With cyber attacks growing in scale, complexity, and frequency, and in the midst of the U.S. Postal Service and Federal Weather Network breaches, NIST continues to march on with efforts to stem the tide. At the end of October, NIST released the draft Guide to Cyber Threat Information Sharing. The public comment period closes November 28. The Guide seeks to reduce cyber attacks through increased sharing of cyber threat information and proactive responses.

Proactive response and cyber defense are necessary because reactive defenses alone are not suitable for dealing with advanced persistent threats that leverage sophisticated tools, zero-day exploits, and advanced malware to compromise systems and networks. Because cyber attackers often use similar strategies, tools, and methods against multiple organizations, when one organization identifies and successfully responds to a cyber attack, it acquires information that can be used by other organizations to counter similar threats. The Guide’s goal of sharing threat intelligence will allow organizations to more readily detect intrusion attempts and rapidly deploy effective countermeasures.

Threat Intelligence: Threat intelligence may include any threat-related information that provides greater situational awareness to the network defender and incident responder. Specific threat intelligence commonly of interest to incident handlers and network defenders includes:

  • Network indicators (e.g., URLs and domain names involved with attacks)
  • Packet capture (e.g., network packet headers and payloads)
  • Phishing email samples (e.g., employee emails)
  • Web proxy logs (e.g., logs of an organization’s web activity)
  • Network traffic/Netflow (e.g., connection history between two IP addresses)
  • Malware samples (e.g., artifacts associated with malware)

Alerts and Incident Reports: The Guide provides examples of ways organizations can share this threat intelligence, including by reference to sample alerts and incident reports from US-CERT (United States Computer Emergency Response Readiness Team). US-CERT responds to major cyber incidents, analyzes threats and exchanges critical cyber security information, and maintains a National Cyber Awareness System that already issues cyber alerts, bulletins, tips and technical documents. An exemplary alert (Alert TA14-300A), related to the bank credential theft malware called “Dyre,” includes an overview and description of the threat, a summary of the potential impact and solution. Similar alerts can be used among organizations for sharing threat intelligence.

Risk of Sharing: While shared threat intelligence can be extremely valuable in countering cyber attacks, organizations will have to weigh the risks of sharing. Among the potential risks are disclosure of personally identifiable information and company-confidential information, and whether the attacker could obtain the shared information and use it to exploit the organization’s systems. Accordingly, some factors to consider when disclosing threat intelligence include:

  • the operational urgency and need for sharing;
  • benefits gained by sharing;
  • sensitivity of the information;
  • trustworthiness of recipients; and
  • methods and ability to safeguard the threat information.

While there will always be some risk in sharing threat intelligence, with increased sharing should come increased security. The question will be whether organizations can overcome the potential risks to achieve greater security.