Effective Regional Cyber Threat Information Sharing

By Suneel Sundar , Dr. David Mann

This report focuses on challenges to effective sharing in regional sharing organizations. Insights learned may also aid sector-based sharing organizations.


Cyber threat information sharing exchanges have traditionally formed within the context of industry sectors, either as direct peer-to-peer exchanges or within sector-based Information Sharing and Analysis Centers (ISACs) [1, 2]. This has often been effective because organizations from the same sector tend to speak the same business language. They tend to have similar lines of business, hold similar digital assets, face similar cyber threats and have similar organizational practices. However, sector-based sharing organizations can face challenges to effective sharing. The Verizon 2015 Data Breach Investigations Report (DBIR) asserts that “our standard practice of organizing information sharing groups and activities according to broad industries is less than optimal.” It then advocates “for more thoughtful and thorough research into risk profiles across various types of organizations” [3]. This report contributes to that proposed body of research. Our assertions are based on two established MITRE research projects, Cyber Prep and Bilateral Analysis of Information Sharing Exchanges (BLAISE), and on empirical evidence of threat analysis and information sharing.

Our approach is to analyze the challenges to effective sharing in regional sharing organizations. Regional information sharing organizations, which are examples of Information Sharing and Analysis Organizations (ISAOs), offer the opportunity for face-to-face collaboration and the potential benefit of addressing threats that span sectors [4]. However, compared to sector-based groups, regional groups face additional challenges to effective sharing due to the diversity of the member organizations. Organizations from different sectors often have very different operating modes, hold very different digital assets, face different types of cyber threats, and have different organizational practices.

This report focuses on challenges to effective sharing in regional sharing organizations. Insights learned may also aid sector-based sharing organizations. In this way, this report seeks to provide managers and members of cyber threat information sharing organizations of both kinds with tools to manage the diversity among their membership in ways that maximize the benefits of diversity while minimizing the information sharing problems caused by that same diversity. To achieve this, we apply two MITRE-developed frameworks. The Cyber Prep Framework provides a way to describe how organizations differ from each other, both in terms of the threats they face and the defensive posture they employ, including operational practices, tools, priorities, and maturity [5]. The BLAISE methodology characterizes successful sharing strategies and matches strategies to exchanges, based on the operational diversity among the participants [6]. In particular, BLAISE provides a structured approach to avoid two common mistakes in information sharing: first, to downplay the impact of social barriers such as non-aligned goals and lack of trust; and second, to rely on automation to overcome these barriers.

Applying Cyber Prep, we define and describe three categories of member organizations, which we refer to as preparedness groups, that are typically represented in regional sharing organizations:

  • Vandalism: Members with a valuable Internet presence and who have capabilities to defend against adversaries who seek to embarrass or disrupt the organization or present the adversary’s message publicly using simple attack tools.
  • Theft: Members with monetizable digital assets and who have capabilities to defend against cyber criminals who seek to steal assets using known attacks with competent command and control capabilities.
  • APT (Advanced Persistent Threat): Members with significant intellectual property or a specific mission. These members have capabilities to defend against advanced persistent attackers. Such attackers are motivated by state-sponsored or industrial espionage, and have the ability to develop and use new attacks.

Applying BLAISE, we recommend three approaches for managing the diversity within regional sharing organizations:

  1. Intentionally limit the diversity among the members by specializing membership to a single preparedness group (Vandalism, Theft, or APT). This approach has the potential of facilitating meaningful sharing of structured intelligence reports to increase situational awareness among members who are “birds of a feather” and may be matured to support automated sharing.
  2. Intentionally limit the detail to be shared. Refrain from attempts to facilitate automated sharing or the sharing of structured intelligence reports. Instead, facilitate effective collaboration among the diverse membership: provide human-to-human communication channels, and build readiness and trust among the membership through mediated face-to-face meetings and tabletop exercises.
  3. The third and most ambitious approach is to combine the two approaches above. Organize the membership into sub-groups, each organized according to threat. Then, facilitate the regular, high-detail sharing of threat intelligence among each of the groups separately. The sharing organization can also facilitate effective ad hoc collaboration across preparedness group lines by providing communication channels and through readiness and trust building activities which include face-to-face meetings and tabletop exercises.

We conclude by describing potentially feasible sharing activities for each of the three preparedness groups.