Enabling Effective Collaboration with Shared Threat Information

June 23, 2015
CyberPhysicalHuman: Post by Rob Simmons, Peter Sheingold, and Chris Folk

Our last article discussed the value of cross-sector collaboration as an important enabler of resilience in a CyberPhysicalHuman world. Sharing threat information can be an important element in enabling effective collaboration. In the last several years, government and industry leaders have emphasized the importance of information sharing. However, sharing information is just a means to an end—the goal is to make use of the information. Today's article talks about what organizations can do with shared information. They can:

  • Tailor their defenses based on threat information they receive.
  • Analyze the information they receive and provide new insights to themselves and others.

Let's start with a hypothetical cyber scenario that demonstrates both of these elements.

Company A and Company B have agreed to share cyber threat information. Company A identifies an attacker trying to gain a foothold in its network. It shares this information with Company B, which loads this new information into its sensors to see if it can detect the threat. Company B sees the threat and analyzes it, discovering new information about the attacker. Based on these new insights, Company B again tailors its sensors. Company B also shares the new information with Company A, which tailors its sensors accordingly, and Company B shares this information with other collaborating organizations. In this hypothetical case, Company A and Company B not only tailored their defenses based on shared information, they also gained new insights that enabled them to go beyond what they could have achieved independently.

While hypothetical, this scenario describes sensing, analytical, and information sharing capabilities that exist today. In the converged CyberPhysicalHuman world, these capabilities are even more critical. For example, operators of critical infrastructures (such as the electric grid or petroleum and gas pipelines) can share threat information and tailor their defenses in ways that protect the information systems (cyber), the infrastructures themselves (physical), and the people who rely on them (human).

Information Sharing in Action

No government agency, company, organization, or individual has a monopoly on the supply of information that might be useful to tailor defenses. Nor does any of them have a monopoly on producing the tools that enable the sharing and analysis of information. This is an opportunity for effective collaboration between government, industry, and individuals.

The Department of Homeland Security (DHS) has been leading a collaborative effort with industry to develop a comprehensive language for automated threat information sharing and collaboration. That language, called Structured Threat Information eXpression (STIX), can carry an extensive set of cyber threat information that characterizes the cyber adversary’s motivations, capabilities, and activities. DHS also supported the development of a secure and automated mechanism to transport threat information from one organization to another, called the Trusted Automated Exchange of Indicator Information (TAXII). TAXII is a set of services and message exchanges that enables sharing of actionable cyber threat information across organization and product/service boundaries. This model is one example of how government and industry can work together to enable a more secure and resilient CyberPhysicalHuman world.

Sharing threat information is not the same as using it. To operate more resiliently, organizations need tools to understand shared information so they can use it to adjust their defenses, modify their procedures, and inform their people. They also need tools to extract threat information from their own sensor data to understand it and then share that information with others who have agreed to participate in information sharing.

Some companies and organizations are able to perform analysis, event monitoring, and more detailed reporting as described in the above scenario. Industry and organizations are developing analytical tools to help perform this work. MITRE developed one such analytic tool, called Collaborative Research Into Threats (CRITS), which is available free on GitHub to interested parties. It doesn’t matter which tool is used, as long as organizations are uncovering threat information, sharing it, learning from it, and using the results to tailor and strengthen their cyber defenses.

Information sharing is not a one-size-fits-all issue. Some capable organizations are already adopting sophisticated analysis and sharing capabilities. Not all organizations know what to do with the data they already have (much less share it), and in some cases they cannot justify a business case for sharing information. These organizations could purchase security services from a commercial provider who in turn might have its own information sharing arrangements.

  1. The CyberPhysicalHuman World of Homeland Security
  2. Convergence: A Recent History
  3. Risk: Focus On Your Main Thing(s)
  4. Applying Ancient Wisdom to Help Manage Modern Risks
  5. Resilience Is a Team Sport
  6. Resilience, Moving Beyond Sectors
  7. Enabling Effective Collaboration with Shared Threat Information
  8. Wrapping It Up and Moving Forward
  9. Coming Closer and Closer to You
  10. More Ancient Wisdom for Today's CyberPhysicalHuman World
  11. There is No One-Size Fits All Approach to the CyberPhysicalHuman World