Imagine this: A company discovers its web server log files show that a particular IP address has sent web traffic that seems to test whether the company's content management system has been updated to patch a recent vulnerability. Useful information to know outside that company?
The federal government thinks so, and cites this example of the type of cyberthreat information that should be shared by businesses with the government, which in turn will share it with other organizations in and outside of government.
The example appears in new guidance issued this week by the Department of Homeland Security to help governmental and private organizations visualize how best to share cyberthreat information.
4 Guideline Documents
DHS has issued four guideline documents that in the words of Secretary Jeh Johnson "provide federal agencies and the private sector with a clear understanding of how to share cyberthreat indicators." The four publications DHS issued are:
Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015.
Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015.
Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government.
Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015.
"This language is a positive step toward enabling the private sector to identify and share cyberthreat indicators with the federal government, which will help better protect consumers and our nation's security," says Chris Feeney, president of BITS, the technology arm of the Financial Services Roundtable, a trade group.
Step in Implementing New Law
The Cybersecurity Information Sharing Act, enacted late last year, directs DHS to establish a mechanism through its National Cybersecurity and Communications Integration Center for the government and private sector to share cyberthreat data (see Obama Signs Cybersecurity Information Sharing Bill). The issuance of the guidance is the latest move by the government to implement the new law.
"The guidance provides a useful roadmap for non-federal entities seeking to ensure compliance with CISA and the receipt of its corresponding protections when sharing information related to cyberthreats and defensive measures," Stephen Reynolds, co-chair of law firm Ice Miller's data security and privacy practice, writes in a blog post.
One of the guides - aimed at non-federal entities - describes how to identify and share cyberthreat indicators and defensive measures.
Examples of Indicators
Among the examples of information containing cyberthreat indicators that businesses could submit to DHS:
Security researchers reporting a discovery of a technique that permits unauthorized access to an industrial control system;
Managed security service companies disclosing a pattern of domain name lookups that is believed to correspond to malware infection;
Manufacturers reporting unexecuted malware found on their networks;
Investigators reporting on the domain names associated with botnet command and control servers;
Engineering companies victimized by computer intrusions describing the types of engineering files that appear to have been exfiltrated, as a way of warning other companies with similar assets; and
News websites suffering distributed denial of service attacks reporting the IP addresses sending malicious traffic.
Observable Facts
According to the guidance, much of the information within an indicator centers on observable facts. A cyberthreat indicator offers a number of observable characteristics: a malicious email, IP addresses, file hashes, domain names, URLs, malware files and malware artifacts that describe the attributes of a file. The specificity and nature of the observable facts are designed to reduce the risk that a cyberthreat indicator contains personal content or information inappropriate to share.
The non-federal entity guidance also describes defensive measures that can be shared: measures that detect, prevent or mitigate known or suspected cybersecurity threats or security vulnerabilities. A defensive measure could be as simple as a device that protects or limits access to a company's computer infrastructure or as complex as sophisticated software tools that detect and protect against anomalous and unauthorized activities.
Defensive Measures
Examples of defensive measures:
Software that identifies patterns of malicious activity in web traffic;
Signatures loaded into an intrusion detection system to detect spear phishing with particular characteristics;
Algorithms that search through a cache of network traffic to discover anomalous patterns; and
Automated techniques to quickly match the content of an organization's incoming SMTP traffic against a set of content known to be associated with a specific cybersecurity threat, without degrading the speed of email delivery to end users.
In making the announcement of the new guidelines, Johnson also unveiled how DHS's Automated Indicator Sharing initiative would work under the new law to enable the real-time exchange of cyberthreat indicators, remove unnecessary personally identifiable information and disseminate the indicators to appropriate government and nongovernment organizations.
By design, according to DHS, the Automated Indicator Sharing program removes PII not directly related to a cyberthreat; allows limited human review to remove PII when automated mitigation isn't feasible; anonymizes submitters' identity unless they consent; retains data for a limited time, consistent with the need to address the cyberthreat; and ensures collected data are used only for authorized government purposes.
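As an added illustration of the opening web-server-log scenario and of the observable-facts and PII-removal principles described above (this is not code from DHS or from the guidance), the following Python example flags a source IP that requests CMS patch-level probe paths in constructed log lines and emits an indicator carrying only observable facts, with e-mail addresses redacted. The log lines, the probe paths and the indicator layout are constructed assumptions and do not represent any AIS or STIX format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2016:10:01:03 +0000] "GET /cms/upgrade.php?from=bob@example.com HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2016:10:01:04 +0000] "GET /cms/CHANGELOG.txt HTTP/1.1" 404 180 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Feb/2016:10:02:10 +0000] "GET /article?id=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Hypothetical paths that only matter to someone checking the CMS patch level.
PROBE_PATHS = {"/cms/upgrade.php", "/cms/CHANGELOG.txt"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact_pii(text):
    """Remove e-mail addresses: PII that is not needed to describe the threat."""
    return EMAIL_RE.sub("[redacted-email]", text)


def build_indicators(log_text, probe_paths=PROBE_PATHS, min_hits=2):
    """Group probe requests by source IP and emit an indicator only for IPs that
    hit min_hits or more probe paths. Each indicator holds observable facts only:
    the IP, timestamps, redacted request targets and HTTP status codes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m["target"].split("?", 1)[0]  # path without the query string
        if path in probe_paths:
            hits[m["ip"]].append((m["ts"], redact_pii(m["target"]), int(m["status"])))
    indicators = []
    for ip, events in hits.items():
        if len(events) < min_hits:
            continue
        indicators.append({
            "type": "ipv4-addr",
            "value": ip,
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "requests": [(target, status) for _, target, status in events],
            "description": "source probing CMS patch-level paths",
        })
    return indicators


if __name__ == "__main__":
    for indicator in build_indicators(SAMPLE_LOG):
        print(indicator)
```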
[Diagram: Protection for Sharing Cyberthreat Data with Federal Entities. Source: DHS]
CISA provides liability protections only if the organization shares cyberthreat indicators and defensive measures through the DHS hub (see diagram above). The new law provides other protections, such as exemptions from antitrust laws, federal and state disclosure laws and certain regulations, if the information is shared through other government organizations, information sharing and analysis centers, information sharing and analysis organizations, managed security service providers and other private organizations.