A New Vision for Cyber Threat Intelligence at the MS-ISAC
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
The transforming work environment and uncertainty of 2020 led the cyber threat intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs) to rethink how we operated and what was most important. We spent a lot of time thinking about proactive threat intelligence sharing. We recognize that intelligence analysis, especially when applied to cyberspace, is a niche skill. Most U.S. State, Local, Tribal, and Territorial (SLTT) organizations don’t conduct their own intelligence collection, analysis, and dissemination. So, we created a plan, crafted a new vision, and set off in a new direction. That vision is to be the premier CTI source for all SLTTs and elections infrastructure, one driven solely by mission and powered by critical thinking.
Real-Time Indicator Feeds
One result of this work is the real-time threat indicator feeds from the Center for Internet Security (CIS). The feeds are easy to implement, available at no cost to SLTTs and election offices, and delivered in industry-standard formats (STIX over TAXII) that modern security and analysis tools can ingest directly. The shared data help SLTTs automate defensive actions, correlate events, conduct analysis, and make better, faster, and more proactive defensive decisions.
Today, we’re well on our way to fulfilling our vision, and we're reaching out to bring you with us.
Cyber Threat Intelligence (CTI) Defined
CTI is evidence-based knowledge about an existing or emerging menace or hazard to information and infrastructure assets. CTI comes in many forms, including context that connects pieces of information into a more complete picture. It can include things like:
- Specific malware or malware families
- How the malware gets delivered
- Technical evidence of a threat’s existence, often called “indicators” or “Indicators of Compromise” (IOCs)
- Specific weaknesses or configurations targeted
- Tools and techniques adversaries use
CTI context can also include potential risks or implications, strategic associations, attribution or alignment with a particular threat group, and even actions that a victim can take to protect against or respond to a given threat.
CTI is the output of rigorous analysis and is intended to inform decision makers regarding both proactive defenses and reactive response actions. Therefore, the real value in CTI is timely, actionable, and relevant information sharing.
The Intelligence Process Begins with Planning
Intelligence is a process, and its application to cyberspace is not much different from any other field. It begins with planning, that is, developing the key questions you need answered and the information requirements that will get you there. The CTI team maintains a long list of priority intelligence requirements (PIRs) and key intelligence questions (KIQs) that evolve with the threat environment, our security capabilities, and the wants and needs of our members.
An example of a PIR is indications of active threats against SLTTs and critical infrastructure. Assuming we have knowledge of an impending attack, some KIQs associated with that PIR would include:
- What are the key indicators associated with this attack?
- How does the target sector compare to other sectors (e.g., private business, financial, healthcare, education, federal government, international, etc.)?
- How does this attack compare to historic threats against this sector (i.e., what trends and changes over time are observed)?
PIRs and KIQs help guide information collection and analytic focus. They help set the stage for production and sharing as well as predicting what is likely to come. Ultimately, the best intelligence doesn’t simply identify threats; it helps predict what is likely to happen next, empowering decision makers to reduce their risk posture and take proactive defensive measures.
The MS- and EI-ISAC collect information from more than 200 sources, which can be categorized as follows:
- Internal sources (e.g., Albert, Endpoint Detection and Response (EDR), Malicious Domain Blocking and Reporting (MDBR), CTI analysis of dark web resources, reverse engineering of malware via the Cyber Incident Response Team (CIRT) and CTI team)
- Federal government sources (e.g., Automated Indicator Sharing (AIS))*
- Open sources (e.g., Spamhaus, Alienvault OTX, social media)
- Commercial sources (e.g., Flashpoint, Mandiant, The DFIR Report)
- Members (e.g., Malicious Code Analysis Platform (MCAP))
- Other (e.g., reports shared by international and other partners)
The collected information is stored in a single database, the MS- and EI-ISAC’s Threat Intelligence Platform (TIP). Here, key elements are extracted, databased, cleaned, vetted, verified, enriched, and prioritized for hunting or defensive action. Intelligence that meets specific criteria is immediately shared through the MS- and EI-ISAC’s indicator sharing program and is available to all members who subscribe to that service. It is shared in the form of indicators, each of which is first confirmed as malicious, active, and relevant to stakeholders. We determine relevance by assessing the likelihood of impact to organizations in the SLTT and elections domain. These same indicators are pushed to MS- and EI-ISAC security tools, such as MDBR.
Analysis and Output
In addition to indicator sharing, the CTI team reviews all evidence coming in for threat trends, helping us provide more context to members. The outputs of this process are finished intelligence products, such as Cyber Alerts, Short- and Long-Form Analytic Reports, white papers, blogs, and advisories. These are disseminated to members through the CIS 24x7x365 Security Operations Center (SOC) or posted on our website.
This entire process can be captured as a cycle of overlapping elements, with feedback flowing back into each stage.
STIX/TAXII: Real-time Indicator Feed
Speed is a critical component of proactive defense. We recognize that SLTTs and election offices must have access to reliable and timely threat intelligence. This feeds their own defense-in-depth strategy and reduces their risk posture. Yet every organizational environment is unique, and the ability to ingest and use our data is likely to vary widely. For this reason, we focused our efforts on the Structured Threat Information eXpression (STIX) format. We currently make a STIX feed available for SLTTs to subscribe to via a companion standard, the Trusted Automated eXchange of Intelligence Information (TAXII), which defines how STIX content is requested and delivered over HTTPS.
Members are not required to maintain their own STIX/TAXII infrastructure. Instead, members simply need to have security devices that can accept and ingest a STIX/TAXII feed. The good news is that most modern security tools can! This includes firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools. It can also include analytical tools, such as security information and event management (SIEM) platforms and TIPs.
Technically savvy members who wish to pull the files down without ingesting them directly into a security tool can use simple curl requests to query the collections and download the indicators. STIX version 1 is serialized as XML (served over TAXII 1.x), while STIX version 2 is serialized as JSON (served over the TAXII 2.x REST API). Either can be imported into just about anything that can parse XML or JSON, though a consumer should still honor each indicator's validity window and revocation status rather than treating the download as a permanent blocklist.
Real World Applications
How might an MS-ISAC or EI-ISAC member use the new feeds? There are a number of ways:
- Connect an edge security device to the feed to block malicious domains as they’re published
- Ingest the feed to an internal database and compare the indicators against logs to see if malicious activity is present in the local network
- Collect the data for sharing with associated organizations that have more limited capabilities
These are just a few examples. We’re here to help you along the way! Connect today to receive curated, timely, and relevant threat intelligence. The service is designed to provide a high-value, low-risk collection of active, verified malicious indicators of threat activities in the SLTT and elections infrastructure community.
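The pull, parse and compare workflow that the STIX/TAXII section and the list above describe, as an added example that is not part of the original post and is not MS-ISAC or CIS code: it builds the TAXII 2.1 request for a collection's objects endpoint (the API root, collection ID and any credentials are placeholders), pulls the atomic values out of the indicator patterns in a constructed STIX 2.1 bundle, drops expired or revoked indicators, and sweeps constructed log lines for matches. Every identifier, domain, address and hash in it is made up, the log lines follow no vendor's format, and the pattern handling is a deliberate subset: only `property = 'literal'` comparisons are extracted, which covers the domain, address, URL and hash indicators a feed like this carries, while the rest of the STIX patterning grammar is left to a full pattern engine.

```python
"""Added example, not MS-ISAC code: build a TAXII 2.1 collection request, pull the atomic
values out of STIX 2.1 indicator patterns, and sweep log lines for them. The bundle, log
lines, ids, domains, addresses and hash are all constructed for this example."""
import json
import re
from datetime import datetime, timezone
from urllib.request import Request

TAXII_21 = "application/taxii+json;version=2.1"      # TAXII 2.1 media type
NOW = datetime(2021, 3, 3, tzinfo=timezone.utc)       # fixed clock so the run is repeatable
# One `property = 'literal'` comparison inside a STIX pattern; `!=`, MATCHES, LIKE and the
# observation-level operators are deliberately left to a real pattern engine.
_COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.\[\]*'-]+?)\s*=\s*'([^']+)'")
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")    # a domain, address or hash as one token

# Constructed bundle: three indicators, the last one expired (valid_until in the past).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--3f1c9a2e-7d1a-4c4a-9b0e-5a0000000000", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3f1c9a2e-7d1a-4c4a-9b0e-5a0000000001",
     "created": "2021-03-01T12:00:00.000Z", "modified": "2021-03-01T12:00:00.000Z",
     "name": "constructed: phishing landing domains", "pattern_type": "stix", "valid_from": "2021-03-01T12:00:00Z",
     "pattern": "[domain-name:value = 'login-portal.example' OR domain-name:value = 'cdn-update.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3f1c9a2e-7d1a-4c4a-9b0e-5a0000000002",
     "created": "2021-03-02T08:00:00.000Z", "modified": "2021-03-02T08:00:00.000Z",
     "name": "constructed: C2 address and dropper hash", "pattern_type": "stix", "valid_from": "2021-03-02T08:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.45'] AND [file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3f1c9a2e-7d1a-4c4a-9b0e-5a0000000003",
     "created": "2020-01-01T00:00:00.000Z", "modified": "2020-06-30T00:00:00.000Z",
     "name": "constructed: retired sinkhole address", "pattern_type": "stix", "valid_from": "2020-01-01T00:00:00Z",
     "valid_until": "2020-06-30T00:00:00Z", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
]})

SAMPLE_LOGS = [  # constructed key=value lines, not any vendor's format
    "2021-03-03T09:12:44Z dns client=10.20.30.41 query=login-portal.example type=A rcode=NOERROR",
    "2021-03-03T09:12:45Z fw action=allow src=10.20.30.41 dst=203.0.113.45 dport=443 proto=tcp",
    "2021-03-03T09:13:02Z dns client=10.20.30.77 query=intranet.example.gov type=A rcode=NOERROR",
    "2021-03-03T09:13:10Z fw action=allow src=10.20.30.77 dst=198.51.100.7 dport=80 proto=tcp",
    "2021-03-03T09:14:00Z edr host=WS-114 event=file_create sha256=" + "AB" * 32,
    "2021-03-03T09:15:21Z dns client=10.20.30.41 query=assets.cdn-update.example type=A rcode=NXDOMAIN",
]


def taxii_objects_request(api_root: str, collection_id: str, added_after: str = "") -> Request:
    """GET {api_root}/collections/{id}/objects/, optionally only objects added after a timestamp.
    The caller supplies its own Authorization header. TAXII 2.1 answers with an envelope
    {"more", "next", "objects"}; extract_indicators() reads that or a plain bundle alike."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    if added_after:
        url += f"?added_after={added_after}"
    return Request(url, headers={"Accept": TAXII_21})


def _ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with a trailing Z, which fromisoformat() rejects."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(document: str, now: datetime) -> dict:
    """Map each equality literal in a current indicator pattern to (property path, indicator id).
    Revoked, not-yet-valid and expired indicators are dropped here; that is what keeps a
    retired sinkhole address from turning into a false positive later."""
    atoms = {}
    for obj in json.loads(document).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix" or _ts(obj["valid_from"]) > now:
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue
        for path, literal in _COMPARISON.findall(obj["pattern"]):
            atoms[literal.lower()] = (path, obj["id"])
    return atoms


def sweep_logs(lines, atoms: dict) -> list:
    """One hit per (line, literal). Addresses and hashes must equal a whole token; a domain
    literal also matches its subdomains; URL literals are substring matches because log
    fields rarely keep a URL intact as a single token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        tokens = set(_TOKEN.findall(lowered))
        for literal, (path, indicator_id) in atoms.items():
            if path.startswith("url:"):
                found = literal in lowered
            elif path.startswith("domain-name:"):
                found = any(t == literal or t.endswith("." + literal) for t in tokens)
            else:
                found = literal in tokens
            if found:
                hits.append({"line": number, "literal": literal, "path": path, "indicator": indicator_id})
    return hits


if __name__ == "__main__":
    current = extract_indicators(SAMPLE_BUNDLE, NOW)
    print(f"{len(current)} current atomic indicators (the expired sinkhole is excluded)")
    for hit in sweep_logs(SAMPLE_LOGS, current):
        print(f"line {hit['line']}: {hit['path']} = {hit['literal']}  <- {hit['indicator']}")
```

Run against the constructed data, the sweep flags the phishing domain lookup, the connection to the C2 address, the dropper hash on the endpoint, and the lookup of a subdomain of a listed domain, while the connection to the retired sinkhole address stays quiet because that indicator's `valid_until` has passed. A production consumer would page through the TAXII response while `more` is true using the `next` value, persist the `added_after` watermark between polls so each pull only fetches new objects, and hand patterns with MATCHES, LIKE, `!=` or observation operators to a full STIX pattern engine such as the OASIS cti-pattern-matcher rather than extending the regex.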
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience across many industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.
* A note on AIS: Any SLTT can get these feeds directly from DHS. However, the barrier to entry is high and may not be practical for many organizations. We simplify the process for members, and we remove indicators that are not relevant or are likely to cause false-positive alerts in SLTT environments.