NIST drafts cyber threat info sharing guidance

When an agency identifies and successfully responds to a cyberattack, it gains knowledge that can be used by others facing the same or similar threats.  Because attackers often use similar strategies, tools, and methods against multiple organizations, shared threat intelligence can reduce the impact of future attacks.

That’s the thinking behind the National Institute of Standards and Technology’s Draft Special Publication 800-150, Guide to Cyber Threat Information Sharing, designed to exploit cross-agency collective knowledge and experience through active sharing of threat intelligence and ongoing coordination.

SP 800-150 expands upon the guidance introduced in SP 800-61, Computer Security Incident Handling Guide, which explores information sharing, coordination and collaboration as part of the incident response life cycle.

This draft introduces information sharing practices, examines formats and protocols that foster interoperability and provides guidance on improving information sharing programs. It also includes guidelines for coordinated incident handling, including producing and consuming data, participating in information sharing communities and protecting incident-related data.

This information-sharing ecosystem will be most effective, says NIST, if all participants have a robust and mature cybersecurity program that helps prioritize response operations, enhance detection capabilities and deploy effective courses of action. Elements of a mature system include:

  • Core cybersecurity capabilities that include a monitoring infrastructure capable of supporting basic event and incident detection, analysis and response efforts.
  • Processes for creating, consuming and sharing basic threat intelligence.
  • Advanced cybersecurity capabilities, including those enabling technical information exchange, a forensics team, defensive capabilities (honeypots) and advanced analytics and visualization.

In all, NIST lists 30 recommendations in its draft. Comments are due by Nov. 28.

Reader Comments

Mon, Nov 3, 2014 Rahil Karedia Mumbi, Maharashtra, India

Sounds interesting about sharing Threat Intelligence reports of recent Cyber Attacks & Data Breaches, but most of the Security Agencies won't share their Threat Intelligence Reports in public and will hide the same to continue their ongoing investigation behind that specific Threat to crack down on the Criminal Networks and to reveal hidden human identities. Detecting and Responding to Cyber Threats is not enough in today's world; sometimes we need to go after them to reveal more Criminal Networks and hacking tools being used by the Cyber Criminals. NIST's idea of sharing Threat Intelligence reports would succeed if Security Agencies would share the whole report instead of part of it.
