TLP:WHITE
CISA | Cybersecurity and Infrastructure Security Agency
Atomic indicators can initially be valuable to detect signs of a known campaign. However, because adversaries often change their infrastructure (e.g., watering holes, botnets, C2 servers) between campaigns, the “shelf-life” of atomic indicators to detect new adversary activity is limited. In addition, advanced threat actors might leverage different infrastructure against different targets or switch to new infrastructure during a campaign when their activities are detected. Finally, adversaries often hide in their targeted environments, using native operating system utilities and other resources to achieve their goals. For these reasons, agencies should use patterns and behaviors, or adversary TTPs, to identify malicious activity when possible. Although TTP-based detection methods are more difficult to apply and to verify once applied, TTPs provide more useful and sustainable context about threat actors, their intentions, and their methods than atomic indicators alone. The MITRE ATT&CK® framework documents and explains adversary TTPs in detail, making it a valuable resource for network defenders.[10]
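The following is an added illustration of the point above, not code from the CISA playbook: two detections run over the same constructed process-creation telemetry. The atomic rule matches only infrastructure already listed from an earlier campaign, so it goes silent the moment the adversary moves; the behavioral rule (a document-handling application spawning a command interpreter, the kind of native-utility abuse the text describes) keeps firing regardless of which server is on the other end. All IP addresses, host names, process lists and log records are constructed sample data, and the rule shapes are simplified for the example.

```python
"""Atomic-indicator matching vs. behaviour (TTP) matching on constructed telemetry."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, roughly as a host sensor or EDR would log it."""
    host: str
    parent_image: str   # process that launched the child
    image: str          # the child process
    cmdline: str
    dest_ip: str        # outbound connection the child made ("" if none)


# Atomic indicators: a hypothetical infrastructure list from a past campaign.
# Constructed values from the RFC 5737 documentation ranges, not real IoCs.
KNOWN_C2_IPS = {"203.0.113.10", "203.0.113.11"}

# Behavioural rule: document-handling applications have no business spawning an
# interpreter. Both name lists are deliberately small, constructed examples.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def match_atomic(ev: ProcessEvent) -> list[str]:
    """Fire only when the event touches infrastructure we already know about."""
    hits: list[str] = []
    if ev.dest_ip in KNOWN_C2_IPS:
        hits.append(f"known-c2-ip:{ev.dest_ip}")
    return hits


def match_ttp(ev: ProcessEvent) -> list[str]:
    """Fire on the behaviour itself, whatever infrastructure sits behind it."""
    hits: list[str] = []
    parent, child = ev.parent_image.lower(), ev.image.lower()
    if parent in DOCUMENT_APPS and child in INTERPRETERS:
        hits.append(f"document-app-spawned-interpreter:{parent}->{child}")
    return hits


def run_detections(events: list[ProcessEvent]) -> dict[str, dict[str, list[str]]]:
    """Return {host: {"atomic": [...], "ttp": [...]}}; one event per host here."""
    results: dict[str, dict[str, list[str]]] = {}
    for ev in events:
        results[ev.host] = {"atomic": match_atomic(ev), "ttp": match_ttp(ev)}
    return results


# Constructed sample telemetry from three hosts.
SAMPLE_EVENTS = [
    # Campaign 1: the behaviour plus the infrastructure the earlier report listed.
    ProcessEvent("ws-01", "winword.exe", "cmd.exe",
                 "cmd.exe /c start update.bat", "203.0.113.10"),
    # Campaign 2: identical behaviour, new infrastructure; the atomic list is stale.
    ProcessEvent("ws-02", "excel.exe", "powershell.exe",
                 "powershell.exe -File report.ps1", "198.51.100.7"),
    # Benign: an administrator opening a shell from the desktop.
    ProcessEvent("ws-03", "explorer.exe", "cmd.exe", "cmd.exe", ""),
]


if __name__ == "__main__":
    for host, verdict in run_detections(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Host ws-02 is the case the text warns about: the same TTP, new infrastructure, and only the behavioral rule notices. In practice the atomic list still earns its keep for the first campaign, which is why the playbook recommends both, with TTPs as the sustainable layer.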
Sharing cyber threat intelligence is a critical element of preparation. FCEB agencies are strongly encouraged to continuously share cyber threat intelligence—including adversary indicators, TTPs, and associated defensive measures (also known as “countermeasures”)—with CISA and other partners. The primary method for sharing cyber threat information, indicators, and associated defensive measures with CISA is via the Automated Indicator Sharing (AIS) program.[11] FCEB agencies should be enrolled in AIS. If the agency is not enrolled in AIS, contact CISA for more information.[12] Agencies should use the Cyber Threat Indicator and Defensive Measures Submission System—a secure, web-enabled method—to share with CISA cyber threat indicators and defensive measures that are not applicable or appropriate to share via AIS.[13]

[10] See Best Practices for MITRE ATT&CK® Mapping Framework for guidance on using ATT&CK to analyze and report on cybersecurity threats.
[11] CISA Automated Indicator Sharing
[12] CISA Automated Indicator Sharing
Active Defense

FCEB agencies with advanced defensive capabilities and staff might establish active defense capabilities—such as the ability to redirect an adversary to a sandbox or honeynet system for additional study, or “dark nets”—to delay the ability of an adversary to discover the agency’s legitimate infrastructure. Network defenders can implement honeytokens (fictitious data objects) and fake accounts to act as canaries for malicious activity. These capabilities enable defenders to study the adversary’s behavior and TTPs and thereby build a full picture of adversary capabilities.
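As an added example of the honeytoken and fake-account canaries mentioned above (this is illustrative code, not part of the CISA playbook), the block below registers two constructed honeytokens, a decoy account and a decoy API key, and scans constructed authentication and web-access log lines for any use of them. Because nothing legitimate ever references a canary, even a failed logon with the decoy account is a high-confidence alert, and the record of where each token was planted tells the responder which cache the intruder read. The log formats, token values, hosts and addresses are all assumptions made up for the example.

```python
"""Honeytoken canaries: alert on any use of decoy accounts or decoy secrets."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    kind: str        # "account" or "api_key"
    value: str       # the bait value, seeded where an intruder would find it
    planted_at: str  # where it was seeded, so a hit says what was read


# Constructed honeytokens. A real deployment would generate a unique random
# value per planting location rather than hand-picked strings like these.
HONEYTOKENS = [
    Honeytoken("account", "svc-backup-legacy",
               "AD description field in a stale OU (constructed)"),
    Honeytoken("api_key", "HT-7f3a9c2e-canary",
               "file share it/onboarding.txt (constructed path)"),
]

# Minimal parsers for the two constructed log shapes used below.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")
HTTP_RE = re.compile(
    r'^(?P<ts>\S+) http (?P<src>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')


def scan_line(line: str) -> list[dict]:
    """Return one alert per honeytoken the line touches (usually zero or one)."""
    alerts: list[dict] = []
    m = AUTH_RE.match(line)
    if m:
        for t in HONEYTOKENS:
            # Success or failure does not matter: the account has no real user.
            if t.kind == "account" and m["user"].lower() == t.value.lower():
                alerts.append({"ts": m["ts"], "kind": t.kind, "token": t.value,
                               "src": m["src"], "planted_at": t.planted_at,
                               "detail": f"logon {m['result']}"})
        return alerts
    m = HTTP_RE.match(line)
    if m:
        for t in HONEYTOKENS:
            # Match the secret anywhere in the request line (path, query, etc.).
            if t.kind == "api_key" and t.value in m["req"]:
                alerts.append({"ts": m["ts"], "kind": t.kind, "token": t.value,
                               "src": m["src"], "planted_at": t.planted_at,
                               "detail": f"request {m['req']!r} -> {m['status']}"})
    return alerts


def scan(lines: list[str]) -> list[dict]:
    """Scan a batch of log lines and return all canary alerts in log order."""
    return [a for line in lines for a in scan_line(line)]


# Constructed sample log lines: two benign, two touching canaries.
SAMPLE_LOG = [
    "2024-01-09T08:00:01Z auth success user=alice src=10.0.0.5",
    "2024-01-09T08:03:22Z auth failure user=svc-backup-legacy src=10.0.0.77",
    '2024-01-09T08:04:10Z http 10.0.0.77 "GET /api/v1/backups?key=HT-7f3a9c2e-canary HTTP/1.1" 403',
    '2024-01-09T08:05:00Z http 10.0.0.5 "GET /index.html HTTP/1.1" 200',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Both alerts here point at the same source address, which is the kind of early, low-noise pivot a responder wants: the canary tells you something is reading data it should not, before the adversary has reached legitimate infrastructure.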
Communications and Logistics

Establish local and cross-agency communication procedures and mechanisms for coordinating major incidents with CISA and other sharing partners and determine the information sharing protocols to use (i.e., agreed-upon standards). Define methods for handling classified information and data, if required. Establish communication channels (chat rooms, phone bridges) and a method for out-of-band coordination.[14]
Operational Security (OPSEC)

Take steps to ensure that IR and defensive systems and processes will be operational during an attack, particularly in the event of pervasive compromises—such as a ransomware attack or one involving an aggressive attacker that may attempt to undermine defensive

[13] DHS CISA Cyber Threat Indicator and Defensive Measure Submission System
[14] NIST SP 800-47 Rev. 1: Managing the Security of Information Exchanges