The US government is working to support common business practices for cyber threat information sharing. In the last year, President Obama signed the Cybersecurity Information Sharing Act into law and the Department of Homeland Security (DHS) rolled out its Automated Indicator Sharing (AIS) program. The AIS program is designed to support machine-to-machine exchange of the technical building blocks of a cyber intrusion, such as IP addresses, domain names, and file hash values. The Office of the Director of National Intelligence (ODNI) Cyber Threat Framework provides “a simple, yet flexible, collaborative data reporting schema for describing the threat environment that supports analysis, senior-level decision making, and cybersecurity.” The Cyber Threat Framework allows analysts to “bin” cyber activity into stages according to the seriousness of the incident. Those stages are listed below; the sub-bullets give examples of the activity that falls into each stage:
- Preparation of capabilities and targeting
  - Plan activity, conduct research & analysis, develop resources and capabilities, conduct reconnaissance, stage operational tools/capabilities, and/or initiate operations
- Engagement with the targets or temporary non-intrusive disruptions by the adversary
  - Deploy capability, interact with target, exploit vulnerabilities, and/or deliver payload
- Presence on target networks
  - Establish initial control, hide, expand presence, refine targeting, and/or establish persistence
- Effect/Consequence from theft, manipulation, or disruption
  - Deny access, alter computer/network/system behavior, extract data, destroy hardware/software/data, enable other operations, relocate and store data, disclose data/information, and/or exfiltrate data/information
The first two stages are considered “left” of the intrusion, while the last two occur after an intrusion has taken place. Here is a sample report:
According to a local report, last year over 120 million personnel files were electronically exfiltrated by an identified nation state cyber actor.
This is an example of the Effect/Consequence stage, since it refers to the extraction and exfiltration of data. Here’s another sample:
Recent reporting indicates suspected cyber actors working on behalf of country X are planning a possible spearphishing campaign against the US Government, with the goal of gaining access to personnel records.
This is an example of the Preparation stage, since it refers to the planning of cyber activity.
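The binning shown in the two samples above can be expressed as a small, machine-readable step, which is the kind of automation the framework is meant to enable alongside indicator sharing. The following is an added example, not a tool from ODNI or PM-ISE: the four stage names and their objective lists are taken from the framework as quoted on this page, while the keyword patterns and the two binning rules (activity that is only planned is Preparation; otherwise a report is binned to the most serious stage it gives evidence for) are this example's own assumptions. The first two sample reports are the ones on the page; the third is constructed to show a report that spans two stages.

```python
"""Bin free-text cyber threat reporting into Cyber Threat Framework stages.

Constructed example. Stage names and objectives follow the framework's four
stages; the keyword heuristics and scoring rules are assumptions made here.
"""
import re
from dataclasses import dataclass, field

# Stages in increasing order of seriousness, each with the example objectives
# the framework lists for it.
STAGES = [
    ("Preparation", ["plan activity", "conduct research & analysis",
                     "develop resources and capabilities", "conduct reconnaissance",
                     "stage operational tools/capabilities", "initiate operations"]),
    ("Engagement", ["deploy capability", "interact with target",
                    "exploit vulnerabilities", "deliver payload"]),
    ("Presence", ["establish initial control", "hide", "expand presence",
                  "refine targeting", "establish persistence"]),
    ("Effect/Consequence", ["deny access", "alter computer/network/system behavior",
                            "extract data", "destroy hardware/software/data",
                            "enable other operations", "relocate and store data",
                            "disclose data/information", "exfiltrate data/information"]),
]
STAGE_RANK = {name: rank for rank, (name, _) in enumerate(STAGES)}
LEFT_OF_INTRUSION = {"Preparation", "Engagement"}

# Assumed heuristics: regex seen in analyst reporting -> (stage, objective).
KEYWORDS = {
    r"\bplan(ning|ned)?\b": ("Preparation", "plan activity"),
    r"\breconnaissance\b": ("Preparation", "conduct reconnaissance"),
    r"\bscann(ing|ed)\b": ("Preparation", "conduct reconnaissance"),
    r"\bspear-?phish": ("Engagement", "deliver payload"),
    r"\bexploit(ed|ing)?\b": ("Engagement", "exploit vulnerabilities"),
    r"\bpersistence\b": ("Presence", "establish persistence"),
    r"\blateral movement\b": ("Presence", "expand presence"),
    r"\bexfiltrat": ("Effect/Consequence", "exfiltrate data/information"),
    r"\bwiped\b|\bdestroy": ("Effect/Consequence", "destroy hardware/software/data"),
    r"\bransom|\bencrypted\b": ("Effect/Consequence", "deny access"),
}
# Phrases signalling intended rather than executed activity (assumption).
INTENT = re.compile(r"\b(planning|plans? to|intend(s|ed)? to)\b", re.I)


@dataclass
class BinnedReport:
    text: str
    stage: str
    objectives: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    @property
    def left_of_intrusion(self) -> bool:
        return self.stage in LEFT_OF_INTRUSION

    def to_record(self) -> dict:
        """Structured form suitable for machine-to-machine exchange."""
        return {"stage": self.stage, "objectives": self.objectives,
                "left_of_intrusion": self.left_of_intrusion,
                "evidence": self.evidence}


def bin_report(text: str) -> BinnedReport:
    """Assign a free-text report to one stage, keeping the matched evidence."""
    hits = []
    for pattern, (stage, objective) in KEYWORDS.items():
        m = re.search(pattern, text, re.I)
        if m:
            hits.append((stage, objective, m.group(0)))
    if not hits:
        return BinnedReport(text, "Unbinned")
    evidence = [matched for _, _, matched in hits]
    # Rule 1: activity that is only planned is Preparation, whatever technique
    # is named (the framework's "plan activity" objective).
    if INTENT.search(text):
        return BinnedReport(text, "Preparation", ["plan activity"], evidence)
    # Rule 2: otherwise bin to the most serious stage with evidence.
    top = max(hits, key=lambda h: STAGE_RANK[h[0]])[0]
    objectives = sorted({obj for stage, obj, _ in hits if stage == top})
    return BinnedReport(text, top, objectives, evidence)


REPORTS = [
    # The two sample reports from the page:
    "According to a local report, last year over 120 million personnel files were "
    "electronically exfiltrated by an identified nation state cyber actor.",
    "Recent reporting indicates suspected cyber actors working on behalf of country X "
    "are planning a possible spearphishing campaign against the US Government, with "
    "the goal of gaining access to personnel records.",
    # Constructed report spanning Presence and Effect/Consequence:
    "The actor established persistence via a scheduled task and later exfiltrated "
    "2 GB of email from the file server.",
]

if __name__ == "__main__":
    for report in REPORTS:
        print(bin_report(report).to_record())
```

The third report shows why the "most serious stage" rule matters: it mentions both persistence (Presence) and exfiltration (Effect/Consequence), and binning it to Effect/Consequence matches how the page ranks stages by seriousness. The keyword table is deliberately small; a real deployment would replace it with the analyst's own vocabulary and would treat the result as a suggestion for review, since a phrase like "planning" can also appear in a report about completed activity.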
The Cyber Threat Framework is important because it drives a common understanding of cyber threat activity across cyber analysts in multiple communities. It also sets the stage for the automated sharing of not just technical indicators, but the context in which the activity took place. This gives decision makers across organizations the situational awareness they need to decide how to respond. The Cyber Threat Framework is gaining adoption across the Intelligence Community; the next step will be to expand adoption across the federal government and throughout the state, local, tribal, territorial, and private sector communities. Coinciding with next week’s National Fusion Center Association (NFCA) Annual Training Event, October 25 – 27 in Alexandria, VA, the Office of the Program Manager for the Information Sharing Environment (PM-ISE) will be hosting core documentation for the Cyber Threat Framework on ISE.gov and at the ISE booth at the event. As Fusion Centers grow their cyber capacity, the Cyber Threat Framework will allow their analysts to create relevant cyber reporting that adds tremendous value to the broader cyber enterprise.