WHY SHARE CYBER THREAT INFORMATION

1
Why Share Cyber Threat Information
mikeechols.com/why-share-cyber-threat-information
Michael Echols
Cyber threat information sharing is essential to
thwarting successful hacks and minimizing
consequences should a breach occur. For many
years large organizations have had opportunities
to work with the Department of Homeland Security
(DHS) to share indicators of compromise to
ensure the protection of critical infrastructure
and major business entities. There is an
opportunity now for every company to participate
and it was institutionalized through Executive
Order 13691 in 2015. Now, any business or
organization can create an Information Sharing
and Analysis Organization (ISAO) and access
sharing programs established by DHS and managed
by the International Association of Certified
ISAO (IACI). As the lead federal department for
the protection of critical infrastructure and the
furthering of cybersecurity, DHS has developed
and implemented numerous information sharing
programs. IACI partners with DHS to build and
provide guidance for emerging and existing ISAOs.
The National Cybersecurity and Communications
Integration Center (NCCIC), within the CISA
Office, serves as a centralized location where
operational elements are coordinated and
integrated. NCCIC partners include all federal
departments and agencies state, local, tribal,
and territorial governments the private sector
and international entities. The NCCICs
activities include providing greater
understanding of cybersecurity and communications
situation awareness vulnerabilities, intrusions,
incidents, mitigation, and recovery actions.
2
Working With The DHS NCCIC Neither a formal
information-sharing agreement nor a security
clearance is a prerequisite to share information
with or receive information from the NCCIC, and
entities take advantage of NCCICs resources at
a variety of levels. However, ISAO are afforded
limited liability protection for the information
they share. The ISAO cant be regulated based on
the information and have some court protections.
ISAOs have the opportunity to sign a Cyber
Information Sharing and Collaboration Agreement
(CISCA) with DHS that affords them even more
access. There are four levels of agreements in
which partners engage and are integrated with the
NCCIC Level 1 Entities have the ability to
share information with the NCCIC, as well as to
collaborate in both ongoing and incident response
situations. This can include a physical,
day-to-day, presence of designated
representatives in the NCCIC watch floor. These
participants are actively involved in daily NCCIC
operations and are closely coordinated with the
NCCICs personnel. The agreement for this is the
Cooperative Research and Development
Agreement. Level 2 Entities engage in bilateral
information sharing in the form of indicator
exchange activities only, to include automated
indicator sharing. The agreement required for
this type of engagement and information sharing
is shorter and more lightweight than a formal
CISCA. It can be a memorandum of understanding or
agreed upon terms of use. One example of such an
agreement in use today is the terms of use to
access the U.S. Computer Emergency Readiness
Team (US-CERT) portal, a secure, web-based,
collaborative system to share sensitive,
cyber-related information and news with
participants in the public and private sector,
including the Government Forum of Incident
Response and Security Teams, the Chief
Information Security Officer Forum, National
Cyber Response Coordination Group, Information
Sharing and Analysis Centers members, and
various other working groups. Stakeholders agree
to terms of use to become authorized users of
the portal. Level 3Private entities can access
our products online, including NCCIC and US-CERT
bulletins, educational and training resources,
and best practices. Coordination is virtual and
communication is electronic, through the NCCICs
information sharing mechanisms, to include
reports, advisories, and bulletins with threat
and mitigation information. No agreement is
necessary for this type of sharing, and many
entities of various sizes make use of the
NCCICs resources. Level 4- Private entities can
engage with each other using a DHS forum to share
best practices, share mitigation techniques and
manage risk in a trusted environment. Start an
ISAO
3
Taking advantage of information sharing program
does not require a direct relationship with DHS.
The ISAO offers a barrier between the company and
the government. Smart companies join ISAOs to
know if something is happening in networks of
their partners. Truth is if it is happening to
them you are probably next. Go to
www.certifiedisao.org for more information.