Guide to Cyber Threat Info Sharing

Friday, October 14, 2016 @ 06:10 PM gHale

Cyberattacks keep increasing in frequency and sophistication, which poses huge challenges for organizations that must defend their data and systems.

These bad guys range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state.


Threat actors can be persistent, motivated, and agile, and they use a variety of tactics, techniques, and procedures (TTPs) to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. Given the risks these threats present, it is increasingly important that organizations share cyber threat information and use it to improve their security posture.

That is why the National Institute of Standards and Technology (NIST) created a publication that encourages greater sharing of cyber threat information among organizations, both in acquiring threat information from other organizations and in providing internally generated threat information to other organizations. Implementing the following recommendations enables organizations to make more efficient and effective use of information sharing capabilities.

Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats.

Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information available to share internally as part of their information technology and security operations efforts.

By exchanging cyber threat information within a sharing community, organizations can leverage the collective knowledge, experience, and capabilities of that sharing community to gain a more complete understanding of the threats the organization may face.

Using this knowledge, an organization can make threat-informed decisions regarding defensive capabilities, threat detection techniques, and mitigation strategies. By correlating and analyzing cyber threat information from multiple sources, an organization can also enrich existing information and make it more actionable. This enrichment can be achieved by independently confirming the observations of other community members, and by improving the overall quality of the threat information through the reduction of ambiguity and errors. Organizations that receive threat information and subsequently use it to remediate a threat confer a degree of protection on other organizations by impeding the threat’s ability to spread. Additionally, sharing cyber threat information allows organizations to better detect campaigns that target particular industry sectors, business entities, or institutions.
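As an added illustration of the correlation and independent-confirmation idea above (example code written for this post, not from the NIST publication or this article; the member names, indicators, notes and confidence thresholds are constructed assumptions), the snippet below normalizes indicators reported in different styles by several community members, merges them, and rates each indicator by how many distinct members independently reported it:

```python
import re
from collections import defaultdict

# Constructed sample: indicator reports as different sharing-community members
# might submit them. Source names, domains and IPs are made up for this example.
REPORTS = [
    {"source": "member-a", "type": "domain", "value": "hxxp://Login-Update[.]example[.]net", "note": "phishing kit"},
    {"source": "member-b", "type": "domain", "value": "login-update.example.net.", "note": "credential harvesting"},
    {"source": "member-c", "type": "domain", "value": "LOGIN-UPDATE.EXAMPLE.NET", "note": "seen in sector campaign"},
    {"source": "member-a", "type": "ip", "value": "198[.]51[.]100[.]23", "note": "C2 address"},
    {"source": "member-a", "type": "ip", "value": "198.51.100.23", "note": "resubmitted by same member"},
    {"source": "member-d", "type": "domain", "value": "cdn.example.org", "note": "single unconfirmed sighting"},
]

def normalize(indicator_type, value):
    """Undo common 'defanging' and case/format variation so the same indicator
    reported by different members compares equal (reduces ambiguity)."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("hxxp://", "").replace("hxxps://", "")
    if indicator_type == "domain":
        v = re.sub(r"^https?://", "", v).split("/")[0].rstrip(".").lower()
    return v

def correlate(reports):
    """Group reports by normalized indicator and count *distinct* contributing
    sources; two submissions from one member are not independent confirmation."""
    sources = defaultdict(set)
    notes = defaultdict(list)
    for r in reports:
        key = (r["type"], normalize(r["type"], r["value"]))
        sources[key].add(r["source"])
        notes[key].append(r["note"])
    out = {}
    for key, srcs in sources.items():
        n = len(srcs)
        # Assumed thresholds: 3+ independent members = high, 2 = medium, 1 = low.
        confidence = "high" if n >= 3 else "medium" if n == 2 else "low"
        out[key] = {"sources": sorted(srcs), "confirmations": n,
                    "confidence": confidence, "notes": notes[key]}
    return out

if __name__ == "__main__":
    for (itype, value), info in correlate(REPORTS).items():
        print(f"{itype:6} {value:28} {info['confidence']:6} confirmed by {info['sources']}")
```

The phishing domain collapses to one entry confirmed by three members, while the C2 address reported twice by the same member stays at a single confirmation.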

The publication assists organizations in establishing and participating in cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidelines that improve cybersecurity operations and risk management activities through safe and effective information sharing practices, and that help organizations plan, implement, and maintain information sharing.
