8 Tips on Cyberthreat Information Sharing
NIST Drafts Guidance on Managing the Data
The debate over cyberthreat information sharing has centered on privacy and liability concerns. But there's been relatively little discussion of the steps government agencies and businesses must take to be able to share the data.
Matters such as developing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability as well as planning, implementing and maintaining information sharing programs present big challenges.
"There's going to be potentially an avalanche of threat information to deal with, and you've got to have people who know how to sift through that, make it contextual and make it relevant to your environment," says Bruce Brody, former CISO at the departments of Energy and Veterans Affairs.
Legislation to encourage cyberthreat information sharing has stalled in the Senate as lawmakers consider more pressing legislation in the limited days left before Congress adjourns at year's end (see What's Behind Delay of Info-Sharing Vote?). Another holdup preventing passage is a disagreement between the White House and some lawmakers over the privacy and liability protections that information sharing legislation should offer (see Why White House Hasn't Backed CISA).
Regardless of the politics, the National Institute of Standards and Technology is developing guidance to help organizations participating in cyberthreat information sharing programs to manage the ever-increasing amount of information shared.
NIST last week issued a draft of its Special Publication 800-150, Guide to Cyber-Threat Information Sharing, which it says will enable organizations to make more efficient and effective use of information sharing and collaboration capabilities.
"Allowing one organization's detection to become another's prevention is a powerful paradigm that can advance the overall security of organizations that actively share and coordinate," NIST says in the draft guidance.
NIST identifies a number of challenges organizations face when implementing cyberthreat sharing programs, including grasping legal restrictions, risking disclosure of cyberdefenses, preserving privacy, promoting interoperability, classifying information and establishing trust.
Danny Miller, systems CISO at Texas A&M University, says determining what data can be shared can be problematic. "Some information just can't be released; there're certain regulatory restrictions," he says. "One of the challenges is setting expectations - letting the user base out there know what information can and cannot be shared."
In presenting its recommendations, NIST identifies eight approaches enterprises in and out of government should take to more effectively share cyberthreat information. Organizations should:
- Perform an inventory that catalogs the information an organization possesses and the information that it is capable of producing. The inventory also should document the circumstances in which the information could be shared.
- Exchange threat intelligence, tools and techniques with sharing partners. When sharing threat intelligence, organizations learn from each other; gain a more complete understanding of an adversary's tactics, techniques and procedures; craft effective strategies to protect systems; and take action, either independently or collectively, to address known threats.
- Employ open, standard data formats and transport protocols to ease the efficient and effective exchange of cyber-threat information. This fosters interoperability and allows different products, data repositories and tools to rapidly exchange data.
- Enhance their cybersecurity posture and maturity by augmenting local data collection, analysis and management processes using information from outside sources. This can help organizations develop a deeper understanding about activities on their networks, identify cyber-attack campaigns and better detect blended threats that use multiple methods of attack.
[Figure: Information Sharing Process. Source: NIST]
- Define an approach to cybersecurity that adapts to the lifecycle of an attack by developing defensive measures that detect, limit or prevent reconnaissance and delivery of malicious payloads. This adaptive approach also should mitigate the execution of exploits that allow an adversary to establish or maintain a persistent presence on an organization's network.
- Ensure that the resources required for continuing participation in a sharing community are available. Participation might require an organization, for example, to commit personnel; deliver training; and provide hardware, software, services and other infrastructure needed to support continuing data collection, storage, analysis and dissemination.
- Protect sensitive information by maintaining a continuing awareness of information security, vulnerabilities and threats. Organizations should implement the security controls necessary to protect their sensitive information, enforce their information sharing rules and ensure that information received from external sources is protected in accordance with applicable data sharing agreements.
- Establish the foundational infrastructure necessary to maintain their cybersecurity posture and clearly identify the roles and responsibilities for installing, operating and maintaining these capabilities. Organizations should have basic asset, vulnerability and configuration management capabilities in place to ensure that they can monitor and manage the hardware and software on their networks and ensure that vulnerabilities are patched in a timely way.
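As an added illustration (not code from the NIST draft or from this article), the following Python models the first and seventh recommendations together: an inventory of what an organization holds, with the circumstances under which each item may be shared, and a gate that enforces those rules for outgoing data while tagging received data with the handling its sharing agreement requires. All partner names, categories, restrictions and rules below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryItem:
    """One entry of the sharing inventory: what is held and when it may be shared."""
    name: str                   # information the organization holds or can produce
    category: str               # constructed categories: indicator, incident, defense
    shareable_with: frozenset   # communities the sharing rules allow; empty = never
    restriction: str = ""       # why sharing is limited (regulatory, disclosure risk)


@dataclass(frozen=True)
class Partner:
    """A sharing partner and the handling its data sharing agreement requires."""
    name: str
    community: str
    agreement_handling: str


# Constructed inventory; categories and rules are hypothetical, not from the draft.
INVENTORY = [
    InventoryItem("malicious-domain indicators", "indicator", frozenset({"isac", "vendor"})),
    InventoryItem("phishing campaign summary", "incident", frozenset({"isac"})),
    InventoryItem("internal detection signatures", "defense", frozenset(),
                  "would disclose cyberdefenses"),
    InventoryItem("affected customer records", "incident", frozenset(),
                  "regulatory restriction"),
]

# Constructed partners with hypothetical agreement terms.
ISAC = Partner("Sector ISAC", "isac", "security team only; no onward sharing")
VENDOR = Partner("Security vendor", "vendor", "encrypt at rest; delete after 90 days")


def releasable(inventory, partner):
    """Items the sharing rules allow to be sent to this partner's community."""
    return [i for i in inventory if partner.community in i.shareable_with]


def withheld(inventory, partner):
    """Items blocked for this partner, with the reason, so expectations can be set."""
    return {i.name: i.restriction or "not approved for this community"
            for i in inventory if partner.community not in i.shareable_with}


def receive(item_name, source):
    """Tag received information with the handling its sharing agreement requires."""
    return {"item": item_name, "source": source.name,
            "handling": source.agreement_handling}
```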
"When information is shared, threatened organizations have access to threat intelligence provided by peer organizations and are able to rapidly deploy effective countermeasures and detect intrusion attempts," the draft report says. "As a result, the impact of a successful cyber-attack can be reduced."