https://mikeechols.com/why-share-cyber-threat-information
Michael Echols
Why Share Cyber Threat Information
Cyber threat information sharing is essential to thwarting successful hacks and minimizing
consequences should a breach occur. For many years large organizations have had
opportunities to work with the Department of Homeland Security (DHS) to share indicators of
compromise to ensure the protection of critical infrastructure and major business entities. There
is now an opportunity for every company to participate, and it was institutionalized through
Executive Order 13691 in 2015. Now, any business or organization can create an Information
Sharing and Analysis Organization (ISAO) and access sharing programs established by DHS and
managed by the International Association of Certified ISAO (IACI).
As the lead federal department for the protection of critical infrastructure and the furthering of
cybersecurity, DHS has developed and implemented numerous information sharing programs.
IACI partners with DHS to build and provide guidance for emerging and existing ISAOs. The
National Cybersecurity and Communications Integration Center (NCCIC), within the CISA Office,
serves as a centralized location where operational elements are coordinated and integrated.
NCCIC partners include all federal departments and agencies; state, local, tribal, and territorial
governments; the private sector; and international entities. The NCCIC’s activities include
providing greater understanding of cybersecurity and communications situation awareness,
vulnerabilities, intrusions, incidents, mitigation, and recovery actions.
Working With The DHS NCCIC
Neither a formal information-sharing agreement nor a security clearance is a prerequisite to
share information with or receive information from the NCCIC, and entities take advantage of
NCCIC’s resources at a variety of levels. However, ISAOs are afforded limited liability protection
for the information they share. ISAOs can’t be regulated based on that information and have
some court protections. ISAOs have the opportunity to sign a Cyber Information Sharing and
Collaboration Agreement (CISCA) with DHS that affords them even more access.
There are four levels of agreements in which partners engage and are integrated with the
NCCIC:
Level 1 – Entities have the ability to share information with the NCCIC, as well as to
collaborate in both ongoing and incident response situations. This can include a physical,
day-to-day presence of designated representatives on the NCCIC watch floor. These
participants are actively involved in daily NCCIC operations and are closely coordinated
with the NCCIC’s personnel. The agreement for this is the Cooperative Research and
Development Agreement.
Level 2 – Entities engage in bilateral information sharing in the form of indicator exchange
activities only, to include automated indicator sharing. The agreement required for this
type of engagement and information sharing is shorter and more lightweight than a
formal CISCA. It can be a memorandum of understanding or agreed-upon terms of
use. One example of such an agreement in use today is the terms of use to access the U.S.
Computer Emergency Readiness Team (US-CERT) portal, a secure, web-based,
collaborative system to share sensitive, cyber-related information and news with
participants in the public and private sector, including the Government Forum of Incident
Response and Security Teams, the Chief Information Security Officer Forum, National
Cyber Response Coordination Group, Information Sharing and Analysis Centers members,
and various other working groups. Stakeholders agree to terms of use to become
authorized users of the portal.
Level 3 – Private entities can access our products online, including NCCIC and US-CERT
bulletins, educational and training resources, and best practices. Coordination is virtual
and communication is electronic, through the NCCIC’s information sharing mechanisms, to
include reports, advisories, and bulletins with threat and mitigation information. No
agreement is necessary for this type of sharing, and many entities of various sizes make
use of the NCCIC’s resources.
Level 4 – Private entities can engage with each other using a DHS forum to share best
practices, share mitigation techniques and manage risk in a trusted environment.
Start an ISAO
Taking advantage of an information sharing program does not require a direct relationship with
DHS. The ISAO offers a barrier between the company and the government. Smart companies
join ISAOs to know if something is happening in the networks of their partners. The truth is, if it is
happening to them, you are probably next. Go to www.certifiedisao.org for more information.