A New Vision for Cyber Threat Intelligence at the MS-ISAC

The complicated work environment and uncertainty of 2020 led the Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure ISAC (EI-ISAC) to rethink how we operate and what is most important. We spent a lot of time thinking about intelligence sharing. We recognize that intelligence analysis, especially when applied to cyberspace, is a niche skill. Most SLTTs don’t conduct their own intelligence collection, analysis, and dissemination. So, we created a plan, crafted a new vision, and set off in a new direction. That vision is to be the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices, driven solely by mission and powered by critical thinking.

Real-Time Indicator Feeds

The result of this work is the new real-time threat indicator feeds from CIS. They are easy to implement and available for free to U.S. SLTTs. The feeds use easy to ingest, industry-standard formatting to work with most modern security and analysis tools. The data shared will help SLTTs automate defensive actions, correlate events, conduct analysis, and make better, faster, more impactful decisions.

We haven’t crossed the finish line yet, and in an evolving threat landscape, perhaps we never will. But we’re well on our way and reaching out to bring you with us. The following information describes our processes, what we share, and how you can get connected.

Cyber Threat Intelligence (CTI) Defined

Cyber Threat Intelligence (CTI) is evidence-based knowledge about an existing or emerging menace or hazard to information and infrastructure assets. CTI comes in many forms including context that connects pieces of information together into a more complete picture. In the case of CTI, it can include things like:

  • Specific malware or malware families
  • How the malware gets delivered
  • Technical evidence of a threat’s existence, often called “indicators” or “indicators of compromise” (IOCs)
  • Specific weaknesses or configurations targeted

CTI context can also include potential risks or implications, strategic associations, attribution or alignment with a particular threat group, and even actions that a victim can take to protect against or respond to a given threat.

CTI is the output of rigorous analysis and is intended to inform decision makers regarding both proactive defenses and reactive response actions. Therefore, the real value in CTI is timely information sharing.

The Intelligence Process Begins with Planning

Intelligence is a process, and its application to cyberspace is not much different than any other field. It begins with planning: developing the key questions you need answered and the information requirements to get you there. The MS-ISAC CTI team has a long list of key intelligence questions (KIQs) and priority intelligence requirements (PIRs) that evolve with the threat environment, our security capabilities, and the wants and needs of our members.

An example of a PIR is indications of active threats against SLTTs and critical infrastructure. Assuming we have knowledge of an impending attack, some KIQs associated with that PIR would include:

  • What are the key, unique indicators associated with this attack?
  • How does the target sector compare to other sectors (e.g., private business, financial, healthcare, education, federal government, international, etc.) with regard to this attack?
  • How does this attack compare to historic threats against this sector (i.e., what trends are observed with regard to changes over time)?

PIRs and KIQs help guide intelligence collection and information gathering. They help set the stage for analysis, production, and perhaps most importantly, predicting what is likely to come. Ultimately, the best intelligence doesn’t simply identify threats. It helps predict what is likely to happen next, empowering decision makers to reduce their risk posture.

Intelligence Collection

The MS-ISAC collects CTI from more than 200 sources, which can be categorized as follows:

  • ISAC internal sources (e.g., Albert, Endpoint Detection and Response (EDR), Malicious Domain Blocking and Reporting (MDBR), CTI analysis of dark web resources, reverse engineering of malware by the CTI team and Computer Incident Response Team (CIRT))
  • Federal government sources (e.g., AIS, CISCP)*
  • Open sources (e.g., Spamhaus, Alienvault OTX, social media)
  • Commercial sources (e.g., Flashpoint, FireEye iSight, The DFIR Report)
  • Members (e.g., Malicious Code Analysis Platform (MCAP))
  • Other (e.g., reports shared by international and other partners)

* A note on AIS and CISCP: Any SLTT can get these feeds directly from DHS. However, the barrier for entry is high and may not be practical for many organizations. We simplify the process for members and we remove indicators that are not relevant or are likely to cause false-positive alerts in SLTT environments.

The collected information is stored in a single database, the MS-ISAC’s new Threat Intelligence Platform (TIP). Here, key elements are extracted, cleaned, vetted, verified, enriched, and prioritized for action. Intelligence information that meets specific criteria is immediately shared to the MS-ISAC’s indicator sharing platform and available to all members who subscribe to that platform. This information is shared in the form of indicators, which must first be confirmed as malicious, active, and relevant to stakeholders. We determine relevance by assessing the likelihood of impact to organizations in the SLTT domain. These same indicators are pushed to MS-ISAC security tools, such as MDBR.

Analysis and Output

In addition to indicator sharing, the CTI team reviews all evidence coming in for trends and analysis. This helps us provide more context to SLTTs. The outputs of this process are finished intelligence products, such as Alerts, Reports, and Advisories. These are disseminated to members through the MS-ISAC Security Operations Center (SOC). Recently, the CTI team has incorporated a number of feedback mechanisms. Included are an RFI portal, direct feedback requests, member surveys, and one-on-ones with stakeholders and other MS-ISAC and EI-ISAC teams.

This entire process can be captured as a cycle of overlapping elements, where feedback is provided at each stage:

real-time indicator feeds image

STIX/TAXII: Real-time Indicator Feed

Speed is a critical component of active defense. We recognize that SLTTs must have access to reliable, timely threat intelligence. This feeds their own defense-in-depth strategy and reduces their risk posture. Yet, every SLTT environment is unique and the ability to ingest and use our data is likely to vary widely. For this reason, we focused our efforts on a single standard, the Structured Threat Information eXpression (STIX) format. We currently make a STIX feed available for SLTTs to subscribe to via a second standard. This is the Trusted Automated eXchange of Intelligence Information (TAXII).

Members are not required to maintain their own STIX/TAXII infrastructure. Instead, members simply need to have security devices that can accept and ingest a STIX/TAXII feed. The good news is that most modern security tools can! This includes firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools. It can also include analytical tools such as security incident and event management (SIEM) platforms and TIPs.

Technically savvy members who wish to pull the files over without directly ingesting into a security tool can use simple curl requests to query the collections and download the indicators. STIX version 1 is shared as an XML file, while STIX version 2 is shared as a JSON file. These can be imported into just about anything that can read data.

Real World Applications

How might an MS-ISAC or EI-ISAC member use the new feeds? There are a number of ways:

  • Connect an edge security device to the feed to block malicious domains as they’re published
  • Ingest the feed to an internal database and compare the indicators against logs to see if malicious activity is present in the local network
  • Collect the data for sharing with associated organizations that have more limited capabilities

These are just a few examples – we’re here to help you along the way! Connect today to receive curated, timely, and relevant intelligence. The service is designed to provide a high-value, low-risk collection of active, verified indicators of threat activities.