State, Local, Tribal & Territorial Cyber Information Sharing Program

CISA established the State, Local, Tribal, and Territorial (SLTT) Cyber Information Sharing Program to foster a more resilient cyber ecosystem. Cooperative agreements were awarded in accordance with congressional direction to meet the pilot objectives set by CISA and to execute the pilot using a standardized process. Each pilot includes the development of deliverables that SLTT governments and the critical infrastructure community can adapt to meet their unique needs and constraints.

SLTT Indicators of Compromise Automation Pilot

In 2019, CISA awarded a cooperative agreement to the Johns Hopkins University Applied Physics Laboratory (JHU/APL) to conduct a pilot with SLTT governments to enhance their cybersecurity defenses and rapidly respond to Indicators of Compromise (IOCs) through the development of Security Orchestration, Automation and Response (SOAR) workflows and guides. JHU/APL successfully conducted the pilot with Arizona, Louisiana, Massachusetts, Texas, Maricopa County, and the Multi-State Information Sharing and Analysis Center. For additional details, click here.

CISA is now providing the 85 workflows that were developed to deploy the SOAR capabilities to SLTT governments and the critical infrastructure community. To access the workflows, click here. In addition, there are also 11 white papers and two videos available that address the following key topics:

Assessing the Potential Value of Cyber Threat Intelligence Feeds

There are two areas of consideration to assess the potential value of a Cyber Threat Intelligence (CTI) feed: relevance and usability. However, most organizations only focus on relevance. While determining if an offering is relevant is important, it is not enough. The organization/customer/consumer also needs to make sure the information is usable and applicable in their environment; that it is actionable and can be used to drive the operational processes and decisions in a timely manner with minimal impact to local resources. This paper provides definitions and operational considerations for assessing the potential value of CTI feeds.

To download a PDF version of this paper, click here.

Operational Value of Indicators of Compromise

Most organizations prioritize processing internal information over processing and acting on external IOC feeds. There is a significant debate in the cybersecurity community as to what operational value some IOCs provide to organizations, since threat actors can and do change IOCs routinely to avoid detection. During the SLTT IOC Automation Pilot, JHU/APL discovered that the right question is not if IOCs are operationally valuable, but when.

To download a PDF version of this paper, click here.

Service Models for Cyber Threat Intelligence

There are many CTI products and services on the market today. While the type of content is similar, the service models being applied are vastly different. From an operational standpoint, the value provided by the different service models varies significantly and is directly associated with the consumer and their intended usage of the CTI. Organizations considering participation in a CTI sharing community or subscribing to CTI feeds need to understand the service model being used by the provider. Different service models provide different types of value, and an organization needs to define the operational use cases for the CTI to determine the operational value of the proposed investment.

To download a PDF version of this paper, click here.

Preserving Cyber Threat Intelligence Content

Operational limitations have resulted in many organizations deploying 3rd party products to ingest standards-based CTI feeds. Unfortunately, many of these products modify the shared content when they receive it from the producer. Often the methods utilized for CTI delivery through 3rd party sharing infrastructure results in limitations regarding the usefulness of new or unique CTI and nullifies the expected value of using community accepted standards.

To download a PDF version of this paper, click here.

Enabling Automation in Security Operations — Assessing Automation Potential of Products and Services

As organizations automate operational security processes, they are discovering that not all products and services support these initiatives. The main issue is that the functionality and information available via the Application Programming Interface (API) may be different than what they have access to via the user interface. It is important to assess products and services, those already deployed as well as those under consideration, to determine if they have limited automation potential. This assessment requires more detail than just making sure there is an API and is not easily discernable from a typical vendor demonstration.

To download a PDF version of this paper, click here.

Enabling Automation in Security Operations — Strategy for Efficient Process Automation

This guide will help an organization develop and deploy automation that is more efficient and effective for their operations. This approach is easily extended to support the inclusion of more advanced analytics into the detection and response process.

To download a PDF version of this paper, click here.

Enabling Automation in Security Operations — Increasing Automation Potential of Processes

Enabling automation is a critical component of every organization that wishes to address the speed and scale of modern cyber attack. Without orchestrated automated response via security tools, it is often not possible to respond to cyber threat intelligence in a timeframe that enables network defense. However, organizations often find themselves struggling to understand which of their security tools can leverage these capabilities. Merely having an API to a product is not enough. The factors identified in this guide will help each organization assess whether or not their tools can leverage the significant benefits of automated responses and identify features that they can request from their vendors to support their operational needs to assure business continuity while under cyber attack.

To download a PDF version of this paper, click here.

Applying Low Regret Methodology for Cyber Threat Intelligence Triage

Through multiple research and pilot efforts, JHU/APL has successfully deployed threat feeds that within minutes of receipt extract, identify, and share actionable IOCs to an information sharing organization such as an Information Sharing and Analysis Center or Organization. In this paper, the methodology and process are provided in more detail to help other organizations leverage these capabilities for their communities' network defense needs.

To download a PDF version of this paper, click here.

Applying Low Regret Methodology for Response to Indicators

Analysis and response to cyber IOCs is so resource consuming that many cybersecurity teams do not even attempt to use them in operations. This paper showcases how to apply a "low-regret" methodology for rapid evaluation and response to these IOCs via SOAR tools. Using this methodology, organizations have been able to add IOC mitigation into security operations in a value-added and sustainable manner.

To download a PDF version of this paper, click here.

Orchestration of Information Technology Automation Frameworks

The SOAR market has matured considerably over the last few years, but many organizations still have a hard time differentiating between SOAR and IT automation frameworks. Those with investments in IT automation often question the need for extending SOAR deployments outside of the Security Operations Center (SOC), while others wonder how to effectively combine the two technologies to mitigate cyber risks. Some organizations may worry about SOC updates changing IT assets, but as explained in this paper, using approved frameworks can ensure any changes align with existing priorities and policies.

To download a PDF version of this paper, click here.

Information-Centric Automation and Orchestration

Many products designed to perform advanced analytics or automate analysis of cyber threat information separate the data normalization and information standardization functions from the automated workflows and analytics engines. This way they are working on information in a specific, defined, and understood context, allowing them to add, modify, and delete sources and analytics without impacting existing core functionality. In essence, they have deployed an Information-Focused Automation Framework for the organization. The intent of deploying this type of framework is to enable information-centric automation. Information-centric automation emphasizes developing workflows and analytics based on standardized pieces of information made accessible by local resources instead of inconsistent data provided by products and services. This framework provides information management functionality that is explicitly designed to enable automation.

To download a PDF version of this paper, click here.

Low-Regret Scoring for Network Defense Videos

Head over to CISA's YouTube channel to learn about low-regret scoring for network defense. These introductory videos provide an overview of low-regret scoring for network defense and how to implement it.

To access the Low-Regret Scoring for Network Defense video, click here.

To access the How to Implement Low-Regret Scoring for Network Defense video, click here.

Internet Security - Information Sharing and Analysis Organization Pilot

The intent of the Internet Security - Information Sharing and Analysis Organization (IS-ISAO) Pilot Project was to establish a fully functional ISAO capable of bi-directional information sharing. Also, the pilot promoted and developed a collaboration with SLTT agencies, higher education, industry, and not for profits and conducted government outreach. For additional details, click here.

A report was developed summarizing the results of the SLTT IS- ISAO pilot project. To download a PDF version of this report, click here.