Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of threat information include indicators (system artifacts or observables associated with an attack), tactics, techniques, and procedures (TTPs), security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts.
By exchanging threat information within a sharing community, organizations can leverage the collective knowledge, experience, and capabilities of that sharing community to gain a more complete understanding of the threats the organization may face. Using this knowledge, an organization can make threat-informed decisions regarding defensive capabilities, threat detection techniques, and mitigation strategies. By correlating and analyzing cyber threat information from multiple sources, an organization can also enrich existing information and make it more actionable. This enrichment may be achieved by independently confirming the observations of other community members, and by improving the overall quality of the threat information through the reduction of ambiguity and errors. Organizations that receive threat information and subsequently use this information to remediate a threat confer a degree of protection to other organizations by impeding the threat’s ability to spread. Additionally, sharing of threat information allows organizations to better detect campaigns that target particular industry sectors, business entities, or institutions.
Guide to Cyber Threat Information Sharing
The guide assists organizations in establishing and participating in cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidelines that improve cybersecurity operations and risk management activities through safe and effective information sharing practices, and that help organizations plan, implement and maintain information sharing.
NIST encourages greater sharing of cyber threat information among organizations, both in acquiring threat information from other organizations and in providing internally-generated threat information to other organizations. Implementing the following recommendations enables organizations to make more efficient and effective use of information sharing capabilities.