Recent cyberattacks on retailers in the UK and the U.S. are now shifting to target the financial sector, with news on breaches reaching headlines almost daily. These stories track how today’s threat actors operate: they are strategic, pivot quickly, exploit weak links and are highly opportunistic. This opportunism means that if threat actors discover an unlocked door in one business within an industry, they will try every door within that industry to find a common weakness. As shrewd businessmen, they are more likely to target industries rich in customer data and personally identifiable information (PII) and with large, complex supply chains, such as retail and finance. Industry-specific weaknesses and single points of failure within a supply chain are cybersecurity soft spots that regulations such as the Digital Operational Resilience Act (DORA) within the financial sector and the NIS2 Directive aim to address directly: Both emphasizing structured information flows, sector-level cooperation and operational resilience. One valuable tool for meeting these requirements and increasing pro-activity is through the tactic of threat intelligence sharing.
Cybersecurity teams are justifiably cautious to share threat intelligence too broadly, as it can lead to indicators being released prematurely or posted into the wrong forum and could alert threat actors to change their tactics.
However, working in isolation against threat actor networks, such as Scattered Spider, leaves cybersecurity teams at a distinct disadvantage. Cyberattacks, increasing in scale and sophistication, are being launched persistently. According to recent research by Everfox, FS&B organizations are facing 114 cyberattacks a week – a staggering number of attacks, and a rich pool of actionable threat intelligence to warn and prepare other organizations, if securely shared.
The good news is that facilitators for secure, structured intelligence sharing already exist. Sector-specific communities like FS-ISAC (for financial services) and RH-ISAC for retail and hospitality provide trusted environments where verified members can share threat data safely. These communities use standardized formats like STIX/TAXII to automate and anonymize data exchange. This allows organizations to contribute and consume intelligence without exposing sensitive internal details.
These communities comprise both large and small organizations. Typically, larger organizations have more mature security operations and can share vast amounts of threat intelligence, which is an invaluable resource for smaller organizations. Smaller organizations, usually distributed at different points within the supply chain, are also able to verify the threat intelligence from the front lines – and alert to novel attacks. This enables organizations to gain visibility over multiple supply chains and apply proactive and predictive reasoning to their own environments.
Threat Intelligence Sharing communities can also be created within advanced threat intelligence sharing platforms, enabling security teams to select organizations and filter through threat intelligence to curate their feed.
Another benefit of joining an FSISAC – or building your threat intelligence community – is that in-person meetups are encouraged. CISOs and security teams can hold lonely positions within a company, with considerable weight on their shoulders, and becoming part of a threat intelligence sharing community can be a good way to alleviate this sense of isolation and feel united with fellow professionals under a common cause.
Meeting peers face-to-face also establishes trust and enables cybersecurity professionals to verify the people they are sharing threat intelligence information with. In the age of AI-enabled deepfakes, professionals can never be too careful.
A challenge with joining threat intelligence sharing communities is that a lot of threat information is generated and needs to be shared daily. For already resource-stretched teams, it can be extra work to pull together, share a threat intelligence report, and filter through the incredible volumes of information. Particularly for smaller organizations, it can be a bit like drinking from a firehose.
In this context, an advanced threat intelligence platform (TIP) can be invaluable. A TIP has the capabilities to collect, filter, and prioritize data, helping security teams to cut through the noise and act on threat intelligence faster. TIPs can also enrich the data with additional contexts, such as threat actor TTPs (tactics, techniques and procedures), indicators of compromise (IOCs), and potential impact, making it easier to understand and respond to threats. Furthermore, an advanced TIP can have the capability to automatically generate threat intelligence reports, ready to be securely shared within the organization’s threat intelligence sharing community
Secure threat intelligence sharing reduces risk, accelerates response and builds resilience across entire ecosystems. If you’re not already part of a trusted intelligence-sharing community, it is time to join. And if you are, do contribute your own valuable threat information. In cybersecurity, we’re only as strong as our weakest link and our most silent partner.
20130 Lakeview Center Plaza
Suite 400
Ashburn, VA 20147
