Why we should care about collective intelligence and defence

Today, especially in the age of AI, we’re constantly bombarded with new security tools we should be using. But in this bid to have the shiniest toy, many organisations are missing the first crucial step in implementing a holistic cybersecurity approach: collaboration, argues Jason Keirstead, Vice President of Collective Threat Defense at Cyware.

‘Collective defence’ isn’t a term we hear frequently in cybersecurity – but it absolutely should be. Much like the well-worn but useful observation that ‘it takes a village’ to raise a child, collective intelligence and defence are about sharing resources, information and resilience between otherwise unconnected entities.

The origins of collective defence can be traced back to NATO’s fifth article, which states that an attack against one ally is considered an attack against all allies. Thus, the vision is that multiple resources combine in the face of a shared threat. In practice, this means collaboration between companies using threat intelligence sharing and coordinated threat response actions to counter malicious actions. At its core, collective cyberdefence is a collaborative cybersecurity strategy that requires organisations, both internally and externally, to work together across industries to defend against targeted cyberthreats.

Examples of collective defence

Although the public may not be acutely aware of the term collective defence and its impact on the world of cybersecurity, it’s likely that many have heard of some of the larger headlines or reports coming from the world of IT concerning the idea. One example is the collaborative legal action led by Microsoft, Fortra LLC and Health-ISAC, which targeted actors that deployed cracked versions of Cobalt Strike or those that blatantly violated Microsoft’s terms of use, especially when it came to the malicious deployment of its copyrighted APIs. The lawsuit highlights how uniting diverse organisations can detect, challenge and pull apart the infrastructures that underpin cyberthreats.

Another example from Microsoft is its 2023 Digital Defence Report, which focused on building and improving cyber-resilience. It is based on data from 65 trillion signals, 135 million managed devices and 4,000 attacks blocked per second. Key themes emerge around cybercrime, nation-state threats, critical cybersecurity challenges and innovating for security and resilience. What makes it even more interesting is that, for the first time, it devotes a whole chapter (the longest in the report, in fact) to collective defence. This substantial and detailed chapter argues that, faced with sophisticated cyberthreats, collaboration and a united front are vital to building a more secure digital landscape. However, there are several factors we need to consider when implementing this approach.

Bolstering open-source and supply chain security

Microsoft’s report emphasises the importance of strengthening open-source and supply chain security through collective action. All the leading technology vendors, including Google, IBM and Microsoft itself, are already working together to counter cyberthreats, underlining the urgency of community-driven programmes in the security arena.

These open-source communities, based on collaboration, are well placed to encourage broader transformation, making them critical to the struggle against malicious threats. The Open Source Security Foundation (OpenSSF) is a manifestation of this approach, dedicated to addressing new security challenges. It presents frameworks aimed at enhancing comprehension of supply chain threats and formulating efficient strategies for mitigating them. Essentially, the report promotes a collaborative, community-focused approach to strengthen the digital ecosystem against ever-changing cyber-risks.

Partnership between industry and government is key

Faced with a digital ecosystem riddled with constantly evolving cyberthreats, which can adapt to new security procedures and exploit new vulnerabilities, governments globally are working at pace to stay ahead. This explains the recent proliferation of regulatory guidelines for corporations issued by government agencies, such as the SEC’s cyber incident reporting regulations, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the EU Cybersecurity Act.

These collective initiatives should be supported because individual, siloed attempts to defend against new threats often prove inadequate. Instead, fostering effective partnerships across a broad range of stakeholders is not only good for all participants but also, in fact, absolutely critical. These collaborations act as the basis for enhanced intelligence sharing, strengthening collective resilience and enabling the creation of more productive mitigation techniques.

How to deploy a collective defence cyber strategy

Collective defence depends on a coordinated cybersecurity strategy in which a range of diverse organisations partner to identify, protect against and respond to emerging threats. There is a clear, five-step approach to make your journey to collective defence simple:

  • Highlight key stakeholders: Define the organisations, agencies, or entities involved in the collective defence initiative, encompassing private companies, government agencies, non-profits, ISACs and other pertinent stakeholders.
  • Cultivate trust: Foster trust among participants through the establishment of non-disclosure agreements (where applicable), clarification of roles and responsibilities and the assurance of operational transparency.
  • Establish communication channels: Create secure communication platforms for the real-time collaborative exchange of threat and defence intelligence, best practices and incident reports. Automate these exchanges wherever feasible.
  • Share threat and defence intelligence: Promote the regular sharing – automated if possible – of indicators of compromise (IoCs), tactics, techniques and procedures (TTPs), and other pertinent threat data. Defence intelligence, such as detection rules, threat hunting playbooks and incident response playbooks, should also be shared amongst stakeholders.
  • Undertake collaborative analysis: Contribute shared resources to analyse pooled data and identify patterns and potential threats while also developing and maintaining detections and incident response strategies.

Finally, the Cyber Fusion Center is the ideal model for companies deploying a collective defence strategy in their security operations. It unites all security functions, including threat intelligence, security automation, threat response, security orchestration and incident response, in one cohesive whole, allowing real-time collaboration and the easy exchange of knowledge. For example, the vulnerability management team can partner with the incident response team to effectively address a bug exploitation incident.

These steps will enable you to build a culture of collaboration, where diverse organisations can deploy a collective defence strategy, which will improve their ability to protect against – and respond to – cyberthreats of all types.

Ultimately, the world is confronted with ever-shifting, fast-evolving threats of all kinds, and, given our increasing reliance on digital technology to monitor, control and shape all aspects of modern life, cyberthreats are among the most dangerous. This means organisations must begin to connect with other entities and build resilient, trusted and secure response networks that can share vital data, techniques and strategies in real time. Your journey towards a collective intelligence and defence approach starts today.

Intelligent CISO