United States: DHS and DOJ Release Updated Guidance for Sharing Cyber Threat Indicators and Defensive Measures

Last Updated: June 23 2016
Article by Jonathan G. Cedarbaum and Joseph W. Jerome

On June 15, in response to feedback from non-federal entities on guidance released in February, the Departments of Homeland Security (DHS) and Justice (DOJ) issued updated guidance for companies about sharing cyber threat indicators and defensive measures with the federal government under the Cybersecurity Information Sharing Act (CISA).

The new guidance identifies:

  • the types of information that qualify as a cyber threat indicator that would be unlikely to include information that is not directly related to a cybersecurity threat and is personal information of a specific individual or information that identifies a specific individual; and
  • information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.

The guidance explains how companies can share such information with the federal government, both through the principal channel created by DHS and through other routes allowed by CISA. The guidance also explains how to identify and share cyber defensive measures. Finally, it recaps the different kinds of legal authorization and liability protection CISA provides for these activities.

Identifying Cyber Threat Indicators and Defensive Measures

CISA defines a cyber threat indicator as information that is necessary to describe or identify:

  • malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
  • a method of defeating a security control or exploitation of a security vulnerability;
  • a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
  • a method of causing a user with legitimate access to an information system or information that is stored on, processed by or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
  • malicious cyber command and control;
  • the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
  • any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
  • any combination thereof.

The guidance provides the following example to illustrate how some of the pieces of information in an email may constitute cyber threat indicators and some may not:

Information is not directly related to a cybersecurity threat if it is not necessary to detect, prevent, or mitigate the cybersecurity threat. For example, a cyber threat indicator could be centered on a spear phishing email. For a phishing email, personal information about the sender of email ("From"/"Sender" address), a malicious URL in the e-mail, malware files attached to the e-mail, the content of the e-mail, and additional email information related to the malicious email or potential cybersecurity threat actor, such as Subject Line, Message ID, and X-Mailer, could be considered directly related to a cybersecurity threat. The name and e-mail address of the targets of the email (i.e., the "To" address), however, would be personal information not directly related to a cybersecurity threat and therefore should not typically be included as part of the cyber threat indicator.

The guidance identifies a number of examples of information that would contain cyber threat indicators that a private entity could submit to DHS and other federal entities under CISA:

  • a company could report that its web server log files show that a particular IP address has sent web traffic that appears to be testing whether the company's content management system has not been updated to patch a recent vulnerability;
  • a security researcher could report on her discovery of a technique that permits unauthorized access to an industrial control system;
  • a software publisher could report a vulnerability it has discovered in its software;
  • a managed security service company could report a pattern of domain name lookups that it believes correspond to malware infection;
  • a manufacturer could report unexecuted malware found on its network;
  • a researcher could report on the domain names or IP addresses associated with botnet command and control servers;
  • an engineering company that suffers a computer intrusion could describe the types of engineering files that appear to have been exfiltrated, as a way of warning other companies with similar assets; and
  • a newspaper suffering a distributed denial of service attack to its web site could report the IP addresses that are sending malicious traffic.

To help ensure consistency with CISA's definitions and requirements, the guidance recommends using standard fields of information, such as those developed for the Structured Threat Information eXchange (STIX).

The guidance also provides a number of illustrative examples of defensive measures:

  • a computer program that identifies a pattern of malicious activity in web traffic flowing into an organization;
  • a signature that could be loaded into a company's intrusion detection system in order to detect a spear phishing campaign with particular characteristics;
  • a firewall rule that disallows a type of malicious traffic from entering a network;
  • an algorithm that can search through a cache of network traffic to discover anomalous patterns that may indicate malicious activity; and
  • a technique for quickly matching, in an automated manner, the content of an organization's incoming Simple Mail Transfer Protocol (SMTP, a protocol commonly used for email) traffic against a set of content known to be associated with a specific cybersecurity threat without unacceptably degrading the speed of email delivery to end users.

Categories of Information Unlikely to be Directly Related to a Cybersecurity Threat

CISA requires non-federal entities to remove any information from a cyber threat indicator or defensive measure that the entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat before sharing that cyber threat indicator or defensive measure with a federal entity. Cyber threat indicators and defensive measures will typically consist of technical information that describes attributes of a cybersecurity threat and thus usually will not include various categories of information that are protected by privacy laws. In order to assist sharing entities discharge their obligation to remove personal information, the guidance describes several categories of information that are unlikely to be directly related to a cybersecurity threat and protected under otherwise applicable privacy law. These include:

  • protected health information;
  • employee personnel files;
  • consumer information relating to an individual's purchases, preferences, complaints, or credit;
  • student education records, including transcripts and professional certifications;
  • financial information;
  • information concerning property ownership; and
  • information identifying children under the age of 13.

Because the contents of communications are particularly likely to include information from these protected categories, the guidance recommends that companies "exercise particular care when reviewing such information before sharing it with a federal entity." Nevertheless, it also admits that some of these categories can be used in connection with threats such as social engineering attacks, and may be shareable as a result.

Information-Sharing Mechanisms

CISA envisions three processes for sharing information:

  1. sharing via a DHS "capability or process";
  2. sharing with federal entities outside this method; and
  3. sharing among industry (or "non-governmental entities").

Each process involves different methods for sharing and provides different legal protections.

The first method takes advantage of mechanisms operated by DHS pursuant to Section 105(c)(1)(B) of CISA. These includes DHS's Automated Indicator Sharing (AIS) initiative, which was certified for deployment and made " open for business" in March 2016. Other sharing methods under Section 105(c)(1)(B) include sending an email to or using a web form provided by DHS's National Cybersecurity and Communications Integration Center (NCCIC). Information shared with NCCIC through other electronic means may also be covered. Information companies share with private Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs) that is then shared with DHS on their behalf is also covered. Section 105(c)(1)(B) sharing receives both liability protection and other statutory protections under CISA.

The second method involves sharing outside this framework with DHS or with other federal entities, such as the FBI, the Treasury Department or the Defense Department. This kind of sharing, authorized under Section 104(c) of CISA, does not receive liability protection, but does get other statutory protections, including:

  • antitrust exemption;
  • exemption from federal and state disclosure laws;
  • exemption from certain federal and state regulatory uses;
  • no waiver of privilege;
  • treatment as commercial, financial, and proprietary information; and
  • ex parte communications waiver.

Finally, while the guidance notes that CISA does not direct the federal government to produce guidance on how companies may share information among themselves under CISA, Section 104(c) also authorizes the sharing of cyber threat indicators and defensive measures among private entities and such sharing receives both liability and antitrust protection. However, sharing between private entities (including ISACs and cybersecurity and managed security services providers) is subject to CISA's requirements that only cyber threat indicators and defensive measures are shared and personal information be removed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Jonathan G. Cedarbaum
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions