Second Draft NIST Special Publication 800-150

Guide to Cyber Threat Information Sharing

Chris Johnson
Lee Badger
David Waltermire
Computer Security Division
Information Technology Laboratory

Julie Snyder
Clem Skorupka
The MITRE Corporation

April 2016

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-150
Natl. Inst. Stand. Technol. Spec. Publ. 800-150, 39 pages (April 2016)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

All comments are subject to release under the Freedom of Information Act (FOIA).

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email: sp800-150comments@nist.gov

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Cyber threat information includes indicators of compromise; tactics, techniques, and procedures used by threat actors; suggested actions to detect, contain, or prevent attacks; and the findings from the analyses of incidents. Organizations that share cyber threat information can improve their own security postures as well as those of other organizations. This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of their overall cybersecurity practices.

Keywords

cyber threat; cyber threat information sharing; indicators; information security; information sharing

Acknowledgments

The authors, Chris Johnson, Lee Badger, and David Waltermire of the National Institute of Standards and Technology (NIST), and Julie Snyder and Clem Skorupka of The MITRE Corporation, wish to thank their colleagues who contributed to this publication, including Tom Millar of the US-CERT; Karen Quigg, Richard Murad, Carlos Blazquez, and Jon Baker of The MITRE Corporation; Murugiah Souppaya of NIST; Ryan Meeuf of the Software Engineering Institute, Carnegie Mellon University; George Saylor, Greg Witte, and Matt Smith of G2 Inc.; Karen Scarfone of Scarfone Cybersecurity; Eric Burger of the Georgetown Center for Secure Communications, Georgetown University; Joe Drissel of Cyber Engineering Services Inc.; Tony Sager of the Center for Internet Security; Kent Landfield of Intel Security; Bruce Potter of KEYW Inc.; Jeff Carpenter of Dell SecureWorks; Ben Miller of the North American Electric Reliability Corporation (NERC); Anton Chuvakin of Gartner Inc.; Johannes Ullrich of the SANS Technology Institute; Patrick Dempsey, Defense Industrial Base Collaborative Information Sharing Environment (DCISE); Matthew Schuster, Mass Insight; Garrett Schubert of EMC; James Caulfield of the Federal Reserve; Bob Guay of Biogen; and Chris Sullivan of Courion.

Trademark Information

All registered trademarks or trademarks belong to their respective organizations.

Table of Contents

Executive Summary
1. Introduction
1.1 Purpose and Scope
1.2 Audience
1.3 Document Structure
2. Basics of Cyber Threat Information Sharing
2.1 Threat Information Types
2.2 Benefits of Information Sharing
2.3 Challenges to Information Sharing
3. Establishing Sharing Relationships
3.1 Define Information Sharing Goals and Objectives
3.2 Identify Internal Sources of Cyber Threat Information
3.3 Define the Scope of Information Sharing Activities
3.4 Establish Information Sharing Rules
3.4.1 Information Sensitivity and Privacy
3.4.2 Sharing Designations
3.4.3 Cyber Threat Information Sharing and Tracking Procedures
3.5 Join Sharing Community
3.6 Plan to Provide Ongoing Support for Information Sharing Activities
4. Participating in Sharing Relationships
4.1 Engage in Ongoing Communication
4.2 Consume and Respond to Security Alerts
4.3 Consume and Use Indicators
4.4 Organize and Store Indicators
4.5 Produce and Publish Indicators
4.5.1 Indicator Enrichment
4.5.2 Standard Data Formats
4.5.3 Protection of Sensitive Data

List of Appendices

Appendix A: Cyber Threat Information Sharing Scenarios
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: Resources

List of Figures

Figure 3-1: Examples of Internal Information Sources
Figure 3-2: Handling Recommendations for Example Types of Sensitive Data
Figure 3-3: Traffic Light Protocol

Executive Summary

Cyber attacks have increased in frequency and sophistication, resulting in significant challenges for organizations in defending their data and systems from capable threat actors (“actors”). These actors range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state. These actors can be persistent, motivated, and agile, and they employ a variety of tactics, techniques, and procedures (TTPs) to compromise
systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information. Given the risks these threats present, it is increasingly important that organizations share cyber threat information and use it to improve their cyber defenses.

Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts.

Through the exchange of cyber threat information with other sharing community participants, organizations can leverage the collective knowledge, experience, and capabilities of a sharing community to gain a more complete understanding of the threats they may face. Using this knowledge, an organization can make threat-informed decisions regarding defensive capabilities, threat detection techniques, and mitigation strategies. By correlating and analyzing cyber threat information from multiple sources, an organization can enrich existing information and make it more actionable. This enrichment may be achieved by independently confirming the observations of other community members and by improving the overall quality of the threat information through the reduction of ambiguity and errors. Members of a sharing community who receive information and subsequently remediate a threat also confer a degree of protection to other community members, even those who may not have received or acted upon the cyber threat information, by impeding the threat’s ability to spread. Additionally, sharing of cyber threat information allows organizations to better detect campaigns that target particular industry sectors, business entities, or institutions.

This publication assists organizations in establishing and participating in cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidelines that improve cybersecurity operations and risk management activities through safe and effective information sharing practices, and that help organizations plan, implement, and maintain information sharing.

NIST encourages greater sharing of cyber threat information among organizations, both acquiring threat information from other organizations and providing internally-generated threat information to other organizations. Implementing the following recommendations enables organizations to make more efficient and effective use of information sharing capabilities.

Establish information sharing goals and objectives that support business processes and security policies.

An organization’s information sharing goals and objectives should advance its overall cybersecurity strategy and help an organization more effectively manage cyber-related risk. An organization should use the combined knowledge and experience of its own personnel and others, such as members of cyber threat information sharing organizations, to share threat information while operating in accordance with its security, privacy, regulatory, and legal compliance requirements.

Identify existing internal sources of cyber threat information.

Organizations should identify the threat information they currently collect, analyze, and store. As part of the inventory process, organizations should determine how the information is used. This inventory can help an organization identify opportunities for improving decision-making processes through the use of cyber threat information; develop strategies for acquiring threat information from alternative, possibly external, sources or through the deployment of additional tools or sensors; and identify threat information that is available for sharing with outside parties.

Specify the scope of information sharing activities.

The breadth of an organization’s information sharing activities should be consistent with its resources, abilities, and objectives. Information sharing efforts should be focused on activities that provide the greatest value to an organization and its sharing partners. The scoping activity should identify the types of information that an organization’s key stakeholders authorize for sharing, the circumstances under which sharing of this information is permitted, and those with whom the information can and should be shared.

Establish information sharing rules.

Sharing rules are intended to control the publication and distribution of threat information and, consequently, help to prevent the dissemination of information that, if improperly disclosed, may have adverse consequences for an organization, its customers, or its business partners. Information sharing rules should take into consideration the trustworthiness of the recipient, the sensitivity of the shared information, and the potential impact of sharing or not sharing specific types of information.

Join and participate in information sharing efforts.

An organization should identify and participate in sharing activities that complement its existing threat information capabilities. An organization may need to participate in multiple information sharing forums to meet its operational needs. Organizations should consider public and private sharing communities, government repositories, commercial cyber threat intelligence feeds, and open sources such as public websites, blogs, and data feeds.

Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements.

When possible, organizations should produce metadata that provides context for each indicator that is generated, describing how it is to be used and interpreted and how it relates to other indicators. Additionally, sharing processes should include mechanisms for publishing indicators, updating indicators and associated metadata, and retracting submissions that are incorrect or perhaps inadvertently shared. Such feedback plays an important role in the enrichment, maturation, and quality of the indicators shared within a community.

Use secure, automated mechanisms to publish, consume, analyze, and act upon cyber threat information.

The use of standardized data formats and transport protocols to share cyber threat information makes it easier to automate threat information processing. The use of automation enables cyber threat information to be rapidly shared, transformed, enriched, and analyzed with less need for manual intervention.

Proactively establish cyber threat sharing agreements.

Rather than attempting to establish sharing agreements during an active cyber incident, organizations should plan ahead and put such agreements in place before incidents occur. Such advance planning helps ensure that participating organizations understand their roles, responsibilities, and information handling requirements.

Protect the security and privacy of sensitive cyber threat information.

Sensitive information, such as personally identifiable information (PII), intellectual property, and trade secrets, may be encountered when handling cyber threat information. The improper disclosure of such information could cause financial loss; violate laws, regulations, and contracts; be cause for legal action; or damage an organization’s
reputation. Accordingly, organizations should implement the necessary security and privacy controls and handling procedures to protect this information from unauthorized disclosure or modification.

Provide ongoing support for information sharing activities.

Each organization should establish an information sharing plan that provides for ongoing infrastructure maintenance and user support. The plan should address the collection and analysis of threat information from both internal and external sources, and the use of this information in the development and deployment of protective measures. A sustainable approach is necessary to ensure that resources are available for the ongoing collection, storage, analysis, and dissemination of cyber threat information.

1. Introduction

1.1 Purpose and Scope

This publication provides guidance to help organizations exchange cyber threat information. The guidance addresses consuming and using cyber threat information received from external sources, and producing cyber threat information that can be shared with other organizations. The document also presents specific considerations for participation in information sharing communities.

This publication expands upon the information sharing concepts introduced in Section 4, Coordination and Information Sharing, of NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide [1].

1.2 Audience

This publication is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, privacy officers, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and others who are key stakeholders in cyber threat information sharing activities.

Although this guidance is written primarily for Federal agencies, it is intended to be applicable to a wide variety of other governmental and non-governmental organizations.

1.3 Document Structure

The remainder of this document is organized into the following sections and appendices:

• Section 2 introduces basic cyber threat information sharing concepts, describes the benefits of sharing information, and discusses the challenges faced by organizations as they implement sharing capabilities.
• Section 3 provides guidelines on establishing sharing relationships with other organizations.
• Section 4 discusses considerations for participating in sharing relationships.
• Appendix A contains scenarios that show how sharing cyber threat information increases the efficiency and effectiveness of the organizations involved and enhances their network defenses by leveraging the cyber experience and capabilities of their partners.
• Appendix B contains a list of terms used in the document and their associated definitions.
• Appendix C provides a list of acronyms used in the document.
• Appendix D identifies resources referenced in the document.

2. Basics of Cyber Threat Information Sharing

This section introduces basic concepts of cyber threat information sharing. It discusses types of cyber threat information and defines common terminology. It also examines potential uses for shared cyber threat information and explores benefits and challenges of threat information sharing.

2.1 Threat Information Types

A cyber threat is “any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.” [2] For brevity, this publication uses the term threat instead of “cyber threat.” The individuals and groups posing threats are known as
“threat actors,” or simply actors.

Threat information is any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor. Major types of threat information include the following:

• Indicators are technical artifacts or observables¹ that suggest an attack is imminent or is currently underway, or that a compromise may have already occurred. Examples of indicators include the Internet Protocol (IP) address of a suspected command and control server, a suspicious Domain Name System (DNS) domain name, a Uniform Resource Locator (URL) that references malicious content, a file hash for a malicious executable, or the subject line text of a malicious email message.
• Tactics, techniques, and procedures (TTPs) describe the behavior of an actor. Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit.
• Security alerts, also known as advisories, bulletins, and vulnerability notes, are brief, usually human-readable, technical notifications regarding current vulnerabilities, exploits, and other security issues. Security alerts originate from sources such as the United States Computer Emergency Readiness Team (US-CERT), Information Sharing and Analysis Centers (ISACs), the National Vulnerability Database (NVD), Product Security Incident Response Teams (PSIRTs), commercial security service providers, and security researchers.
• Threat intelligence reports are generally prose documents that describe TTPs, actors, types of systems and information being targeted, and other threat-related information that provides greater situational awareness to an organization. Threat intelligence is threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
• Tool configurations are recommendations for setting up and using tools (mechanisms) that support the automated collection, exchange, processing, analysis, and use of threat information. For example, tool configuration information could consist of instructions on how to install and use a rootkit detection and removal utility, or how to create and customize intrusion detection signatures, router access control lists (ACLs), firewall rules, or web filter configuration files.

¹ An observable is an event (benign or malicious) on a network or system.

Many organizations already produce and share threat information internally. For example, an organization’s security team may identify malicious files on a compromised system when responding to an incident and produce an associated set of indicators (e.g., file names, sizes, hash values). These indicators are then shared with system administrators who configure security tools, such as host-based intrusion detection systems, to detect the presence of these indicators on other systems. Likewise, the security team may launch an email security awareness campaign in response to an observed rise in phishing attacks within the organization. These practices demonstrate information sharing within an organization.

The primary goal of this publication is to foster similar threat information sharing practices across organizational boundaries: both acquiring threat information from other organizations and providing internally-generated threat information to other organizations.

2.2 Benefits of Information Sharing

Threat information sharing provides access to threat information that might
otherwise be unavailable to an organization. Using shared resources, organizations are able to enhance their security posture by leveraging the knowledge, experience, and capabilities of their partners in a proactive way. Allowing “one organization’s detection to become another’s prevention”² is a powerful paradigm that can advance the overall security of organizations that actively share.

² This phrase, which has been used in numerous presentations and discussions, was formulated by Tony Sager, Senior VP and Chief Evangelist, Center for Internet Security.

An organization can use shared threat information in many ways. Some uses are operationally oriented, such as updating enterprise security controls for continuous monitoring with new indicators and configurations so they can detect the latest attacks and compromises. Others are strategically oriented, such as using shared threat information as inputs when planning major changes to an organization’s security architecture.

Threat information exchanged within communities organized around industrial sector or some other shared characteristic can be particularly beneficial because the member organizations often face actors that use common TTPs that target the same types of systems and information. Cyber defense is most effective when organizations collaborate successfully to deter and defend against well-organized, capable actors. By working together, organizations can also build and sustain the trusted relationships that are the foundation of secure, responsible, and effective information sharing.

Benefits of information sharing include:

• Shared Situational Awareness. Information sharing enables organizations to leverage the collective knowledge, experiences, and analytic capabilities of their sharing partners within a community of interest, thereby enhancing the defensive capabilities of multiple organizations. Even a single contribution—a new indicator or observation about a threat actor—can increase the awareness and security of an entire community.
• Enhanced Threat Understanding. By developing and sharing threat information, organizations gain a better understanding of the threat environment and are able to use threat information to inform their cybersecurity and risk management practices. Using shared information, organizations are able to identify affected platforms or systems, implement protective measures, enhance detection capabilities, and more effectively respond to and recover from incidents based on observed changes in the current threat environment.
• Knowledge Maturation. When seemingly unrelated observations are shared and analyzed by organizations, they can be correlated with data collected by others. This enrichment process increases the value of information by enhancing existing indicators and by developing knowledge of threat actor TTPs that are associated with a specific incident, threat, or threat campaign. Correlation can also impart valuable insights into the relationships that exist between indicators.
• Herd Immunity. The principle of herd (or community) immunity comes from biology, where it refers to protecting a community from a disease by vaccinating many, but not all, of its members. Similarly, organizations that act upon the threat information they receive by remediating threats to themselves afford a degree of protection to those who are yet unprotected (i.e., who have either not received or not acted upon the threat information received) by reducing the number of viable attack vectors for threat actors, thus reducing vulnerability.
• Greater Defensive Agility. Actors continually adapt their TTPs to attempt to evade detection, circumvent security controls, and exploit new vulnerabilities. Organizations that share information are often better informed about changing TTPs and can rapidly detect and
respond to threats thereby reducing the probability of successful attack Such agility creates economies of scale for network defenders while increasing the costs of actors by forcing them to develop new TTPs 427 FCI 7$ 04 6 #% 0 % #'%0 8$ '04 428 429 While there are clear benefits to sharing threat information there are also a number of challenges to consider Some challenges that apply both to consuming and to producing threat information are 430 431 432 • Establishing Trust Trust relationships form the basis for information sharing but require effort to establish and maintain Ongoing communication through regular in-person meetings phone calls or social media can help accelerate the process of building trust 433 434 435 436 437 • Achieving Interoperability Standardized data formats and transport protocols are important building blocks for interoperability and help enable the secure automated exchange of structured threat information among organizations repositories and tools Adopting specific formats and protocols however can require significant time and resources and the value of these investments can be substantially reduced if sharing partners require different formats or protocols 438 439 440 441 442 443 444 445 446 • Protecting Sensitive but Unclassified Information Disclosure of sensitive information such as personally identifiable information PII intellectual property trade secrets or other proprietary information can result in financial loss violation of sharing agreements legal action and loss of reputation Sharing information could expose the protective or detective capabilities of the organization and result in threat shifting by the actor 3 The unauthorized disclosure of information may impede or disrupt an ongoing investigation jeopardize information needed for future legal proceedings or disrupt response actions such as botnet takedown operations Organizations should apply handling designations to shared information and implement policies procedures 
and technical controls to actively manage the risks of disclosure of sensitive but unclassified information.

• Protecting Classified Information. Information received from government sources may be marked as classified, making it difficult for an organization to use. It is also expensive and time-consuming for organizations to request and maintain the clearances needed for ongoing access to classified information sources. In addition, many organizations employ non-U.S. citizens who are not eligible to hold security clearances and are not permitted access to classified information.

Note 3: NIST SP 800-30, Guide for Conducting Risk Assessments [2], defines threat shifting as "the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures. Threat shifting can occur in one or more domains including: (i) the time domain (e.g., a delay in an attack or illegal entry to conduct additional surveillance); (ii) the target domain (e.g., selecting a different target that is not as well protected); (iii) the resource domain (e.g., adding resources to the attack in order to reduce uncertainty or overcome safeguards and/or countermeasures); or (iv) the attack planning/attack method domain (e.g., changing the attack weapon or attack path)."

Some challenges to information sharing apply only to consuming others' threat information:

• Accessing External Information. Organizations need the infrastructure to access external sources and to incorporate the information retrieved from them into local decision-making processes. Information received from external sources has value only to the extent that an organization is equipped to act on it.

• Evaluating the Quality of Received Information. Before an organization takes
security-relevant actions, such as reconfiguring protection devices, based on information received from an information sharing community, it needs to validate that the received information addresses an identified need and that the costs and risks of using the information are understood.

Several challenges apply only if an organization wants to provide its own information to other organizations:

• Complying with Legal and Organizational Requirements. An organization's executive and legal teams may restrict the types of information that the organization can provide to others. Such restrictions may include limits on the types of information and on the level of technical detail provided. These safeguards are appropriate when they address legitimate business, legal, or privacy concerns, but unwarranted or arbitrary restrictions may diminish the utility, availability, quality, and timeliness of shared information.

• Limiting Attribution. Organizations may openly participate in information sharing communities but still require that their contributions remain anonymous. Sharing unattributed information may allow organizations to share more while controlling risks to their reputation. The lack of attribution may, however, limit the usefulness of the information, because users may have less confidence in information that originates from an unknown source. If the original sources cannot be identified, organizations may be unable to confirm that information has been received from multiple independent sources, which reduces their ability to build confidence in received information.

• Enabling Information Production. Organizations seeking to produce information should have the necessary infrastructure, tools, and training to do so, commensurate with the types of information to be produced. While basic threat information (e.g., indicators) is
relatively easy to collect and publish, information such as an actor's motives and TTPs generally requires greater analysis effort.

3 Establishing Sharing Relationships

When launching a threat information sharing capability, the following planning and preparation activities are recommended:[note 4]

• Define the goals and objectives of information sharing (section 3.1)
• Identify internal sources of threat information (section 3.2)
• Define the scope of information sharing activities (section 3.3)
• Establish information sharing rules (section 3.4)
• Join a sharing community (section 3.5)
• Plan to provide ongoing support for information sharing activities (section 3.6)

Note 4: Although an order for these activities is described, in practice the sequence can vary, and activities can even be performed concurrently. For example, when joining an established sharing organization, it may make sense to address information sharing rules as part of joining the community.

Throughout this process, organizations are encouraged to consult with subject matter experts both inside and outside the organization. Such sources include:

• Experienced cybersecurity personnel
• Members and operators of established threat information sharing organizations
• Trusted business associates, supply chain partners, and industry peers
• Personnel knowledgeable about legal issues, internal business processes, procedures, and systems

An organization should use the knowledge and experience of these experts to help shape a threat information sharing capability that supports its mission and operates in accordance with its security, privacy, regulatory, and legal compliance requirements. Because risks, requirements, priorities, technology, and regulations change constantly, this process will often be iterative. Organizations should reassess and adjust their information sharing capabilities as needed based on changing circumstances; such a change may involve repeating some or all of the planning and preparation activities listed above.

3.1 Define Information Sharing Goals and Objectives

At the outset, an organization should establish goals and objectives that describe the desired outcomes of threat information sharing in terms of the organization's business processes and security policies. These goals and objectives will help guide the organization through the process of scoping its information sharing efforts, selecting and joining sharing communities, and providing ongoing support for information sharing activities. Due to technological and resource constraints, it may be necessary to prioritize goals and objectives to ensure that the most critical ones are addressed.

3.2 Identify Internal Sources of Cyber Threat Information

A key step in any information sharing effort is to identify potential sources of threat information within the organization. Sources of threat information include sensors, tools, data feeds, and information repositories. Specific steps that may be helpful are:

• Identify sensors, tools, data feeds, and repositories that produce threat information, and confirm that they produce the information with sufficient frequency, precision, and accuracy to support cybersecurity decision-making
• Identify threat information that is collected and analyzed as part of the organization's continuous monitoring strategy
• Locate threat information that is collected and stored but not necessarily analyzed or reviewed on an ongoing basis (e.g., operating system default audit log files)
• Identify threat information that is suitable for sharing with outside parties and that could help them respond more effectively to cyber threats

This inventory process also includes identifying the owners and operators of threat
information sources within the organization. Ideally, personnel possess in-depth knowledge of the sensors, tools, data feeds, and repositories that they operate and can contribute to the development of data export, transformation, and integration capabilities in support of information sharing initiatives. When developing such capabilities, it is important to understand how the information is natively stored, what formats are available for data export, and which query languages, protocols, and services are available to interact with the information source. Some sources store and publish structured, machine-readable data, while others provide unstructured data with no fixed format (e.g., free text or images). Structured data based on open, machine-readable standard formats can generally be accessed, searched, and analyzed more readily and by a wider range of tools. Thus the format of the information plays a significant role in determining the ease and efficiency of information use, analysis, and exchange.

During the inventory process, an organization should also take note of any information gaps that may prevent it from realizing its goals and objectives. By identifying these gaps, an organization will be better able to prioritize investments in new capabilities and to identify opportunities to fill gaps by acquiring threat information from alternate, possibly external, sources or by deploying additional tools or sensors.

Table 3-1 describes common sources of cybersecurity-related information found within organizations and provides examples of data elements from these sources that may be of interest to security operations personnel.

Table 3-1: Selected Internal Information Sources

Source: Router, firewall, remote services (such as remote login or remote command execution), and Dynamic Host Configuration Protocol (DHCP) server logs
Example data elements: Timestamp; source and destination IP address; TCP/UDP port numbers; Media Access Control (MAC) address; host name; action (deny/allow); status code; other protocol information

Source: Diagnostic and monitoring tools (network intrusion detection and prevention systems, packet capture and protocol analysis)
Example data elements: Timestamp; IP address, port, and other protocol information; packet payloads; application-specific information; type of attack (e.g., SQL injection, buffer overflow); targeted vulnerability; attack status (success, fail, blocked)

Source: Operating system and application configuration settings, states, and logs
Example data elements: Bound and established network connections and ports; processes and threads; registry settings; configuration file entries; software version and level information; hardware information; users and groups; file attributes (e.g., name, hash value, permissions, timestamp, size); file access; system events (e.g., startup, shutdown, failures); command history

Source: Antivirus products
Example data elements: Host name; IP address; MAC address; malware name; malware type (e.g., virus, spyware, remote access); file name; file location (i.e., path); file hash; action taken (e.g., quarantine, clean, rename, delete)

Source: Web browsers
Example data elements: Browser histories and caches, including sites visited, objects downloaded, objects uploaded, extensions installed or enabled, and cookies

Source: Security Information and Event Management (SIEM)
Example data elements: Summary reports synthesized from a variety of data sources (e.g., operating system, application, and network logs)

Source: Email systems
Example data elements: Email messages, including header content (sender/recipient email address, subject line, routing information), attachments, URLs, and embedded graphics

Source: Help desk ticketing systems, incident management/tracking systems, and people from within the organization
Example data elements: Analysis reports and observations regarding TTPs, campaigns, affiliations, motives, exploit code and tools, response and mitigation strategies, and recommended courses of action; user screen captures (e.g., error messages or dialog boxes)

Source: Forensic toolkits and dynamic and/or virtual execution environments
Example data elements: Malware samples; system artifacts (network, file system, memory)

An organization's inventory should be updated when new sensors, repositories, or capabilities
are deployed. Additionally, significant changes to a device's configuration, ownership, or administrative point of contact should be documented.

3.3 Define the Scope of Information Sharing Activities

Organizations should specify the scope of their information sharing activities by identifying the types of information available to share, the circumstances under which sharing this information is permitted, and those with whom the information can and should be shared. Organizations should review their information sharing goals and objectives while scoping information sharing activities to ensure that priorities are addressed. When defining these activities, it is important to ensure that the information sources and capabilities needed to support each activity are available. Organizations should also consider pursuing sharing activities that will address known information gaps. For example, an organization might not have an internal malware analysis capability, but it may gain access to malware indicators by participating in a sharing community.

The breadth of information sharing activities will vary with an organization's resources and abilities. By choosing a narrow scope, an organization with limited resources can focus on a smaller set of activities that provides the greatest value to the organization and its sharing partners, and it may be able to expand the scope as additional capabilities and resources become available. Such an incremental approach helps ensure that information sharing activities support the organization's goals and objectives while fitting within available resources. Organizations with greater resources and advanced capabilities may choose a larger initial scope, allowing for a broader set of activities in support of their goals and objectives.

The
degree of automation available to support the sharing and receipt of threat information is a factor to consider when establishing the scope of sharing activities. Less automated or manual approaches, which involve humans directly in the loop, may increase human resource costs and limit the breadth and volume of information processed. Automation can help reduce human resource costs, allowing an organization to choose a larger scope of activities. Automated threat information sharing concepts are discussed further in section 4.

3.4 Establish Information Sharing Rules

Before sharing threat information, it is important to:

• List the types of threat information that may be shared
• Describe the conditions and circumstances under which sharing is permitted
• Identify approved recipients of threat information
• Describe any requirements for redacting or sanitizing information to be shared
• Specify whether source attribution is permitted
• Apply information handling designations that describe recipient obligations for protecting information

These steps express rules that control the publication and distribution of threat information and consequently help prevent the dissemination of information that, if improperly disclosed, may have adverse consequences for the organization or its customers or business partners. Information sharing rules should take into consideration the trustworthiness of the recipient, the sensitivity of the shared information, and the potential impact of sharing or not sharing. For example, an organization may express rules that limit the exchange of highly sensitive information to internal individuals or groups, that allow the sharing of moderately sensitive information with specific trusted partners, that permit information having a low sensitivity to be published within a closed sharing community, and that allow for the free exchange of non-sensitive
information within public information sharing forums.

When establishing and reviewing information sharing rules, organizations should solicit input from their legal and privacy officials, information owners, the management team, and other key stakeholders to ensure that the sharing rules align with the organization's documented policies and procedures. An organization may choose to codify sharing rules through Memoranda of Understanding (MOUs), Non-Disclosure Agreements (NDAs), Framework Agreements,[note 5] or other agreements. Organizations are encouraged to establish cyber threat information sharing agreements proactively, as part of their ongoing cybersecurity operations, rather than attempting to put such agreements in place under duress in the midst of an active cyber incident.

Note 5: An example of such an agreement is the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program standardized Framework Agreement [4], which implements the requirements set forth in Title 32, Code of Federal Regulations, Part 236, Sections 236.4 through 236.6.

An organization's information sharing rules should be reevaluated on a regular basis. Some of the events that can trigger reevaluation are:

• Changes to regulatory or legal requirements
• Updates to organizational policy
• Introduction of new information sources
• Risk tolerance changes
• Information ownership changes
• Organizational mergers and acquisitions
• Changes in the operating threat environment

3.4.1 Information Sensitivity and Privacy

Many organizations handle information that, by regulation, law, or contractual obligation, requires protection. This includes PII and other sensitive information afforded protection under the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the
Federal Information Security Modernization Act of 2014 (FISMA), and the Gramm-Leach-Bliley Act (GLBA). It is important for organizations to identify and appropriately protect such information. An organization's legal team, privacy officers, auditors, and experts familiar with the various regulatory frameworks should be consulted when developing procedures for identifying and protecting sensitive information.

From a privacy perspective, one of the key challenges with threat information sharing is the potential for disclosure of PII.[note 6] Education and awareness activities are critical to ensure that individuals responsible for handling threat information understand how to recognize and safeguard PII when it is encountered.[note 7]

Internal sharing of information may result in disclosure of PII to people who, by virtue of their job functions, would not typically have routine access to such information. For example, a forensic analyst or incident responder may encounter PII while searching a hard drive for malware indicators, reviewing emails related to suspected phishing attacks, or inspecting packet captures. The analyst has a legitimate need to review this information in order to investigate an exploit, develop detection strategies, or develop defensive measures. If the result of such an analysis is shared with others, steps should be taken to protect the confidentiality of the PII.

An organization should have information sharing policies and procedures in place that provide guidance for the handling of PII. These policies and procedures should include steps for identifying incident data types that are likely to contain PII, and should describe appropriate safeguards for managing the privacy risks associated with sharing such data. A common practice is to focus on the exchange of indicators to the maximum extent possible. Some indicators, such as file hashes, network port numbers, registry key values, and other data elements, are largely free of PII. Where PII is identified, however, organizations should redact fields containing PII that are not relevant to investigating or addressing cyber threats before sharing.[note 8] The type and degree of protection applied should be based on the intended use of the information, the sensitivity of the information,[note 9] and the intended recipient.

Note 6: OMB Memorandum 07-16 [5] defines PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." OMB Memorandum 10-22 [6] further states that "the definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual." NIST SP 800-122 [7] includes a slightly different definition of PII that is focused on the security objective of confidentiality and not on privacy in the broad sense. Definitions of PII established by organizations outside the federal government may vary based on the consideration of additional regulatory requirements. The guidance in this document applies regardless of how organizations define PII.

Note 7: For additional guidance and examples of privacy controls, see NIST SP 800-53 Rev. 4, Appendix J, Privacy Control Catalog: Privacy Controls, Enhancements, and Supplemental Guidance [8].

Where practical, organizations are encouraged to use automated methods rather than human-oriented methods to identify and protect PII.
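The following is an added illustration of such automated methods; it is example code written for this edit, not code from NIST SP 800-150. It applies regular-expression matching for PII in free-text fields, a permitted-value check on the observable types that may be shared, and consistent keyed replacement of the organization's own IP addresses (so that records shared over time still correlate while the real addresses are not disclosed), and then organizes the sanitized result as tear-line sections that each carry a TLP designation, as section 3.4.2 recommends, so that only the sections a recipient may receive are released. The address ranges, the regular expressions, the sample incident, and the key are assumptions constructed for the example.

```python
"""Added example (not from NIST SP 800-150): automated sanitization of a threat
report before sharing, followed by a TLP tear-line release filter. All sample
data is constructed; the address ranges, patterns, and key are assumptions."""
import hashlib
import hmac
import ipaddress
import re

# Ranges the (hypothetical) sharing organization treats as its own. Addresses in
# these ranges are replaced before sharing; all others are kept as indicators.
ORG_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative regular expressions for PII that can appear in free-text fields.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Permitted observable types (checked in this order). A value matching none of
# them is dropped rather than shared: a list-of-permitted-values check.
OBSERVABLE_TYPES = {
    "sha256": re.compile(r"[0-9a-f]{64}"),
    "ipv4": re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),
    "domain": re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}"),
}

# TLP designations from least to most restrictive.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def pseudonymize_ip(addr, key):
    """Consistent keyed replacement for the organization's own addresses.

    The same key and address always yield the same token, so records shared
    over time still correlate (referential integrity is preserved), but the
    real address cannot be recovered without the key. Addresses outside
    ORG_NETWORKS, i.e. the actual external indicators, are returned unchanged.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # not a valid address (e.g. 999.1.1.1): leave untouched
    if not any(ip in net for net in ORG_NETWORKS):
        return addr
    tag = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:10]
    return f"int-host-{tag}"


def sanitize_text(text, key):
    """Redact PII matches, then pseudonymize internal addresses, in free text."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return IPV4.sub(lambda m: pseudonymize_ip(m.group(0), key), text)


def sanitize_observables(values, key):
    """Keep only permitted observable types; pseudonymize internal IPv4s."""
    kept = []
    for value in values:
        kind = next((k for k, p in OBSERVABLE_TYPES.items()
                     if p.fullmatch(value)), None)
        if kind is None:
            continue  # e.g. a person's name pasted into the indicator list
        kept.append(pseudonymize_ip(value, key) if kind == "ipv4" else value)
    return kept


def tear_line_report(incident, key):
    """Build a report in which information of differing sensitivity is not
    intermingled: each section carries its own TLP designation."""
    return [
        {"tlp": "GREEN", "title": "Indicators",
         "body": sanitize_observables(incident["observables"], key)},
        {"tlp": "AMBER", "title": "Incident notes",
         "body": sanitize_text(incident["notes"], key)},
        {"tlp": "RED", "title": "Collection method",
         "body": incident["collection_method"]},
    ]


def releasable(report, recipient_tlp):
    """Tear-line filter: return only the sections a recipient cleared for the
    given TLP level may receive (RED > AMBER > GREEN > WHITE)."""
    limit = TLP_ORDER[recipient_tlp]
    return [s for s in report if TLP_ORDER[s["tlp"]] <= limit]


# Constructed sample incident (not real data): private and documentation
# address ranges only.
SAMPLE_INCIDENT = {
    "observables": [
        "c2.example-bad.net", "198.51.100.23", "10.20.30.40",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "Jane Doe, finance",  # not a permitted observable type: dropped
    ],
    "notes": ("jane.doe@corp.example (SSN 123-45-6789) opened the lure; "
              "10.20.30.40 called back to 198.51.100.23."),
    "collection_method": "Span port on the finance VLAN sensor",
}
SAMPLE_KEY = b"assumed-key-held-by-the-sharing-org"  # never goes in the output

if __name__ == "__main__":
    for section in releasable(tear_line_report(SAMPLE_INCIDENT, SAMPLE_KEY),
                              "AMBER"):
        print(section["tlp"], section["title"], section["body"])
```

Two design points matter in practice. The keyed replacement is consistent but not prefix-preserving: two hosts in the same internal subnet get unrelated tokens, so subnet structure is neither preserved for analysis nor leaked; where partners need subnet-level correlation, a prefix-preserving scheme is required instead. The key must be kept out of the shared output and rotated only with the understanding that rotation breaks correlation across the rotation boundary. The regular expressions are a starting point, not a complete PII detector; review sampled output before trusting them for a new data source.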
Manual identification, extraction, and obfuscation of PII can be a slow, error-prone, and resource-intensive process. Automated methods may include checking the contents of data fields against a list of permitted values, searching for PII using pattern matching techniques such as regular expressions, and performing operations that de-identify, mask, and anonymize data containing PII. The degree of automation that can be achieved will vary with factors such as the structure and complexity of the data, the sensitivity of the information, and the capabilities of the tools being used.

Organizations should also implement safeguards to protect intellectual property, trade secrets, and other proprietary information from unauthorized disclosure. The disclosure of such information could result in financial loss, violate NDAs or other sharing agreements, be cause for legal action, or damage an organization's reputation.

Table 3-2 introduces selected types of threat information, provides examples of sensitive data that may be present in each type, and offers general recommendations for handling such data when it is encountered.

Note 8: NIST SP 800-122 [7] describes a process called "de-identification," which entails the removal or obfuscation of PII such that the remaining information cannot be used to identify an individual.

Note 9: The PII confidentiality impact level, as discussed in NIST SP 800-122 [7], is a useful tool for gauging the sensitivity of PII.

Table 3-2: Handling Recommendations for Selected Types of Sensitive Data

Network Indicators
Possible sensitive data: Any single network indicator can be sensitive, but network indicators in the aggregate are often more sensitive because they can reveal relationships between network entities. By studying these relationships it may be possible to infer the identity of users, gather information about the posture of devices, perform network reconnaissance, and characterize the security safeguards and tools an organization employs.
Handling recommendations: Focus on the exchange of network indicators such as destination IP addresses associated with threat actors' command and control infrastructure, malicious URLs/domains, and phishing servers. Before sharing, anonymize or sanitize network indicators pointing to IP or MAC addresses of target systems or addresses registered to your organization. Also anonymize or sanitize indicators that may reveal the structure of internal networks, or ports or protocols identifying particular products.

Packet Capture (PCAP)
Possible sensitive data: In addition to the network indicators discussed above, unencrypted or decrypted packets may contain authentication credentials and sensitive organization information, such as PII and intellectual property.
Handling recommendations: PCAP files can be challenging because network indicators may be present within both the packet header and the payload. For example, PCAP files may show protocols (e.g., DHCP, Address Resolution Protocol (ARP), File Transfer Protocol (FTP), DNS) and applications operating at multiple layers within the network stack. These protocols and applications generate network information that may be captured within PCAP files and may require sanitization or anonymization to prevent sensitive information leakage. Filter PCAP files before sharing so that only packets related to the investigation of a specific incident or pattern of events remain, for example packets:
• Related to a particular network conversation (i.e., the exchange of information between specific IP addresses of interest)
• Occurring during a designated time period
• Destined for, or originating from, a specific port
• Employing a particular network protocol
Redact payload content that contains PII or other sensitive information or that is not relevant for characterizing the incident or event of interest. When anonymizing or redacting network information, it is important to use a strategy that preserves enough information to support meaningful analysis of the resulting PCAP file contents.

Network Flow Data
Possible sensitive data: Network flow data contains information such as source IP address (i.e., the sender), destination IP address (i.e., the recipient), port and protocol information, byte counts, and timestamps. If not effectively anonymized, network flow data may make identification of specific users possible, provide insights into user behavior (e.g., websites visited), expose application and service usage patterns, or reveal network routing information and data volumes.
Handling recommendations: Before sharing network flow data, organizations should consider redacting portions of session histories using cryptography-based, prefix-preserving IP address anonymization techniques to prevent network identification, or concealing specific fields within the session trace (e.g., timestamps, ports, protocols, byte counts). To gain the greatest value from the information, it is important to use a tool that transforms network flow data without breaking referential integrity. Network flow analysis and correlation operations often require that IP address replacement and transformation operations be performed consistently within, and sometimes across, multiple files. Anonymization techniques that do not employ a consistent replacement strategy may reduce or eliminate the value of sharing this type of information.

Phishing Email Samples
Possible sensitive data: Email headers may contain information such as mail client IP addresses, host or domain names, and email addresses. An email message body may also contain PII or other types of sensitive information.
Handling recommendations: Organizations should anonymize email samples and remove any sensitive information that is not necessary for describing an incident or event of interest.

System, Network, and Application Logs
Possible sensitive data: Log files may contain PII or other types of sensitive information. Log data may reveal IP addresses, ports, protocols, services, and URLs, as well as connection strings, login credentials, portions of financial transactions, or other activities captured in URL parameters.
Handling recommendations: Organizations should perform IP address, timestamp, port, and protocol anonymization and remove any sensitive information that is not necessary for describing an incident or event of interest. Before sharing log data, it may also be necessary to sanitize URLs containing identifying information such as session or user IDs. Application logs may require redaction and anonymization operations that are specific to a particular application log format.

Malware Indicators and Samples
Possible sensitive data: Although organizations are unlikely to encounter PII in malware indicators or samples, it is possible that PII or other sensitive
information may be present, depending on how targeted the malware is and what collection methods were used to capture a sample.
Handling recommendations: Organizations should remove PII or other sensitive information that is not necessary for describing an incident or event of interest.

3.4.2 Sharing Designations

A variety of methods exist to designate handling requirements for shared threat information. These designations identify unclassified information that may not be suitable for public release and that may require special handling. A designation applied to threat information can communicate specific handling requirements and identify data elements that are considered sensitive and should be redacted prior to sharing. Organizations are encouraged to provide clear handling guidance for any shared threat information. Likewise, recipients of threat information should observe the handling, attribution, dissemination, and storage requirements expressed in the source organization's handling guidance.

The Traffic Light Protocol (TLP), depicted in Table 3-3, provides a framework for expressing sharing designations [9].

Table 3-3: Traffic Light Protocol

RED: Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

AMBER: Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information.

GREEN: Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

WHITE: Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. TLP: WHITE information may be distributed without restriction, subject to copyright controls.

The TLP specifies a color-coded set of designations that indicate which restrictions apply to a particular record. In the TLP, red specifies the most restrictive rule, with information sharable only within a particular exchange or meeting, not even within a participant's own organization. The amber, green, and white color codes specify successively relaxed restrictions.

For some threat information, the collection methods may be considered confidential or proprietary, but the actual indicators observed may be shareable. In such cases an organization may want to use tear line reporting, an approach in which reports are organized so that information of differing sensitivity is not intermingled (e.g., the indicator information is presented in a separate part of the document from the collection methods). Organizing a report in this manner allows an organization to readily produce a version containing only the information that designated recipients are authorized to receive.

An organization should carefully choose or formulate an approach for expressing sharing designations.[note 10] Regardless of how it expresses sharing designations, it should ensure that the procedures for applying designations to threat information are documented and approved and that the personnel responsible for assigning such designations are appropriately trained.

3.4.3 Cyber Threat Information Sharing and Tracking Procedures

Over time, an organization's cybersecurity activities can result in the accumulation of large quantities of threat information from various sources, both internal and external. Though challenging, tracking data sources is important both for protecting information owners and for ensuring that consuming organizations are able to meet their legal or regulatory commitments for
data protection. Additionally, preserving the provenance of data is important for analytic purposes: it yields insights into who provided the information and how the information was collected, transformed, or processed. This kind of information is important for drawing conclusions from shared information.

Note 10: The Anti-Phishing Working Group (APWG) has also proposed a schema for expressing sharing designations [10]. The APWG schema describes an extensible, hierarchical tagging system that can be used to express distribution restrictions on shared information. The tags can indicate with whom the information may or may not be shared (e.g., recipient only, with affected parties only, no restrictions) and can express other caveats (e.g., that no attribution is permitted).

An organization should formulate procedures that allow prompt sharing of threat information while at the same time satisfying its obligations for protecting potentially sensitive data. The procedures should, to the extent possible, balance the risks of possibly ineffective sharing against the risks of possibly flawed protection. An organization's information sharing and tracking procedures should:

• Identify threat information that can be readily shared with trusted parties
• Establish processes for reviewing, sanitizing, and protecting threat information that is likely to contain sensitive information
• Automate the processing and exchange of threat information where possible
• Describe how information handling designations are applied, monitored, and enforced
• Accommodate non-attributed information exchange when needed
• Track internal and external sources of threat information

The procedures should enumerate the roles, responsibilities, and authorities (both scope and duration) of all stakeholders. They should allow for the effective transfer of authority and flow of shared information to key decision
makers and should enable collaboration with approved external communities when needed 711 ICH T%'0 8$ '04 7% 0'# 712 713 714 715 716 When evaluating potential sharing partners an organization should look to sources that complement its existing threat information resources or that offer actionable information that addresses known gaps in an organization’s situational awareness Since sharing communities may focus on the exchange of a specific type of cyber threat information an organization may need to participate in multiple information sharing forums to meet its information sharing objectives 717 718 719 720 721 722 723 724 725 Threat information can be acquired from public and private sharing communities government repositories commercial cyber threat intelligence feeds and open sources Sharing communities often organize around a shared characteristic or interest The composition of a community may be based on geographic region political boundary industrial sector business interest or threat space e g focused on phishing attacks Many of these communities have multinational constituencies and global reach Examples of potential sharing partners are ISACs domestic and foreign Computer Emergency Readiness Teams CERTs or CSIRTs threat and vulnerability repositories law enforcement agencies product vendors managed security service providers internet service providers supply chain partners industry sector peers business partners and customers 726 727 728 729 730 731 732 733 734 Some communities are informal open self-organizing groups that largely operate through voluntary cooperation The membership of these communities is often mutable i e no formal fixed membership sometimes anonymous and the members may maintain full autonomy with minimal central coordination These communities generally operate under basic rules of conduct rather than formal agreements In such communities members publish threat information to the community on a voluntary ad hoc basis and are 
individually responsible for ensuring that the content that they provide to the community is suitable for sharing Organizations wishing to consume information can subscribe to or access various delivery mechanisms offered by a community such as web services email or text alerts and RSS feeds Such sharing communities generally make no assertions regarding the quality and accuracy of data provided by 19 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 735 736 their members and the degree to which the information should be trusted depends on the reputation of submitters if known 737 In contrast formal sharing communities may define specific membership rules such as 738 • Eligibility requirements for institutions e g must operate within a specific industry sector 739 • Eligibility requirements for individuals e g must have enterprise-wide security responsibilities 740 • Nomination or sponsorship requirements i e brokered trust 741 • Probationary membership period requirements 742 • Membership fee structures 743 • Types of threat information the community provides accepts 744 • Standard delivery mechanisms formats and protocols supported by the community 745 • Required organizational cybersecurity capabilities 746 747 748 749 750 751 752 Formal communities may recruit members by invitation or through sponsorship and as such members are vetted Membership rosters in formal communities are generally more stable than those of informal communities The exchange of information in a formal community is often governed through service level agreements SLAs NDAs and other agreements that enumerate the responsibilities of its members and participating organizations Some communities collect an annual membership fee to cover the services and administrative costs of the community These fees vary by community and the fee structure is sometimes tiered providing for different levels of membership and service 753 754 Before entering into information sharing agreements it is 
important to obtain approval from an organization’s 755 756 • 757 • Legal team or those with the authority to enter into commitments 758 759 • Privacy officers and other key stakeholders that have a role in the collection ingest storage analysis publication or protection of threat information 760 761 762 763 When choosing a sharing community consideration should be given to the types of information that are shared within the community the structure and dynamics of the community and the cost of entry and sustainment of membership When evaluating how information is shared within a community an organization should consider the following questions 764 765 • Is the threat information shared within the community relevant and does it complement existing threat information by providing meaningful insights in the context of an organization’s threat environment 766 • Is the threat information exchanged within the community actionable 767 768 • Does the community have mechanisms in place to accept non-attributed cyber threat submissions and the ability to protect a submitter’s identity 769 • Is the disseminated threat information timely reliable and of known good quality Leadership team that is responsible for oversight over information sharing activities and for controlling the resources necessary to support the organization’s information sharing goals 20 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 770 771 • Are the information exchange formats used by the community compatible with the infrastructure and tools used in an organization 772 773 • Given the frequency and volume of data disseminated by a community does an organization have the capacity to ingest analyze store the information 774 775 In addition to the information shared within a community consideration should also be given to the dynamics of the community and its participants including 776 777 • What is the size and composition of the community e g number of participants information producers and 
information consumers 778 • How active is the community e g number of submissions or requests per day 779 • Are community members recruited and vetted If so how 780 • What are the technical skills and proficiencies of the community members 781 • What is the community’s governance model 782 • 783 • What type of sharing agreement does the community use 784 • Is the sharing agreement well-aligned with an organization’s goals objectives and business rules 785 786 787 788 When researching sharing communities organizations are encouraged to have conversations with current or former members regarding their experiences as a participant in a community Such conversation can provide additional insight and help an organization assess the trustworthiness of a prospective community 789 ICU 0 #% %B'2 N04%'04 8 11% # % 0 % #'%0 8$ '04 -#'B'#' 6 790 791 792 To ensure that information sharing activities have ongoing support organizations should establish a plan that outlines how their information sharing infrastructure will be maintained and how its users will be supported The plan should identify the supporting personnel infrastructure and processes needed to 793 • Collect and analyze the information from both internal and external sources 794 • Acquire and deploy protective measures 795 • Acquire and deploy a monitoring and threat detection infrastructure 796 797 798 799 800 It is important to ensure that sufficient funding exists for the personnel infrastructure and training required for ongoing operational support for data collection storage analysis and dissemination for technology refreshment and for membership or service fees required for community participation Although participation in information sharing activities will require ongoing funding effective use of threat information may avoid the potentially much larger costs of successful attacks What are the initial and sustained costs of membership 21 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 801 EC #'-'1 
#'04 '0 8$ '04 5 #'%06$'16 802 803 An organization’s participation in an information sharing community will typically include some or all of the following activities 804 • Engage in ongoing communication section 4 1 805 • Consume and respond to security alerts section 4 2 806 • Consume and use indicators section 4 3 807 • Organize and store indicators section 4 4 808 • Produce and publish indicators section 4 5 809 810 811 812 813 The following sections describe these activities in greater detail Organizations just starting their threat information sharing efforts should initially choose one or two activities to focus on and should consider adding additional activities as their information sharing capability matures Regardless of an organization’s information sharing maturity it is important to understand that information sharing should augment but not replace an organization’s fundamental cybersecurity capabilities 814 ECD @04 4 '0 N04%'04 7% 0'- #'%0 815 816 817 818 819 820 821 822 823 824 Information sharing communities use a variety of communications methods to share threat information with their members Most organizations are able to receive threat information via email lists text alerts and web portals without infrastructure investments specific to information sharing although the content received through these delivery channels may need to be manually processed e g “cut and paste” into tools For recipients that have security tools that support standard data formats the use of standardsbased data feeds can enable semi-automated ingest processing and use of threat information Other information sharing methods such as conferences and workshops require dedicated staff and travel Organizations that actively produce and share threat information are likely to incur higher communication costs Communications may be event-driven i e in response to the actions or behavior of an actor or periodic such as bi-weekly reviews teleconferences and annual conferences 825 826 
The level of detail, volume, and frequency of messages delivered in human-readable formats varies widely across information sharing communities. Some communities seek to deliver the most current threat information with minimal latency. In contrast, some recipients using threat information for trending and analysis may prefer summary data and may have no need for near real-time delivery of detailed information. To reduce the number of messages generated, sharing communities sometimes provide the option of subscribing to digests (i.e., compilations of messages over time intervals) rather than receiving individual messages.

An organization that has recently joined an information sharing community may require time to integrate new threat information sources into its existing cybersecurity practices, configure security tools, and train decision makers on how to interpret and act upon the threat information. During this ramp-up period, an organization should consult any best practices guidance offered by a community, observe and learn from the interactions of more experienced members, and query community support resources (e.g., community knowledgebase, FAQs, blogs). Community-sponsored training events also provide opportunities for less mature organizations and inexperienced employees to gain practical insights from skilled practitioners. Organizations should also establish recruitment and retention processes that reduce personnel turnover and foster the formation of trusted professional relationships between sharing communities and organizations. Retention of skilled staff mitigates the loss of institutional knowledge and preserves investments in training.

Ongoing participation in a sharing community is essential for fostering stronger ties to other members and continuously improving practices. Organizations that actively participate in community-sponsored conference calls and face-to-face meetings are better able to establish trust with other members and, consequently, to effectively collaborate over time.

4.2 Consume and Respond to Security Alerts

An information sharing community may publish security alerts notifying community members of emerging vulnerabilities, exploits, and other security issues. Fields that commonly appear in security alerts, such as US-CERT alerts, NVD vulnerability advisories, and vendor security bulletins, include (footnote 10):

• Brief overview, executive summary, and detailed description (which would include indicators)
• Platforms affected (e.g., operating system, application, hardware)
• Estimated impact (e.g., system crash, data exfiltration, application hijacking) (footnote 11)
• Severity rating (e.g., Common Vulnerability Scoring System (CVSS) [11])
• Mitigation options, including permanent fixes and/or temporary workarounds
• References for more information
• Alert metadata (e.g., alert creation and modification dates, acknowledgments)

Upon receipt of a security alert, an organization should first determine if the alert came from a trusted, reliable source. When alerts originate from unknown or untrusted sources, it may be necessary to subject them to additional scrutiny and/or seek independent confirmation before taking action. If an alert is deemed credible, an organization should determine if it owns or operates any of the affected systems, applications, or hardware identified in the alert; if so, the organization should craft an appropriate response.

When crafting a response, an organization should characterize the overall impact of an alert by assessing factors such as the severity of the alert, the number of affected systems within the organization, the effects an attack might have on the organization's mission-critical functions, and the operational impact of deploying mitigating security controls. This assessment should inform the prioritization and approach for response actions. Response actions include activities such as identifying and extracting indicators from an alert, using indicators to develop and deploy detection signatures, making configuration changes, applying patches, notifying personnel of threats, and implementing or enhancing security controls. The indicator extraction and response actions are largely manual processes today, but there are clear incentives for automating these activities. Manual processing of indicators can be time-consuming, tedious, error-prone, and slow; automation of the activities allows analysts to focus on the interpretation of information rather than routine data manipulations.

10 Source: United States Computer Emergency Readiness Team (US-CERT).
11 A more extensive list of potential effects is given in the MITRE Common Weakness Enumeration (http://cwe.mitre.org) and Common Vulnerabilities and Exposures (http://cve.mitre.org) listings.

4.3 Consume and Use Indicators

The consumption and use of indicators from external feeds is often a multi-step process that includes some, if not all, of the following activities:

• Validation: verifying the integrity of indicator content and provenance through the use of digital signatures, cryptographic hashes, or other means
• Decryption: transforming encrypted indicator files or data streams back to their original format
• Decompression: unpacking compressed indicator files, archive files (e.g., zip, tar), or data streams
• Prioritization: processing indicators based on relative importance, the perceived value of a data source, the overall confidence in the data, any operational requirements that specify that data sources be processed in a particular order, the amount of effort required to transform the data into actionable information, or other factors
• Content extraction: parsing indicator files and extracting indicator information of interest to an organization
• Categorization: reviewing indicator metadata to determine its security designation and handling requirements. Sensitive information may require encrypted storage, more stringent access control, or limitations on distribution. Content like malware samples may require special handling precautions to prevent inadvertent introduction of malicious code onto production networks.

These activities are typically performed in the order described above, but the order may vary based on specific operational or security requirements. Where feasible, organizations are encouraged to automate these activities to expedite use of indicators and minimize manual effort. In cases where indicators are being informally shared, such as through email, indicator prioritization and categorization are still important and should be performed by the recipient.

Ideally, indicators are:

• Timely: Indicators that are delivered with minimal latency maximize the time recipients have to prepare suitable responses. The time criticality of indicators depends on the characteristics of the threats, including their severity, speed and ease of propagation, the infrastructure being targeted, the TTPs being employed, and the capabilities of the actor or actors. Some decision cycles may require that indicators be delivered within seconds or minutes to counter a fast-moving actor; other threats may effectively be addressed using indicators that are hours, days, or even months old.
• Relevant: Indicators that are applicable to a recipient's operating environment and that address threats the organization is likely to face are much more useful to recipients and allow them to more effectively analyze risks associated with particular threats.
• Accurate: Indicators that are correct, complete, and unambiguous are most useful. Inaccurate or incomplete information introduces uncertainty and may prevent critical action, stimulate unnecessary action, result in ineffective responses, or instill a false sense of security.
• Specific: Indicators should provide clear descriptions of observable events that recipients can use to detect threats while minimizing false positives/negatives.
• Actionable: Indicators should provide sufficient information and context to allow recipients to develop a suitable response.

In practice, an indicator may exhibit some, but not all, of these characteristics. For example, indicators might not be actionable because the recipient has no means of detection, information is missing, or the threat has changed. However, this does not mean that such indicators are of no value to an organization. Such indicators can be enriched through aggregation, correlation with other threat information, and additional analysis. As indicators mature, it is important for organizations to share any new insights so that an entire community may benefit.

Organizations may use externally and internally-generated indicators in a variety of ways, e.g., to:

• Reconfigure firewalls, intrusion detection systems, data loss prevention systems, and/or other security controls to block or alert on activity matching the indicators (for example, connections involving IP addresses on a blacklist)
• Configure security information and event management solutions or other log management-related systems to help with analysis of security log data
• Scan security logs, systems, or other sources of information using indicators as search keys to identify systems that may have already been compromised
• Find matching records when investigating an incident or potential incident to learn more about a threat and to help expedite incident response and recovery actions
• Inform human security analyses
• Educate staff on threat characteristics
• Identify threat trends that may necessitate long-term changes to security controls
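As an added illustration of the consumption steps listed above (validation, decompression, content extraction, prioritization, categorization) and of the log-scanning use just described, the following Python script is example code written for this page; it is not from NIST SP 800-150 or from any sharing community. It assumes a constructed feed format (a gzip-compressed JSON document with a detached HMAC-SHA256 digest computed under a pre-shared key, standing in for the digital signature or hash a real community would supply), assumed TLP-style handling markings (GREEN, AMBER, RED), a constructed source name "example-isac", and a few constructed log lines. Prioritization is applied here to the extracted indicators rather than to data sources, one of the orderings the text allows; a bundle that fails validation is discarded before any parsing, and RED-marked indicators are categorized as analyst-only and kept out of the automated log scan.

```python
import gzip
import hashlib
import hmac
import json
import re

# Constructed pre-shared key; a real community would more likely sign the bundle.
SHARED_KEY = b"constructed-shared-secret"

# Constructed sample feed from a fictitious community "example-isac".
SAMPLE_FEED = {
    "source": "example-isac",
    "confidence": 80,  # producer's stated confidence in its own data, 0-100
    "indicators": [
        {"type": "ipv4", "value": "198.51.100.23", "handling": "GREEN"},
        {"type": "domain", "value": "update-check.example", "handling": "AMBER"},
        {"type": "sha256", "handling": "RED",
         "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
        {"type": "ipv4", "value": "999.1.1.1", "handling": "GREEN"},  # malformed
    ],
}

# Constructed log lines; two of them contain indicators from the feed.
SAMPLE_LOGS = [
    "2016-04-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2016-04-01T10:00:07Z dns client=10.0.0.9 query=www.example.org",
    "2016-04-01T10:01:12Z dns client=10.0.0.9 query=update-check.example",
]

# Value syntax per indicator type; values that fail are dropped at extraction.
VALUE_SYNTAX = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}

# Assumed TLP-style markings mapped to the recipient's handling rule.
HANDLING = {
    "RED": "analyst-only: no automated deployment, no onward sharing",
    "AMBER": "internal-only: may be loaded into the organization's own tools",
    "GREEN": "community: may be shared with and deployed by trusted partners",
}

def build_bundle(feed, key=SHARED_KEY):
    """Producer side: compress the feed and attach an HMAC-SHA256 digest."""
    blob = gzip.compress(json.dumps(feed).encode())
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def validate(blob, digest, key=SHARED_KEY):
    """Validation: check integrity before anything is parsed."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)

def decompress(blob):
    """Decompression (this constructed feed is not encrypted)."""
    return gzip.decompress(blob).decode()

def extract(text):
    """Content extraction: keep only well-formed values, each tagged with
    the feed's source name and confidence."""
    feed = json.loads(text)
    kept = []
    for ind in feed["indicators"]:
        pattern = VALUE_SYNTAX.get(ind.get("type"))
        if pattern and pattern.match(ind.get("value", "")):
            kept.append(dict(ind, source=feed["source"], confidence=feed["confidence"]))
    return kept

def prioritize(indicators):
    """Prioritization: higher confidence first, then network indicators
    (cheap to deploy on a firewall or proxy) before file hashes."""
    type_rank = {"ipv4": 0, "domain": 1, "sha256": 2}
    return sorted(indicators, key=lambda i: (-i["confidence"], type_rank[i["type"]]))

def categorize(indicator):
    """Categorization: handling rule from the marking; unknown means most restrictive."""
    return HANDLING.get(indicator.get("handling"), HANDLING["RED"])

def scan_logs(indicators, log_lines):
    """Use indicators as search keys over logs to find hosts that may already be
    talking to known-bad infrastructure. Boundaries keep 198.51.100.2 from
    matching 198.51.100.23. Returns (line number, indicator value) pairs."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for ind in indicators:
            if ind["type"] not in ("ipv4", "domain"):
                continue
            if re.search(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", line):
                hits.append((number, ind["value"]))
    return hits

def consume(blob, digest, log_lines, key=SHARED_KEY):
    """Run the pipeline; a failed integrity check discards the whole bundle."""
    if not validate(blob, digest, key):
        raise ValueError("indicator bundle failed integrity check; discarded")
    indicators = prioritize(extract(decompress(blob)))
    deployable = [i for i in indicators if i["handling"] != "RED"]
    return {
        "indicators": indicators,
        "handling": {i["value"]: categorize(i) for i in indicators},
        "hits": scan_logs(deployable, log_lines),
    }
```

Calling consume(*build_bundle(SAMPLE_FEED), SAMPLE_LOGS) returns the prioritized indicators (the malformed IPv4 value is dropped at extraction), the handling rule for each, and the log hits on lines 1 and 3; a practitioner would replace build_bundle with whatever the community actually delivers and feed real log lines to scan_logs.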
Typically, an organization's willingness to use indicators from external sources is strongly affected by the level of trust the organization has in the source. Indicators received from a trusted source might be put to immediate use to detect and respond to a threat. In contrast, indicators originating from an untrusted source may require independent validation, additional research, or testing before use. Indicator use might also be affected by other factors, such as an organization's tolerance for service disruptions. For some organizations, security is paramount and occasionally blocking benign activity is considered acceptable. For other organizations, service availability may be so important that possibly malicious activity might only trigger monitoring.

An organization should carefully consider the characteristics of indicators that it receives and should take a risk-based approach to determining how indicators can be most effectively used. An organization may find that a specific indicator is useful in some situations but not in others. Ultimately, it is up to each organization to decide how to best use indicators.

4.4 Organize and Store Indicators

Organizations may collect indicators from a variety of sources, including open source repositories, commercial threat feeds, and external partners. Depending on how indicators are being used, there may be a need to organize them in a knowledgebase. Free-form methods such as wikis can be quite flexible and suitable for developing working notes and indicator metadata. Structured databases are also useful for storing, organizing, tracking, querying, and analyzing collections of indicators.

Information commonly recorded in a knowledgebase includes the following, when known:

• Source of an indicator
• Rules governing the use of or sharing of an indicator
• Date or time an indicator was collected
• How long an indicator is valid
• Whether or not attacks associated with an indicator have targeted specific organizations or sectors
• Any Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), or Common Weakness Enumeration (CWE) records associated with an indicator
• Groups or actors associated with an indicator
• Aliases of any associated actors
• TTPs commonly used by an actor
• Motives or intent of an associated actor
• Employees or types of employees targeted in associated attacks
• Systems targeted in attacks

An indicator knowledgebase is an attractive target and may well become a target of attack. Therefore, measures should be taken to ensure that appropriate security practices are followed for a knowledgebase, such as restricting access to authorized personnel only, backing up the knowledgebase regularly, maintaining the knowledgebase systems' operating systems and applications with current patches and secure configurations, and following software development best practices for the production of any in-house software used for the knowledgebase (footnote 12).

Organizations should establish policies and procedures that address the disposition of indicators and threat information in general. Policies and procedures should define data retention requirements for short-term (online) and long-term (offline) availability of indicator information. Information handling and retention requirements may change once threat information is entered into evidence. Evidence acquired during any incident investigations, for instance, should be collected and preserved using best practices for data preservation, following chain of custody requirements and other laws pertaining to the submission of evidence. A more detailed treatment of forensic techniques related to chain of custody and preserving information integrity is available in NIST SP 800-86 [12] and Section 3.3.2 of NIST SP 800-61 Revision 2 [1].

For indicators that are not needed as evidence, organizations should determine appropriate retention policies (footnote 13). Although retaining threat information has costs, detailed information may provide historical value as well as help new sharing community members and partners understand the persistence and evolution of different actors and attack types. Other considerations, such as financial, legal, contractual, or regulatory issues, may limit data retention to a fixed period of months or years. Once a retention schedule is identified, organizations should either archive or destroy the indicators in accordance with applicable policies (footnote 14).

12 The NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project seeks to develop standard evaluation measures and methods for software assurance: http://samate.nist.gov/index.php/SAMATE_Publications.html
13 Federal agencies are subject to the National Archives and Records Administration (NARA) General Records Schedule as well as agency-specific retention policies.
14 NIST SP 800-88 [13] provides guidance to assist organizations in making risk-based decisions regarding the sanitization and disposition of media and information.

4.5 Produce and Publish Indicators

Many organizations only consume indicators. However, some organizations, often those with more advanced security capabilities, choose to produce and publish their own indicators. An organization may benefit substantially by producing threat information. For example, an organization may gain greater expertise, help other organizations more effectively respond to threats in their environments, and foster trust with other community members. These effects are important for building and sustaining the flow of threat information that ultimately benefits a producing organization. A producer of shared threat information must decide what, if any, metadata should accompany shared information, what data formats should be used, how sensitive data should be handled, and how information sharing rules should be maintained over time. The following subsections address these issues.

4.5.1 Indicator Enrichment

When producing and publishing indicators, it is important to include metadata that provides context for each indicator, describing how it is to be used and interpreted and how it relates to other indicators. Metadata may also include sensitivity designations and provenance information (e.g., what tool was used to acquire the data, how the data was processed, who collected the data). As indicators are created, aggregated, or enriched, their sensitivity and classification should be reevaluated. An aggregation, association, or enrichment process may enable re-identification (e.g., using data mining techniques) or elevate the sensitivity of the information, thus necessitating additional data handling restrictions.

The indicator production process should provide a mechanism for publishing indicators, updating indicators and associated metadata, and retracting submissions that are incorrect or perhaps inadvertently shared. Any automated mechanisms should be hardened and tested to ensure that they do not become viable attack vectors for threat actors. Organizations that share indicators should provide a feedback mechanism that allows sharing partners to submit error reports, suggest improvements, or request additional information about the indicators. Such feedback plays an important role in the enrichment, maturation, and quality of the indicators shared within a community.

Some information shared within a community may be marked as "currently under investigation" and may require that members avoid sharing beyond the collective; such markings may also prohibit members from performing active information collection, such as retrieving malware samples from a suspect website or performing DNS lookups on suspect hostnames, that might tip off a potential actor or otherwise compromise investigative activities. At some point, such information will probably have its distribution and investigation restrictions downgraded, so it is useful to have a mechanism to change the marking or to add a revised marking, such as "downgraded to GREEN as of 12/20/2015."

4.5.2 Standard Data Formats

The use of standard data formats for the exchange of indicators enhances interoperability and allows information to be exchanged with greater speed. Unstructured formats (e.g., text documents, email) are suitable for high-level threat reports and ad hoc exchanges of indicator information and other materials intended to be read by security personnel rather than machines. For time-critical exchanges of indicators, however, such as automatically configuring a firewall to block specified communications, the use of standard data formats is encouraged because they minimize the need for human assistance. When evaluating standard formats for data exchange, choose formats that are widely adopted, readily extensible (i.e., new data elements or features can be incorporated with minimal engineering and design effort), and scalable, and that provide the requisite data security features.

4.5.3 Protection of Sensitive Data

The indicators that an organization publishes may be sensitive, so it is important to prevent their unauthorized disclosure or modification. Indicator data can be protected using a variety of methods, including encrypted network communications, authentication and authorization mechanisms, and storage in a hardened repository. If a repository is used, an organization should have a written SLA for the repository that specifies expected availability, security posture requirements, and acceptable use policies. When producing indicators that may contain sensitive information, appropriate sharing rules (see Section 3.4) should be followed, and information should be shared only with community members that are trusted to follow sharing rules and that have agreed to do so.

Appendix A: Cyber Threat Information Sharing Scenarios

This appendix presents a number of scenarios that describe threat information sharing in real-world applications. These scenarios seek to show how sharing and coordination can increase the efficiency and effectiveness of an organization's cybersecurity capabilities. These scenarios represent only a small number of the possible applications of information sharing and collaboration.

Scenario 1: Nation-State Attacks Against a Specific Industry Sector

A nation-state regularly targets companies in a certain industry sector over several months. The attacks come in the form of targeted emails that carry malicious attachments containing a software exploit that, upon opening, launches malware on a victim's system. Systems that are successfully compromised by the malware are then reconfigured by the malware to contact command and control servers and other infrastructure operated by the threat actor to receive additional instructions, to download additional malware, and to exfiltrate data.

Many companies within this industry sector participate in a formal threat information sharing organization in which a central forum is used to post information about observed threats. The posts describe details relevant to detecting and defending against the threat, such as the sender addresses of phishing emails, samples of malware collected from the attacks, analysis of exploit code used by the attackers, the IPs and URLs associated with the attacker's command and control servers, and other infrastructure involved with attacks.

As soon as one company's security team identifies a new attack, the information is shared with its peers within the forum. One of the companies (A) that participates in the forum has advanced malware analysis capabilities and is able to further characterize the threat actor and its command and control infrastructure using a malware sample shared via the forum by another company (B). Company A then shares back the information gained through its analysis of the malware. Through B's sharing of the malware sample, the community benefits from the malware analysis capabilities of company A and is able to quickly and efficiently detect and protect against similar attacks against their organizations. In this scenario, an attack faced by one company contributes to another's defense.

Scenario 2: Campaign Analysis

Cybersecurity analysts from companies in a business sector have been sharing indicators and malware samples in an online forum over the past few years. Each company performs independent analysis of the attacks and observes consistent patterns over time, with groups of events often having a number of commonalities, such as the type of malware used, the DNS domains of command and control channels, and other technical indicators. These observations lead the analysts to suspect that the attacks are not fully random but part of a larger, coordinated set of actions.

The forum members participate in technical exchange meetings to share data, insights, and analyses of the different attacks. Through data aggregation and joint analyses, the members are able to identify activities that are likely attributable to a common threat actor or to coordination among threat actors. This scenario demonstrates how data fusion and analysis may help reveal collective action and campaigns by a threat actor and identify the TTPs that are used by specific threat actors as part of a campaign.

Scenario 3: Distributed Denial of Service Attacks Against an Industry Sector

A hacktivist group targets a select set of companies for a large-scale distributed denial of service (DDoS) attack. The group employs a distributed botnet that is loosely coordinated and controlled by members of the group. By analyzing traffic generated by the botnet, one of the companies targeted in the attack is able to determine that the attackers are using a variant of a popular DDoS tool.

The targeted companies are members of an ISAC and use the ISAC's discussion portal to establish a working group to coordinate their efforts to end the attack. The working group contacts the ISAC's law enforcement liaison, who coordinates with federal and international authorities to aid in the investigation and to gain court orders to shut down the attacker systems.

The working group contacts various internet service providers (ISPs) and provides information to aid in identifying abnormal traffic to their network addresses. The ISPs assist both the affected companies and law enforcement personnel by helping to identify the upstream and downstream traffic sources, implementing routing changes, and enforcing data rate limits on these sources. Using network traffic collected by the ISPs, law enforcement agencies are able to identify the command and control servers, seize these assets, and identify some members of the hacktivist group.

After a technical exchange meeting among the targeted companies, several companies decide to enlist the aid of content distribution providers to distribute their web presences and make their business systems more resilient to future DDoS attacks.

Scenario 4: Financial Conference Phishing Attacks

A cyber crime group makes use of a publicly available conference attendee list to target specific individuals with a wave of phishing emails. The group is able to identify attendees who are members of the target organization's corporate accounting team, i.e., individuals who may have the authority to authorize payments or funds transfers. Through the use of targeted malware distributed through phishing attacks, the group attempts to compromise machines and accounts to complete unauthorized electronic payments and funds transfers to overseas businesses.

One company is able to identify the phishing attack against personnel within its corporate accounting team and learns during its investigation that all the recipients targeted during the attack had attended the same conference six months earlier. The company's CSIRT contacts the conference organizers as well as representatives from other organizations that attended the conference. The affected organizations arrange a conference call to share specific information (e.g., email header content, attachments, embedded URLs) regarding the attacks. Using the shared indicators, other conference attendees review their mail and network traffic logs to identify potentially compromised hosts. These companies agree to ongoing collaboration and information sharing about future attacks via an informal email list.

Scenario 5: Business Partner Compromise

"Company A" and "Company B" are business partners that have established network connectivity between their organizations to facilitate the exchange of business information. A cyber crime organization compromises a server at Company B and uses that access as a stepping stone to launch attacks against internal servers at Company A. Operations personnel at Company A notice the unusual activity and notify their security team. The security team identifies the source of the activity as coming from a Company B system. As stipulated in their business partner connectivity agreement, Company A notifies Company B about the anomalous traffic, and the companies initiate a joint response to the incident following established procedures. Company A's incident response team describes the activity it is seeing
allowing Company B’s team to isolate the compromised server and perform an investigation to identify the source of the breach and other possible compromises Their investigation reveals that the attackers exploited a software flaw in a web-facing application and used it to gain unauthorized access to the server The application development team at Company B implements and deploys a code change to close the security 30 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 1128 1129 hole and the security operations team enables additional logging and intrusion detection signatures to identify any similar future attacks 1130 1131 1132 Because the security teams of the two companies had agreements and processes in place for a joint response had pre-established contacts and existing trust relationships and had already understood each other’s networks and operations they were able to quickly respond and recover from the incident 1133 1134 1135 1136 1137 1138 1139 1140 8- 0 '% U3 V8P7@59 %B'2 6 02'- #% 6Y 5 - 'B 6 X 2 - The US-CERT receives information from a variety of independent sources that a number of servers located in the U S are being used to carry out cyber attacks against other U S companies A specific foreign actor is known to control the compromised servers The US-CERT identifies the targeted companies and notes that they are predominantly from the aviation industry The US-CERT contacts the security teams of these companies and shares initial threat information including URLs malware and vulnerabilities being exploited by the threat actor 1141 1142 1143 1144 1145 Using the indicators a number of affected companies are able to detect attacks against their infrastructures and to take the actions necessary to prevent the attacks from being successful During their investigation the affected companies are also able to identify new indicators or provide additional context regarding the attack to the US-CERT The US-CERT is able to share these new indicators with 
other firms after anonymizing the sources which leads to a more comprehensive response to the threat 1146 8- 0 '% Z3 5 # ' X ' 6 #% 8$ 1147 1148 1149 1150 1151 A large retailer is subject to a cyber attack by a criminal organization Millions of credit card numbers and account information are stolen during a breach that goes undiscovered for several weeks The retailer does not participate in sharing threat information so the organization relies on its own security and detection capabilities Its internal capabilities prove inadequate in the face of a sophisticated targeted threat that uses custom malware 1152 1153 1154 The breach is discovered by credit card companies investigating a rash of credit card fraud The commonality in the credit card fraud was purchases made from this one retailer The credit card companies notify law enforcement and the retailer which begins an investigation 1155 1156 1157 1158 1159 The damages are extensive The company notifies its customers of the theft of personal information but does not release details of how the attack was carried out Consequently several other retailers are successfully attacked using the same methods in the weeks following the initial breach The financial losses realized by the retailers customers and credit card issuers could have been avoided at least in part had these companies engaged in active sharing of threat information with one another 31 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 1160 11 02'A GKL %66 1161 Selected terms used in the publication are defined below Actor See “threat actor” Alert A brief usually human-readable technical notification regarding current vulnerabilities exploits and other security issues Also known as an advisory bulletin or vulnerability note Cyber Threat See “threat” Indicator A technical artifact or observable that suggests an attack is imminent or is currently underway or that a compromise may have already occurred Observable An event benign or malicious on a 
network or system Tactics Techniques and Procedures TTPs The behavior of an actor A tactic is the highest-level description of this behavior while techniques give a more detailed description of behavior in the context of a tactic and procedures an even lowerlevel highly detailed description in the context of a technique Threat Any circumstance or event with the potential to adversely impact organizational operations including mission functions image or reputation organizational assets individuals other organizations or the Nation through an information system via unauthorized access destruction disclosure or modification of information and or denial of service 2 Threat Actor An individual or a group posing a threat Threat Information Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor Major types of threat information include indicators TTPs security alerts threat intelligence reports and tool configurations Threat Intelligence Threat information that has been aggregated transformed analyzed interpreted or enriched to provide the necessary context for decisionmaking processes Threat Intelligence Report A prose document that describes TTPs actors types of systems and information being targeted and other threat-related information Threat Shifting The response of actors to perceived safeguards and or countermeasures i e security controls in which actors change some characteristic of their intent targeting in order to avoid and or overcome those safeguards countermeasures 2 Tool Configuration A recommendation for setting up and using tools that support the automated collection exchange processing analysis and use of threat information 1162 32 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 1163 11 02'A 7K - %0 6 1164 Selected acronyms used in the publication are defined below ACL ARP CCE CIO CISO CSIRT CVE CVSS CWE DDoS DHCP DIB DNS FISMA FTP GLBA HIPAA IP IR ISAC ISP IT ITL 
MAC MOU NDA NIST NVD OMB PCAP PCI DSS PII PSIRT RSS SIEM SLA SOX SP SQL TCP TLP TTP UDP URL US-CERT Access Control List Address Resolution Protocol Common Configuration Enumeration Chief Information Officer Chief Information Security Officer Computer Security Incident Response Team Common Vulnerability Enumeration Common Vulnerability Scoring System Common Weakness Enumeration Distributed Denial of Service Dynamic Host Configuration Protocol Defense Industrial Base Domain Name System Federal Information Security Modernization Act File Transfer Protocol Gramm-Leach-Bliley Act Health Information Portability and Accountability Act Internet Protocol Interagency Report or Internal Report Information Sharing and Analysis Center Internet Service Provider Information Technology Information Technology Laboratory Media Access Control Memorandum of Understanding Non-Disclosure Agreement National Institute of Standards and Technology National Vulnerability Database Office of Management and Budget Packet Capture Payment Card Industry Data Security Standard Personally Identifiable Information Product Security Incident Response Team Rich Site Summary or Really Simple Syndication Security Information and Event Management Service Level Agreement Sarbanes-Oxley Act Special Publication Structured Query Language Transmission Control Protocol Traffic Light Protocol Tactics Techniques and Procedures User Datagram Protocol Uniform Resource Locator United States Computer Emergency Readiness Team 1165 33 - ' % @AABCDA IK N JR'M V N '# U ' J' -R# $J' #- J -V -N 1166 11 02'A MK5 0- 6 1 NIST SP 800-61 Revision 2 Computer Security Incident Handling Guide http nvlpubs nist gov nistpubs SpecialPublications NIST SP800-61r2 pdf 2 NIST SP 800-30 Revision 1 Guide for Conducting Risk Assessments http csrc nist gov publications nistpubs 800-30-rev1 sp800_30_r1 pdf 3 Executive Order 12968 Access to Classified Information http www gpo gov fdsys pkg FR1995-08-07 pdf 95-19654 pdf 4 Defense Industrial Base 
DIB Cyber Security Information Assurance CS IA Program standardized Framework Agreement Federal Register http www gpo gov fdsys pkg FR-201310-22 pdf 2013-24256 pdf 5 OMB Memorandum 07-16 “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” https www whitehouse gov sites default files omb memoranda fy2007 m07-16 pdf 6 OMB Memorandum 10-22 “Guidance for Online Use of Web Measurement and Customization Technology” https www whitehouse gov sites default files omb assets memoranda_2010 m1022 pdf 7 NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information PII http csrc nist gov publications nistpubs 800-122 sp800-122 pdf 8 NIST SP 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations http nvlpubs nist gov nistpubs SpecialPublications NIST SP800-53r4 pdf 9 Traffic Light Protocol http www us-cert gov tlp 10 Anti-Phishing Working Group GitHub project site https github com patcain ecrisp tree master schemas apwg 11 NIST IR 7435 The Common Vulnerability Scoring System CVSS and Its Applicability to Federal Agency Systems http csrc nist gov publications nistir ir7435 NISTIR-7435 pdf 12 NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response http csrc nist gov publications nistpubs 800-86 SP800-86 pdf 13 NIST SP 800-88 Revision 1 Guidelines for Media Sanitization http nvlpubs nist gov nistpubs SpecialPublications NIST SP800-88r1 pdf 1167 34
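Scenarios 4 and 6 above describe two recurring mechanics of sharing: an affected organization checks indicators received from peers against its own mail and network traffic logs to find potentially compromised hosts, and a coordinator strips the identity of the reporting organization before passing new sightings on to others. The Python script below is an added illustration of both steps; it is not code from NIST SP 800-150 or from any sharing organization. Every indicator value, host name, address, and log line in it is constructed for the example (using reserved documentation address ranges and .example names), the key=value log layout is an assumption, and the field names that are treated as identifying the submitter are likewise chosen here.

```python
"""Match shared indicators against local logs, then build a feedback record
that a coordinator can anonymize before re-sharing (added example; all data
below is constructed, not real indicators)."""
from collections import defaultdict

# Indicators as a sharing forum might post them. Values are constructed;
# some are "defanged" (hxxp, [.]) as is common when indicators are exchanged.
SHARED_INDICATORS = [
    ("sender", "Registration@Conference-Updates[.]example"),
    ("url", "hxxp://cdn-updates[.]example/invoice.zip"),
    ("ip", "203.0.113.45"),
    ("sha256", "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"),
]

# Constructed mail-gateway and web-proxy log lines (assumed key=value format).
SAMPLE_LOGS = [
    "2016-04-02T09:14:03Z type=mail host=ws-017 from=<registration@conference-updates.example> "
    "to=<jdoe@corp.example> attach_sha256=3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B",
    "2016-04-02T09:16:40Z type=proxy host=ws-017 client=10.20.30.17 dst=203.0.113.45 "
    "url=http://cdn-updates.example/invoice.zip",
    "2016-04-02T09:20:11Z type=mail host=ws-042 from=<newsletter@vendor.example> "
    "to=<asmith@corp.example> attach_sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2016-04-02T10:02:55Z type=proxy host=ws-042 client=10.20.30.42 dst=198.51.100.7 url=http://www.vendor.example/",
    "2016-04-02T10:05:09Z type=proxy host=ws-088 client=10.20.30.88 dst=203.0.113.45 url=http://203.0.113.45/beacon",
]

# Which log field carries each indicator kind (an assumption about the log format).
LOG_FIELDS = {"sender": "from", "url": "url", "ip": "dst", "sha256": "attach_sha256"}

# Fields that identify the submitter and must not leave the coordinator (chosen here).
SENSITIVE_FIELDS = ("source_org", "internal_hosts")


def refang(value):
    """Undo common defanging and normalize case so a shared indicator compares
    byte-for-byte with the raw value recorded in a log."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def parse_log_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; angle brackets around
    addresses are dropped and values are lower-cased for comparison."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, val = token.partition("=")
        fields[key] = val.strip("<>").lower()
    return fields


def match_indicators(log_lines, indicators):
    """Return {host: [(kind, value, timestamp), ...]} for every log line whose
    relevant field equals one of the shared indicators (Scenario 4)."""
    wanted = {(kind, refang(val)) for kind, val in indicators}
    hits = defaultdict(list)
    for line in log_lines:
        f = parse_log_line(line)
        for kind, key in LOG_FIELDS.items():
            if key in f and (kind, f[key]) in wanted:
                hits[f["host"]].append((kind, f[key], f["ts"]))
    return dict(hits)


def build_feedback(hits, source_org):
    """Turn local matches into the report an affected company sends back to the
    coordinator: each indicator that fired and when it was first seen."""
    first_seen = {}
    for records in hits.values():
        for kind, value, ts in records:
            first_seen[(kind, value)] = min(first_seen.get((kind, value), ts), ts)
    return {
        "source_org": source_org,
        "internal_hosts": sorted(hits),
        "sightings": [{"kind": k, "value": v, "first_seen": ts}
                      for (k, v), ts in sorted(first_seen.items())],
    }


def anonymize_for_resharing(report):
    """Drop submitter-identifying fields before onward sharing (Scenario 6),
    keeping a host count so the context of the sighting survives."""
    shared = {k: v for k, v in report.items() if k not in SENSITIVE_FIELDS}
    shared["affected_host_count"] = len(report.get("internal_hosts", []))
    return shared


if __name__ == "__main__":
    local_hits = match_indicators(SAMPLE_LOGS, SHARED_INDICATORS)
    for host, records in sorted(local_hits.items()):
        print(host, "->", records)
    print(anonymize_for_resharing(build_feedback(local_hits, "Company A")))
```

On the constructed logs, ws-017 matches all four indicators (sender and attachment hash in the mail log, then C2 address and URL in the proxy log) and ws-088 matches only the C2 address, so the second host would have been missed by a check that looked at mail alone. The anonymized record carries the four sightings and a host count of two, but neither the company name nor the internal host names.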