effective region based network threat information sharing

Posted by tzul at 2020-02-27

executive summary

Traditionally, network threat information sharing and exchange is based on the background of industry departments, whether it is directly peer-to-peer exchange or in the Department based information sharing and Analysis Center (ISAC). This is often effective because organizations in the same industry tend to use the same business language. They often have similar business lines, similar digital assets, similar network threats, and similar organizational practices. However, this sharing mechanism based on departments also faces the challenge of ineffective sharing. The Verizon 2015 data disclosure investigation report (DBIR) proposed that "our standard practices for information sharing organizations and behaviors based on industry organizations are not optimized", and then advocated "cross industry organizations, conduct more thorough analysis and thorough research on various types of risks". For this topic, our proposal is based on two existing MITR research projects, the bilateral analysis of network prep and information sharing exchange (blise), and the empirical evidence of threat analysis and information sharing.

Our approach is to analyze how regional sharing organizations can share effectively. Regional information sharing organizations, as an example of information sharing and analysis organizations (isaos), provide opportunities for face-to-face collaboration and benefit from dealing with cross departmental threats. However, compared with sector based, regional groups face more challenges of effective sharing due to the diversity of member organizations. Organizations from different industries usually have very different operation modes, have very different digital assets, face different types of network threats, and have different organizational practices.

This report focuses on how regional groups (hereinafter referred to as "regional information sharing organizations") can effectively share information. The ideas can also help sector based sharing agencies. In this way, the purpose of this report is to provide the managers and members of two kinds of network threat information sharing organizations with tools to manage the diversity among their members, maximize the benefits of diversity, and minimize the information sharing problems caused by the same diversity. In order to achieve this, we apply two frameworks developed by MITR. The network prep framework provides a way to describe the differences in threats and defensive attitudes that organizations face, including operational practices, tools, priorities, and maturity. Blaise method describes the successful sharing strategy, and applies the exchange strategy to the exchange according to the business diversity of the participants, especially Blaise provides a structured method to avoid two common errors in information sharing: first, it desalinates the impact of social barriers, such as non aligned goals and lack of trust; second, it relies on automation to overcome these barriers.

Through the application of the network prep framework, we define and describe three types of member organizations, which we call prep groups. These organizations usually represent the typical regional sharing organizations:

Vandalism: members of the Internet who have the value of existence and have the ability to resist opponents. Generally speaking, these opponents try to disrupt or destroy the organization, or use simple attack tools to publicly provide information about the opponents.

·Theft: members with quantifiable digital assets and resistance to cybercriminals who have command and control capabilities but can only steal assets with known attacks.

Apt (advanced persistent threat): a member with significant intellectual property rights or specific tasks. These members have the ability to defend against advanced persistent attacks. These attackers are motivated by national or industrial espionage and have the ability to develop and use new attacks.

With blind, we recommend three ways to manage diversity within a regional shared organization:

1. Limit diversity among members by professionalizing them as a single preparation group (sabotage, theft, or APT). This approach is likely to facilitate the sharing of meaningful structural intelligence reports, increase situational awareness among members, and promote organizational maturity to support automatic sharing.

2. Limit the details to be shared. Avoid trying to facilitate automated sharing or sharing of structured intelligence reports. Instead, promote effective collaboration among members - provide people to people communication channels, improve preparation and trust among members through face-to-face meetings and desktop exercises.

3. The third and most ambitious approach is to combine the two methods. Organize the members into groups, and each group is classified according to the threat. Then, we should promote the regular and highly detailed sharing of threat intelligence among each group. Shared organizations can also facilitate effective, specific collaboration between preparation groups by providing channels of communication and through preparation and trust building activities, including face-to-face meetings and desktop exercises.

At last, we summarize three potential sharing activities.

(1) Overview

The sharing of threat and event information has become a key network security practice for organizations. It enables organizations to improve the visibility and perception of network security threats. This creates better situational awareness, which in turn facilitates more informed risk decision-making.

Information sharing of network security threats is often based on department. The information sharing and Analysis Center (ISAC) is one of the information sharing organizations based on departments. For example, aviation ISAC (a-isac) and financial services ISAC (fs-isac). The advantage of this kind of organization by Sector ISAC is to promote information sharing among organizations, which often have similar tasks, needs and threats. However, not all ISAC members face the same threat. In addition, sector based sharing provides insight into domain specific threats, but does not see trends across industry boundaries.

In recent years, a new generation of network security threat information sharing organization has emerged to expand and strengthen sharing in departmental organizations. For example, the Department of Homeland Security (DHS) has been actively promoting the development of the new information sharing and Analysis Organization (Isao). Especially, the methods of region based network security sharing mechanism are quite different. As the name suggests, Regional Sharing organizations are regional in the first place, and conduct face-to-face meetings and collaboration on a regular basis. In addition, Regional Sharing organizations have broken down some institutional barriers to sector sharing because their members are based on geography rather than business sectors. In particular, it can promote face-to-face interaction between members, which can generate trust. This promotes the cross use of ideas and methods and can help overcome sector based "group thinking.". Examples of Regional Sharing agencies include the New England Regional Advanced Network Security Center (ACSC), the Atlantic Midwest Network Center, the Western Rockies network exchange, and the California network security information sharing organization (calciso).

Diversity among participating organizations is an important resource and advantage of Regional Sharing institutions. However, this diversity of industries may undermine information sharing. Organizations from different industries often have different business processes and face different types of threats. Therefore, there are often different network security practices. Therefore, in order to gain the benefits of diversity in Regional Sharing organizations, managers and members need to manage diversity in a way that promotes effective sharing.

The challenge for management and RSOs members is: how to effectively manage diversity among their members by: a) achieving the benefits of industry diversity, rather than B) communication barriers caused by more diversity?

The purpose of this report is to provide tools for managers and members of network threat information sharing organizations, manage the diversity among their members, and realize and maintain more effective network security threat sharing. In addition, although we focus on Regional Sharing organizations, we hope that the methods described can also help departmental sharing organizations manage the diversity among their members. We use the network prep framework, a framework developed by two mitrs, to achieve this goal. The network prep framework provides a method to describe the diversity of members of Regional Sharing organizations, and the Blaise method to optimize information sharing based on the diversity of participants.

The network prep framework has two core viewpoints. First, different organizations face different kinds of network threats. Some mainly need to guard against cyber criminals, who try to steal monetized digital assets, while others must resist the national state attackers who seek to establish long-term digital espionage activities. The second is that an organization's Cyber Defense Strategy should be commensurate with the type of threat it faces. Different types of threats require different types of preparation groups. In the framework of network preparation, a set of network security management procedures for attackers and defenders is discussed.

In Chapter 2, we briefly introduce the network preparation framework, which defines five types of network preparation. Then, we propose a network prep framework based on interviews with stakeholders of Regional Sharing work. We define three prep groups: sabotage group, theft group and advanced persistent threat group.

In Chapter 3, we apply cyber prep directly to threat information sharing. We focus on the most popular representatives of RSOs, the theft group and the apt group, and identify fundamental differences between the relevant defenders and attackers. Based on these differences, we identify several differences in motivation and goal related to network threat information.

In Chapter 4, we briefly introduce the blind method of mitre, which can help designers of information exchange. Blaise defines four kinds of exchanges: automatic machine level information sharing, structured human expert level information sharing, specific organization level collaboration, and indirect intermediary translation. Blaise's core view is that there is a certain relationship between the level of automation and the details that can be shared, which can support information exchange and diversity among participants. We use this to discuss the failure of information sharing and the conditions for successful sharing efforts.

In Chapter 5, we apply the bless information sharing insights to the three preparation groups provided in the network preparation framework to provide suggestions for information exchange in Regional Sharing organizations. We describe three basic ways to build a successful regional sharing effort:

· accept all three members of the preparation team and limit collaborative communication.

·Only accept members from the theft group or apt group and share them structurally to support the group optimally.

·Accept all three team members, provide separate sharing function for theft and apt team, and provide support for collaboration and intermediary translation work for all members.

Finally, we will make specific recommendations for the information dissemination and sharing activities of the three groups with feasibility and sustainability. In Section 6, we provide a brief concluding discussion and discuss possible extensions of this approach to other types of sharing for future work.

Finally, Appendix A describes a set of indicators that organizations can use to determine which readiness group is the best way to describe their work on threat information sharing.

(2) Network preparation and regional sharing organization

The key to establish a feasible and effective information sharing is to determine the type of organization. Organizations with similar operation practices can support information sharing. Although most organizations in the same industry can communicate effectively, organizations in other departments may also have enough network security practices to share information effectively. In order to promote effective cross department sharing, managers and members of Regional Sharing organizations need to have methods to effectively identify potential organizations for effective sharing.

Mitre's network preparation framework provides us with a method to classify organizations. Based on the similarity of network defense strategies, we call it organization's network preparation.

Mitre's network readiness framework states that the organization's processes and readiness can be understood in terms of the level of threat it faces. It describes five levels of threats and five corresponding network defense States, as shown in Figure 1.

Mitre's network readiness framework states that these defense states should match the corresponding threat levels. It is also a kind of business risk that the enterprise's defense status exceeds the threat it is facing. Of course, it's possible (and more common) that the security state is not enough to protect against threats.

Based on a series of interviews and qualitative research, we observed that organizations participating in regional sharing can be divided into three main groups, which can directly correspond to the five categories of network preparation framework. Although these preliminary results need to be continuously interacted and further verified with the organizations participating in the network threat information sharing, we believe that the preliminary results are strong enough to ensure the correctness of classification.

The first group is vandalism group, which directly corresponds to the network destruction organization in the framework. The biggest threat to its members is their assets on the Internet. They face attacks that lead to denial of service, including extortion and website sabotage. This kind of attack requires less attack skills. We believe that this group is still meaningful to Regional Sharing organizations, but we also believe that the defense of such behaviors is shared by the whole society. First, the wider adoption of standard security best practices, also known as the cybersecurity fundamentals, such as the key security controls of the Internet Security Center (CIS), can improve the threat posed by most of these saboteur attackers.

Second, profitable information assets are more common in organizations, so more sophisticated theft attackers threaten more organizations. In other words, the basic network guidelines are not enough for many organizations. Third, the self selection of the members of Regional Sharing organizations. That is to say, the organizations that invest resources usually exceed the basic criteria of network. On the contrary, the organizations that limit the investment of network security to the basic criteria are unlikely to invest a lot of resources to participate in the sharing organizations.

We call the second group theft group, which corresponds to the network intrusion and network attack groups in the network preparation framework. The members of the theft group are attacked by the attacker, whose main attacker is to steal the profitable information assets. Although these attackers have high capabilities, they do not need to lurk in the victim network for a long time to complete the goal of the thief, unlike the more advanced attackers. We believe that a large number of RSOs are members of this category.

The third group was apt group. This is the network disruption, espionage and cyber warfare groups in the network preparation framework. Although we recognize that there are significant differences among these organizations, we believe that the operational practices in these organizations are close enough to support effective sharing. We also believe that it is unrealistic for Regional Sharing organizations to try to promote sharing among five types of organizations.

We emphasize network preparation. These groups (whether they are the five groups in the framework or the three mentioned above) should not be considered as one level. In the framework of network preparation, members of the network intrusion group should not want to become a network attack group. In a similar way, in our simplified model, members of the theft group should not aspire to be apt organizations. Instead, organizations should make the right investments based on the threats they face. Excessive network security investment is also a business risk. However, as long as the attacker can penetrate into the target, it will use less complex attacks. Therefore, the apt defender must be able to prevent the tools, technologies and procedures (TTP) of theft and sabotage, and the defender of theft must be able to prevent the sabotage. This is also an operational risk when an organization increases its limited resources from effectively defending against real threats to more radical ones.

We encourage information sharing organizations to differentiate between the three categories of organizations among their members in order to be expected, appropriate, and even best practices. Information sharing organizations should clearly describe different network preparations, work with their members to determine which preparation group is most meaningful from the perspective of risk management, and then consider building different sharing plans for different organizations.

Based on the basic differences of the three preparation groups described, we will now consider the differences in these groups in more detail.

(3) Network prep analysis of Regional Sharing organizations

Network preparation is informed by the National Institute of standards and Technology (NIST) network security framework, with corresponding threat and defensive control. Given our observation that theft and apt groups tend to be more prominent among regional sharing groups, we emphasize the distinction between the relevant defenders and attackers. Then, we will discuss how these differences inform different sharing practices of theft and apt groups.

3.1 main differences between apt and theft group

The defenders of the apt group have intellectual property (IP) assets, which are the target of espionage. The attackers who steal intellectual property are usually nation-state or large companies, who have the motivation to gain long-term strategic advantages over defenders. Attackers discover and infiltrate the target intellectual property by building long-term persistent capabilities, so named, high-level persistent threats.

In contrast, the defenders of the theft group own profitable digital assets. The attackers of the theft group are criminals who are motivated by money, from loose organization opportunity criminals to powerful organized criminal organizations. Because no matter who holds money, money is money. Attackers related to theft organizations decide how to attack based on the direct cost / benefit, seek the minimum effort and risk, and the maximum return. The attacker's goal is to steal the profitable assets at the lowest cost without being caught.

The attackers associated with apt group are well funded because the countries or companies that support them have a high incentive to acquire targeted intellectual property rights. They have a strategy to conduct long-term attacks, and develop and manage complex, multi-stage collaborative attacks. Their attack methods are complex and can usually be attributed to specific attackers. Apt attackers have the ability to develop or gain "0-day" and often customize attacks for victims. The defenders of apt organizations usually track the movements and strategies used by apt attackers, and will try to adjust their defense capabilities to resist the specific tactical strategies used by specific attackers who attempt to steal their specific IP. However, apt attackers have sufficient complexity and counterintelligence capabilities to try to confirm whether their tactics have been discovered by victims. Therefore, the defenders of apt group have the motivation to closely protect their understanding of the attackers' means, because they are afraid that the attackers will change their tactics, which is more difficult to defend.

In contrast, the level of funding for cyber criminals is related to theft organizations, but far lower than that of espionage attackers funded by the state or large enterprises. They have enough strategic discipline to carry out technically difficult attacks, but they don't expect to remain on the defender's network for long. Instead, they tend to reuse proven attacks against multiple victims. The technical complexity of their attacks requires capabilities, but they usually lack the ability to develop or acquire 0day attacks. Instead, they rely on well-known tactics and open attacks on hackers' websites, and are usually only customized to a minimum for defenders. The strategies of the defenders of the theft group may be described as "commercial grade" because they usually rely on commercially provided defenses, which are used to defend against known attacks. Accordingly, attackers will not commit a lot of anti espionage activities, because it is assumed that their attacks and utilization are known. They mainly rely on the inadequacy of defensive measures of defenders.

3.2 inspiration from sharing

The differences between theft and apt groups lead to different network threat information sharing targets. The defenders of AP group are motivated to reach a consensus agreement, hoping to understand the specific attack techniques and strategies adopted by specific countries and large companies, and the target of attack is specific intellectual property rights. They seek to obtain machine consumable detection signatures and recommended actions (COAs) associated with the new 0day vulnerability, as they cannot be obtained from commercial vendors. They seek to improve situational awareness for their threat analysts and other risk-oriented decision makers by obtaining information about the tactical means attributed to specific attackers. They look for opportunities to work directly with peer organizations to collaborate on attack information and to collaborate on emergency response. As apt attackers know that they have the corresponding anti espionage function, the defenders of apt group require a very high degree of trust with their sharing partners to prevent attackers from knowing that their current tactics are discovered.

On the contrary, the goal of defenders in "theft" organizations is to keep abreast of open loopholes. They strive to obtain trustworthy machine-readable signatures to provide protection against known vulnerabilities. They seek to improve situational awareness by keeping abreast of time sensitive criminal attack trends, including "alerts and identified attack reports.". They seek to work with peer groups to understand trends in cybercrime and response to attacks involving multiple defense organizations. The defenders of theft organizations pay less attention to disclosure, because the attacker's attack and strategy are known. Defenders are motivated to act effectively in a shared relationship. Generating shareable information costs money and labor.

(4) Bless and Regional Sharing organizations

The operators of Regional Sharing agencies have to make three core decisions - who will share information (diversity), what they will share (details), and how they will share (patterns)? These are about who, what, and how closely related, and understanding these relationships is essential for successful sharing. In particular, the most common form of information sharing failure occurs when organizations that are too diverse in their operational practices attempt to share too detailed information. The main success factor of successful information sharing is to achieve the balance between the details shared and the diversity of participants. Once this balance is reached, the question of how to share is obvious.

The question of what to share can be expressed in terms of the number of details captured in the shared information. In detail, we mainly refer to structured databases, semi-structured reports (for example, medical records, police reports), unstructured reports enhanced with shared IDS (for example, directions usually refer to standard street names and route numbers), and completely unstructured exchanges (for example, conversations). The details also include the number of technical terms used. Cyber threat reporting, like any professional literature, cannot be ignored: legal briefs, medical journals, or end-user license agreements (EULA).

The relationship between sharing details and how to share information is direct - the higher the level of information structure, the more automation technology can be used to promote information exchange. We identify three main ways of information sharing:

·Automatic machine to machine information sharing

· information products - machine consumption

· automation level - automatic transfer, ingestion and processing

· examples - actionable attack metrics (IOC), such as machine-readable signatures

·Structured human readable information sharing

· information products - structured but human readable, such as medical records

· automation level - digital capture and transmission

· examples - network threat event alarm, malware threat event alarm, analysis report

· cooperation at the human and organizational level

· information products - multiple written notifications and communications that can be expanded with shared vocabulary

· degree of Automation - use of digital communication channels such as email or chat software

· examples - round tables, joint exercises, event specific response activities

The fourth way of information sharing is called mediated translation, an example: doctors create medical records. Claims are processed by insurers who provide the patient with an explanation of benefit (EOB) report. The job of the insurance claims processor is to record the information generated by the doctor in the medical records. But doctors do not share medical records with insurers. Instead, the doctor's office has a medical accounting room that processes medical records and translates information into a form that can be used by insurance claims processors. We call the medical accounting room "intermediary translation", because their work helps the information sharing between two organizations, and they can't directly share information. In 2013, the white paper "APT1: exposing one of China's cyber espionage institutions" written by mandiant (later acquired by fireeye), a private cyber security company, is an example of intermediary translation. As the author obtained information that only elite cyber analysts can understand and translate into a way that other audiences (such as decision makers) can understand.

The relationship between what to share (details) and how to share (patterns) is straightforward. With more agreed details, more automated technologies can be used to facilitate the exchange of information. Agreement on automation and technology is effective, but it can be achieved if interested parties agree on the details of sharing. What to share (in detail) drives a discussion about how to share (automate).

However, the relationship between "what to share (details)" and "who to share (diversity)" is often more controversial, which is also the most common reason for information sharing failures. Bless is based on a sociological understanding of communication. It defines five related but separate factors about how people work and the ability to trust another group. Factors of diversity include:

· factors related to workplace practice

1. Professional uncertainty: measure the uncertainty of professional work of the organization

2. Internal diversity: measure the same or different degree of work practice of each group

3. Compare diversity: measure the same or different degree of work practice between groups

· entities related to trust and value

4. Cooperative resistance: measure the degree of group support or resistance to cooperate with other groups

5. Process novelty: the degree to which the process of measuring information exchange and supporting it is new, or conversely, has been incorporated into the work practice of the organization..

The relationship between "what to share" and "with whom to share" is that if the organization's operational work practices are similar, then the organization can only achieve high-level sharing details (and highly automated sharing) - that is, if they have: no professional uncertainty in their work, and their work methods are not diverse, they have a firm commitment to share, and can determine the sharing practices. On the contrary, if groups are diverse in their operational practices, or if they do not trust sharing relationships, they cannot agree on high levels of detail and therefore cannot maintain automated sharing.

Understand the Blaise framework of diversity of work practice, and provide us with a way to understand the root cause of sharing participants. First and foremost, these three groups face different threats and have different defensive priorities. For example, members of the apt organization track attacks that threaten attackers, and members of the theft group do not (and should not, because doing so diverts resources from their primary threats). In blind terms, these groups have a high degree of diversity. So it's impossible for them to agree on what kind of information they can share.

Theft and apt also showed a high degree of cooperative resistance. Apt group members do not trust the operation security behavior of theft groups, and resist sharing information with them, fearing that the information will be leaked to apt threat attackers.

We describe these relationships in the figure below. Optimal information sharing efforts occur along diagonal boundaries, only when there is an appropriate balance between what (details) to share and who (diversity) to share.

There are two main influences on the quality of information sharing in Regional Sharing organizations. First of all, this characterization clearly expresses the main failure of information exchange, that is, trying to share too much detail among too diverse stakeholders.

Secondly, this feature emphasizes two main methods of information sharing initiatives. Limit the number of details shared, or the diversity of details involved (in terms of operational practices). Even so, this representation shows that some professional groups can not share information directly and effectively.

Initial contacts with Regional Sharing organizations indicate that there are often members from all categories of groups. This means that the operational diversity among members is much higher than that of industry-based sharing organizations. The diversity of ideas and experiences discovered by RSOs can be used as a resource, but designers must try to identify and manage diversity so that sharing is effective.

Therefore, the main approach is to group within a shared organization based on the type of organization, as this helps to ensure that business practices are more closely aligned. If grouping of this nature can be determined, more detailed sharing within these groups can be promoted, and more detailed grouping forms can be considered.

(5) Blacke analysis of Regional Sharing organizations

The first and most important step for a regional sharing organization is to recognize that its members (or a collection of potential members) can be divided into three groups - the sabotage group, the theft group, and the apt group. In terms of information sharing, these kinds of groups should be considered different. These differences, if not recognized, cannot be managed and can easily place regional shared organizations in infeasible areas.

There are two ways to get out of the infeasible zone: reduce diversity or detail. This leads to three main recommendation strategies of Regional Sharing organizations. The first is to intentionally reduce the number of diversity among its members by focusing on a group (sabotage, theft, or APT) and limit its members to that group. This method will help to share structural intelligence reports meaningfully, so as to improve situation awareness among members. By working hard, this approach may gradually mature to support automatic sharing.

The second is to deliberately lower the level of detail to share. This can be done through face-to-face meetings and desktop exercises to focus on providing (people to people) communication channels and building readiness and trust among members. Continue to automate sharing, and even continue to share structured intelligence reports. Instead, the focus is on promoting effective collaboration among the various members.

The third and most ambitious approach is to combine the above. There are three (or two) types of organization members (depending on the members), and each organization is divided by category. Then, we should promote the regular and highly detailed sharing of threat intelligence among organizations. In addition, sharing organizations can promote effective and specific cooperation between groups by providing communication channels and through preparation and trust building activities (such as face-to-face meetings and desktop exercises).

We put forward important warnings about our classification into different groups. The organization's defense capabilities should directly and accurately match the level of threat they face. This is not always the case. On the one hand, because financial and human resources are usually too expensive to allow unreasonable network security expenditure, generally speaking, the organization's defense is higher than the threat it faces, which is not common. What's more, the defense capability is not enough to prevent the threats they face. In the latter case, we suggest that the organization improve the level of network security prevention, so as to effectively share activities with other organizations suffering from similar threats. Before that, the organization will be an invalid member of the prevention group, which is not conducive to threat information sharing. Therefore, we suggest that organizations group mainly according to their demonstrated capabilities, rather than using the threats they face as a means to achieve better sharing. In particular, we do not recommend that organizations be placed in unclassified groups of shared organizations, in the hope that experience will help them with their education. Education and improvement may come from participating sharing organizations, but education is not the main goal of sharing organizations, and sharing is.

Based on the above considerations, it is recognized that the differences between the preparation teams (assets, attackers, defense strategies and operational capabilities) provide the basis for developing more detailed concepts of operations (CONOPS) for information sharing among the same team members. Therefore, our final recommendation is to develop these CONOPS, especially for theft and apt group.

As a first step in developing a more formal CONOPS, we recommend sharing policies for each of the groups in the following sections. Experience has shown that the release of shareable information is the most important first step. Because sharing in a single preparation group is quite different from sharing across organizations, it needs to be considered separately. Note that successful automated machine sharing and structured human sharing depend on the operational capabilities of qualified managers.

5.1 apt preparation group: recommendation for information sharing

Sharing information about apt threats has a huge risk of information disclosure, which will enable apt attackers to understand the known and monitored processes, so that they can change their behavior. Therefore, members of apt group can only share with mature and reliable partners. With this, members of the apt group may be able to publish and share the following with other members of the apt group:

·Automatic machine sharing

Attack indicators related to potential 0day attacks (such as IDS signature)

Recommended COA

·Structured human sharing

Malware analysis results

Event alerts related to suspected 0-day attacks

Attacker analysis (e.g. identity and Technology)

Analysis method

Information on attack movement

·Special collaboration

Apt oriented collaborative event response activities

·Intermediary translation

State of the art best practices (e.g., active defense technology, advanced malware analysis).

There is no trust building between apt group members and members of theft and sabotage organizations. But in some cases, the benefits shared by apt group members will outweigh the potential risks; the white paper "APT1" above is an example. In this case, members of apt organization can publish and share the following content to members of theft and sabotage organization:

· automatic machine sharing

Attack indicators related to known attacks

·Structural human sharing

Bolo request

Request information (for example, have you seen this?)

Malware analysis results related to known malware

Event alerts related to known attacks

· special collaboration

Not sure

·Intermediary translation

Apt lessons learned

Theft oriented collaborative event response exercise.

5.2 theft preparation group: recommendation of information sharing

The theft attacker and the theft defender are in a state of competition when they publicly discover new vulnerabilities or attacks. Attackers attempt to develop or acquire attack tools that exploit new vulnerabilities while defenders wait for patch development, testing, and deployment. Members of theft organizations have the incentive to share with each other to increase their security products while waiting for their security product suppliers to respond to updates. Members of the theft organization may be able to publish and share the following with other members of the theft organization.

·Automatic machine sharing

Attack metrics related to known attacks (e.g. IDS signature)

Recommended COA (consumers will never execute COA without some approval process.)

·Structural human sharing

Bolo request

Request information (for example, have you seen this?)

Malware analysis results related to known malware

Event alarms related to known attacks

·Special collaboration

Collaborative event response activities

· intermediary translation

Best practices for theft oriented advanced technology

Theft oriented joint event response exercise.

Members of a theft group usually do not share information outside their preparation group, which can leak information to attackers. However, if there is not enough space, they will keep it for sharing. That is, if they think they are submitting useful information and others are not, they will have no incentive to continue to share the relationship. Sharing information with members of the saboteur organization is even more a problem, and they may not be able to respond to sharing at the same level. Members of the theft group may be able to publish and share the following with apt and members of the destruction group:

·Automatic machine sharing

Attack metrics related to known attacks (e.g. IDS signature)

Recommend COA (consumers will never perform COA without some approval process.)

·Structural human sharing

Bolo request

Request information (for example, have you seen this?)

Malware analysis results related to known malware

Event alarms related to known attacks

·Special collaboration

Joint event response activities focusing on theft or destruction

·Intermediary translation

State of the art technology theft oriented best practices

A joint event response exercise focusing on theft or sabotage.

5.3 damage preparation group: suggestions for information sharing

Members of the sabotage preparation organization may be able to publish and share the following with other members of any group.

· automatic machine sharing

Not sure

· structured human sharing

Request information (for example, have you seen this?)

Event alarms related to known attacks

·Special collaboration

False oriented joint event response activities

· intermediary translation

False oriented joint event response exercise.

(6) Conclusion and next work

We have applied two MITR frameworks to answer how to better manage regional sharing organizations and achieve more effective sharing. The first cyber prep framework allows organizations to categorize according to the types of cyber threats they face. Organizations facing similar network threats often have similar network defense status. Although cyber prep defines five different categories, interviews with participating threat analysts led us to simplify into three groups - vandalism, theft and apt. Of these three, the most common are theft and apt groups. The second framework, Blaise, argues that there is a balance between the amount of diversity among sharing partners (based on organizational practice) and the level of detail that can be effectively shared. Blaise further provides four shared patterns of classification - automated, structured, pattern specific, and mediation translation. Finally, we combine these two frameworks and give some concrete suggestions on the sharing model with high probability of success.

We hope that future work can continue. We identified three possibilities.

·First of all, although our proposal is based on the input and guidance of operation subject experts, it is worth carrying out in-depth case study on Regional Sharing organizations to implement the proposal and verify the effectiveness of sharing.

Second, although our analysis focuses on Regional Sharing groups and our recommendations are specific to them, we hope that the insights and methods of this paper will also be conducive to managing members of sector based sharing organizations.

·Third, although our research focuses on the sharing of network threat information, we believe that the combination of the views of network preparation framework (different according to different network threats) and Blaise (sharing methods should be selected according to similarities or differences) will be conducive to network security information and cooperation.

It is a continuous and iterative process to realize and maintain effective information sharing. Therefore, we suggest further study, apply these methods to regional sharing groups and monitor their impact, and hope to further develop effective sharing best practices. We also suggest further studies to determine the extent to which these methods can be applied to sector based shared organizations, or more broadly to general isaos.

Several figures in Appendix A