently unclassified. Government consumers can respond to incidents and share unclassified threat intelligence from open sources more freely, and in a more timely manner. Government and military network defenders frequently operate at different classification levels and can’t easily access intelligence community indicators and intelligence, and bureaucratic or organizational issues can sometimes hinder mission goals. The communication and sharing of important intelligence gets stymied. Commercial threat intelligence can be shared unimpeded by clearance level, thus increasing the efficiency of stopping attacks or responding to incidents. Mandiant’s report on APT1, which included actionable indicators, is a good example of how commercial (and unclassified) threat intelligence has been shared widely within the government space without the need to take classification and dissemination issues into account.
2) Innovation in Intel Analysis. Commercial companies have greater pressure and incentives to adapt, improve, and innovate to benefit their business. As a result, the private sector can often work faster and expend more resources to create new analytics and technologies to assist in collecting and analyzing threat intelligence. Hiring challenges in the government may also prompt talented analysts to move to the private sector, creating a pool of analysts in the private sector who can tailor their intelligence reporting to a government audience.
3) Collections. Commercial entities have more flexibility in some respects, whereas government agencies must abide by very real legal, regulatory, and policy constraints. Also, the commercial sector often sees a greater breadth of foreign and domestic threat activity that the government may not see. This visibility helps round out the threat picture.
By augmenting existing governmental knowledge with commercial threat intelligence, governmental organizations can improve their network defenses with increased efficiency. By maximizing data sharing, governmental agencies will reduce the threats they face from exposure of personally identifiable information, from espionage, and from financial threat actors.
This article originally appeared on Mandiant’s M-Unition site on May 2nd, 2013.