Sharing, Compared Part 3: How Can We Improve?

In part 3, we examine the challenges, organizational context, and issues with methods used for cyber threat intelligence sharing.

BLUF

  • Organizational Challenges Persist: Respondents highlighted legal liabilities, sharing restrictions, lack of formalized processes, and measurement gaps hampering efforts. Despite these obstacles, there's a noted increase in visibility with leadership.
  • The vast majority of respondents dedicate 1-10 hours a week to sharing efforts, in spite of a perceived lack of time being a key challenge.
  • With many competing formats for sharing, the lack of a universally implemented technical standard hampers sharing efficiencies.

Background

This is part 3 in a multi-part series based on the CTI Networking Report 2024, the sequel to my inaugural study from 2022. Check out Part 1 for more context around this research.

ℹ️
CTI Networking: The interaction of individuals for CTI-related work. This definition excludes personal purposes (e.g., career development, sales, and commercial interest).

Part 3 covers the area of improvement in CTI networking: issues and opportunities. We cover the biggest challenges, how practitioners do (and don't) measure efforts, and structures around sharing.


Higher Visibility, More Restrictions

Respondents voiced numerous organizational challenges like issues of legal liability, a lack of formalized processes, and gaps in measuring effectiveness. In spite of these negative forces, respondents maintained their hours spent in CTI networking efforts while noting improved visibility with leadership.

The Biggest Challenge: "I'm Not Allowed"

Legal liability and sharing restrictions rose to the top of the challenges faced, both jumping up two places since our previous survey. With increasing regulatory involvement, guidance, and enforcement, caution has grown around the confidentiality and consequences of disclosure – consistent with findings from the Office of the Inspector General of the Intelligence Community (US). The ranks of other challenges remained unchanged.

⚔️
While fear of retaliation (i.e., being a target of threat actors) remained in last place, the percentage of respondents noting some or a lot of impact increased by 13% compared to the previous survey. This may be a result of more and widely covered campaigns against threat researchers, academics, and security professionals.

Keeping Up The Hours

The average time spent on CTI networking on a weekly basis remained consistent with the previous survey, with the largest segments dedicating 1-5 (48%) or 5-10 (19%) hours each week.

A “lack of time” remained a top 3 issue, consistent with challenges across both surveys. However, individuals maintained their hours, even though in some cases this meant spending time “off-hours”. Open-ended survey responses demonstrated a desire to dedicate more time to CTI networking efforts, but respondents were limited by too many responsibilities, lack of headcount, and lack of resources to do so. Here are a few open-ended responses:

"My job requires that I do investigations, project planning, software engineering, and security engineering work so I just don’t have enough time.”
"I’m time poor... I make an effort to meet others in this space... but can rarely action or develop collaboratively due to my sporadic time.”

Measuring and Organizing Efforts

76% of respondents did not measure effectiveness of CTI networking efforts at all, while 18% did – a negative shift that could be tied to time and resource limitations.

🏦
Companies with fewer than 100 people were most likely (29%), while companies with 101-1,000 employees were least likely (6%) to have measurements and reporting in place.

Using frameworks, processes, and reporting mechanisms that already exist within the CTI program helps to prevent over-complication and unnecessary work, while encouraging continuous feedback loops. See the graphic above for real-world examples of how measurement is implemented within CTI workflows.

The majority of respondents had some processes or rough guidelines in place to manage collection of information from CTI networking. Respondents with 10+ years of CTI experience were much more likely to have standardized collection at 72%, compared to those with less than 10 years, at 44%.

A Mix of Sharing Standards

Respondents disseminated produced intelligence across an average of 4 formats, with the most common being files (e.g. PDF, Word), unstructured text, CSVs, and social/blog posts.

The multiple CTI-specific technical formats, each used by less than 40% of respondents, showcase the challenges teams face in supporting automation and integration. 61% of respondents who use STIX 2.x also use MISP; however, those who use MISP are less likely to use STIX 2.x (47%). All respondents who use XML also use CSV.

8️⃣
Everything Integrated All at Once: Those who reported using STIX 1.x were most likely to use the most formats, with an average of 8 formats.
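To make the integration cost of this format mix concrete, here is an added example (not from the report or any of the tools it names) that takes the flat CSV many teams actually exchange and emits the same indicators as a STIX 2.1 bundle and as a MISP-style attribute list. The sample CSV, the `TYPE_MAP` table, and the field names are constructed for illustration; only the standard library is used so it runs offline, whereas a production pipeline would normally build these objects with the `stix2` and `pymisp` packages. It also shows the part a converter must get right that a spreadsheet never enforces: validating each value for its type and escaping string literals before they land in a STIX pattern.

```python
"""Convert a CSV indicator list into a STIX 2.1 bundle and a MISP-style attribute list.

Constructed example, not code from the CTI Networking Report or from the
STIX/MISP projects. Standard library only; in production use `stix2`/`pymisp`.
"""
import csv
import io
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input. All values are documentation/test values, not real
# observables; two rows are deliberately bad to exercise the skip path.
SAMPLE_CSV = """type,value,description
ipv4,203.0.113.5,Constructed C2 address
domain,example.invalid,Constructed phishing domain
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,Empty-file hash (constructed sample)
ipv4,999.1.1.1,Malformed address on purpose
md5,d41d8cd98f00b204e9800998ecf8427e,Unsupported type on purpose
"""

# CSV "type" column -> (STIX 2.1 pattern template, MISP attribute type).
# Assumed mapping for this example; extend to match your own feed.
TYPE_MAP = {
    "ipv4":   ("[ipv4-addr:value = '{v}']",        "ip-dst"),
    "domain": ("[domain-name:value = '{v}']",      "domain"),
    "sha256": ("[file:hashes.'SHA-256' = '{v}']", "sha256"),
}

def _escape_pattern_literal(value: str) -> str:
    # STIX string literals escape backslash and single quote with a backslash.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def _validate(ioc_type: str, value: str) -> Optional[str]:
    """Return None if the value is plausible for its type, else a reason."""
    if ioc_type == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "not a valid IPv4 address"
    elif ioc_type == "domain":
        if "." not in value or not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", value):
            return "not a plausible domain name"
    elif ioc_type == "sha256":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            return "not a 64-hex-character SHA-256"
    return None

def parse_csv(text: str):
    """Yield (row, problem) pairs; problem is None for rows we can convert."""
    for row in csv.DictReader(io.StringIO(text)):
        ioc_type = row["type"].strip().lower()
        value = row["value"].strip()
        if ioc_type not in TYPE_MAP:
            yield row, f"unsupported type {ioc_type!r}"
            continue
        yield row, _validate(ioc_type, value)

def to_stix_bundle(text: str, now: Optional[datetime] = None):
    """Build a STIX 2.1 bundle dict with one Indicator per usable row.
    Returns (bundle, skipped); skipped is a list of (row, reason)."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # STIX timestamp form
    objects, skipped = [], []
    for row, problem in parse_csv(text):
        if problem:
            skipped.append((row, problem))
            continue
        template, _ = TYPE_MAP[row["type"].strip().lower()]
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts,
            "modified": ts,
            "name": row.get("description") or row["value"],
            "pattern": template.format(v=_escape_pattern_literal(row["value"].strip())),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, skipped

def to_misp_attributes(text: str):
    """Build MISP-style attribute dicts (type/value/comment/to_ids) for the same rows."""
    attrs = []
    for row, problem in parse_csv(text):
        if problem:
            continue
        _, misp_type = TYPE_MAP[row["type"].strip().lower()]
        attrs.append({"type": misp_type, "value": row["value"].strip(),
                      "comment": row.get("description", ""), "to_ids": True})
    return attrs

if __name__ == "__main__":
    bundle, skipped = to_stix_bundle(SAMPLE_CSV)
    print(json.dumps(bundle, indent=2))
    for row, reason in skipped:
        print(f"skipped {row['value']}: {reason}")
    print(json.dumps(to_misp_attributes(SAMPLE_CSV), indent=2))
```

Running the block converts three rows and reports two skips (the malformed address and the unsupported hash type). Every extra format a team supports means another `TYPE_MAP`-style mapping, another set of validation rules, and another place for silent drops like these to go unnoticed, which is the efficiency cost the survey figures point at.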

Organizational Beliefs

Leadership awareness of CTI networking efforts shot up by 18%, the largest percent increase in “agreement” amongst respondents. Another positive shift was the characterization of CTI networking as “well-defined”, with agreement increasing by 9% and disagreement decreasing by 9%. Conversely, the largest negative shift was in the percentage of respondents who believed that CTI networking was a defined part of their time and job responsibilities, with agreement decreasing by 10% and disagreement increasing by 10%.

Conclusion

Part 3 of the series examines the challenges and opportunities within the realm of CTI networking. Despite facing hurdles such as legal liabilities, restrictions, and time constraints, practitioners continue to invest significant hours into networking efforts. However, the lack of formalized processes for measurement and reporting poses a significant obstacle to effectively evaluating the impact of these endeavors. The increasing scrutiny and regulatory involvement necessitate a cautious and informed approach towards information sharing. Nevertheless, there are positive shifts noted, such as increased leadership awareness and a growing perception of CTI networking as a defined endeavor. To effectively navigate these competing factors, teams should build networking collection and dissemination into their current frameworks/measurements, engage with and incorporate policy and regulatory updates, and continue to drive towards visibility of time and effort spent as part of their responsibilities.