Threat Intelligence Sharing: Democratizing Risk Information

As July 2021 closes, the Executive Order on Improving the Nation’s Cybersecurity (Executive Order) deliverables are starting to be released. For example, the National Institute of Standards and Technology (NIST) released its Definition of Critical Software Under Executive Order (EO) 14028. With the 30-, 45-, and 90-day deadlines creeping up on public and private sector entities, the changes to threat intelligence sharing may help all organizations by democratizing risk information. 

What the Executive Order Says

The Executive Order states that the goal of “Removing Barriers to Sharing Threat Information” is to reduce cybersecurity risk. Under this section, the Executive Order argues that removing contractual barriers will give cloud services providers the ability to share risk information more effectively. 

Organizations will now be able to share threat intelligence with executive departments and agencies like: 

  • Cybersecurity and Infrastructure Agency (CISA)
  • Federal Bureau of Investigation (FBI)
  • Intelligence Community (IC) members

What are the timelines?

As with everything else that the Executive Order contains, the timelines for enhanced threat intelligence sharing are short. 

A quick look at the timelines and requirements gives some insight as to what the Executive Order intends, noting that within:

  • 60 days: Defense Federal Acquisition Regulation Supplement (DFARS) to release proposed changes IT and OT contract language
  • 90 days: Federal Acquisition Regulation (FAR) Council to review proposed contract changes
  • 120 days: Secretary of Homeland Security and Director of the Office of Management and Budget (OMB) to ensure that service providers share as much information as possible with CISA and FBI 

The Executive Order contains several other deadlines that agencies need to meet. However, from an information-sharing perspective, these are the ones that matter most to companies. 

How does this democratize risk information sharing?

Data is a resource that all organizations need as they seek to protect themselves and their customers. Fundamentally, any limitation on threat intelligence sharing - whether by contract or within proprietary systems - creates a burden for organizations. 

Expanding information sharing initiatives across the federal space gives all organizations greater visibility into potential risks. Currently, only members of the Defense Industrial Base (DIB) have access to threat intelligence impacting their supply chain. 

For example, the Department of Defense (DoD) currently operates the DIBNet Portal. This public-private cybersecurity partnership gives contractors a way to securely share cyber incidents. However, this portal highlights two primary issues facing public and private sector companies. 

First, only organizations within the DoD’s DIB Cybersecurity Program have access to this information. Second, the information focuses on security incidents. In other words, companies are reporting incidents after the fact. 

The expanded threat intelligence sharing under the Executive Order includes both threat and incident information, with the language specifying “prevention” and “potential incidents.” In other words, service providers will be reporting any potential vulnerabilities directly to CISA. 

CISA manages the Continuous Diagnostics and Mitigation (CDM) program that services Federal Civilian Executive Branch (FCEB) agencies. By expanding threat intelligence sharing under the Executive Order, CISA now has more information to share with other agencies. 

While this all this information may remain contained to FCEB agencies and CISA detection technologies, it’s a first step toward bringing everyone the same threat information. 

Why democratizing threat intelligence matters

The rise of ransomware attacks places stress on all companies, regardless of size and resources. In fact, according to a November 2020 report by Datto, 60% of Managed Service Providers (MSPs) said their small and mid-sized business (SMB) customers experienced ransomware attacks during the third quarter of 2020. 

Democratizing threat intelligence means giving everyone equal access to cybersecurity risks. More importantly, it means giving companies a way to understand their contextual business risk. For example, the threat actors targeting federal systems and networks may have different motivations than those targeting SMBs. 

Companies need access to risk information so that they can appropriately protect their systems, networks, and software from malicious actors. Without information and transparency, organizations can’t adequately prepare their security teams or test their controls. 

Leveling the Threat Intelligence Field with Attack, Detect, and Respond (ADR)

Sharing threat intelligence matters for organizations that need visibility into risk. However, fundamentally, many organizations continue to struggle as they seek to enhance their security posture. Running emulations and leveraging open-source, community-based data removes many of the barriers organizations face. 

Community Sourced Data

The sheer volume of threat intelligence overwhelms security teams. Security analysts need to share information with each other for enhanced threat detection and response. The more information that the community shares, the better-prepared everyone is. 

For example, SCYTHE’s Threat Thursdays offer security professionals deep, technical dives into current and emerging threats. Sharing this information ensures that all security team members, regardless of organizational budget constraints, have the information they need to successfully protect data. 

Emulation Instead of Simulation

ADR is based on a belief that organizations should have solutions that enable them to build contextual business risk into their security programs. Moreover, it seeks to democratize security risk management by enabling organizations to create attack paths and share the tactics, techniques, and procedures (TTPs) that they design. 

Security teams need a way to engage in continuous technology and process testing. However, organizations can’t simply hire a penetration testing consultant to validate controls for each newly discovered TTP. Unlike simulations that only run a vendor-supplied series of attack steps, ADR gives security teams the ability to create attack paths unique to their organization’s needs. 

Ease of Use

Not every organization has a fully resourced red team. Even if they do, testing and validating controls every time a new TTP is detected can be too time-consuming. 

ADR gives security teams a way to work together, ensuring that both Blue Teams and Red Teams have functionalities that enable them. Blue Teams need solutions that they can use to validate their technologies and processes without requiring them to have Red Team skill sets. Red Teams need solutions that allow less experienced team members to automate testing. This frees up more experienced team members to focus on security activities that require advanced skills. Ultimately, with ADR Blue and Red Teams work together more effectively, leading to collaborative Purple Teams. 

For organizations with smaller teams, ADR ensures that all users - regardless of technical skillset - can work to secure the organization’s data. 

Democratizing Security Through Community Involvement and Information Sharing

As the Executive Order looks to expand threat intelligence sharing, more organizations will have access to information that helps them better secure their information. This belief in open intelligence sharing aligns with SCYTHE’s core principles. Our belief in democratizing security is the reason we created a community with the largest public library of adversary emulations. We welcome and embrace security professionals looking to share their custom TTPs. 

At SCYTHE, our goal is to make validating technologies and processes accessible to all people within the organization. The SCYTHE platform gives companies the technology necessary to use this threat intelligence effectively. Our platform’s easy-to-use, drag-and-drop functionality enables customers to take control over their security. 

Collaboration - both within an organization and across the security community - makes threat intelligence and security more accessible to all organizations for better data protection. 


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.