Reference: 800_150_Draft Document
Note: This article summarizes the draft paper, and may contain snippet(s) from it. I love you NIST (National Institute of Standards and Technology). I admire the contribution and knowledge available @NIST and we all have gained a lot from these standards.
Now, when I read the draft on “Cyber Threat Information Sharing” (SP800-150) my first reaction was – Oh good God, finally it’s here! I have been waiting for this for so long. I have been evangelizing the need for collaboration, the dire necessity to join hands and the value of being together as one task force in fighting the adversaries. So, well done NIST! Kudos.
I went through the document, and I do have certain technical suggestions, and could find some errors which I will be sending to them this weekend. But, overall the flow and approach of the document is great. It practically covers the gist of working in tandem rather than in bits and pieces.
The document takes incident response and threat intelligence as the base, and talks about how we can bring in the piece of collaboration to connect the scattered dots. It adheres to the fact that complex and sophisticated attacks – individual or nation-state sponsored – use peer-to-peer or hub-and-spoke models to execute payloads on the victims, so why can’t we? The document is structured in different sections:
- Why? – benefits of information sharing & different frameworks.
- Who? – all it takes is a mature cybersecurity foundation & how to build one.
- How? – key activities involved in implementing information sharing.
- Here’s what NIST recommends!
- Finally, some case scenarios to understand the whole idea.
Key takeaways from these sections are:
- An organization should be able to manage the information it receives from and shares with other organizations, which includes (but is not limited to) Creation/Collection, Processing, Dissemination, Use, Storage and Disposition.
- The benefits of information sharing include: Situational awareness, threat understanding and pre-cognition, greater defense agility and response times, improved decision making and rapid notifications.
- Challenges in information sharing can be legal and organizational restrictions, risk of disclosures and leaks via peers or in transit, privacy regulations, classification, information interoperability and above all, trust.
- As per Cyber Kill Chain® (whitepaper), the defender can either be proactive to prevent the exploitation, or reactive in incident management post exploitation. But regardless of the interdiction in the kill chain, the defender must perform complete analysis of the cyber threat lifecycle and TTPs (Tactics, Techniques and Procedures).
- With the information available, an organization can develop threat intelligence capability against the adversaries. It includes information about adversaries – TTPs, tools and the information on the target and cyber environment. This enables peers to understand the holistic picture.
- Important characteristics of Threat Intel include Timeliness, Accuracy, Relevance and Actionability.
- The sharing of information or threat intel can be based on a Hub-and-Spoke model (centralized) or P2P (peer to peer, decentralized). Both of these models have their pros and cons.
- Organizations should attain maturity in the cybersecurity domain by establishing core capabilities – IDS/IPS, Firewall, AV and SIEM. Organizations should be capable of gathering information, collecting feeds and consuming the intelligence received from peers. Finally, they should be able to use the information or intelligence to support decision making.
- The key data elements that an organization is expected to evolve are: incident response, vulnerability and risk management, log and alert correlation, search and respond.
- Advanced cybersecurity capabilities require organizations to perform deep-dive digital forensics, actively collect and contribute to threat intelligence, profile the TTPs, behavior and motives of an adversary, and use that knowledge to enhance the data set.
To make the best use of this information, and to keep it interoperable, it should contain valuable elements like:
- IP Address / Domain Names
- URLs or complete web links
- Email details – attachment, email headers, contents etc.
- Malware samples and artifacts
- Exploit code and payloads
- Packet captures
- Response and mitigation strategies
- Netflow data
- Disk images
- Adversary TTPs
The more granular the information, the better for the analysts as well as the defenders. This information can be shared as well as consumed in a more easy-to-work-with fashion. To have a better understanding, some ground rules should be established on what, when and how the information will be shared. The privacy and confidentiality of the data within should be agreed on, and handled on mutual terms. Some information may not be as confidential or private as other information, so there should be a segregation of data sets accordingly.
Another important element in the information sharing flow is tracking and validation. If the information doesn’t fit in your environment, or yours is only a partial match, it should be documented and added to the repository, which might suggest that TTPs are evolving. The interested parties should maintain trust, communication and validation of the information received and shared. If any information is received from outside the communication channel, it should be shared among its members.
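As an added illustration (my own example, not code from the NIST draft) of the data elements listed above together with the ground rules, data-set segregation and tracking/validation just described: a minimal shared-indicator record that is checked for accuracy before use, matched against a member’s own logs so that full, partial and non-matches are recorded, and released to peers only according to an assumed three-level handling label (the draft does not prescribe a labelling scheme). The log line and indicator values are constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

VALID_KINDS = {"ip", "domain", "url", "ttp"}  # subset of the data elements listed above
HANDLING = {"public": 0, "community": 1, "restricted": 2}  # assumed labels for segregating data sets
SAMPLE_LOGS = ["2016-04-01T10:00:01 proxy GET http://cdn.evil.example/stage2.bin src=10.1.2.3"]  # constructed

@dataclass
class Indicator:
    kind: str
    value: str
    handling: str            # which peer set may receive it
    source: str              # contributing member, for trust and provenance tracking
    match: str = "untested"  # validation record: full / partial / none / untested

def is_valid(ind):
    """Accuracy gate: drop unknown kinds, unknown handling labels and malformed values."""
    v = ind.value.lower()
    if ind.kind not in VALID_KINDS or ind.handling not in HANDLING or not v:
        return False
    if ind.kind == "ip":
        try:
            ipaddress.ip_address(v)
        except ValueError:
            return False
    elif ind.kind == "domain":
        return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v) is not None
    elif ind.kind == "url":
        return urlparse(v).scheme in ("http", "https") and bool(urlparse(v).hostname)
    return True

def validate_against_logs(ind, log_lines):
    """Record full / partial / no match so that partial hits get documented and fed back."""
    raw = re.findall(r"[\w.:/-]+", "\n".join(log_lines).lower())
    tokens = set(raw) | {urlparse(t).hostname or "" for t in raw if "://" in t}  # add URL hosts
    v = ind.value.lower()
    host = urlparse(v).hostname if ind.kind == "url" else v
    ind.match = "none"
    if v in tokens:
        ind.match = "full"
    elif ind.kind in ("domain", "url") and any(t == host or t.endswith("." + host) for t in tokens):
        ind.match = "partial"  # related host only: document it, the adversary's TTPs may be evolving
    return ind.match

def releasable_to(indicators, peer_level):
    """Segregate data sets: a peer receives only valid indicators at or below its clearance."""
    return [i for i in indicators if is_valid(i) and HANDLING[i.handling] <= HANDLING[peer_level]]
```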
Make sure the data in transit is well protected, physical or logical mediums are encrypted and strong protocols are followed to maintain the CIA (confidentiality, integrity and availability) of the information and the channel. Also, any critical, sensitive or volatile data should be handled carefully under due protocols.
Keeping these ideas and protocols in mind, the sharing of information should be easy and secure. The architecture can be centralized or P2P, but the important part is contribution. The more members there are, the more the value of the threat intelligence increases, exponentially.
I would like to thank NIST once again for bringing this into the limelight, and hopefully next time we will be fighting cyber attacks together.