The US Government recently announced that state-sponsored Chinese cyber group Volt Typhoon has compromised multiple critical infrastructure organisations’ IT networks in the US and is preparing “disruptive or destructive cyber attacks” against communications, energy, transport, water and waste water systems. The announcement, which was supported by national cybersecurity agencies in Australia, Canada, UK, and New Zealand, is a sobering reminder that modern life relies on digital networks. From healthcare, banking, and socialising, to energy, water, local and national government – everything has a digital aspect. But while digitisation has delivered great leaps forward in convenience, speed, and efficiency, it has also introduced risk. Malicious forces wanting to disrupt economies, governments, and people, know that targeting digital networks is the quickest route to maximum cross-border disruption.

As a result, the collective improvement of cybersecurity is a high international priority. There’s a wealth of EU legislation in the pipeline designed to tackle cybersecurity risk in critical sectors. The Digital Operational Resilience Act (DORA) focuses on cybersecurity in the finance sector and the Cyber Resilience Act (CRA) concentrates on reducing risk within hardware and software products. The NIS2 Directive, which comes into force in October 2024, seeks to raise cybersecurity standards and incident response capabilities in a wide range of critical industries such as energy, communications, water, banking, health, and transport. Crucially, the directive applies to their supply chains, too. We believe threat intelligence will play a central role in organisations’ efforts to comply with these regulations, particularly the NIS2 Directive, which has risk visibility, information-sharing, and collaboration at its heart.

The role of threat intelligence

As every CISO knows, cybersecurity is a multi-aspect, multidisciplinary activity and you’ll never succeed in entirely preventing attacks and breaches. What you can do — and what the regulations require — is to implement programmes to manage and minimise risk and demonstrate that they are effective. Failure to do this has direct implications for senior leaders as, under NIS2, members of management bodies may now be found personally liable for failing to establish and oversee effective cybersecurity risk management programmes.

Getting the assurance required to sign off on the effectiveness of programmes requires a solid understanding of where that risk is coming from, which is where threat intelligence comes into its own.

Threat intelligence can be collected from a diverse range of sources including official bulletins from government agencies – like the recent US announcement – private sector threat feeds, intelligence-sharing communities and open source information, as well as from monitoring and analysis of dark web communications. There is a huge amount of data available and, as with all large datasets, the key is analysing it effectively in the context of your organisation so you can gain a picture of the threats in your environment.

Just knowing about the threats isn’t enough, because there’s a difference between the existence of a threat, the risk of it happening, and the severity of the consequences for your organisation and its stakeholders. Here a threat intelligence platform helps organisations correlate threat data within the context of the business, prioritising the threats with the high likelihood and severity. This allows you to show that you understand risk, and you can establish a prioritised remediation programme to minimise the risk of threats becoming reality.

Accelerating incident response

NIS2 is not just about controlling attack risk, it’s also focused on improving the quality of response to incidents when they occur. Previously, EU authorities noted a lack of consistency in the speed and detail of major incident reporting, so the new directive tightens up both the time frame and level of information that organisations must provide.

Significant incidents must be reported to authorities within 24 hours with an early warning including a description of the incident, whether the organisation believes it was caused by unlawful or malicious activity, and whether it could cause cross-border impact. Within 72 hours the organisation must provide an update providing information about its severity and impact, plus relevant indicators of compromise. One month after the initial notification a full report must be provided.

Threat Intelligence Platforms and/or Security Orchestration Automation and Response Platforms can provide the foundations of effective reporting by gathering real-time intelligence when an incident occurs, initiating an automated incident response plan including notifying the relevant authorities, and powering investigation and evidence collection so the reports contain all the documentation needed.

Collaboration and cooperation across nations and supply chains

Another issue that NIS2 seeks to address is the lack of cybersecurity information-sharing that has obstructed efforts at cross-border risk management and incident response in the past. The directive will establish an international cooperation group, a network of national CSIRTs, and the EU-CyCLONe cross-border incident management and response network. It also creates a system of coordinated vulnerability disclosures and a European vulnerability database that will be managed by ENISA.

Threat intelligence sharing will form a key aspect of the success of these initiatives. A threat intelligence platform and participation in industry-specific threat intelligence communities can help organisations stay informed, share best practices, and embrace the ethos of the directive, while also contributing proactively to the rising tide of cybersecurity performance that it seeks to deliver.

Proactive information-sharing will also be crucial to gaining visibility over threats in the organisation’s supply chain. This is a central tenet of NIS2, with in-scope companies required to take a risk management approach to monitoring cybersecurity standards in supplier organisations. By fostering a collaborative approach to cyber risk and sharing threat intelligence with suppliers, companies can build a culture of cybersecurity collaboration that will benefit all parties.

Compliance with regulations such as NIS2 will rest on the ability to demonstrate clear understanding of risk and a robust incident response and reporting framework. Collecting, analysing, and sharing threat intelligence should be a priority for in-scope organisations as they build their compliance capabilities.