In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” we reviewed the incident response life cycle as defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide.
The NIST document contains recommendations on incident information sharing. Besides these recommendations and an organization’s internal procedures, there are also legal requirements regarding cybersecurity information sharing, and since last year there is a government-run AIS (Automated Indicator Sharing) system for this purpose.
This article discusses these requirements and this system.
CISA – Cybersecurity Information Sharing Act
CISA – Cybersecurity Information Sharing Act – was signed into law in 2015. As DHS/DOJ guidance for non-federal entities states, the act “authorizes sharing of specific information that is used to protect information systems and information”. What does this mean in practice?
Cyber Threats and Defensive Measures
CISA Cyber Threat Indicator definition
NIST SP 800-61 defines the notion of an incident indicator as information or data that might indicate an incident. Indicators are analyzed during the detection and analysis phase of the incident response life cycle.
CISA is based on a similar notion, the Cyber Threat Indicator: information with which one can identify malicious reconnaissance, a method of attack, the incident itself or its impact(s). So this notion is similar to, but wider than, the indicator notion of NIST SP 800-61.
CISA Defensive Measure definition
Another type of information whose sharing is regulated under CISA is the Defensive Measure: a means to detect, prevent or mitigate a Cyber Threat.
Cyber Threat data and Defensive Measure data must be protected
CISA requires that Cyber Threat data and Defensive Measure data be protected against unauthorized access and/or disclosure. We all need to remember that such data can be very helpful in mitigating threats and improving security, but can also become a ticking bomb in the wrong hands.
Not all Cyber Threat data and Defensive Measure data can be shared
The Cybersecurity Information Sharing Act prohibits sharing of any personal information that is “unlikely” to be related to a cybersecurity threat or measure. This is realized by a requirement to remove such information before sharing. Please note that in terms of threats such removal concerns only persons not related to the threat, so it does not concern data that might be used to identify the attacker(s). Care should be taken on both sides: not to share any personal information that is not needed to analyze the threat, but at the same time not to remove any personal information that might be useful in threat analysis, mitigation and prevention.
You will find more details on this, including clearly explained examples, in DHS/DOJ “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities” (referenced in Further Reading section below).
How to share
DHS is the entity responsible for the sharing process (that is, for receiving cybersecurity information that a non-federal entity shares with the Federal Government). Cybersecurity information can be shared with any federal entity, but CISA states that the sharing receives liability protection only when it is executed via DHS processes (discussion of such liability protection is out of the scope of this article).
The purpose of sharing under CISA is cybersecurity only. The sharing cannot be a substitute for other obligations (e.g. reporting crimes via other means and communication channels).
CISA directed DHS to develop means for cybersecurity information sharing. DHS accepts cybersecurity information via:
- email,
- a web form, and
- the AIS (Automated Indicator Sharing) system.
We will not discuss email and web-form sharing here. These ways of sharing might be old-fashioned but are still very important.
The most interesting initiative arising from the Cybersecurity Information Sharing Act is AIS.
AIS – Automated Indicator Sharing system
The Automated Indicator Sharing system is managed by DHS (operated by the National Cybersecurity and Communications Integration Center, with information available via the US-CERT website) and allows sharing of cyber threat indicators and defensive measures at “light speed” among federal and non-federal entities. It is available free of charge.
Communication and data management in and via AIS is standardized on the following format and exchange specifications:
- STIX – Structured Threat Information eXchange and
- TAXII – Trusted Automated eXchange of Indicator Information.
To be able to share information (and benefit from shared information) via AIS, you need to get an AIS client (a TAXII client) that will communicate with the DHS TAXII server. You can also build your own client that communicates with AIS based on the above-mentioned specifications (this means you can “hook” your automated systems directly into AIS). You will also need a digital certificate (PKI certificate) to sign and encrypt the shared information.
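As an added example that is not from the article, DHS or the AIS program: a Python sketch of what a self-built AIS-style client has to assemble, namely a STIX indicator inside a TAXII envelope, with the CISA pre-share review step described above that removes personal data of people unrelated to the threat while keeping attacker-identifying data. It assumes the STIX 2.1 and TAXII 2.1 JSON shapes and a constructed phishing report; AIS's own submission profile and the certificate-based signing the article mentions are not modelled.

```python
import re
import uuid
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # addresses in free text
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")  # mandatory Indicator properties

def stix_timestamp(dt):
    """STIX 2.1 timestamp: UTC, RFC 3339, millisecond precision, trailing Z."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"

def scrub_unrelated_personal_data(text, threat_related):
    """Redact addresses of people unrelated to the threat (e.g. the victim);
    addresses that identify the attacker are indicators and stay."""
    return EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0) in threat_related else "[REDACTED]", text)

def make_indicator(name, pattern, description, threat_related, now=None):
    """Build a STIX 2.1 Indicator whose description has been scrubbed."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "description": scrub_unrelated_personal_data(description, threat_related),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }

def taxii_envelope(objects):
    """TAXII 2.1 envelope: body POSTed to a collection's /objects/ endpoint."""
    for obj in objects:
        missing = [k for k in REQUIRED if k not in obj]
        if missing:
            raise ValueError(f"{obj.get('id')} lacks required properties {missing}")
    return {"objects": objects}

# Constructed sample: the sender is the attacker (keep); the recipient is a victim.
ATTACKER = "invoice@billing-update.example"
SAMPLE_REPORT = (f"Phishing mail from {ATTACKER} to jane.doe@corp.example "
                 "asked her to open the attached 'invoice'.")
SAMPLE_PATTERN = f"[email-message:from_ref.value = '{ATTACKER}']"
```

A real client would serialize the envelope with `json.dumps` and send it with Content-Type `application/taxii+json;version=2.1`.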
Consider using security automation to automate processes of cybersecurity information sharing at your organization.
As soon as the information you shared has been analyzed by US-CERT (and prepared for sharing), it is shared and made available to all AIS participants, federal and non-federal.
Very importantly, AIS does not reveal the identity of the sharing party (unless that party agrees to it). This ensures that all AIS participants can benefit from quick, anonymous threat information sharing. When threat or incident information is shared with other entities, there is always a fear that by sharing, the entity admits it has a security problem. With AIS, this information does reach and remain with the Federal Government (via US-CERT) but does not reach any other entity (e.g. competitors). Also, CISA offers diverse liability protection measures for the sharing party (which are out of the scope of this article).
Consult your legal department
As one can see, cybersecurity information sharing is not only a matter of technical communication channels or threat/incident data sets being sent or received. It is also a legal matter. So please consult your legal department before sending any such data out or before accepting such data into your organization.
(In the next article in this series, we will discuss the European perspective on cybersecurity incident information sharing: the EU Network Information Security Directive.)
References and further reading
Cybersecurity Information Sharing Act (CISA)
CISA – Guidance for non-federal entities
CISA – Privacy and Civil Liberties Final Guidelines
Department of Homeland Security – Information Sharing site
US-CERT – AIS site
NIST SP 800-61 – Computer Security Incident Handling Guide
Introduction to Incident Response Life Cycle of NIST SP 800-61