Ruslan Rakhmetov, Security Vision
Extensive digitalisation of business processes, the migration of many services online and an ever more complex, evolving cyber landscape bring a corresponding growth in cyber threats and in attacker motivation. While 15-20 years ago most hackers were hacking to satisfy their own curiosity or vanity, and few thought about the financial gain from an attack, nowadays the vast majority of attackers are financially motivated. Advanced cybercriminals are organised into criminal syndicates with strict hierarchies, a clear division of responsibilities and investment in finding new exploits and attack methods and in ensuring their own anonymity and security, while the cyber armies of individual states pose a real threat to entire economic sectors of other states. In this situation it is crucial for the defending parties - states, companies, information security vendors, academia and research communities - to work together. Cooperation means not only harmonising the regulatory and legal framework so that cybercriminals can be effectively prosecuted, but also exchanging information on cyberattack methods and the 'handwriting' of hacker groups, in order to identify signs of infrastructure compromise more efficiently, carry out the right operational actions to respond to cyber incidents, and ensure correct post-incident analysis. NIST SP 800-150, 'Guide to Cyber Threat Information Sharing', provides guidance on sharing indicators of compromise, attacker tactics, techniques and procedures (TTPs), and the results of analysing handled cyber incidents, so that organisations can identify reliable sources of such data, agree on rules for sharing it, and use the resulting cyber intelligence to improve their security.
Cyber threat data, then, is any information that can help an organisation identify, assess, track and respond to cyber threats. Examples are indicators of compromise (an IP address, URL, file hash, the sender address of a phishing email), indicators of attack (a sequence of security events that may indicate a cyberattack), indicators of attacker behaviour (port scanning, password guessing, attempts to exploit vulnerabilities), artefacts (signs of compromise in the form of specific files, metadata or network activity), attacker tactics, techniques and procedures, threat alerts (e.g. vulnerability and exploit data), reports from digital forensics and threat researchers, and recommended configurations of the tools that support the collection, sharing, processing and analysis of cyber threat data. Most of this information is already collected and processed internally; NIST SP 800-150 focuses on sharing it externally to improve the overall security posture of companies by exchanging information about ongoing or recent cyber incidents, especially within a single sector. This enables a mutually beneficial paradigm: what one organisation has learned from an incident can be used by another to prevent a similar one. Cyber threat data is enriched by every participant in the exchange, situational awareness and knowledge of the current threat landscape grow, and relevant measures and defences can be applied to minimise cyber risks.
At the same time, the recommendations and best practices for information sharing, and the possible negative consequences and the precautions against them, should be kept in mind: establish trust among the participants in the exchange, automate data transfer and use standardised formats and tools, protect confidential information and minimise the risk of its disclosure when sharing, provide the resources that sharing requires (infrastructure, tools, staff, etc.), and ensure that information is exchanged in a timely manner.
The following steps, outlined in NIST SP 800-150, can guide the implementation of a cyber threat information sharing process:
1. Define the goals and objectives of the cyber threat information sharing process and prioritise the actions and steps needed to reach them.
2. Identify internal sources of cyber threat data: the sensors, tools and other internal sources; the threat information that is already being collected and analysed; the information that is collected and stored but not analysed; and the categories of information that can be shared with external participants.
3. Define the scope and boundaries of information sharing: agree on the types of information available for sharing, the terms under which it is shared, and its recipients. Prioritise the types of information required according to the goals and objectives of the exchange and, within the organisation's resource constraints, give preference to automated processing of cyber threat information.
4. Establish rules for information sharing and approve them as policies: define the types of information that may be shared, the conditions and circumstances under which sharing is allowed, the list of recipients, the rules for sanitising or redacting information to remove sensitive content, and the requirements placed on recipients for protecting what they receive. Compliance with restrictions on transferring confidential information (personal data, trade secrets, banking secrets, etc.) must also be considered, along with rules for sanitising such information before it is shared. NIST SP 800-150 gives the Traffic Light Protocol (TLP) as an example of a marking scheme for sensitive information: a colour (RED, AMBER, GREEN, WHITE) attached to each item that tells the recipient how widely it may be redistributed.
5. Join a cyber threat information sharing community: when evaluating sharing communities and cyber intelligence providers, assess the potential benefit of the intelligence they provide and how completely their data closes gaps in the company's situational awareness. It is recommended to hold membership in several communities and to prioritise the most relevant ones (those bringing together companies from the same sector or region, or with similar infrastructures and risk profiles).
6. Plan ongoing support for the sharing processes once they are set up: identify the staff, funding, infrastructure and processes needed to collect and analyse cyber threat information from internal and external sources, configure defensive measures based on the information received, and deploy infrastructure to monitor for and identify threats.
Participation in cyber threat information sharing, according to the authors of NIST SP 800-150, should include the following processes:
1. Engaging in ongoing interaction, which, in addition to obtaining data technically in machine-readable form, also includes face-to-face contact among experts, exchange of reports and materials, speaking at conferences, and participating in workshops and industry events.
2. Receiving and responding to threat alerts, which may cover vulnerabilities, exploits and active attacks and include the affected systems and platforms, an assessment of the impact, the threat level, mitigation options and links to further information.
3. Obtaining and using indicators: checking the integrity of the received data, unpacking it and converting it to a common format, parsing the indicators, prioritising them by the importance of the data and the reliability of the source, and categorising them to determine how they are to be stored and processed. A high-quality indicator is timely, relevant, accurately and completely described, specific, and directly applicable to detecting and responding to cyber threats. Indicators can also be tagged to indicate the quality and confidence of the data provided.
4. Organising the storage of cyber threat information, including the source of each indicator, the detection rules that use it, the date and time it was received, its lifetime, related CVE/CPE/CWE/CCE identifiers, the criminal groups associated with it together with their tactics, techniques and procedures, and the systems and companies attacked. The stored threat information must itself be protected: it is an attractive target for attackers who want to conceal an attack and delay its detection.
5. Creating and publishing indicators, including enriching them with the organisation's own data, using standard structured data formats, and protecting sensitive information.
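The following is an added example, not code from NIST SP 800-150 or from Security Vision, that walks through processes 3 to 5 above together with the TLP marking mentioned in step 4 of the implementation list: the received feed is integrity-checked before it is parsed, each entry is typed and normalised to a common form, stored with its source, receipt time, lifetime, marking and related CVE/TTP identifiers, prioritised by source reliability decayed over its lifetime, and finally released to a TLP:GREEN audience as a STIX 2.1 pattern with the organisation's internal fields stripped. The feed contents, the source name "sector-isac", the trust scores, the field names and the 7-day receipt offset are all constructed for the example.

```python
# Added example for this article, not code from NIST SP 800-150 or Security Vision.
# Feed content, source names, trust scores and field names are all constructed.
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# TLP 1.0 colours, least to most restrictive: an item may go only to an audience
# cleared at or above its marking.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
SOURCE_CONFIDENCE = {"sector-isac": 0.9, "open-feed": 0.5}  # assumed per-source reliability
INTERNAL_FIELDS = ("detection_rules", "affected_hosts")  # must never leave the organisation
HASHES = {"md5": re.compile(r"^[0-9a-f]{32}$", re.I), "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
          "sha256": re.compile(r"^[0-9a-f]{64}$", re.I)}
DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed feed, as a hypothetical sector community might deliver it.
FEED = json.dumps({"source": "sector-isac", "indicators": [
    {"value": "203.0.113.7", "tlp": "GREEN", "ttl_days": 14, "ttps": ["T1071.001"]},
    {"value": "  Evil-Login.Example.  ", "tlp": "AMBER", "cves": ["CVE-2021-44228"]},
    {"value": "a" * 64, "tlp": "RED"},
    {"value": "not an indicator", "tlp": "GREEN"},
    {"value": "b" * 32, "tlp": "PURPLE"},
]}).encode()
FEED_SHA256 = hashlib.sha256(FEED).hexdigest()  # digest the source publishes out-of-band
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

def feed_is_intact(payload: bytes, expected_sha256: str) -> bool:
    return hashlib.sha256(payload).hexdigest() == expected_sha256.lower()

def verify_feed(payload: bytes, expected_sha256: str) -> dict:
    """Integrity check before parsing: a feed with a wrong digest is never loaded."""
    if not feed_is_intact(payload, expected_sha256):
        raise ValueError("feed integrity check failed")
    return json.loads(payload)

def classify(raw: str):
    """Detect the indicator type and normalise its value; (None, None) for junk."""
    value = raw.strip()
    for kind, pattern in HASHES.items():
        if pattern.match(value):
            return kind, value.lower()
    try:
        return "ipv4-addr", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url", value
    if EMAIL.match(value):
        return "email-addr", value.lower()
    host = value.rstrip(".")
    return ("domain-name", host.lower()) if DOMAIN.match(host) else (None, None)

def ingest(feed: dict, received: datetime) -> list:
    """Storage records: source, timing, lifetime, marking, related CVEs/TTPs, and
    empty slots for the organisation's own enrichment."""
    records = []
    for raw in feed["indicators"]:
        kind, value = classify(raw["value"])
        if kind is None:
            continue  # unparseable entry: drop it rather than store junk
        tlp = str(raw.get("tlp", "AMBER")).upper()
        records.append({
            "type": kind, "value": value, "source": feed["source"],
            "source_confidence": SOURCE_CONFIDENCE.get(feed["source"], 0.3),
            "received": received, "expires": received + timedelta(days=raw.get("ttl_days", 30)),
            "tlp": tlp if tlp in TLP_RANK else "RED",  # unknown marking: treat as most restrictive
            "cves": raw.get("cves", []), "ttps": raw.get("ttps", []),
            "detection_rules": [], "affected_hosts": []})
    return records

def priority(record: dict, now: datetime) -> float:
    """Source reliability, decayed linearly to zero over the indicator's lifetime."""
    life = (record["expires"] - record["received"]).total_seconds()
    left = (record["expires"] - now).total_seconds()
    return 0.0 if life <= 0 or left <= 0 else round(record["source_confidence"] * min(1.0, left / life), 3)

def stix_pattern(record: dict) -> str:
    """STIX 2.1 pattern for the observable types handled above."""
    if record["type"] in HASHES:
        algo = record["type"].upper().replace("SHA", "SHA-")  # MD5, SHA-1, SHA-256
        return "[file:hashes.'%s' = '%s']" % (algo, record["value"])
    return "[%s:value = '%s']" % (record["type"], record["value"])

def share(record: dict, audience_tlp: str):
    """Sanitised copy for an audience cleared to audience_tlp; None if the marking forbids it."""
    if TLP_RANK[record["tlp"]] > TLP_RANK[audience_tlp.upper()]:
        return None
    out = {k: v for k, v in record.items() if k not in INTERNAL_FIELDS}
    out["pattern"] = stix_pattern(record)
    return out

def run_demo(now: datetime = NOW) -> dict:
    """Verify, ingest (received a week ago), drop expired, rank, prepare a TLP:GREEN release."""
    records = ingest(verify_feed(FEED, FEED_SHA256), received=now - timedelta(days=7))
    live = sorted((r for r in records if r["expires"] > now), key=lambda r: priority(r, now), reverse=True)
    return {"stored": len(records),
            "ranked": [(r["value"], priority(r, now)) for r in live],
            "released_green": [s["pattern"] for s in (share(r, "GREEN") for r in live) if s]}
```

Running `run_demo()` stores four of the five entries (the free-text one is discarded), ranks the 14-day IP indicator below the 30-day ones because half its lifetime has already elapsed, and releases only that IP to a GREEN audience: the AMBER domain and the two RED hashes stay inside, and the entry with the unrecognised "PURPLE" marking was deliberately stored as RED rather than guessed downwards.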