Cyber-threat intelligence information sharing guide
Published 8 March 2021
1. Purpose of this document
This paper documents the sharing of cybercrime, cybersecurity, and cyber threat intelligence information in the financial sector by providing an overview of core principles, objectives, benefits, and best practices.
The paper accompanies and supports Citi’s planned engagement with key stakeholders, in the public and private sectors, in selected Commonwealth countries, aimed at stimulating activities that improve cyber threat intelligence sharing in those countries and their regions. This is one pillar of Citi’s official partnership in the UK Government’s Commonwealth Cyber Declaration Project.
The intended audience includes relevant leaders and practitioners in financial institutions, banking associations, national computer emergency response teams, government agencies, law enforcement, regulators, and other relevant private and public-sector organisations.
This document especially is addressed to:
- CEO (Chief Executive Officer) Level
- CISO (Chief Information Security Officer) or delegate
- Government (e.g. a relevant agency, where applicable)
- Incident Response Team / Incident analyst
- Data Sharing Groups
- Legal/compliance
Case examples, footnotes, and an appendix of links to further detailed and authoritative reports are provided. However, this document should represent far more than static reference materials and should be used to stimulate, inform, and facilitate detailed and determined discussions. The larger objective of this document is the creation of clear, effective action plans specifically tailored to the particular circumstances in selected Commonwealth countries.
2. Executive summary
Cyber threat information sharing is the exchange of knowledge about threats, incidents, vulnerabilities, mitigations, leading practices, or tools relevant to a technology-based or technology-leveraged risk set. Such sharing is important because it encourages connection and collaboration between entities (internally and externally), helping organisations to prevent cyberattacks. Where a threat actor has the means and motivation, a cyber threat to one organisation may reasonably be considered a threat to another.
An opening word about nomenclature: while the words “information” and “intelligence” are often used interchangeably, they are not the same thing. Information is any kind of data: numbers, reports, narratives, and so on. Intelligence is the result of information that has been vetted and analysed in order to answer specific questions.
Sharing information (and/or intelligence) can contribute to an organisation’s cyber threat awareness, insights into the activity directly affecting a peer organisation’s network, ability to understand what is affecting a given sector or geography, how a threat manifests/operates, and what can be done to defend against it.[footnote 1]
By exchanging cyber threat information, organisations can improve:
- awareness of current cyber threats affecting various sectors
- understanding of attackers’ tactics, techniques, and procedures
- acquisition of information that would otherwise be unavailable, or only inefficiently available, through public sources or security vendor reporting
- decision-making regarding technology, controls, resource allocation, and escalation
- detection capabilities on networks
- mitigation and responses prior to an actual event
While the scope of cyber threat intelligence information sharing is broad, there exists an agreed-upon set of principles and guidelines. These guidelines have been tested by professionals for a number of years. Adhering to them will assist stakeholders to create, participate in, and derive value from cyber threat intelligence sharing arrangements.
Broadly speaking, these principles fall into the following categories:
- guidelines for information sharing groups
- actions for organisations
- sharing information: timeliness versus accuracy
  - information shared too soon might not be accurate
  - information shared too late might lose its value
As mentioned above, numerous sectors, public and private bodies, law enforcement, and not-for-profit organisations participate in a variety of local and global cyber threat information and intelligence sharing agreements.[footnote 2] Examples include:
- the Financial Services Information Sharing and Analysis Center (FS-ISAC)[footnote 3]
- the National Cyber-Forensics and Training Alliance (NCFTA), and
- various country-specific Computer Emergency Response Teams (CERTs)
We view this discussion paper as the prelude to a necessary conversation. As such, it does not explore the responsibilities of organisations regarding sharing information with their clients or outside of those clients participating in the same cyber threat information sharing groups.
3. Why should an organisation share information?
Collective defence is a fundamental reason for sharing information. Regular and committed cyber threat information sharing significantly assists organisations mutually to pre-empt, prevent, detect, and respond to serious cyber incidents and threats, while improving the preparedness and resilience of the wider ecosystem.
Awareness of the various threats that affect other organisations allows better use of internal resources and capabilities. For example, if threat actors are using similar penetration techniques, a participant can review their own systems to make sure appropriate safeguards are in place.
Additionally, the data, services, or resources held by one company are often held by many others. A threat actor targeting sensitive financial data with the goal of selling it would find similar information in more than one bank. For example, threat actors may attempt to abuse the payment messaging systems of any connected bank, assuming they have the capability to move within the network and operate the payment interface.
Cyber intelligence pertinent to the sharing organisation—either following an incident or a detected cyber-attack—has the highest value if it is shared immediately. Before this data ages, recipient organisations can leverage it to augment defensive postures to better prevent or detect, respond to, and recover from the same cyber threat with lower impact. The value of the information varies depending on:
- the type of data
- how recent it is
- its context and background
- the application to the receiver
- the nature of the receiver
- the objectives of the receiver
Objectives for information sharing may vary across organisations. Some common objectives include:
- improving threat awareness by learning from the perspectives of other organisations
- building contacts in case of an incident or crisis requiring collaboration with other organisations
- lessons learned and best practices, such as controls and successful mitigation measures taken in response to an attack, allowing colleagues to collaborate on defensive measures
- tactics, techniques, and procedures, such as methods of reconnaissance and techniques used to compromise an endpoint, as well as types of malware used and other features of an attacker’s operations and objectives
- indicators of compromise: contextualised indicators of threat activity (e.g., IP addresses, domain names, URLs, email addresses, file hashes, and traffic signatures), as well as the timing, context, and additional information relating to these indicators of compromise (IoCs)
- assessment, analysis, and commentary regarding adversary capabilities, capacity, maturity, motivation, objectives, and intent
- ensuring compliance with regulatory obligations
4. Principles of cyber-threat intelligence sharing
The following foundational principles are derived from the experiences of security professionals and practitioners engaged in the routine sharing of cyber threat information. Publications from bodies such as the National Institute of Standards and Technology (NIST) and the European Union Agency for Network and Information Security, together with cyber threat intelligence sharing arrangements themselves, capture and update these principles over time. The following is a brief summary of the core principles:
- in order for information to be useful, partners need good inventory management and documentation. Stakeholders need to meet requests for information sharing with a sense of urgency. However, where an organisation’s inventory of its Business to Business (B2B) connections is poorly managed, third parties are anecdotally resistant to sharing, or unresponsive, when the organisation inquires about alleged breaches
- the cybersecurity, risk, and security teams need to establish best practices for how to communicate information regularly on threats and vulnerabilities (outside of incidents) to management/business. These best practices must also determine which medium is most effective (e.g., email, briefing, report) and how the information is best conveyed
- senior leadership plays a crucial role in setting the tone and championing information sharing. Middle-managers and practitioners in various cybersecurity roles should actively consider information sharing and collaboration, and (with the necessary training, oversight coordination and governance) be empowered to engage, share and collaborate with their trusted external counterparts when dealing with threats and incidents
Using industry standards
Parties working to develop an intelligence sharing program can benefit from specifications already in use throughout the industry. The U.S. Department of Homeland Security (DHS) has developed the following standards to automate and structure operational cybersecurity information sharing techniques across the globe:
- TAXII, the Trusted Automated eXchange of Indicator Information
- STIX, the Structured Threat Information eXpression; and
- CybOX, the Cyber Observable eXpression
These technical specifications are community-driven and free for public use. More information about these standards is available from the DHS Cybersecurity and Infrastructure Security Agency (CISA) website at https://us-cert.cisa.gov/Information-Sharing-Specifications-Cybersecurity
5. Commitment from the organisation
An important step in enabling cyber threat intelligence information sharing efforts is commitment from leadership; this includes the Chief Executive Officer (CEO), Board of Directors, and the Chief Information Security Officer (CISO). Commitment starting from the top of the organisation ensures that all leadership is aware of their responsibilities, and encourages engagement from relevant partners. Effective cyber threat information sharing is dependent on the participating organisations having both approval and encouragement from their respective senior level management teams, legal departments, or other stakeholders. The CISO, the board, and legal teams should be aware of the activity, allowing and encouraging it as long as it is executed in a controlled manner.
Actions for organisations
A senior leader, often the CISO or equivalent, must communicate the benefits of cyber threat information sharing to key stakeholders, including the product heads, the board, and the legal department.
To help frame this communication, briefings should answer at least these questions on how the cyber threat information sharing program is defined, giving stakeholders an idea of intended benefits:
- what information is going to be shared?
- what does the organisation stand to gain by engaging in this activity?
- what are the risks and the mitigation for those risks?
- who will be sharing the information?
  - Security Operations Centre (SOC)
  - Cyber threat intelligence analysts
  - Second or third line risk teams
- who will be receiving the information?
  - security teams
  - senior management
Other considerations for an effective information sharing program:
- ensure C-Suite / CISO-level support so that security personnel feel empowered to share appropriate information
- make cyber threat intelligence sharing an objective for appropriate teams
- educate participants in cyber threat information sharing on how it is done, why it is required, and the attendant risks
- create cyber threat intelligence sharing Policy and Standards documents to ensure internal compliance and clearly defined channels for sharing cyber threat intelligence
Organisations should build a trusted network of peers and partners. A mapping process should be undertaken to develop a list of existing groups that the organisation can join or, at the very least, to identify potential bilateral sharing partners.
The willingness, competence, visibility, and reliability of the information sharing collaborators within an organisation’s trusted network are key to the success and sustainability of any information sharing program. Some considerations about how to design an information sharing program include:
- sharing groups with regional or global focus
- composing groups from the public and private sectors, possibly including clients, customers, suppliers, and other parties
- sharing data bilaterally or multilaterally
- sharing information beyond financial services to other sectors
- identifying the resource inputs and approvals each option requires (e.g., budgets, staffing, technology)
- recognising that human resource and technology requirements may be relevant in servicing a chosen cyber threat intelligence sharing organisation
Choosing the right people
Sharing arrangements are more effective when membership is made up of relevant practitioners who are trusted, competent, willing to contribute, are known to other members of the group, and are regular committed participants.
A representative with knowledge of threat information, authority, and willingness to share will be the most valuable contributor. Participants ideally bring different skillsets, capabilities, insights, and opinions to the group so as to promote effective analysis.
Other key skill and experience areas of value can include:
- a background in the collection, analysis, and application of intelligence
- deep technical knowledge. This is not essential, but can help with the interpretation of shared indicators
- familiarity with business operations, processes, and technology relevant to the sector
- understanding of the consumers of intelligence within the sponsoring organisation
- a network of contacts to facilitate information exchanges outside of the immediate group
Building trust and fostering accountability
Trust is a critical component of any cybersecurity effort. Information sharing participants need to know that their counterparts are competent, acting with the very best of intentions, and can be trusted to abide by information-handling principles. For example, information receivers should be able to trust that any information received from partners is accurate, as timely as possible, and will be handled appropriately.
Trust encompasses leveraging co-workers’ strengths and particular expertise. Face-to-face meetings (when possible), workshops (in-person and virtual), and collaborative working groups (virtual) on specific threats or vulnerabilities are effective ways to promote this dynamic. Trust established before, rather than during, a time of crisis can prompt a freer and more efficient flow of information. Accountability demands that every participant in a cyber threat intelligence sharing agreement be responsible for the way information is handled, where it is shared, and how it is actioned. It requires that every participant knows and adheres to policy, legal, and regulatory requirements, such as the General Data Protection Regulation (GDPR).
Organisations should incorporate regulatory or legal considerations into the terms of reference for the group to enable better compliance and to prevent inappropriate cyber threat intelligence sharing.
Internal trust also depends on employing an agreed-upon set of protocols for handling sensitive information in a responsible manner, particularly when that information passes outside its accustomed boundaries. Use an accepted information handling protocol, such as the traffic light protocol (TLP), which allows participants to specify handling codes for the information they are sharing.
Any intelligence sharing program must respect the rights of intelligence vendors. Intelligence obtained from vendors carries restrictions, such as seeking permission from the vendor before sharing the information beyond the usual recipients. Failure to do so can lead to legal issues and contractual penalties.
The cyber threat landscape is now such that companies must work closely with third-parties: vendors, public sector organisations, regulators, law enforcement, etc. However, this can complicate the picture as it raises questions as to who is included and to what extent. At a minimum, the core sharing organisation must develop nominal working relationships with third parties who could play a role in responding to a cyber event.
When developing a sharing organisation, selecting partners will need to consider the following factors:
- will the group be sector specific or include multiple sectors?
- will the group be restricted to the region or beyond?
- will the sharing group include a mixture of public and private sector organisations?
- public sector presence can be positive, provided such information sharing complies with legal restrictions
- use an information handling protocol, such as the traffic light protocol (TLP), or signed Non-Disclosure Agreements, which allow participants to specify recognised handling codes for the information they are sharing
Legal and regulatory compliance
Organisations should share information while abiding by any legal and regulatory compliance requirements. Organisations should carefully review applicable laws and regulations for the following areas:
- data retention
- attribution
- personally identifiable information
- cross border prohibitions
- delivery mechanisms
Organisations should be able to demonstrate compliance with requirements through appropriate documentation of the incoming and outgoing information shared (i.e., who shared it and when). The risk of disclosure or misuse of shared information, intentional or otherwise, should be acknowledged, assessed, weighed against the benefits, and eliminated or reduced to an acceptable level by using all available control measures.
Actions for cyber-threat intelligence sharing organisations
- set group objectives in a public-facing document and include what participant organisations should expect to gain from it. Prospective organisations should be able to evaluate what information they can share, what information they can get, and why it matters. You may want to include:
  - the type of information an organisation is capable of producing and willing to contribute
  - agreement ahead of time on what information can / will be shared, and show that the types of outgoing information are controlled through relevant policy and process documents
- assign legal teams to review information sharing proposals to ensure policy, legal, and regulatory compliance
- weigh these risks of sharing the organisation’s information against the expected benefits to the organisation to be derived from sharing information
- confer with the information owners, and confirm that they are aware of your plans to share their information externally and obtain their approval prior to release
- confirm and document the intended use of the shared information with identified recipients before sharing the information
- act on a scheduled review cycle with identified recipients regarding how the organisation’s shared information was/was not used as well as how it was destroyed, as relevant
- understand what each member wants to achieve by being part of the arrangement
  - one group may focus on particular adversaries. Participants would be relied upon to share strategic assessments related to adversaries’ capabilities as well as TTPs to help shape detective capabilities
  - further actions may focus on sharing best practices in mitigating certain types of attacks
- before creating a new network, consider whether a group exists with a similar mission, a new one is needed, or whether an existing group should be changed
- understand whether your members are:
  - large or small
  - international or domestic
  - producing similar or different products
  - in regulated or unregulated sectors, and whether they include law enforcement, public sector bodies, or private companies
  - from a single sector or multiple sectors
- decide whether to join larger or smaller cyber threat information sharing organisations
  - a larger sharing organisation tends to have a higher volume of information shared, but often at the cost of immediate relevance to some members given their different sizes and internal capability sets. Conversely, a smaller sharing organisation is likely to have more relevant information shared but with a smaller reach in terms of constituency and less breadth of coverage
  - larger member organisations with more resources generally can take greater advantage of larger cyber threat intelligence sharing organisations than smaller organisations with fewer resources
  - additional considerations for joining information sharing organisations include the diversity of information available, or access to specific sources
Members must agree on what type of information is considered to be valuable and actionable (e.g., information on threats, vulnerabilities, mitigations, situational awareness, strategic analysis, etc.).
Responsibilities for governing bodies
- be aware of and advocate responsible cyber threat intelligence information sharing, and encourage other organisations to participate
- understand the benefits of cyber threat intelligence information sharing laid out in this document
- recommend cyber threat information sharing as a basic security practice
- make the legal and regulatory requirements clear to cyber threat intelligence information sharing organisations to ensure compliance
- harmonise regulatory requirements with other jurisdictions to facilitate the sharing of information, and make adhering to regulation easier across borders
6. Communicating actionable intelligence and information
Participants will be more willing to contribute if they receive valuable insight and if other participants have shared useful information previously. To achieve this, shared cyber threat intelligence must be relevant, timely, and accurate.
A secure means of transferring information to and from outside entities is also essential. Transfer will need an agreed-upon structure and, in most cases, a framework for information handling. There are many factors to take into account when making these decisions: how accessible the group needs to be, how much information is going to be shared, the sensitivity of shared information, and the group’s requirements. A portal, for example, is less accessible than a mailing list but generally can be more secure.
The following methods and facilities may be used, subject to the nature of the information/data being shared, the receiving individual(s), network, or organisation(s), or other sensitivities:
- communication via sharing groups’ internet portals
- communication via trusted email listservs
- verbal sharing (in person or by phone)
- appropriate encryption should be used depending on the sensitivity of the information shared
- communication of passwords and keys via separate out-of-band channels
A consistent method of structuring information ensures that all the necessary data is passed safely between parties within the sharing group, including for particular types of cyber threat intelligence, such as data relating to phishing campaigns or distributed denial of service (DDoS) attempts.
Incoming
Established processes and protocols for incoming information ensure that all received information has a clearly specified recipient, a secure communication channel, and a means of tracking actions taken based on that information. Because different organisations have their own document classification systems, sharing protocols should specify how to classify received information in a way that offers the appropriate level of protection. In addition, some organisations may need the ability to track where and how external information moved through the organisation, for recall and/or deletion as relevant. Incoming information processes should include some form of accountability to accompany tracking and monitoring.
Sharing sensitive information outside the usual channels requires mitigating risk of exposure or compromise. Make sure to adhere to the proper information handling requirements set by the sharer. If they wish not to be identified, devise a way to relay information anonymously to internal recipients.
Outgoing
The decision process for selecting information to be shared must comply with internal processes and policies, and with the requirements set by the sharing group. This process must include the necessary approvals. Where appropriate, it should also consider the purpose for which the information is used (i.e., management or legal requirements). Processes to sanitise or anonymise sensitive intelligence prior to sharing may be required. An audit trail to track what was shared with whom, when, by what means, and for what purpose may also be required.
Actions for organisations
Participants should ensure the information shared is accurate, up to date, and reliable.
- include caveats of uncertain credibility and reliability where appropriate. Information that has not been independently corroborated should be marked accordingly
- provide time stamps to signal when information was discovered
- understand who the customers of any received intelligence will be
- develop a list of recipients for the types of information being received. For instance, indicators of compromise, tactics, techniques, and procedures might go to network defenders responsible for checks and controls, while strategic assessments might go to management
- have a process of ingesting, storing, and internally sharing information that adheres to handling codes set by the sharer, while allowing the organisation to act on the information
- respect any handling restrictions set by the sharer
- create a repository for received information and record any action taken. This will help evaluate the value of being part of a group
- there should be an agreement and strict standards as to how information is to be transmitted
- ensure that all participants are using the methods of communication agreed upon by the group
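The "Outgoing" steps and the actions listed above (honouring the sharer's handling code, caveating uncorroborated items, time-stamping, sanitising, routing received products to the right internal consumers, and keeping an audit trail) can be enforced in a small gate in front of whatever channel the group uses. The script below is an added illustration, not code from the guide or from any sharing body; the record layout, the TLP v1 labels (WHITE/GREEN/AMBER/RED) with their assumed audiences, and the internal routing table are assumptions, and the sample record is constructed.

```python
"""Outgoing-share gate and audit trail for shared threat records.

Added illustration: assumed record layout, TLP v1 audiences and an assumed
internal routing table, used to show the handling steps a sharing policy
asks for before a record leaves (or moves around) the organisation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# TLP v1 (assumed mapping): audiences each label permits, most to least restrictive.
TLP_AUDIENCES = {
    "TLP:RED": {"participants"},
    "TLP:AMBER": {"participants", "own-org", "clients"},
    "TLP:GREEN": {"participants", "own-org", "clients", "community"},
    "TLP:WHITE": {"participants", "own-org", "clients", "community", "public"},
}

# Assumed routing: IoCs and TTPs to defenders, strategic assessments to management.
ROUTING = {
    "ioc": ["network-defence", "soc"],
    "ttp": ["network-defence", "detection-engineering"],
    "assessment": ["ciso", "senior-management"],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class ThreatRecord:
    kind: str                    # "ioc", "ttp" or "assessment"
    indicator: Optional[str]     # the IoC itself (None for TTPs and assessments)
    description: str             # free-text context supplied by the sharer
    tlp: str                     # handling code set by the originating sharer
    discovered_at: datetime      # when the sharer first observed the activity
    corroborated: bool           # independently confirmed by a second source?
    source_org: str
    source_wants_anonymity: bool = False


def may_share(record, audience):
    """True if the originating sharer's TLP code permits release to `audience`."""
    if record.tlp not in TLP_AUDIENCES:
        raise ValueError(f"unknown handling code {record.tlp!r}")
    return audience in TLP_AUDIENCES[record.tlp]


def route_incoming(record):
    """Internal recipients for a received record, chosen by product type."""
    return list(ROUTING.get(record.kind, ["cti-analysts"]))


def sanitise(record):
    """Redact e-mail addresses in free text and honour a request for anonymity.
    The indicator itself is left intact: an e-mail IoC is the point of sharing."""
    description = EMAIL_RE.sub("[email redacted]", record.description)
    source = "undisclosed" if record.source_wants_anonymity else record.source_org
    return description, source


def prepare_outgoing(record, audience, purpose, actor, audit, channel="portal"):
    """Build the message to release, or return None if handling rules forbid it.
    Either way an audit entry records what, to whom, when, by what means and why."""
    allowed = may_share(record, audience)
    audit.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": actor, "to": audience, "via": channel, "purpose": purpose,
        "kind": record.kind, "indicator": record.indicator,
        "tlp": record.tlp, "released": allowed,
    })
    if not allowed:
        return None
    description, source = sanitise(record)
    caveats = [] if record.corroborated else [
        "UNCORROBORATED: single-source report, not independently verified"]
    return {
        "tlp": record.tlp,
        "kind": record.kind,
        "indicator": record.indicator,
        "description": description,
        "source": source,
        "discovered_at": record.discovered_at.astimezone(timezone.utc).isoformat(),
        "caveats": caveats,
    }


if __name__ == "__main__":
    # Constructed sample: an AMBER indicator from a partner that asked not to be named.
    audit = []
    rec = ThreatRecord("ioc", "203.0.113.7",
                       "Seen in a phishing wave; reporter analyst@bank-b.example",
                       "TLP:AMBER", datetime(2021, 3, 1, 9, 30, tzinfo=timezone.utc),
                       corroborated=False, source_org="Bank B",
                       source_wants_anonymity=True)
    print("internal routing:", route_incoming(rec))
    print("to clients:", prepare_outgoing(rec, "clients", "client warning", "analyst-1", audit))
    print("to community:", prepare_outgoing(rec, "community", "peer warning", "analyst-1", audit))
    print("audit entries:", len(audit))
```

The second release attempt is refused because TLP:AMBER does not extend to the wider community, yet it still leaves an audit entry, which is what an after-action review needs.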
Actions for cyber-threat intelligence sharing organisations
Decide how the information is going to be shared:
- communication via sharing-group portals such as the UK National Cyber Security Centre’s Cyber Security Information Sharing Partnership (CiSP) platform
- use of trusted email listservs, with encryption of emails or shared attachments
- communicate passwords via separate out-of-band channels
- share information verbally, in face-to-face meetings, or by telephone
- provide a clear description of the activity, objectives and methods so that prospective organisations are able to evaluate what information they can share with the group. Agree on standards as to how information is going to be transmitted and ensure all participants are using the approved method to communicate
7. Review lessons learned and measuring effectiveness
When prioritising information sharing requests, a critical issue for many boards, senior management, and audit teams is how members reacted following a cyber incident or exercise, and what short, medium, and long-term financial and reputational losses occurred.
Organisations should consider whether a prospective cyber threat intelligence sharing organisation, or one they are part of, is providing value based on a clearly-defined set of measurable collection and sharing criteria. These criteria may differ across organisations or sharing organisations. Consider what the information received is doing for the organisation, whether it is addressing gaps, or prompting positive changes to preparation, prevention, detection, and response.
Depending on leadership’s sponsorship of pursuing lessons learned, this information may be harder to access than Tactics, Techniques, and Procedures (TTPs), which many companies improve through well documented, third party vendor support. Exploring and testing an organisation’s culture and talent through this effort may prove challenging as well, especially when seeking approval to externally share such details.
Effective sharing and review of lessons learned demands cyber and information security teams avoid presenting an “all is well” face/misleading picture and treating the containment of the incident as “job done.” In fact, the lessons learned review should be the toughest part of a cyber incident. However, many organisations—including information sharing groups—do not do it at least to a degree that maximises the opportunity. Of particular importance are the actions taken to augment or to enhance an organisation’s cyber and information security program thereafter.
Actions for organisations
The organisation should perform an evaluation of its information requirements to inform its effectiveness assessment of what a cyber threat intelligence information sharing organisation can provide. Conduct this evaluation periodically as an organisation’s requirements change. Evaluations should include the following criteria:
- a periodic review of the organisation’s collection/sharing objectives
- a gap analysis of where the organisation receives data from and where it does not
- a peer comparison of the organisation’s sources of intelligence against where its peers obtain intelligence
- validation solicited from peer organisations about the utility of information sharing organisations
Evaluate whether the cost of being part of a cyber threat intelligence information sharing organisation, in terms of time and resources, is worth the investment. Such an evaluation must employ pre-determined criteria and a repeatable vetting methodology.
- ask whether the received intelligence satisfies the organisation’s objectives and requirements
- has it helped to prevent, detect, respond to, and recover from incidents or threats?
- was the intelligence referenced in any After Action Review (AAR)?
  - what intelligence sources were used during the event? Any from a sharing organisation?
  - are there sources that would have been useful that weren’t used or identified during the event?
  - what actions were taken based on the intelligence?
  - in hindsight, what actions could have been taken?
  - how can the workflow be improved for next time?
- can intelligence be sourced elsewhere at a lower cost, such as from a vendor?
- how much value does the intelligence add?
Quantitatively measure the impact to the organisation based on the information being received from cyber threat intelligence sharing organisations:
- what is the overall usefulness of the received information?
- how much received information prompted a response by the organisation?
  - infrastructure changes
  - incident response
8. Commitment to Public & Private Partnership (PPP)
No single institution or sector has the knowledge, resources, and other capabilities to tackle established and emerging cyber-crime and cyber-security threats and incidents. Deliberate, close, and focused cyber threat intelligence sharing and collaboration between financial sector organisations and public bodies/authorities — often labelled “Public & Private Partnerships (PPP)” — are important and very beneficial activities.
Existing examples of formalised and effective cyber-crime and cyber-security partnerships and collaborations between the financial sector and the public sector in various countries and regions include:
- close and direct intelligence-development and evidence-building cooperation between law enforcement agencies and financial institutions (e.g., the UK Virtual Task Force)
- cyber threat intelligence and incident-intelligence sharing, major-incident response and other collaboration between financial institutions and national-level Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), and National Cybersecurity Centres (NCSCs) (e.g., UK NCSC Industry 100)
- both free and pay-to-join cyber-crime and cyber-security collaboration through forums and groups administered by banking and payment associations (e.g., the Banking and Payments Federation Ireland High Tech Crime Forum, and the South African Banking Risk Information Centre (SABRIC))
- pay-to-join but not-for-profit membership groups (e.g., the National Cyber Forensics and Training Alliance (NCFTA) in the United States and the Cyber Defence Alliance in the UK)
All of these depend on clear objectives, parameters, terms of reference, and protections regarding what information is being shared and with whom.
The remit and scope of these partnerships can be extended beyond purely cyber threat intelligence sharing into other areas and disciplines, including:
- improved prevention, containment, speed, and effectiveness of recovery practices
- exercising and training
- resilience programming
- continuity of operations and quick incident-recovery processes
- common standards and protocols in various cybersecurity disciplines
Financial sector-specific considerations
Financial sector participants have particularly stringent considerations regarding legal and regulatory obligations and risks.
Strategic questions, possible barriers, and limiting factors might include:
- how do governments and regulators plan on developing coordinated protection and detection approaches to ensure resilience (e.g., fully integrated response and recovery plans involving multiple institutions in the financial and/or other Critical National Infrastructure sectors)?
- to what extent is the private sector expected to defend itself, regardless of adversary or scale of attack (e.g., nation state or very large-scale attacks)?
- the 2010 US Government Accountability Office report, “Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed”[footnote 4], found issues (many still present today) that severely limit PPPs, arising from unmet expectations between the public and private sectors
9. Appendix: cyber-threat intelligence sharing case studies
The following are fictional scenarios informed by past industry events which aim to illustrate the process and benefits of cyber threat intelligence sharing.
9.1 Case study: ransomware attack spread via compromised software supplier
Introduction
In this scenario, Organisation A benefits from intelligence shared by peer financial institutions, using it to pre-emptively defend itself from the effects of a serious, ongoing ransomware attack, which is impacting multiple organisations worldwide.
It demonstrates the added-value of cyber threat intelligence-sharing group membership in multiple jurisdictions, and of near real-time peer-to-peer information-sharing, by providing an additional and critical extension to an organisation’s cybersecurity defences.
Information security teams, leaders, and personnel featured in this scenario cover various cybersecurity and information security roles and disciplines, including cyber threat intelligence collection, analysis and dissemination, Security Operations Centre (SOC) incident and event monitoring and management, cyber and forensic investigations, vulnerability management, incident response control and coordination, and third-party risk management.
The scenario also highlights the coordination of these stakeholders, and the development and agreement of strategies relating to the media and engagement with regulators, and other public authorities.
The scenario
A commercial provider of business-to-business software with a large global market-share was targeted and compromised by threat actors who modified and infected its routine software updates with sophisticated ransomware.
When routine updates were subsequently downloaded by customers, machines were infected with the ransomware, which then spread rapidly through many private and public-sector networks, beyond the business sector and country targeted by the perpetrators, causing considerable disruption and damage to many organisations in multiple countries.
The scenario is similar to the real-world June 2017 NotPetya attack, which was seeded through a compromised software update and then spread through unpatched Windows machines, disrupting many public and private sector organisations in multiple countries.
How the organisation became aware of the threat
- online and broadcast media outlets in some countries reported IT outages and the disruption of services to private and public sector organisations in several sectors and across several continents. Some reports cited the spread of a new ransomware variant as the cause, but none stated how the ransomware was delivered, how it operated, or who might be responsible and what their motivation and objective might be
The initial cybersecurity response
- cyber threat intelligence, incident response, investigations and hunt teams within financial institutions work urgently to establish the veracity of the media reporting, the cause of the reported infections and disruptions, how to detect and prevent them, and whether their own organisations are at risk
Initial response at organisation A
- cyber threat intelligence staff at Organisation A use open sources, commercial intelligence offerings and information shared by peer financial institutions to obtain as much information as possible on the threat and related incidents. Open sources yield speculation and unconfirmed reports, while intelligence vendors are still collecting and processing information and are not yet in a position to report back to their clients
- organisation B is infected by the malicious software update, but it quickly locates and contains the infection before data is affected. It establishes that the ransomware was delivered via a routine update of the business-to-business software application. Its incident-response staff are urgently analysing the ransomware
Initial sharing group activity
- organisation B quickly shares its initial findings with Organisation A and other members of a local cybersecurity cyber threat intelligence sharing group
Further response at organisation A
- cyber threat intelligence staff at Organisation A receive the information shared by Organisation B. Its intelligence analysts quickly research and enrich the information and disseminate it to relevant internal cybersecurity and information security stakeholders. Organisation A’s third-party information-security risk-management team quickly confirms that Organisation A is a user of the compromised software application and is therefore at immediate risk of infection. The threat response activity at Organisation A is escalated accordingly
- organisation A initiates its high-severity incident response command and coordination procedures. Key decision-makers collaborate and coordinate the response strategies and actions. Strategies are discussed, decided, and documented with respect to multiple considerations, including the degree and the substance of engagement with and reporting to public authorities, such as central banks, financial-sector regulators, data privacy commissioners, and law enforcement agencies (in multiple geographic jurisdictions), as well as the development of a press/social-media/customer communications plan
Further sharing group activity
- continuing its own incident response and analysis efforts, Organisation B identifies technical indicators of compromise linked to the incident, including file hashes of the malicious software update, internet domains used by the malware operators, and servers used by the threat actors to control the malware. Organisation B shares these technical indicators of compromise with Organisation A and other members of the cyber threat intelligence sharing group
Further actions at organisation A
- cyber threat intelligence staff at Organisation A take the indicators of compromise shared by Organisation B, research and enrich the information, and then disseminate it to the SOC, Hunt Team, Cyber Investigations teams, and other relevant internal incident-response stakeholders
- organisation A initiates urgent checks for linked traffic and other possibly linked activity on its global IT network. It also immediately adjusts its controls to block all connections to and from the known bad infrastructure, and to and from the compromised software supplier
Further sharing group activity
- analysts at Organisation C run a sample of the ransomware in a sandbox and find that, as part of its malicious functionality, it also exploits a vulnerability in Windows to propagate rapidly through unpatched networks
Further responses at organisation A
- organisation A’s vulnerability management team determines that Organisation A has already installed patches for the vulnerability identified and shared by Organisation C
- the status and outcome of ongoing and completed investigative and containment actions are reviewed, and additional actions are initiated. Several desktop machines within Organisation A’s global IT network are found to have downloaded the compromised software. However, it is also established that the infection has remained at the first stage and that no command-and-control actions or other malicious activity or consequences have yet occurred. Urgent containment and recovery actions are ongoing
- the global development and coordination of strategies and actions regarding engagement with public authorities continues
Outcome
Very specific, accurate, timely and actionable cyber threat intelligence regarding the threat was collected by Organisation A, via the information-sharing group, before it was available through commercial intelligence providers, cyber-security contractors or open-source research.
Through its membership of the cyber threat intelligence sharing group, and the receipt and use of details shared by Organisations B and C, Organisation A quickly confirmed the seriousness and indiscriminate nature of the threat, how the threat was spreading, the immediate risk it posed to Organisation A, and the extent of Organisation A’s vulnerability. Organisation A established whether the ransomware was already in its network and blocked the traffic used to control it, ultimately containing and mitigating the threat and the risk to Organisation A.
Appropriate and effective strategies for engagement with regulators, other public authorities, customers, clients and the media were planned and coordinated.
9.2 Case study: a reported compromise and SWIFT payment heist
Introduction
In this scenario, Europe-based personnel from Organisation A (a global US-based and predominantly wholesale bank) receive information shared with them by Organisation B (a global SE Asia-based wholesale bank) via a UK-based cybersecurity sharing group, regarding an alleged network compromise and subsequent $80 million SWIFT payment fraud at a regional bank in SE Asia.
The information shared by Organisation B comprises local-language media reporting of the alleged incident by local specialist outlets, discovered, documented, translated, and shared by Organisation B at the start of the working day in London. This early warning is circulated internally at Organisation A, enabling a timely and in-depth response and investigation across all relevant security, investigations, operations, and technology stakeholders.
This study demonstrates the value of local, regional, and global intelligence collection, sharing, and collaboration in protecting the organisation against serious global threats, and of processes that communicate the product of these external interactions efficiently within the organisation, so that the cycle of collection, analysis, dissemination, and re-investigation runs across it.
Teams, leaders, and personnel who feature in this scenario include those in various cybersecurity, information security, banking operations, investigations, and AML roles. The scenario also touches upon internal engagement with legal teams and senior decision-makers, as well as the development of external-engagement strategies.
The scenario
Local-language media outlets in South-East Asia (quoting local law-enforcement and bank employees as sources) are reporting the fraudulent transfer of USD 80 million from a named local bank, allegedly perpetrated through the sending of false SWIFT interbank payment instructions, maliciously created by threat actors following their long-term compromise of the victim bank’s IT network. The accuracy of the media reporting (and the credibility of the sources) is unknown.
International wholesale organisations and other global banks attempt to confirm that the fraud has taken place. They seek details and indicators of the technical modus operandi and of the transaction sequence so that they can immediately review and adjust their technical controls, establish whether their own organisations were used as a correspondent or intermediary bank in the sequence of payments, and take urgent steps to review, delay, and investigate any suspicious transactions passing through them.
Initial sharing group activity
- Europe-based cyber threat intelligence staff at Organisation A first become aware of an alleged SWIFT-instruction incident in SE Asia when cyber threat intelligence participants at Organisation B share translated details of local-language online media reports, early in their working day, within a European English-language financial sector sharing group (of which both are active members)
Initial response at organisation A
- as an early warning, these initial ‘raw’ details are immediately circulated to relevant stakeholders (cash-operations teams, network defenders, information-security seniors, cyber threat intelligence seniors and analysts, and other relevant colleagues) based in North America and in Europe. It is still outside office hours in North America, and Organisation A’s Europe-based staff continue their efforts to corroborate incident details and to collect additional information
Further sharing group activity
- organisation B’s sharing-group representative informs Organisation C’s representative that Organisation B’s internal enquiries have confirmed that fraudulent SWIFT messages were sent from the targeted bank, and that Organisation C was fraudulently used as an intermediary bank, and in some cases as the correspondent bank, in several of the SWIFT payment instructions
- cash-operations teams and seniors at Organisations B and C urgently communicate and collaborate to identify and investigate the suspicious payments. Organisations B and C establish that Organisation A was also featured in the sequence of fraudulent transactions, and inform the Organisation A sharing group representative
Further response at organisation A
- it is now early in the North American working day, and this latest information is passed to North America-based cyber threat intelligence analysts at Organisation A. The intelligence is assessed, added to what has been gathered and researched regarding the incident so far, enriched, and quickly circulated in a written operational intelligence bulletin to all relevant cash operations, business relationship, information security, network defence, AML, financial crime investigations, and cyber threat intelligence stakeholders globally
- an internal, global command-and-coordination call is established. Strategies and actions to be taken by cash operations, cyber investigations, threat intelligence, and other relevant stakeholders are discussed, agreed upon, prioritised, and tasked
- these stakeholders collaborate internally and engage appropriately with relevant and trusted parties externally to establish the full facts. They take urgent steps to investigate and review suspicious transactions, stop and/or help recover fraudulently transferred funds, and collect, assess, and act upon additional technical details regarding the attack
Outcome
Through membership of the EMEA-based cybersecurity cyber threat intelligence sharing group, Organisation A received early initial details of the SWIFT-instruction attack in South-East Asia, corroboration of the local-language media reports, and intelligence that Organisation A featured as a correspondent bank in the attack.
This in turn provided an early warning for Organisation A’s core staff in North America and highlighted the need to escalate and commit resources to technical intelligence collection elsewhere, both internally at Organisation A and in collaboration with trusted external stakeholders. Suspicious transactions were identified and mitigated, and details of the method of compromise and other technical details were subsequently collected and used to review technical controls, improving the state of readiness and levels of protection at Organisation A.
9.3 Example structures for cyber-threat intelligence information sharing
- Distributed denial of service attacks
  - attack date:
  - target service:
  - attack start:
  - attack end:
  - attack type:
  - attack volume:
  - attack impact:
- Phishing or spear phishing campaigns
  - campaign description:
  - sender address:
  - sender IP:
  - email subject:
  - attachment/link name/hash:
  - payload details and IOCs:
9.4 Regulatory compliant, frequently shared information
Area | Detail |
---|---|
Tactics, Techniques and Procedures (TTPs) | Methods of reconnaissance, techniques used to compromise an endpoint, types of malware used and other features of an attacker’s movements and objectives are all useful for other network defenders to evaluate controls and mitigation options. |
Indicators of Compromise (IoC) | Contextualised indicators of threat activity such as IP addresses, domain names, URLs, email addresses, file hashes and traffic signatures. Timing, context and additional information relating to these IoCs is extremely valuable in helping recipients determine an appropriate course of action. |
Assessments and analysis | Judgements and assertions on adversary capabilities, capacity, maturity, motivation, objectives and intent, and the attribution of incidents and threats to specific threat actors or actor groups, appropriately caveated with confidence levels. |
Best practices and controls | Mitigation measures taken in response to a threat, shared so that organisations can collaborate on defensive measures. |
9.5 Traffic Light Protocol (TLP) as outlined by US-CERT
Color | When should it be used? | How may it be shared? |
---|---|---|
TLP: RED, Not for disclosure, limited to participants only | Sources may use TLP: Red when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused. | Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP: RED is limited to those present at the meeting. In most circumstances, TLP: RED should be exchanged verbally or in person. |
TLP: AMBER, Limited disclosure, restricted to participants’ organisations | Sources may use TLP: AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organisations involved. | Recipients may only use TLP: AMBER information with members of their own organisation, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to. |
TLP: GREEN, Limited disclosure, restricted to the community | Sources may use TLP: GREEN when information is useful for the awareness of all participating organisations as well as with peers within the broader community or sector. | Recipients may share TLP: GREEN information with peers and partner organisations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP: GREEN information may not be released out of the community. |
TLP: WHITE, Disclosure is not limited | Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. | Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. |
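The phishing-campaign layout of section 9.3 and the TLP rules of section 9.5, served by one added example that is not part of this guide: a Python script that turns a record with the 9.3 fields into STIX 2.1 Indicator objects (one per artefact class, so each can be aged or revoked on its own), marks them with the marking-definition identifiers that the STIX 2.1 specification fixes for the four TLP levels in the table above, and filters a bundle down to the objects releasable to a given audience before it is forwarded. The record contents, the field names, and the audience labels (exchange, organisation, community, public) are assumptions of the example; treating unmarked objects as not releasable is the example's choice, not a rule of the protocol. Only the standard library is used.

```python
"""Added example (not from the guide): section 9.3 phishing record -> STIX 2.1
indicators with TLP markings, plus an audience filter per section 9.5."""
import json
import uuid
from datetime import datetime, timezone

# Marking-definition IDs fixed by STIX 2.1 for the TLP levels in the table above.
TLP_MARKING_ID = {
    "RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
    "AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
}
ID_TO_TLP = {v: k for k, v in TLP_MARKING_ID.items()}

# Widest audience each level may reach (section 9.5): RED = the original
# exchange only, AMBER = the recipient's organisation (and need-to-know
# clients), GREEN = the sector/community, WHITE = anyone. Labels are assumed.
AUDIENCE_RANK = {"exchange": 0, "organisation": 1, "community": 2, "public": 3}
WIDEST_AUDIENCE = {"RED": "exchange", "AMBER": "organisation",
                   "GREEN": "community", "WHITE": "public"}

EXAMPLE_TS = datetime(2021, 3, 8, 9, 0, tzinfo=timezone.utc)

# Constructed record in the section 9.3 layout; no real campaign.
SAMPLE_RECORD = {
    "campaign_description": "Invoice-themed phishing against treasury staff",
    "sender_address": "accounts@invoice-portal.example",
    "sender_ip": "198.51.100.23",
    "email_subject": "Overdue invoice: immediate 'action' required",
    "attachment_name": "Invoice_2021-03.xlsm",
    "attachment_sha256": "A" * 64,
    "payload_details": "Macro downloader; second stage not yet recovered",
}


def stix_quote(value: str) -> str:
    """STIX pattern string literal: backslash and single quote are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _stamp(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _indicator(name, pattern, description, tlp, ts):
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stamp(ts), "modified": _stamp(ts),
        "name": name, "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": _stamp(ts),
        "object_marking_refs": [TLP_MARKING_ID[tlp.upper()]],
    }


def phishing_indicators(record: dict, tlp: str, ts: datetime) -> list:
    """One indicator per artefact class: sender+subject, sending IP, payload hash."""
    desc = record.get("campaign_description", "")
    out = []
    if record.get("sender_address") and record.get("email_subject"):
        pattern = ("[email-message:from_ref.value = " + stix_quote(record["sender_address"])
                   + " AND email-message:subject = " + stix_quote(record["email_subject"]) + "]")
        out.append(_indicator("Phishing sender and subject", pattern, desc, tlp, ts))
    if record.get("sender_ip"):
        pattern = "[ipv4-addr:value = " + stix_quote(record["sender_ip"]) + "]"
        out.append(_indicator("Phishing sending IP", pattern, desc, tlp, ts))
    if record.get("attachment_sha256"):
        pattern = "[file:hashes.'SHA-256' = " + stix_quote(record["attachment_sha256"].lower()) + "]"
        name = ("Phishing payload " + record.get("attachment_name", "")).strip()
        out.append(_indicator(name, pattern, record.get("payload_details", desc), tlp, ts))
    return out


def make_bundle(objects) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def tlp_of(obj: dict):
    """TLP level from the object's markings; the most restrictive wins; None if unmarked."""
    levels = [ID_TO_TLP[r] for r in obj.get("object_marking_refs", []) if r in ID_TO_TLP]
    if not levels:
        return None
    return min(levels, key=lambda lvl: AUDIENCE_RANK[WIDEST_AUDIENCE[lvl]])


def releasable(obj: dict, audience: str) -> bool:
    """Unmarked objects fail closed (go back to the source); others follow the table."""
    level = tlp_of(obj)
    return level is not None and AUDIENCE_RANK[audience] <= AUDIENCE_RANK[WIDEST_AUDIENCE[level]]


def filter_bundle(bundle: dict, audience: str) -> dict:
    return make_bundle(o for o in bundle["objects"] if releasable(o, audience))


if __name__ == "__main__":
    bundle = make_bundle(phishing_indicators(SAMPLE_RECORD, "AMBER", EXAMPLE_TS))
    print(json.dumps(filter_bundle(bundle, "organisation"), indent=2))
    print(len(filter_bundle(bundle, "community")["objects"]), "objects releasable to the community")
```

Run stand-alone it prints the three AMBER indicators as a bundle for internal use and reports that none of them may go to the wider community. Two practical notes: the table above is TLP 1.0, which is what US-CERT documented at the time of writing; FIRST's TLP 2.0 (2022) renames WHITE to CLEAR and adds AMBER+STRICT, and a filter like this one must carry those markings too before it is used with peers who have moved. Second, a source that states additional limits on an AMBER item (as the table allows) has narrowed the audience beyond what the marking encodes, and that restriction has to be recorded alongside the object, since the marking alone will not enforce it.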
10. Resources
- Information Sharing and Analysis Centres (ISACs): cooperative models
- A framework for cybersecurity information sharing and risk reduction
- NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf
- World Economic Forum, Guidance on Public-Private Information Sharing against Cybercrime: http://www3.weforum.org/docs/WEF_Guidance_Cybercrime_report_2017.p
- ENISA, Information Sharing and Analysis Centres (ISACs): cooperative models: https://www.enisa.europa.eu/publications/information-sharing-and-analysis-center-isacs-cooperative-models
- RSA Conference, Cyber Threat Intelligence Sharing Standards: https://www.rsaconference.com/writable/presentations/file_upload/pst-w08- cyber threat intelligence-sharing-standards.pdf
- US Government Accountability Office, Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed: https://www.gao.gov/products/GAO-10-628