Sharing cyber threat information among organizations broadly using common terminology and automation benefits everyone. By sharing, partners get threat information and tools they otherwise might not have access to. They also enhance their network defense by leveraging the cyber experiences and investments of their partners. Sharing can be particularly beneficial in cyber defense because threat groups attack sectors differently, using different tactics and techniques.
A Partnership Model for Sharing Cyber Threat Information
MITRE's approach for sharing cyber threat information among partners is based on analyzing a cyber attack "campaign." A cyber campaign consists of two parts: intrusion attempts and TTPs, or tactics, techniques, and procedures. Together, they reveal the adversary's method of attack. TTPs are the methods that a cyber attacker uses repeatedly over a series of related intrusion attempts. TTPs include target lists and how they are compiled; tools, nodes, and accounts; and how they are used at each stage of the "kill chain.”
An intrusion attempt consists of the distilled parts and telltale signs of a cyber attack. This can include what domains are used to launch attacks and host command and control channels, what email sources are discernible, and what intelligence can be obtained from malware samples used in the attack.
TTPs consist of the tools, the targeted entities and infrastructure elements, and the cyber attack lifecycle phase the cyber attacker is using to conduct a series of related intrusion attempts.
Because information about attempted intrusions doesn't reveal an organization's vulnerabilities, it can generally be shared with partners to provide them with defensive value at a modest level of risk and effort.
Sharing TTP information provides far greater defensive value to members. But it puts the contributing partner at greater risk if it reveals the organization's threat-based defensive capabilities. In addition, TTP information requires greater effort to produce because large volumes of data must be collected over time, followed by sophisticated analyses.
To accomplish effective sharing of cyber threat information among organizations, common terminology, automation, and security are needed. Central to this are robust cyber standards, including the taxonomy, hierarchy, and structures defined by the Structured Threat Information eXpression, STIX™, and the secure, real-time, automated transmission of information defined by the Trusted Automated eXchange of Indicator Information, TAXII™ protocol.
A number of groups have formed or are forming to share cyber threat information. While some of these groups restrict membership by sector (such as defense industrial base or financial services), others have broad-based memberships.
Groups MITRE belongs to include:
- The Advanced Cyber Security Center, a cross-sector collaborative initiative in New England. The ACSC brings together industry, university, and government organizations.
- The Defense Industrial Base Collaborative Information Sharing Environment, or DCISE. This organization is the Department of Defense's central organization within the DoD Cyber Crime Center for sharing cyber threat information among defense industrial base partners.
- The Federally Funded Research and Development Center Information Security Collaborative. The collaborative is an informal consortium of information security representatives from FFRDCs and similar not-for-profit institutions operating in the national interest. The group shares information about cyber threats and security practices.
MITRE is also helping to incubate several cyber threat information exchanges and is tracking others as they emerge, including: Western Cyber Exchange, The Greater San Antonio Chamber of Commerce, and The Bay Area Council.
Additionally, we work closely with the Department of Homeland Security to build a more secure national cyber ecosystem by involving private firms, non-profits, governments, and individuals in countering cyber attacks.