When Cartier disclosed that attackers had breached its systems and made off with customer data, it joined a growing list of companies harmed in a similar way. Take Marks & Spencer, which recently put the cost of a single, sophisticated attack at around £300 million in lost operating profit. Then there’s Victoria’s Secret, which took its website offline entirely while it responded. Meanwhile, The North Face is dealing with a credential stuffing attack and Harrods with attempts to break into its systems. These examples are, in essence, battle reports from a war we’re losing because we’re fighting blind.
The reason is that, despite decades of tracking cyber threat actors and accumulating vast intelligence databases, the cybersecurity community operates like a collection of isolated fortresses, each defending against the same enemies while speaking different languages. The result? A cybercrime economy projected to cost $10.5 trillion a year grows stronger while our defences remain a shambles.
What’s in a Name?
One security vendor tracks a threat group as “COZY BEAR,” another calls it “APT29,” and a third writes about “UNC2452” or “Midnight Blizzard.” An analyst holding the third report cannot tell, without a crosswalk, whether it concerns a group they already track, and even the equivalences are approximate: each vendor defines its cluster from its own evidence and merges or splits it over time (UNC2452 began as an uncategorized Mandiant cluster that was only later folded into APT29). Ultimately, the issue here is strategic, rather than semantic. We’re not quibbling over naming conventions, but witnessing a fundamental intelligence failure that directly benefits our adversaries.
Because of this, organizations waste time and resources correlating threats across vendor reports, time and resources that could instead go into improving their defenses.
The recent CrowdStrike-Microsoft alliance shows what becomes possible when big names decide to work together. Through direct collaboration between their analysts, the two have already deconflicted more than 80 adversary names, effectively creating a Rosetta Stone for cyber threat attribution.
Transparency Now, More Than Ever
While industry leaders debate voluntary cooperation, regulators are forcing the issue through an unprecedented wave of mandatory incident reporting requirements. The numbers point to a big shift in how cybersecurity will be governed in the near term.
In the United States alone, 2024 witnessed the implementation of multiple overlapping disclosure mandates:
- Securities and Exchange Commission’s rules requiring public companies to report material incidents on Form 8-K within four business days of determining that the incident is material
- Federal Trade Commission’s amended Safeguards Rule requiring non-bank financial institutions to notify the FTC within 30 days of discovering a breach affecting 500 or more consumers
- Federal Communications Commission’s updated data breach rules requiring telecommunications carriers to notify the FCC, FBI and Secret Service within seven business days
- Department of Housing and Urban Development’s aggressive 12-hour reporting window for cyber incidents at FHA-approved mortgagees
The European Union has matched this spate of regulatory activism with its NIS2 Directive, which member states were required to transpose into national law by 17 October 2024, followed by the Cyber Resilience Act and the Cyber Solidarity Act. NIS2 alone brings hundreds of thousands of “essential” and “important” entities into scope, each with staged reporting duties: an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours.
What makes this regulatory surge truly significant is that, unlike previous compliance frameworks focused on after-the-fact disclosure to affected individuals, these new rules emphasize rapid information sharing with authorities to enable proactive defense. CISA’s proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) exemplifies this shift: covered critical infrastructure entities would have to report substantial incidents within 72 hours and ransom payments within 24 hours, timelines that prioritize collective defense over individual damage control.
Harnessing Public Data for Private Intelligence
Open Source Intelligence (OSINT) may be the great equalizer when it comes to handling cyber threats. By scouring publicly available sources, from surface-web forums to the dicey underworld of dark web marketplaces, modern OSINT tooling can identify stolen credentials, leaked source code, and emerging attack vectors in near real time.
Thinking about the size of the unindexed web can make one dizzy. As of 2024, the indexed internet consisted of roughly 1.1 billion websites, and the often-quoted estimate that the hidden part is 400-550 times larger refers to the deep web: the databases, paywalled pages and other content that search engines never index. The dark web proper (Tor onion services and similar) is a small slice of that. Different tools cover different parts of it: Google dorking (advanced search operators) surfaces exposed documents and misconfigured servers on the indexed web, while browser extensions such as Mitaka let an analyst pivot from an indicator to dozens of lookup services in a click. Combined with monitoring of criminal forums and leak sites, this lets companies detect breaches much more swiftly than those relying solely on internal monitoring.
A problem some companies have encountered with OSINT, however, is the capacity needed to develop and maintain resilient proxy networks, adaptive scraping tools, and the other infrastructure required to get past the increasingly robust anti-scraping measures of modern criminal operations, which range from honeypots to IP blocking and CAPTCHA walls. There is an operational security angle too: collection infrastructure that can be traced back to the monitoring organization tells forum operators exactly who is watching. As criminals advance their countermeasures, so must we improve our scraping tools and proxy infrastructure to continue gathering crucial intelligence.
The Dark Origin of Many Threats
The dark web is a double-edged sword, serving as both a marketplace and a testing ground for cybercriminals. It has its share of legitimate users (investigative journalists and human rights defenders, for instance), but it is also heavily populated by criminal groups refining their attack techniques and profiting from data breaches.
Speaking of data breaches, stolen corporate data frequently surfaces on dark web marketplaces and ransomware leak sites, sometimes within days of a successful intrusion. Continuous surveillance therefore appears to be the obvious solution. Done in-house, however, it exposes analysts to malware infections and even legal trouble arising from accidental engagement with illegal content, including other organizations’ stolen personal data.
The solution lies in collaborative intelligence frameworks that collect insights from the dark web while shielding companies from direct risk. For instance, specialist OSINT providers can take on the burden of compliant data collection on behalf of their clients and hand over only sanitized output: no malicious code, no illegal content, and no personal data beyond what the client needs in order to act.
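As an added example (not code from the original article or from any provider it mentions), here is the kind of sanitization step such a service performs before anything reaches a client: scan a credential dump for accounts on the client’s domains, pseudonymize the addresses, never carry the password itself into the deliverable, and drop everything belonging to other organizations. The dump lines, the monitored domain and the field names are constructed for this illustration.

```python
import hashlib
import re
from dataclasses import dataclass, asdict

# Constructed sample of the "email:password" lines typical of a credential dump.
# Nothing here is real; example.com and other.org are reserved documentation names.
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@example.com;hunter2
carol@other.org:letmein
dave@EXAMPLE.com:5f4dcc3b5aa765d61d8327deb882cf99
alice@example.com:Summer2024!
not a credential line at all
"""

MONITORED_DOMAINS = {"example.com"}  # the client's domains (assumed for this example)

# An address, a ':' or ';' separator, then the secret. Dumps vary; this covers the two common separators.
CRED_LINE = re.compile(r"^\s*([^\s:;@]+@[^\s:;@]+)\s*[:;]\s*(\S+)\s*$")
# 32/40/64 hex characters: MD5/SHA-1/SHA-256 style digests rather than plaintext passwords.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    email_hash: str          # SHA-256 of the normalized address; the client matches it against its own directory
    domain: str
    secret_kind: str         # "plaintext" or "hash"
    secret_fingerprint: str  # truncated SHA-256 of the secret: enough to confirm reuse, the value itself never shipped
    secret_length: int


def pseudonymize_email(email: str) -> str:
    return hashlib.sha256(email.strip().casefold().encode()).hexdigest()


def fingerprint_secret(secret: str) -> str:
    # The client hashes its own users' current passwords the same way and compares prefixes.
    return hashlib.sha256(secret.encode()).hexdigest()[:10]


def classify_secret(secret: str) -> str:
    return "hash" if HEX_DIGEST.match(secret) else "plaintext"


def scan_dump(text: str, monitored_domains: set[str]) -> list[Finding]:
    """Return one sanitized Finding per (account, secret) pair that belongs to a monitored domain."""
    seen: dict[tuple[str, str], Finding] = {}
    for raw in text.splitlines():
        m = CRED_LINE.match(raw)
        if not m:
            continue  # not a credential line; ignored
        email, secret = m.group(1).casefold(), m.group(2)
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored_domains:
            continue  # other organizations' data never enters the deliverable
        key = (pseudonymize_email(email), fingerprint_secret(secret))
        if key in seen:
            continue  # dumps are full of duplicates; report each pair once
        seen[key] = Finding(key[0], domain, classify_secret(secret), key[1], len(secret))
    return list(seen.values())


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts by secret kind: plaintext exposures are the ones that need an immediate reset."""
    counts = {"plaintext": 0, "hash": 0}
    for f in findings:
        counts[f.secret_kind] += 1
    return counts


if __name__ == "__main__":
    results = scan_dump(SAMPLE_DUMP, MONITORED_DOMAINS)
    for f in results:
        print(asdict(f))
    print(summarize(results))
```

Two design choices matter here. Filtering on the monitored domain before anything is stored is what keeps other organizations’ personal data out of the pipeline, and hashing the address rather than storing it means a leak of the deliverable exposes nothing the client did not already hold. The truncated secret fingerprint is a trade-off: it lets the client confirm that a dumped value matches a live password without the provider ever shipping plaintext, but for weak passwords a short digest is still guessable, so treat the deliverable as confidential rather than public.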
Why Information Sharing Creates a Force Multiplier Effect
Effective threat intelligence sharing compounds: an indicator or technique observed by one organization becomes a detection for every participant, so the benefit extends far beyond the organization that first saw it. It not only raises the cost and complexity for attackers, who must retool after a single detection rather than a hundred, but also lowers their chances of success.
Information Sharing and Analysis Centers (ISACs) demonstrate this multiplier effect in practice. ISACs are, essentially, sector-specific non-profit organizations that provide member companies with timely intelligence and real-world insights to boost their security. The success of existing ISACs has also driven expansion efforts, with 26 U.S. states adopting the NAIC Insurance Data Security Model Law, which standardizes security programs and breach notification in the insurance sector.
The European Union has systematized this approach through ENISA, its cybersecurity agency, which coordinates the sharing of threat intelligence among member states, not least by supporting the CSIRTs Network. ENISA’s framework enables cross-border collaboration while safeguarding confidentiality, a model that other regions are starting to adopt.
Moving from Concept to Reality
Although the benefits of information sharing are clear, actually implementing it is a different story. Common obstacles include legal questions about data disclosure, worries over revealing vulnerabilities to competitors, and the technical challenge itself: standardized threat intelligence formats such as STIX and TAXII exist, but mapping every vendor’s data into them consistently is no walk in the park. And yet it can certainly be done.
Case in point: the above-mentioned partnership between CrowdStrike and Microsoft. Its success hinges on a well-thought-out governance system that allows two business rivals to collaborate on threat attribution while protecting their proprietary techniques and competitive advantages.
Meanwhile, for smaller organizations, moving forward means making the most of what’s already available instead of building new systems from scratch.
By joining sector-specific ISACs, subscribing to professional OSINT services, and adopting standardized threat intelligence platforms, these organizations can unlock enterprise-level intelligence capabilities without stretching their limited resources too thin.
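The two threads above, vendor naming of the same group and the standardized formats a sharing platform runs on, come together in the following added example. It is not code from the article, from CrowdStrike or Microsoft, or from any ISAC; it uses the STIX 2.1 object layout (the OASIS standard; the `threat-actor` object’s `aliases` property and the `indicates` relationship are the spec’s own), and shows why alias lists travelling with the data matter. The two “vendor reports”, their alias lists (the names the article itself quotes) and the indicator values (reserved documentation addresses) are constructed.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<type>--<UUID>"; the prefix must equal the object's type.
STIX_ID = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def stix_timestamp() -> str:
    # RFC 3339, UTC, trailing 'Z', as STIX 2.1 requires.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_object(obj_type: str, **props) -> dict:
    """A STIX 2.1 object with the common required properties filled in."""
    ts = stix_timestamp()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}", "created": ts}
    if obj_type != "marking-definition":  # marking definitions are immutable and carry no 'modified'
        obj["modified"] = ts
    obj.update(props)
    return obj


def validate_common(obj: dict) -> bool:
    """Structural check of the common properties only; a full check needs the STIX JSON schemas."""
    m = STIX_ID.match(obj.get("id", ""))
    if not m or m.group(1) != obj.get("type") or obj.get("spec_version") != "2.1" or "created" not in obj:
        return False
    return obj["type"] == "marking-definition" or "modified" in obj


def build_report(vendor: str, actor_name: str, aliases: list[str], patterns: list[str], terms: str) -> dict:
    """One vendor's report as a STIX bundle: sharing terms, the actor as that vendor names it, and indicators."""
    marking = stix_object("marking-definition", definition_type="statement", definition={"statement": terms})
    actor = stix_object("threat-actor", name=actor_name, aliases=aliases, object_marking_refs=[marking["id"]])
    objects = [marking, actor]
    for pattern in patterns:
        indicator = stix_object("indicator", name=f"{vendor}: infrastructure attributed to {actor_name}",
                                pattern=pattern, pattern_type="stix", valid_from=stix_timestamp(),
                                indicator_types=["malicious-activity"], object_marking_refs=[marking["id"]])
        link = stix_object("relationship", relationship_type="indicates",
                           source_ref=indicator["id"], target_ref=actor["id"])
        objects += [indicator, link]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def resolve_actor(bundles: list[dict], any_name: str) -> list[dict]:
    """Every threat-actor object, across all reports, whose name or alias list contains any_name."""
    wanted = any_name.casefold()
    return [o for b in bundles for o in b["objects"]
            if o["type"] == "threat-actor"
            and any(n.casefold() == wanted for n in [o["name"], *o.get("aliases", [])])]


def indicators_for(bundles: list[dict], any_name: str) -> list[str]:
    """Union of indicator patterns the reports attribute to the group, whatever each vendor called it."""
    actor_ids = {a["id"] for a in resolve_actor(bundles, any_name)}
    patterns = set()
    for b in bundles:
        by_id = {o["id"]: o for o in b["objects"]}
        for o in b["objects"]:
            if o["type"] == "relationship" and o["relationship_type"] == "indicates" and o["target_ref"] in actor_ids:
                patterns.add(by_id[o["source_ref"]]["pattern"])
    return sorted(patterns)


# Constructed reports. Alias lists use the names quoted in the article; the indicator values are reserved
# documentation addresses, not real infrastructure.
TERMS = "Shared with ISAC members only; do not redistribute outside your organization."
REPORT_A = build_report("Vendor A", "COZY BEAR", ["APT29", "UNC2452", "Midnight Blizzard"],
                        ["[domain-name:value = 'c2-a.example']"], TERMS)
REPORT_B = build_report("Vendor B", "Midnight Blizzard", ["APT29"],
                        ["[ipv4-addr:value = '203.0.113.10']"], TERMS)
REPORTS = [REPORT_A, REPORT_B]

if __name__ == "__main__":
    print(json.dumps(REPORT_A, indent=2))
    for query in ("APT29", "Midnight Blizzard", "UNC2452", "COZY BEAR", "APT28"):
        print(query, "->", len(resolve_actor(REPORTS, query)), "actor object(s);", indicators_for(REPORTS, query))
```

The asymmetry in the constructed data is the point: asking for “APT29” or “Midnight Blizzard” pulls indicators from both reports, but asking for “COZY BEAR” finds only Vendor A’s, because Vendor B never listed that alias. A deconfliction effort like the one the article describes is, in data terms, the work of making those alias lists complete and keeping them that way as clusters are merged or split. The statement marking carried on every object is how a vendor’s sharing terms travel with the data rather than in a side agreement nobody reads.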
Collaboration as the Path Forward
To sum up, the cybersecurity field is at a significant crossroads. We can either continue with our scattershot approach to threat intelligence, with rival vendor taxonomies and isolated responses to incidents, or we can adopt collaborative frameworks that allow for collective defense on a scale we’ve never seen before.
The choice we face is both urgent and obvious. Threat actors already function as synchronized networks, trading tools, techniques, and intelligence about their targets within the criminal underground. They have clearly learned that working together enhances their individual abilities while reducing their risks. The defense community must rise to the occasion and surpass the level of coordination these groups have achieved.