User:T0b0rx0r/Cyber threat intelligence

Article Draft
The sharing of CTI between trusted groups allows for more effective cyber defense, as it provides for the use of "threat information that might otherwise be unavailable". CTI sharing allows organizations to leverage data acquired from attacks on others for a better defense of their own networks. CTI sharing involves the communication of threat information in the form of indicators such as "tactics, techniques and procedures" (TTPs), as well as security alerts, among organizations for the purpose of gaining greater situational awareness through the crowdsourcing of data points. CTI sharing is a well-researched area, including numerous academic publications, NIST publications, government legislation and U.S. executive branch orders identifying the benefits, challenges and methodologies for implementation. While an effective tool for better protecting against cyber attacks, CTI sharing requires specific strategies to protect against inadvertently sharing confidential information from one organization to another. Organizations must leverage data standards to effectively ingest diverse information from third parties as well as produce digestible information for others. Additionally, considerations of trust, privacy and confidentiality must be addressed, as CTI data points may include confidential information.

In 2015, U.S. government legislation in the form of the "Cybersecurity Information Sharing Act" encouraged the sharing of CTI indicators between government and private organizations. The law authorized companies to implement defensive cyber countermeasures and encouraged companies to share cyber threat indicators. Additionally, this law required the U.S. federal government to facilitate and promote 4 broad CTI objectives:

 * 1) Sharing of "classified and declassified cyber threat indicators in possession of the federal government with private entities, nonfederal government agencies, or state, tribal, or local governments";
 * 2) Sharing of "unclassified indicators with the public";
 * 3) Sharing of "information with entities under cybersecurity threats to prevent or mitigate adverse effects";
 * 4) Sharing of "cybersecurity best practices with attention to the challenges faced by small businesses".

After the law went into effect, the Department of Homeland Security issued guidance to facilitate the sharing of information with the federal government. This guidance addressed key concerns of organizations regarding potential liability for sharing confidential information with outside organizations.

Standards defined in NIST SP 800-150

In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) that further outlined the necessity for cyber threat information sharing as well as a framework for implementation. The NIST “Guide to Cyber Threat Information Sharing” is a 43-page document broken up into 3 relevant sections: “Basics of Cyber Threat Information Sharing”, “Establishing Sharing Relationships”, and “Participation in Sharing Relationships”. Recognizing the increasing sophistication of cyber attacks and the complex TTPs used by attackers, SP 800-150 both advocates for and describes a methodology for sharing threat indicators among trusted communities. The stated purpose of the publication is to “help organizations exchange cyber threat information” by identifying the issues of producing, sharing and consuming that information.

Benefits to CTI Sharing

Organizations benefit from communicating CTI because it allows them to build upon the knowledge gained within a community. A variety of stakeholders benefit when CTI is shared. NIST SP 800-150 identifies 4 distinct benefits of sharing CTI:

 * Shared Situational Awareness
 * Improved Security Posture
 * Knowledge Maturation
 * Greater Defense Agility

Challenges of Sharing CTI

Several challenges exist in organizations being able to share CTI, including standardized methodology, competition and trust. Technical barriers in the form of standards may limit applicable data from being valuable between organizations. Additionally, organizational risks are present, as concerns of confidentiality, legal obligations and oversharing exist. NIST SP 800-150 guidance suggests that organizations should clearly identify sharing rules and that such rules should be re-evaluated on a regular basis. NIST SP 800-150 identifies 4 barriers to sharing of CTI:

 * Trust
 * Interoperability
 * Safeguarding sensitive information
 * Protecting Classified Information
 * Enabling Information Consumption and Publication

Methodology for Sharing CTI

Platforms such as Threat Intelligence Management Platforms (TIMPs) exist to facilitate the sharing of CTI through automation. TIMPs will generally ingest data from a variety of sources, including purpose-built threat intelligence providers, sharing communities and organizational-level technical systems, to allow for consolidated analysis and response. NIST SP 800-150 identifies 5 informational threat components that could be consumed and shared among organizations:

 * Indicators in the form of “technical artifacts” or other characteristics of an attack.
 * Tactics, techniques and procedures (TTPs) of an adversary, describing the methodologies an adversary has been observed to use.
 * Security alerts from reliable sources that provide guidance on known threats.
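As an added illustration of the consolidation and sharing-rule steps a TIMP performs (example code written for this draft, not taken from the article or from NIST SP 800-150), the following Python ingests a constructed community feed and constructed internal alert lines, merges them on indicator value, and then applies sharing rules that withhold confidential indicators and strip internal host names before anything is published. The feed format, field names and all values are assumptions.

```python
import json
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    kind: str           # e.g. "domain", "ipv4"
    value: str
    sources: tuple      # where the indicator was ingested from
    confidential: bool  # originator's sharing rule: must not be redistributed

# Constructed sample inputs (hypothetical; not from any real feed or sensor).
COMMUNITY_FEED = json.dumps([
    {"type": "domain", "value": "update-check.example", "confidential": False},
    {"type": "ipv4", "value": "203.0.113.7", "confidential": False},
    {"type": "email", "value": "partner-contact@example.net", "confidential": True},
])
INTERNAL_ALERTS = """\
2024-05-01T10:02:11Z ALERT host=hr-laptop-12 dst=203.0.113.7 rule=beacon
2024-05-01T10:05:40Z ALERT host=fin-db-01 dst=198.51.100.9 rule=exfil
"""
ALERT_RE = re.compile(r"host=(\S+) dst=(\S+) rule=\S+")

def ingest_community(raw):
    # Community feed: each indicator carries the originator's sharing flag.
    return [Indicator(i["type"], i["value"], ("community",), i["confidential"]) for i in json.loads(raw)]

def ingest_alerts(text):
    # Internal sensor alerts: the destination is the indicator, the host is internal detail.
    return [Indicator("ipv4", dst, ("internal:" + host,), False) for host, dst in ALERT_RE.findall(text)]

def consolidate(*batches):
    # Merge all sources keyed on (kind, value); a confidential flag from any source is sticky.
    merged = {}
    for ind in (i for batch in batches for i in batch):
        prev = merged.get((ind.kind, ind.value))
        if prev is not None:
            ind = Indicator(ind.kind, ind.value, tuple(sorted(set(prev.sources + ind.sources))),
                            prev.confidential or ind.confidential)
        merged[(ind.kind, ind.value)] = ind
    return list(merged.values())

def prepare_for_sharing(indicators):
    # Sharing rules: withhold confidential indicators, replace internal host names with a generic label.
    shared = []
    for ind in indicators:
        if ind.confidential:
            continue
        sources = sorted({"internal-sensor" if s.startswith("internal:") else s for s in ind.sources})
        shared.append({"type": ind.kind, "value": ind.value, "sources": sources})
    return shared
```

Running `prepare_for_sharing(consolidate(ingest_community(COMMUNITY_FEED), ingest_alerts(INTERNAL_ALERTS)))` yields three shareable records; the partner's confidential entry is withheld and no internal host name leaves the organization.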