At the request of several Federal agencies, the Intelligence and National Security Alliance (INSA) has created and released a framework for organizations to better share indications and warnings (I&W) of cyberattacks and deconstruct that data into indicators that can be monitored.
“The intent of this framework is to give government, academic, and industry professionals a practical analytic process in which an anticipated attack scenario is decomposed into indicators that can be continuously monitored to warn of an actual attack,” the framework states.
INSA found three main challenges to I&W: a lack of personnel with cyber and intelligence skills, a lack of effective contract and procurement approaches, and the lack of a framework.
A survey from INSA also found that organizations were largely relying on cyber threat intelligence to anticipate threats and were sharing information through free-flow text and email lists, although half of respondents replied that they were using some form of automation to share and receive information. Among the biggest obstacles to information sharing are a lack of awareness about where to share information, the slow speed of sharing, and a culture focused on keeping threat information internal, INSA said.
“These responses point to the likely value of a predetermined framework for handling warning information and coordinating a response,” INSA stated.
In the proposed framework, INSA identifies seven steps to develop and implement a cyber I&W program.
- Identify and prioritize assets
- Refine the threat
- Assess threat courses of action
- Break down scenarios into indicators
- Plan and exercise countermeasures
- Align to the intelligence cycle
- Execute proactive measures
“In essence, the cyber I&W framework was meant to be set up, implemented, and monitored with as little effort as possible given the reality of current fiscal and talent constraints. Executed properly, the above I&W framework would enable warning of an impending malicious cyber action against critical assets of an organization in order to proactively implement countermeasures,” INSA said.
Along with adopting the framework, INSA also recommended fostering a talent pipeline, improving personnel retention, improving the understanding of cyber threats, convening a best practices information sharing group, and conducting exercises to test capabilities.