Cybersecurity is continuously evolving, and the ability to detect attacks quickly is crucial for security teams to mitigate threats and vulnerabilities before they are exploited. Cybersecurity threat intelligence (CTI) plays a key role in detecting and closing security gaps, as it helps identify cyber threats through access to data that reveal the existence or details of a breach. The challenge is that the sources from which such actionable intelligence can be obtained are limited. Although a Security Operations Center (SOC) and honeypots offer valuable insights, the information they produce is limited to the organization operating them. The need for more threat intelligence has compelled organizations to exchange threat intel, to crowdsource it, or both.
Crowdsourcing is one of the most widely used processes today for gathering labor, knowledge, or opinions from a sizable number of people or entities who contribute their information online, on social media, or through mobile apps. In a security context, the contributions may consist of system artifacts, security alerts, and existing threat intelligence reports. Collective intelligence can be generated from enterprise-owned security intelligence platforms or crowdsourced via mass-market applications. Crowdsourcing is a growing trend in which companies and organizations leverage the power of the crowd to identify and mitigate security threats. This article explores the need to gather threat intelligence from multiple sources and to build a comprehensive database that can be used to defend against cyberattacks. It also discusses open threat exchange and security crowdsourcing as ways of leveraging collective intelligence.
What Is Cybersecurity Collective Intelligence?
Collective intelligence in cybersecurity involves sharing information about vulnerabilities, threats, and mitigations among different stakeholders. Businesses, government agencies, security vendors, and individual researchers can all participate in collective intelligence efforts. Cyber threats, now distributed across many environments and devices, are constantly evolving. Collaborative intelligence can help security teams understand what is happening to their systems, enabling them to direct effort toward fixing known or suspected weaknesses. Cybercriminals use psychological tricks to manipulate their victims, so awareness of cybersecurity issues is essential. According to recent research on small and medium businesses, around 34% of businesses have never provided their staff with cybersecurity awareness training (Pawar & Palivela, 2022). Collective intelligence can help security teams improve risk management by sharing information about vulnerabilities and threats across different business verticals. This is generally carried out through intelligence exchange platforms that rely on contributions from business organizations of all sizes and from security vendors. Based on its source and nature, threat intelligence can be divided into two categories: threat exchange and vulnerability detection via crowdsourcing. Both are discussed in detail below.
Security Crowdsourcing
Security crowdsourcing is a technique companies and organizations use to gather collective intelligence from various sources, including bug bounty programs. The idea behind these programs is to identify and neutralize cyber threats. A bug bounty program is the best-known example of a program that leverages crowdsourcing for security investigation; it allows novice and expert contributors alike to submit vulnerability findings from their own perspectives, which helps improve the system or application. Crowdsourced security programs reward people for discovering flaws and vulnerabilities, and they can be classified into the following types.
Hacktivism and Bug Bounties
Every large business organization or major tech giant has an active bug bounty program. These programs operate by allowing individuals to report any vulnerability or bug. If the reported issue is found to be valid, the individual will be compensated for their efforts. Ethical hackers can earn anywhere from a few hundred dollars to a couple of million dollars by uncovering software vulnerabilities, making it a lucrative full-time income opportunity.
Crowdsourced VAPT (Vulnerability Assessment and Penetration Testing)
Crowdsourcing programs invite ethical hackers to find bugs and vulnerabilities in an organization's applications or website; upon reporting the exposure, the ethical hacker is rewarded with money and recognition for the finding. A vulnerability disclosure or crowdsourced VAPT is a vulnerability assessment and disclosure carried out while the product is already on the market and in use, which makes the reporting records openly available to the public (Mujezinovic, 2023). These bug bounties vary in scope, from detecting minor bugs to identifying exploitable vulnerabilities. The more extensive engagements, whose aim is to detect exploitable vulnerabilities, can be termed crowdsourced VAPT.
Malware Crowdsourcing
If your device's antivirus software has missed a detection, you can check whether a downloaded file is malicious using online scanners. These online scanners and tools aggregate the verdicts of multiple security products to check whether the file in question is harmful. While organizations typically collect such data from their own endpoint security systems and devices, crowdsourcing extends the collection to regular users and the public.
Disseminating Cyber Threat Intelligence
Organizations can improve their security posture and capability to develop countermeasures for security threats by sharing and utilizing shared information via threat exchange platforms. Access to resources that provide information about potential threats enables one to detect existing threats and develop countermeasures for possible advanced versions of a particular threat (Cortés, 2023).
Strategic Cyber Threat Intelligence
Strategic CTI is a type of intelligence that helps business leaders make high-level decisions about cybersecurity threats. This information usually comes from white papers and other sources, such as news reports and governmental or academic institutions’ policy documents. To develop effective strategic CTI, an organization must understand the issues surrounding digital security, sociopolitical and market trends, and business concepts. Security heads then craft a report for nontechnical personnel to understand cyber threats and possible mitigation strategies. The amount of research required in this process makes automation a standard tool for improving the effectiveness and efficiency of operations.
Tactical Cyber Threat Intelligence
Tactical CTI, which covers the Tactics, Techniques, and Procedures (TTPs) of threat actors, aims to help security teams and SOC managers understand the methods and processes of malicious hackers. Tactical CTI reports include details about the attack vectors, tools, and infrastructure threat actors use to breach IT infrastructures or delay detection. Security research groups and product vendors generally produce tactical CTI. These groups also report on the effectiveness of existing controls, and their findings are adopted by an organization's security team.
Operational Cyber Threat Intelligence
Operational CTI reports are more technical than tactical ones, focusing on cyber attacks, security events, and other technical topics. These insights help security professionals understand the nature, intent, and other specifics of cyber threats and can provide valuable insight into future cyber risks. Threat intelligence platforms and reported indicators of compromise (IoCs) are the main data feeds for operational threat intelligence. Vulnerabilities found in any application, device, or operating system and submitted under a bug bounty program also fall under this type of intelligence.
Models for Threat Detection by Enterprises
The enterprise could divide its threat detection and response measures into three categories: endpoints, networks, and open threat exchange platforms (Pankhania, 2023).
Endpoint Detection and Response
Every device connected to a network is a potential attack vector for adversaries. EDR solutions gather data from endpoints, identify potential threats, search hosts, and automate subsequent security reporting.
Network Detection and Response
Network Detection and Response (NDR) is a subset of network traffic analysis that uses artificial intelligence and machine learning to classify unknown and known threats entering or exiting networks. NDR solutions have advanced the state of network security by applying machine learning to scope for lateral movements in networks, centralize network traffic analysis, and ensure complete visibility into networks.
Extended Threat Detection and Response (XDR)
With XDR solutions, you can analyze traffic and security events between devices in a network. XDR solutions combine logs from two or more sources, such as firewalls, intrusion detection systems, event log servers, and external third-party data feeds. These sources are integrated locally with Active Directory log files for enhanced visibility. XDR platforms normalize data from the separate sources into a common format for analysis, with the same goal as NDR solutions—threat detection and remediation.
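To illustrate the normalization step described above, and the IoC feeds mentioned under Operational CTI, here is an added example that is not code from the page or from any XDR vendor: it maps two constructed log formats (a firewall line and an IDS alert) onto one event schema, groups the events by source IP, and enriches them with a constructed indicator list. All log formats, hostnames, and indicator values are made-up placeholders.

```python
import re
from collections import defaultdict

# Constructed sample logs in two made-up vendor formats (not from any real product).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-05-01T10:00:03Z fw01 action=allow src=198.51.100.9 dst=10.0.0.8 dport=443",
]
IDS_LOGS = [
    "05/01/2024-10:00:02.000 [**] ET SCAN SMB probe [**] 203.0.113.7:51515 -> 10.0.0.5:445",
]
# Constructed operational-CTI feed (placeholder indicator, not a real IoC).
IOC_FEED = {"203.0.113.7": "constructed-scanner-ip"}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def normalize(line, source):
    """Map one vendor-specific line onto the common schema; None if it does not parse."""
    m = (FW_RE if source == "firewall" else IDS_RE).match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"source": source, "src_ip": d["src"], "dst_ip": d["dst"],
            "dst_port": int(d["dport"]), "detail": d.get("action") or d.get("sig")}

def correlate(fw_lines, ids_lines, ioc_feed):
    """Group normalized events by source IP and flag multi-sensor or feed-matching IPs."""
    events = [e for l in fw_lines if (e := normalize(l, "firewall"))]
    events += [e for l in ids_lines if (e := normalize(l, "ids"))]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_src.items():
        sensors = {e["source"] for e in evs}
        ioc = ioc_feed.get(ip)
        # Only IPs seen by more than one sensor, or present in the feed, are escalated.
        if len(sensors) > 1 or ioc:
            findings.append({"src_ip": ip, "sensors": sorted(sensors),
                             "ioc": ioc, "events": len(evs)})
    return findings

if __name__ == "__main__":
    for f in correlate(FIREWALL_LOGS, IDS_LOGS, IOC_FEED):
        print(f)
```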
Benefits of Intelligence Sharing and Crowdsourcing
Crowdsourcing security skills aims to benefit both organizations and bounty hunters by providing incentives for reported critical bugs. Through security crowdsourcing, businesses indirectly employ these ethical hackers as freelance manpower for specific projects and applications. This saves the cost of hiring professionals who, after spending considerable time and resources, may or may not find the vulnerabilities. It also helps organizations test the product against many varied real-world inputs that push the application to its limits. The number of testers involved in such a program ensures rigorous testing at minimal cost.
While crowdsourcing has an obvious numerical advantage, only some aspects of security testing can be opened to such programs, since others would give non-authorized testers access to sensitive data and business architecture. In such cases, the ideal way to stay ahead in the threat intelligence game is to procure intel via threat exchange platforms, which let businesses access intelligence about possible vulnerabilities they have yet to encounter. Exchanging CTI allows for a hardened security posture, including easier identification of affected systems, implementation of protective security measures, and enhanced threat detection. It keeps an organization current with the latest threats and improves detection capability and security controls for better defensive agility. It also enriches the volume of indexed intelligence and furthers the development of knowledge about specific incidents and threats.
Challenges Associated with Intelligence Sharing and Crowdsourcing
Sharing threat intelligence is highly beneficial, but some concerns deter organizations from sharing freely, with privacy and liability being the most significant. While crowdsourcing allows for cost-efficient security testing, finding and declaring a vulnerability is equivalent to announcing it to threat actors before it is fixed. It is also difficult for ethical hackers to reach certain assets that are internal to the organization's security architecture, and granting access to such components amounts to giving non-authorized personnel the ability to manage or jeopardize the security of your assets as they see fit.
A bug can be exploited when it goes unnoticed. This is made possible by crowdsourcing. As crowdsourced security is a reward-upon-discovery program, it is difficult to estimate the security budget for the task. Also, it is not known ahead of time what will be found, so the number of labor hours to be invested cannot be quantified. Therefore, if the rewards are poor, the program might fail to attract ethical hackers (Haynes, 2018).
Very few private organizations, SecureClaw being one, host cyber threat intelligence collaboration platforms on their websites or social media pages. For intelligence procurement via threat exchange platforms, the lack of a common mechanism or an established policy for preserving the trust model on these platforms may prove to be a setback. Lack of trust and transparency about the source is another challenge in legitimizing any exchange platform. As threat intelligence capabilities aim to automate the process, achieving interoperability and accommodating new formats can be difficult, because not every organization uses a standardized data format.
References
- Cortés, S. V. (2023, January 16). Disseminating Cyberthreat Intelligence to Enhance Information Security. EC-Council. https://www.eccouncil.org/cybersecurity-exchange/whitepaper/cyberthreat-intelligence-dissemination-white-paper/
- Haynes, A. (2018). Crowdsourced Security – An Alternative to Pentesting? United States Cybersecurity Magazine. https://www.uscybersecurity.net/csmag/crowdsourced-security-an-alternative-to-pentesting/
- Mujezinovic, D. (2023, January 04). What Is Crowdsourced Security? MakeUseOf. https://www.makeuseof.com/crowdsourced-security/
- Pankhania, A. (2023, January 30). A Guide to Extended Threat Detection and Response: What It Is and How to Choose the Best Solutions. EC-Council. https://www.eccouncil.org/cybersecurity-exchange/whitepaper/a-guide-to-extended-threat-detection-and-response/
- Pawar, S., & Palivela, H. (2022, April). LCCI: A framework for least cybersecurity controls to be implemented for small and medium enterprises (SMEs). International Journal of Information Management Data Insights, 2(1), 100080. https://doi.org/10.1016/j.jjimei.2022.100080
About the Author
Dr. Shekhar Pawar
CEO at SecureClaw Inc. and GrassDew IT Solutions
Dr. Shekhar Pawar is the CEO of SecureClaw Inc., DE, USA, and has a Ph.D. in cybersecurity from SSBM, Geneva, Switzerland. He has years of proven experience in security audits and has worked on developing software solutions for IT and cybersecurity requirements. Dr. Pawar has proven experience working with capability maturity model integration (CMMI) for qualitative analysis and improvement of the security team’s performance and has authored the book Air Team Theory. He also has experience in software development and management in other technologies, including telecommunications, database administration, blockchain, etc., which allows him to extend his research efforts to find optimal solutions for cybersecurity issues through interdisciplinary means. Dr. Shekhar Pawar’s interest in research and continuous learning can be observed by the numerous certifications he has obtained, some of which include Certified Information Systems Auditor (CISA), Certified Ethical Hacker (C|EH), Computer Hacking Forensic Investigator (C|HFI), ISO 27001 – Lead Auditor, PCI DSS Implementer, Diploma in Cyber Laws, Microsoft Certified Professional (MCP), and Certified Blockchain Developer, amongst others.