One of the challenges of ramping up an internal threat intelligence team is developing processes for information sharing, both between internal groups and potentially externally with sharing organizations. Timely sharing of threat intelligence is a key attribute of an effective threat intelligence program, but it is often complicated by conflicts in goals, responsibilities, and rules. In Part 1 of this blog post we outlined some of the inhibitors to successfully sharing threat intelligence internally and noted that NIST has published a Guide to Cyber Threat Information Sharing (NIST SP 800-150) that is useful for creating a successful foundation for both internal and external data sharing.
NIST recommends that organizations that wish to enable more productive sharing of cyber threat information should:
- Establish information sharing goals and objectives that support business processes and security policies.
- Identify existing internal sources of cyber threat information.
- Specify the scope of information sharing activities.
- Establish information sharing rules.
- Join and participate in information sharing efforts.
- Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements.
- Use secure, automated workflows to publish, consume, analyze, and act upon cyber threat information.
- Proactively establish cyber threat sharing agreements.
- Protect the security and privacy of sensitive information.
- Provide ongoing support for information sharing activities.
No information sharing program will be viewed as a success if it cannot be measured against goals. The objectives of a sharing program and the expected benefits have to be spelled out in detail before there is any chance of achieving the buy-in needed for such an initiative to succeed. It should be noted that information sharing outside of an organization is not an altruistic exercise. When successful, these programs are symbiotic, with all parties benefiting in the long term.
With goals in mind, organizations need to determine the internal sources of threat information that can be collected. This allows a gap analysis to be performed and a plan to be developed for filling those gaps with additional internally deployed tools and sensors or with external data sources. Once an organization has determined that it needs additional threat intelligence, it may well find a premium data feed that meets its needs. As noted, there are benefits to casting a wider net as well.
Choosing External Partners
Finding the right sharing partners can require a lot of shopping around. An external information sharing program needs to be scoped carefully, with well understood boundaries on what information will be shared and with whom. There are numerous entities to consider, including the obvious Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), and Information Sharing and Analysis Organizations (ISAOs), as well as law enforcement agencies, business partners, and even customers. In the United States, there is also the Department of Homeland Security’s Automated Indicator Sharing (AIS) initiative. The formal membership requirements of these organizations vary considerably, from completely informal to “invitation only”.
Less formal organizations can provide an easier on-ramp, but they may not engender the same level of trust that comes with more formal relationships. Building trust among partners can be the most difficult aspect of an information sharing program. Formal relationships bring some comfort in that they will have been vetted by internal leadership, legal, and privacy teams, and their sharing processes and protocols are also likely to be well established.
Building trust is a two-way street: organizations need to keep engaging with their external partners while finding the best cadence and volume for sharing. The most productive information sharing relationships are nurtured over time. Organizations should start slowly, actively enriching the most interesting indicators and pushing them out to the group through secure, automated workflows.
External information sharing entities are designed to demonstrate industry leadership, deliver access to unique threat information and enhanced analysis, and create a collective defense with a central threat information repository.
This can be a challenging exercise. The difficulties that arise internally in defining common goals, processes, and even vocabulary obviously get harder when sharing data outside the organization. Persistent barriers continue to hinder the sharing of cyber threat indicators and defensive measures. These include restrictive classifications, a lack of interoperability to enable automated information sharing, and uncertainty about liability protections related to the sharing of some information.
Automated Information Sharing
Automated information sharing between organizations is an important goal but has proved difficult in practice. In the United States, DHS took the lead in attempting to improve the exchange of threat intelligence between the federal government and the private sector with the launch of the Automated Indicator Sharing (AIS) initiative in 2016; the program is now run by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), which was established in 2018. AIS enables the near real-time exchange of cyber threat indicators and defensive measures between the federal government and private sector partners.
The program has been slow to take off with private sector partners, however. Indicators are not validated by DHS, which has chosen to emphasize the velocity and volume of indicators delivered. It is up to partners to vet the indicators they receive through AIS, and partners still do not seem to have a good sense of how to prioritize that data. The Office of the Inspector General of the Intelligence Community put out a report late in 2019 outlining what it sees as the continuing problems with the program. While DHS’s goal has been to share as many indicators as possible as quickly as possible, partners report that it is too much data, often without adequate context. There are also the inevitable issues of interoperability with government systems.
These concerns highlight the fact that, regardless of the program or the partners, organizations need to work hard at establishing trusted relationships, invest in interoperability and automation, and build protections against the inadvertent sharing of sensitive or potentially classified information. To one degree or another, interoperability and judging the quality of shared threat intelligence will be challenges for many information sharing programs.
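The two practical problems in the paragraphs above, vetting and prioritizing unvalidated, context-poor indicators on the way in, and guarding against inadvertently sharing your own sensitive data on the way out, can be handled by one small triage step in the automated workflow. The following is an added example written for this post; it is not code from King & Union, from AIS, or from the original article. It assumes the feed delivers STIX 2.1 indicators as a JSON bundle (AIS uses STIX over TAXII; the field names are from the STIX 2.1 specification), and the sample bundle, the internal address and domain allowlist, and the scoring policy are all constructed for the example. Only single-comparison STIX patterns are parsed; anything more complex is routed to an analyst rather than guessed at.

```python
"""Triage of STIX 2.1 indicators received from a sharing feed (added example, stdlib only)."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '203.0.113.45']
# or [file:hashes.'SHA-256' = '...']. Compound patterns are sent to an analyst.
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")

# Constructed: infrastructure the receiving organization owns (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_DOMAINS = {"corp.example.com"}

# Fixed clock so the example and its results are reproducible.
FIXED_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def _sample(n, pattern, **extra):
    """Build a minimal constructed STIX 2.1 indicator; extra fields override the defaults."""
    ind = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
           "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
           "pattern": pattern, "pattern_type": "stix", "valid_from": "2024-03-01T00:00:00Z"}
    ind.update(extra)
    return ind


# Constructed sample feed: one rich indicator, one bare one, one expired, one pointing at
# our own network, and one compound pattern the triage does not try to interpret.
SAMPLE_OBJECTS = [
    _sample(1, "[domain-name:value = 'update-check.example.net']",
            description="Second-stage C2 observed in a credential-phishing wave.",
            indicator_types=["malicious-activity"], confidence=85,
            kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}]),
    _sample(2, "[ipv4-addr:value = '203.0.113.45']"),
    _sample(3, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", valid_until="2023-06-01T00:00:00Z"),
    _sample(4, "[ipv4-addr:value = '10.20.30.40']", confidence=90),
    _sample(5, "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]"),
]
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
                            "objects": SAMPLE_OBJECTS})


def parse_ts(value):
    """STIX timestamps are RFC 3339 in UTC, e.g. 2024-03-01T00:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_pattern(pattern):
    """Return (object_type, property, value) or None when the pattern is not a single comparison."""
    m = PATTERN_RE.match(pattern.strip())
    return m.groups() if m else None


def touches_internal(obj_type, value):
    """True when the observable names our own assets: a false positive or a leak, never something to block."""
    if obj_type == "ipv4-addr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(ip in net for net in INTERNAL_NETS)
    if obj_type == "domain-name":
        return any(value == d or value.endswith("." + d) for d in INTERNAL_DOMAINS)
    return False


def score(ind):
    """Local prioritization policy (an assumption, not from STIX or AIS): confidence plus supplied context."""
    s = ind.get("confidence", 30)  # a missing confidence is treated as weak, not as unknown
    s += 20 if ind.get("description") else 0
    s += 10 if ind.get("kill_chain_phases") else 0
    s += 10 if ind.get("indicator_types") else 0
    return min(s, 100)


def triage_indicator(ind, now):
    """Classify one indicator: reject expired, quarantine internal, escalate unparseable, else prioritize."""
    result = {"id": ind["id"], "reasons": [], "priority": None}
    if ind.get("pattern_type", "stix") != "stix":
        return {**result, "verdict": "skip", "reasons": ["not a STIX-pattern indicator"]}
    if ind.get("valid_until") and parse_ts(ind["valid_until"]) <= now:
        return {**result, "verdict": "reject", "reasons": ["valid_until is in the past"]}
    parsed = parse_pattern(ind.get("pattern", ""))
    if parsed is None:
        return {**result, "verdict": "needs-analyst", "reasons": ["compound or unsupported pattern"]}
    obj_type, _, value = parsed
    if touches_internal(obj_type, value):
        return {**result, "verdict": "quarantine",
                "reasons": ["matches internal infrastructure; do not block and do not re-share"]}
    s = score(ind)
    tier = "high" if s >= 80 else "medium" if s >= 50 else "low"
    if not ind.get("description"):
        result["reasons"].append("no context supplied by the feed")
    return {**result, "verdict": "accept", "priority": tier, "score": s, "observable": (obj_type, value)}


def triage_bundle(bundle_json, now=None):
    """Triage every indicator in a bundle; accepted ones first, highest priority on top."""
    now = now or datetime.now(timezone.utc)
    objects = json.loads(bundle_json).get("objects", [])
    results = [triage_indicator(o, now) for o in objects if o.get("type") == "indicator"]
    order = {"high": 0, "medium": 1, "low": 2}
    accepted = sorted((r for r in results if r["verdict"] == "accept"), key=lambda r: order[r["priority"]])
    return accepted + [r for r in results if r["verdict"] != "accept"]


def safe_to_publish(ind):
    """Outbound guard: never share an indicator we cannot parse or that names our own assets."""
    parsed = parse_pattern(ind.get("pattern", ""))
    return parsed is not None and not touches_internal(parsed[0], parsed[2])


if __name__ == "__main__":
    for r in triage_bundle(SAMPLE_BUNDLE, now=FIXED_NOW):
        print(r["id"], r["verdict"], r["priority"], "; ".join(r["reasons"]))
```

Run as-is, the rich C2 domain comes out as an accepted high-priority indicator, the bare IP is accepted but marked low with a note that the feed supplied no context, the expired hash is rejected, the indicator inside the organization's own 10.0.0.0/8 is quarantined rather than blocked, and the compound pattern is escalated to an analyst. The same `touches_internal` check, applied through `safe_to_publish` before anything leaves the organization, is the cheapest protection against the inadvertent sharing the paragraph above warns about.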
At King & Union, our mission has always been to make life easier for security teams by enabling them to share information and collaborate on investigations in real-time.
Let us show you how our Avalon Cyber Analysis Platform can help your team: