Sharing cyber threat information is crucial to building and implementing an effective cyber defense strategy. Sharing provides partners with critical information that they typically would not have access to when working solo. Sharing enhances network defense by leveraging the cyber experiences and investments made by partner organizations. Additionally, sharing enables the blending of diverse subject matter expertise—technology, policy, behavioral science, modeling, economics, legal, and education—to counter the advanced cyber threat.
A number of groups have formed or are forming to share cyber threat information. While some of these groups restrict membership by sector (e.g., defense industrial base or financial services), others have broad-based memberships. For example, MITRE is part of the Advanced Cyber Security Center, a cross-sector collaboration in New England that brings together industry, university, and government organizations.
Other groups MITRE belongs to include:
- Defense Industrial Base Collaborative Information Sharing Environment: The DCISE is the Department of Defense's central organization within the DoD Cyber Crime Center for sharing cyber threat information among defense industrial base partners.
- Federally Funded Research and Development Center Information Security Collaborative: This is an informal consortium of information security representatives from FFRDCs and similar not-for-profit institutions operating in the national interest. The collaborative shares information about cyber threats and security practices.
Emerging Exchanges
MITRE is also helping to incubate several cyber threat information exchanges, and is tracking others as they emerge, including: Western Cyber Exchange, The Greater San Antonio Chamber of Commerce, The Bay Area Council, and The Virginia Center of Cyber Excellence.
Additionally, MITRE and the Department of Homeland Security are working closely together to build a more secure national cyber ecosystem by involving private firms, non-profits, governments, and individuals in countering cyber attacks.
A Partnership Model for Sharing Cyber Threat Information
An example of MITRE’s approach for sharing cyber threat information among partners is illustrated in the figure below. The hierarchy conveyed in this structure represents the type of input to risk management activities that sharing partners would use to prioritize their defensive actions.

Figure: Components of Structured Cyber Threat Information
At the highest level, a campaign packages together information about related cyber events. Campaigns consist of intrusion attempts combined with tactics, techniques, and procedures (TTPs)—the modus operandi of adversaries. An intrusion attempt consists of the distilled parts and telltale signs of a cyber attack: what domains are used to launch attacks and host command and control channels, what email sources are discernible, and what intelligence can be obtained from the malware samples used in the attack. TTPs consist of the tools, the targeted entities and infrastructure elements, and the kill chain phase being used by the cyber attacker to conduct a series of related intrusion attempts.
Because information about attempted intrusions, rather than actual ones, does not reveal the vulnerabilities of an organization, it can generally be shared with partners to provide them with defensive value at a modest level of risk and effort. Although sharing TTP information provides far greater defensive value to members, it puts the contributing partner at a greater risk if the organization's threat-based defensive capabilities were to be revealed. It also requires a greater level of effort to produce TTP information because large volumes of data need to be collected over time followed by sophisticated analyses.
The ability to effectively share cyber threat information among organizations is crucial; to accomplish that broadly requires common terminology, automation, and security. Central to this are robust cyber standards, including the taxonomy, hierarchy, and structures defined by the Structured Threat Information eXpression, STIX™ (similar to the sample structure described above) and the secure, real-time, automated transmission of information defined by the Trusted Automated eXchange of Indicator Information, TAXII™ protocol.
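The hierarchy above (campaign, intrusion-attempt indicators, TTPs) and the sharing trade-off it implies can be made concrete in code. The following is an added example, not MITRE's code and not a STIX or TAXII implementation: it models one campaign as STIX 2.1-style JSON objects (the object types, property names and `type--uuid` identifiers are assumed from the STIX 2.1 specification, which post-dates the structure the page describes), then applies a sharing policy that releases intrusion-attempt indicators by default and attack-pattern (TTP) objects only when the contributing partner opts in. All domains, addresses and hashes are constructed placeholders.

```python
import json
import uuid
from datetime import datetime, timezone

# Mapping of the page's hierarchy onto STIX 2.1 object types (assumption).
INTRUSION_ATTEMPT_TYPES = {"indicator"}   # domains, e-mail sources, malware traits
TTP_TYPES = {"attack-pattern"}            # tools, targets and kill-chain phase


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_object(obj_type, **props):
    """Build a minimal STIX-2.1-style object with the common required properties."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": _timestamp(),
        "modified": _timestamp(),
    }
    obj.update(props)
    return obj


def relate(source, relationship_type, target):
    """Create a STIX relationship object linking two objects by id."""
    return make_object("relationship", relationship_type=relationship_type,
                       source_ref=source["id"], target_ref=target["id"])


def build_campaign_bundle():
    """Assemble one campaign with three intrusion-attempt indicators and one TTP.
    Every value below is constructed for illustration."""
    ts = _timestamp()
    campaign = make_object("campaign", name="Constructed example campaign")
    ttp = make_object(
        "attack-pattern",
        name="Spearphishing with malicious attachment",
        kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "delivery"}],
    )
    indicators = [
        make_object("indicator", name="Command-and-control domain",
                    pattern_type="stix", valid_from=ts,
                    pattern="[domain-name:value = 'c2.example.invalid']"),
        make_object("indicator", name="Phishing sender address",
                    pattern_type="stix", valid_from=ts,
                    pattern="[email-message:from_ref.value = 'sender@example.invalid']"),
        make_object("indicator", name="Malware sample (placeholder hash, not a real IoC)",
                    pattern_type="stix", valid_from=ts,
                    pattern="[file:hashes.'SHA-256' = '" + "0" * 64 + "']"),
    ]
    objects = [campaign, ttp, *indicators, relate(campaign, "uses", ttp)]
    objects += [relate(ind, "indicates", campaign) for ind in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def select_shareable(bundle, share_ttps=False):
    """Return the subset of a bundle that may go to partners.
    Intrusion-attempt indicators and the campaign wrapper are always released;
    TTPs only when share_ttps is set. Relationships are kept only when both
    endpoints survive, so the partner never receives dangling references."""
    allowed = set(INTRUSION_ATTEMPT_TYPES) | {"campaign"}
    if share_ttps:
        allowed |= TTP_TYPES
    kept = [o for o in bundle["objects"] if o["type"] in allowed]
    kept_ids = {o["id"] for o in kept}
    kept += [o for o in bundle["objects"]
             if o["type"] == "relationship"
             and o["source_ref"] in kept_ids and o["target_ref"] in kept_ids]
    return {"type": "bundle", "id": bundle["id"], "objects": kept}


def dangling_refs(bundle):
    """Ids of relationship objects whose source or target is missing from the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship"
            and not ({o["source_ref"], o["target_ref"]} <= ids)]


if __name__ == "__main__":
    full = build_campaign_bundle()
    partner_view = select_shareable(full, share_ttps=False)
    print(json.dumps(partner_view, indent=2))
```

The default policy mirrors the page's risk ordering: indicator objects derived from intrusion attempts leave the organization routinely, while the attack-pattern object and its `uses` relationship, which reveal how the contributor detects a TTP, stay home unless explicitly released. The `dangling_refs` check is the kind of sanity test to run before a bundle is handed to a transport such as TAXII, since a relationship pointing at a withheld object leaks the existence of that object even when its contents are not shared.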