NIST SP 800-150:Guide to Cyber ThreatInformation SharingChris Johnson, NISTAugust 16, 2016

NIST Special Publication 800-1502nd DRAFT8/16/20162016 Federal Computer SecurityManagers' Offsite2

Why Share? Collective defenseImproved security postureKnowledge enrichment through collaborationEnhanced situational awarenessAugment internal collection with external sourcesGreater defensive agilityEnhanced decision-making8/16/20162016 Federal Computer SecurityManagers' Offsite3

What are some of the Challenges? Establishing trustInteroperability and automationProtecting sensitive informationIntegrating threat information into decision-makingprocesses Complying with legal and regulatory requirements Limiting attribution Infrastructure and personnel8/16/20162016 Federal Computer SecurityManagers' Offsite4

Sources of Cyber ThreatInformation (CTI)Internal Sensors (e.g., IDS, AV)Systems (System, Network, and Application logs)Tools (e.g., Forensic toolkits, network diagnostics)Repositories (e.g., SIEM, Ticket Management Systems)PersonnelExternal 8/16/2016Open, public sharing communities and resourcesGovernment sourcesSector peers and business partnersVendor alerts and advisoriesCommercial Services2016 Federal Computer SecurityManagers' Offsite5

Uses of CTI Prioritize the implementation of security controlsDevelop user training and awareness campaignsCapital planning and investmentEnhance detection capabilitiesInform response and recovery operations8/16/20162016 Federal Computer SecurityManagers' Offsite6

Types of CTITypes of cyber threat information include: Indicators Tactics, Techniques, and Procedures Threat Actors Vulnerabilities Cybersecurity Best Practices Courses of Action Tools and Analysis Techniques8/16/20162016 Federal Computer SecurityManagers' Offsite7

Types of CTIIndicators“A technical artifact or observable that suggests an attack is imminentor is currently underway, or that a compromise may have alreadyoccurred.”Examples: IP addresses Domain names File names, sizes Hashes of file contents Service names Altered configuration parameters8/16/20162016 Federal Computer SecurityManagers' Offsite8

Types of CTITactics, Techniques, and ProceduresThe behavior of an actor. A tactic is the highest-level description of thisbehavior, while techniques give a more detailed description of behaviorin the context of a tactic, and procedures an even lower-level, highlydetailed description in the context of a technique.Examples: Spear phishing email Social engineering Website (drive-by attack) Exploit operating system or application vulnerability Removable media Obfuscation techniques8/16/20162016 Federal Computer SecurityManagers' Offsite9

Types of CTIThreat ActorsInformation regarding the individual or a group posing a threat.Examples: Affiliation Identity Motivation Relationships8/16/20162016 Federal Computer SecurityManagers' Offsite10

Types of CTIVulnerabilitiesA vulnerability is a software flaw that can be used by a threat actor togain access to a system or network. Overview Impact Technical Details Affected systems, platforms, and versions References Mitigations8/16/20162016 Federal Computer SecurityManagers' Offsite11

Types of CTICybersecurity Best PracticesCommonly used cybersecurity methods that have demonstratedeffectiveness in addressing classes of cyber threats.Examples: Response actions (e.g., patch, configuration change) Recovery operations Detection strategies Protective measures8/16/20162016 Federal Computer SecurityManagers' Offsite12

Types of CTICourses of ActionRecommended actions that help to reduce the impact of a threat: Detect (e.g., add or modify an IDS signature) Protect (e.g., implement multi-factor authentication) Respond (e.g., block network traffic to C&C server) Recover (e.g., restore base system image)8/16/20162016 Federal Computer SecurityManagers' Offsite13

Types of CTITools and Analysis TechniquesRecommended tools (e.g., log extraction/parsing/analysis, editor)Useful tool configurations (e.g., capture filter for network protocolanalyzer)Signatures (e.g., custom or ”tuned” signatures)Extensions (e.g., connectors or modules)Code (e.g., algorithms, analysis libraries)Visualization techniques8/16/20162016 Federal Computer SecurityManagers' Offsite14

Desirable Characteristics of CTITimely – allow sufficient time for the recipient to actRelevant – applicable to the recipient’s operational environmentAccurate – correct, complete, and unambiguousSpecific – provide sufficient level of detail and contextActionable – provides or suggests an effective course of action8/16/20162016 Federal Computer SecurityManagers' Offsite15

Establishing a CTI Sharing Capability Set Goals and ObjectivesIdentify Internal Sources of CTIDefine ScopeEstablish Sharing RulesJoin a Sharing CommunityPlan for Ongoing Support8/16/20162016 Federal Computer SecurityManagers' Offsite16

Establishing a CTI Sharing Capability:Set Goals and ObjectivesCTI Sharing is not the objectiveNeeds to align with mission, business, and security needsTalk with organizational stakeholdersSecure approval and buy-in from leadership, legal team andprivacy officialsAddress specific problemsReduce riskEnhance cybersecurity practicesRequires prioritizationGoals need to be revisited over time8/16/20162016 Federal Computer SecurityManagers' Offsite17

Establishing a CTI Sharing Capability:Identify Internal Sources of CTIWhere does CTI “live”? Operating system, service, and application logs Router, Wi-Fi, remote services logs System and application configuration settings and states Firewall, IDS, and Antivirus logs and alerts Web browsers history, cookies, and cache Security Information and Event Management (SIEM) Email systems Help desk ticketing systems, incident management/trackingsystem, and people Forensic toolkits and dynamic and/or virtual executionenvironments Diagnostic and monitoring tools (PCAP & protocol analysis)8/16/20162016 Federal Computer SecurityManagers' Offsite18

Establishing a CTI Sharing Capability:Define ScopeEstablish the scope of information sharing based on:Current capabilitiesInformation availabilityInformation needsAvailable resourcesDegree of automation8/16/20162016 Federal Computer SecurityManagers' Offsite19

Establishing a CTI Sharing Capability:Sharing AgreementsSharing agreements should describe the rules regarding: Types of information that can be shared Conditions and circumstances when sharing is permitted Distribution to approved recipients Identification and redaction of PII and other sensitiveinformation Use of automated information exchange mechanisms Non-attributed information exchange Information handling requirements and designations8/16/20162016 Federal Computer SecurityManagers' Offsite20

Establishing a CTI Sharing Capability:Sharing AgreementsSharing rules are expressed in: Memorandums of Understanding Service Level Agreements Nondisclosure Agreements Framework Agreements Informal ArrangementEstablished sharing communities often have templates8/16/20162016 Federal Computer SecurityManagers' Offsite21

Establishing a CTI Sharing Capability:Sharing Agreements Talk with your organization’s legal and privacy officials Have them review the types of information you plan to shareand point out potential risks. Determine appropriate handling designations Reevaluate when:o Regulatory or legal requirements changeo Organizational policy is updatedo New information sources are introducedo Operating/threat environment or risk tolerance changeso Organizational mergers, realignments, and acquisitionsoccur8/16/20162016 Federal Computer SecurityManagers' Offsite22

Establishing a CTI Sharing Capability:Join a Sharing Community:Potential sharing partners and resources: Government (e.g., US-CERT, NVD, CSRC)Industry sector peers (e.g., ISACs)Threat intelligence vendorsSupply chain partners (PSIRTs)Regional/Local Sharing OrgsVendor consortiumsOpen source intelligence repositories8/16/20162016 Federal Computer SecurityManagers' Offsite23

Establishing a CTI Sharing Capability:Join a Sharing Community:Some Considerations: Membership fee structuresEligibility requirementsTypes of CTI that the community exchangesDelivery mechanisms, formats, and protocols usedFrequency and volume of information providedQuality and timeliness of the information providedTerms of use and other restrictionsSecurity and privacy controls provided8/16/20162016 Federal Computer SecurityManagers' Offsite24

Establishing a CTI Sharing Capability:Ongoing SupportImplement a support plan that addresses personnel, funding,infrastructure, training, and processes needed for: Collecting and analyzing CTI from internal and external sources Implementing and maintaining protective measures Supporting monitoring and threat detection capabilities Membership or service fees8/16/20162016 Federal Computer SecurityManagers' Offsite25

NIST CTI Programs and ResourcesStandards,Specifications, andGuidelines NIST SP 800-61NIST SP 800-150NIST IR 8057OthersData Repositoriesand Reference DataSets National VulnerabilityDatabase (NVD)NVD and National SoftwareReference Library IntegrationNational Checklist ProgramUnited States GovernmentConfiguration BaselinesProduct ConformanceTesting and Testing Tools SCAP 1.2 Product Test SuiteContentSCAP Content ValidationTool (SCAPVal)SCAP 1.2 ValidationProgramResearch Multidimensional Cybersecurity AnalyticsAutomated Generation ofIndicators Using OVAL8/16/20162016 Federal Computer SecurityManagers' Offsite26

Other Federal CTI Programsand Resources DHS Enhanced Cybersecurity Services (ECS) Program DoD Defense Industrial Base (DIB) Cybersecurity Program DHS Cyber Information Sharing and Collaboration Program(CISCP) National Cyber Investigative Joint Task Force (NCIJTF) DHS National Cybersecurity and Communications IntegrationCenter (NCCIC) FBI Private Industry Notifications (PINs) and FBI Liaison AlertSystem (FLASH) Reports DoE Cybersecurity Risk Information Sharing Programs (CRISP) DHS Automated Indicator Sharing Initiative (AIS) DoE Cyber Fed Model (CFM) Program Department of the Treasury’s Financial Sector CyberIntelligence Group (CIG)8/16/20162016 Federal Computer SecurityManagers' Offsite27

Other Federal CTI Programsand ResourcesCTI Programs include: DoD Defense Cyber Crime Center (DC3) Department of Commerce, National Institute of Standards andTechnology, Computer Security Resource Center (CSRC) DHS Critical Infrastructure Cyber Community (C3) VoluntaryProgram National Security Agency (NSA) Information Assurance (IA)Guidance Small Business Administration (SBA) cybersecurity bestpractices8/16/20162016 Federal Computer SecurityManagers' Offsite28

Information Sharing and AnalysisCenters (ISACs) AutomotiveAviationCommunicationsDefense Industrial BaseDefense Security Information ExchangeDownstream Natural GasElectricityEmergency Management and ResponseFinancial ServicesHealthcare Ready“an ISAC is a trusted, sector specific entity which Information Technologycollects, analyzes, and disseminates alerts andSource: National Council of t reports to provide analytical support togovernment and other ISACs” *2016 Federal Computer SecurityManagers' Offsite29

Information Sharing and AnalysisCenters (ISACs) MaritimeMulti-StateNational HealthOil and Natural GasReal EstateResearch and EducationRetail Cyber IntelligenceSupply ChainSurface Transportation, PublicTransportation and Over-the-Road Bus WaterSource: National Council of ISACshttps://www.nationalisacs.org8/16/20162016 Federal Computer SecurityManagers' Offsite Public/private sectorsecurity cooperationDaily InformationExchangeWeekly MeetingsThreat Response &Reporting Guidelines30

ISAO Standards OrganizationMission:“To improve the Nation’s cybersecurity posture by identifying standardsand guidelines for robust and effective information sharing and analysisrelated to cybersecurity risks, incidents, and best practices.”Working Groups: ISAO Creation ISAO Capabilities Information Sharing Privacy and Security ISAO Support Government RelationsSource: ISAO Standards Organizationhttps://www.isao.org8/16/20162016 Federal Computer SecurityManagers' Offsite31

Participating in CTI SharingRelationships8/16/20162016 Federal Computer SecurityManagers' Offsite32

Participating in CTI Sharing RelationshipsOngoing CommunicationMeet regularly with trusted sharing partners to: Discuss current threats Share or develop mitigation strategies Provide training and develop skills Mentor new community members Develop key practices and resources Build rapport and foster trust Share technical insights8/16/20162016 Federal Computer SecurityManagers' Offsite33

Participating in CTI Sharing RelationshipsConsume and Respond to AlertsUpon receipt of a security alert, advisory, or bulletin organizationsshould have procedures in place for: Establishing that the alert is from a trusted, reliable source Seeking confirmation from an independent source (ifnecessary) Determining if the alert affects systems, applications, orhardware that the organization owns or operates Characterizing the potential impact of the alert Prioritizing the alert Determining a suitable course of action Taking action (e.g., changing configurations, installing patches,notifying staff of threats)8/16/20162016 Federal Computer SecurityManagers' Offsite34

Participating in CTI Sharing RelationshipsConsume and Use IndicatorsThe ingest and use of indicators from external sources is often amulti-step process that includes, if not all, of the followingactivities: Validation – verifying the content’s quality, integrity, andprovenance Decryption – transforming encrypted files or data streams backto their original format Decompression – unpacking compressed content Extraction – parsing, identifying, and extracting indicators ofinterest Prioritization – processing indicators based on relativeimportance Categorization – reviewing indicator metadata to determinesecurity designations and handling requirements8/16/20162016 Federal Computer SecurityManagers' Offsite35

Participating in CTI Sharing RelationshipsIndicator EnrichmentWhat feedback mechanisms exist for: Correcting errors Making clarifications Providing supplemental information Requesting additional information Suggesting alternate interpretations Exchanging analysis techniques or results8/16/20162016 Federal Computer SecurityManagers' Offsite36

Participating in CTI Sharing RelationshipsCommon Data Formats and Automation Exchange of information at greater speed through automationLess need for human interventionStructural and semantic agreement fosters interoperabilityTalk with your security tool vendors Support the use cases you care about Demonstrate interoperability with the tools and repositoriesyou currently use or plan to use Where are they in the ”adoption curve” Formal validation vs. self-assertion Success stories Actively participate in standards/specification developmentefforts8/16/20162016 Federal Computer SecurityManagers' Offsite37

Status and Next Steps Completed the review and adjudication of public comments receivedon the 2nd DRAFT NIST SP-800-150 Updated the publication based on the comments we received Prepared a Final version of SP 800-150 that is entering the NISTpublication review and approval process Release NIST SP800-150 (Final) and post to the NIST ComputerSecurity Resource Center (CSRC) Federal Computer SecurityManagers' Offsite38

A Few Take-Aways Use CTI to support all cybersecurity and risk managementfunctions (not just incident response) Use automation to increase operational tempo Scope sharing activities according to organizational capabilities Help improve the quality of CTI content, tools and standards Use CTI to better protect what is important to your organization Know and understand the CTI you collect now Augment internal collection with external sources Look for information that is easier to share (e.g. threats vs.incidents) Join a Sharing Community (and get/stay involved)8/16/20162016 Federal Computer SecurityManagers' Offsite39

NIST Computer Security DivisionMailing ListVisit the Computer Security Resource Center online at: JohnsonComputer Security DivisionInformation Technology LaboratoryNational Institute of Standards [email protected]/16/20162016 Federal Computer SecurityManagers' Offsite40