Threat Information Sharing


Cyber threat intelligence sharing focuses on finding indicators of compromise, tracking threat actor groups, documenting findings, discussing strategies, and distributing this knowledge.

  • many cybersecurity vendors openly share threat information via the Cyber Threat Alliance (CTA)
  • sharing helps participants better predict and recognize malicious activity, and use that knowledge to accelerate the detection and prevention of attacks

The Automated Indicator Sharing (AIS) ecosystem enables the exchange of machine-readable cyber threat indicators and defensive measures.

  • managed and maintained by the US Cybersecurity and Infrastructure Security Agency (CISA)
  • enables participants to share indicators and defensive measures against cyber threats
    • e.g., information on observed adversarial activities, actions, and compromises

Threat Information Platforms

  • a threat information platform enables the analysis and distribution of:
    • IOCs
    • tactics, techniques, and procedures (TTPs)
    • threat actors
    • courses of action
    • incidents
    • and other types of similar information
  • shared in real time using machine-readable formats:
    • Trusted Automated eXchange of Indicator Information (TAXII) message exchange
    • Structured Threat Information eXpression (STIX)

Confidence Levels

  • threat intelligence analysts use threat information to develop confidence levels that help reduce noise and prioritize highly relevant and targeted activities
  • Malware Information Sharing Platform (MISP)
    • implements taxonomies such as Admiralty-Scale or Estimative-Language
      • these help develop and describe confidence levels
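
How an Admiralty-Scale grade can become a machine-readable confidence value and then be used to cut noise, shown as an added example that is not part of the original notes or of MISP's own code. It assumes MISP-style `admiralty-scale:information-credibility="N"` tags and the Admiralty Credibility to confidence mapping from the STIX 2.1 specification; the function names, the threshold of 70 and the sample addresses are hypothetical.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Admiralty information-credibility grade -> STIX 2.1 confidence (0-100), per the
# Admiralty Credibility scale in the STIX 2.1 spec; grade 6 has no numeric value.
CREDIBILITY_TO_CONFIDENCE = {"1": 90, "2": 70, "3": 50, "4": 30, "5": 10, "6": None}
TAG_RE = re.compile(r'^admiralty-scale:information-credibility="([1-6])"$')

def confidence_from_tags(tags):
    """Return the STIX confidence for the first credibility tag, else None."""
    for tag in tags:
        match = TAG_RE.match(tag)
        if match:
            return CREDIBILITY_TO_CONFIDENCE[match.group(1)]
    return None

def to_stix_indicator(value, tags):
    """Build a minimal STIX 2.1 indicator for an IPv4 IOC carrying MISP tags."""
    ip = ipaddress.IPv4Address(value)  # reject anything that is not an IPv4 address
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
    }
    confidence = confidence_from_tags(tags)
    if confidence is not None:  # unjudged or untagged: leave the property out
        indicator["confidence"] = confidence
    return indicator

def prioritize(indicators, minimum=70):
    """Drop indicators below the threshold; sort the rest, most confident first."""
    kept = [i for i in indicators if i.get("confidence", 0) >= minimum]
    return sorted(kept, key=lambda i: i["confidence"], reverse=True)

# Constructed sample input (documentation address ranges, not real IOCs).
SAMPLE = [
    ("192.0.2.10", ['admiralty-scale:source-reliability="b"',
                    'admiralty-scale:information-credibility="2"']),
    ("198.51.100.7", ['admiralty-scale:information-credibility="5"']),
    ("203.0.113.5", ['admiralty-scale:information-credibility="1"']),
    ("192.0.2.99", ["tlp:amber"]),
]

if __name__ == "__main__":
    print(json.dumps(prioritize([to_stix_indicator(v, t) for v, t in SAMPLE]), indent=2))
```

Indicators with no credibility grade are treated as confidence 0 by `prioritize`, so they are filtered out rather than silently trusted.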