National Cybersecurity Information Sharing Network
Introduction
Information sharing and integration of cyber data are prerequisites for the protection of critical infrastructure providers. The National Cybersecurity Information Sharing Network (NCSISN) can be considered a “security exchange” for sensitive cybersecurity information. It provides a secure venue for sharing cyber threat indicators (data that identifies malicious cyber activity) with trusted partners, experts and authorities in real time.
The NCSISN is a national platform that supports integration and cybersecurity information sharing among critical infrastructure providers, including the private sector, to protect their data against breaches, attacks or loss. It also provides the ability for cross-sector monitoring of cyber threats and for cooperation between the critical infrastructure stakeholders.
The main features of the new platform are data flow, integration, information sharing and planned detection of cyber threats.
The National Cybersecurity Agency (NCSA) provides a platform that multiple cybersecurity stakeholders can use to implement rules and policies, collaborate with authorities, law enforcement and other stakeholders, share knowledge, monitor threats and act against them.
Objectives
Outcome
Strategic national defence and offense strategies, effective coordination among organizations, and continuous awareness of potential attacks.
The National Information Sharing Network:
- provides critical infrastructures with reliable information about cybersecurity risks,
- facilitates information exchange among stakeholders,
- alerts managers to emerging threats,
- promotes cooperation between organizations.
- In addition, NISPC organizes training courses for selected groups of users.
Strategic Layer
The main goal of the National Cybersecurity Information Sharing Network (NCSISN) is to increase the detection capability of its network members.
The following sub-goals have also been identified as drivers of the main goal:
- sharing indicators of compromise (IoCs),
- collecting sightings of shared IoCs,
- ensuring the quality of shared IoCs.
The desired outcome of sharing indicators of compromise (IoCs) is near-real-time information sharing between the network members. This outcome will be supported by the implementation of the MISP Threat Sharing (MISP) open-source threat intelligence platform.
The desired outcome of collecting the sightings raised on shared IoCs is near-real-time central reporting to the National Cybersecurity Agency (NCSA) of all sightings of shared IoCs detected on the network. This outcome will also be supported by the implementation of the MISP Threat Sharing (MISP) open-source threat intelligence platform.
The desired outcome of ensuring the quality of shared IoCs is to guarantee to the network members the accuracy and the value of the IoCs and sightings circulating on the network. This outcome will be supported by a quality management process.
All goals are under the responsibility of the National Cybersecurity Agency (NCSA) team. The NCSA team is composed of:
- a security analyst team, composed of experts with incident analysis capabilities, allowing the articulation and operationalization of indicators of compromise (IoCs) in the MISP Threat Sharing (MISP) open-source threat intelligence platform,
- an IT operation team, composed of experts with IT operation capabilities covering operating systems, network components and MISP management,
- a data analytic team, composed of experts with data analytic capabilities to ensure the continual quality management of the network. The analyzed data is composed of shared IoC attributes and of the related sightings.
NCSA operational excellence is vital to the sustainability of the network and to the members' trust in it. Operational excellence will ensure that near-real-time sharing of IoCs and collection of sightings is achieved. A secure network is a precondition of trust in the network. IoCs and sightings of value are also critical to ensure the long-term collaboration of the members in the network.
The National Cybersecurity Information Sharing Network (NCSISN), composed of multiple instances of the MISP Threat Sharing (MISP) open-source threat intelligence platform, is managed at the IT operational level by the IT operation department.
(ArchiMate diagram)
Motivation Layer
A National Cybersecurity Information Sharing Network (NCSISN) needs to be established at the national level to ensure information sharing allowing detection of cyberattacks against national interest like critical infrastructure.
The purpose of the NCSISN is to create a secure channel for exchange of information concerning cybersecurity incidents.
The continuous objective of the NCSISN is to increase the detection capabilities of its network members in order to reduce the potential consequences of cybersecurity incidents on national interests.
Stakeholders
The following stakeholders, representing their interests in the outcome of the network, have been identified:
- NCSA: National Cybersecurity Agency, sponsor of the project.
- Critical Infrastructure Operators: operators of critical infrastructures designated by law. Critical infrastructure operators are members of the network.
- CERTs / CSIRTs: Computer Emergency Response Teams and Computer Security Incident Response Teams. A CERT / CSIRT could be dedicated to one critical infrastructure operator (in-house or outsourced) or to a sector covering multiple critical infrastructure operators (e.g., a CERT dedicated to the health sector). CERTs / CSIRTs are members of the network.
- ISACs: Information Sharing and Analysis Centres provide central resources for gathering and sharing information on cyber threats. ISACs are most of the time dedicated to a specific sector. ISACs are members of the network.
Drivers
The following drivers, representing an external or internal condition that motivates the NCSA to define its goals and to implement the changes necessary to achieve them, have been identified:
- National Security: national security includes cybersecurity as a component.
- National Cybersecurity Strategy (NCS): the NCS has been developed by the government in collaboration with the private sector. The NCS includes a strategic point related to the National Cybersecurity Information Sharing Network (NCSISN) and assigns the responsibility for developing the NCSISN to the National Cybersecurity Agency (NCSA).
- National legislation: the national legislation gives the National Cybersecurity Agency (NCSA) the mission to protect critical infrastructures and to distribute appropriate information to the entities concerned. National legislation also requires critical infrastructure operators to implement appropriate security measures to protect national interests.
- Geopolitical situations: some geopolitical situations can increase the risk that national critical infrastructures become the target of cyber activities or of state-sponsored hackers.
Assessment
As of today, there is no cybersecurity information sharing network that can help to increase the detection capabilities of the critical infrastructures. The lack of such a network is a threat to the national interest in protecting critical infrastructures and the economy. A national cybersecurity situational view of ongoing attacks and threats is currently not available, which prevents effective coordination among impacted organizations and the promotion of continuous awareness of cyber-attacks.
Goals
The main goal is to enhance national security by increasing, in near real time, the capacity to detect cyberattacks and threats targeting critical infrastructure operators, supported by an information sharing network. A sub-goal is to provide, through the cybersecurity information sharing network, a near-real-time national overview of ongoing cybersecurity attacks and threats.
Outcomes
Identified outcomes are:
- Implementation of a secure information sharing network.
- Sharing of high-quality indicators of compromise (IoCs).
- All critical infrastructure operators being members of the network.
- All members actively reporting sightings on shared indicators of compromise (IoCs).
- Creating a national and sectoral situational view of ongoing cybersecurity attacks and threats.
Requirements
The following needs have been identified to achieve a successful National Cybersecurity Information Sharing Network (NCSISN):
- Implement a secure network to ensure the confidentiality, integrity and availability of the exchanged information and of the members.
- Ensure the quality of shared indicators of compromise (IoCs) to keep stakeholders engaged in the network and to ensure that the situational view of ongoing cybersecurity attacks and threats is representative.
Constraints
The following constraints that could prevent or obstruct the realisation of the main goal have been identified:
- Critical infrastructure operators may have no detection capabilities, which would prevent them from taking advantage of shared indicators of compromise (IoCs) and would prevent the National Cybersecurity Agency (NCSA) from collecting sightings on these IoCs.
- A lack of data analytic resources at the NCSA would not allow the NCSA to assess whether the IoCs proposed for sharing and the sightings reported by the network have value and do not lead to false positives. The situational view of cyber-attacks and threats would also be indirectly impacted by this lack of data analytic expertise.
Principles
The following principles must be implemented:
- Adhere to the network confidentiality charter. A confidentiality charter must be signed by the members, as sensitive data is shared.
- Follow standardized taxonomies for the description of indicators of compromise (IoCs). Standardized IoC documentation is necessary to ensure the coherence and quality of the shared information.
(ArchiMate diagram)
Business Layer
Motivation
Provide a collaborative infrastructure that facilitates accurate, complete, timely and actionable information sharing. This will enable members to mitigate risks proactively and to protect themselves from attack.
Business service
Information sharing is the main business service offered to the network members.
Business interfaces
The MISP Threat Sharing (MISP) open-source threat intelligence platform is the main business interface to the network members. MISP allows the sharing of indicators of compromise (IoCs) and of sightings.
Business processes
Information sharing
Information sharing is under the responsibility of the NCSA security analyst team.
The source of an unqualified information event (composed of indicators of compromise) can be a CSIRT / CERT, an ISAC or a critical infrastructure operator that is a member of the network and wishes to share the information with the other members. These business actors are identified as the submitter role.
The destination of a qualified information event (composed of indicators of compromise) can be CSIRTs / CERTs, ISACs or critical infrastructure operators that are members of the network. These business actors are identified as the receiver role.
Each unqualified information event submitted by a submitter must be published via the MISP business interface, which supports the articulation of the business processes under the responsibility of the NCSA security analyst team.
Each qualified information event validated by the NCSA security analyst team will be published via the MISP business interface to the receiver role.
The following business processes are under the responsibility of the NCSA security analyst team:
- Classification level validation: this process ensures that the proposed indicators have a defined Traffic Light Protocol (TLP) classification level. TLP allows the submitter to specify the confidentiality level required from the receiver. If the TLP level is not specified, the unqualified information event is rejected, and the rejection is notified to the submitter with documented reasons. If not rejected in this phase of the process, the unqualified information event proceeds to data model validation.
- Data model validation: this process ensures that the proposed indicators respect the MISP data model. If the MISP data model is not respected, the unqualified information event is rejected, and the rejection is notified to the submitter with documented reasons. If not rejected in this phase of the process, the unqualified information event proceeds to taxonomy validation.
- Taxonomy validation: this process ensures that the proposed indicators respect the proposed MISP taxonomies, which allow the modelling of classifications. If the proposed MISP taxonomies are not respected, the unqualified information event is rejected, and the rejection is notified to the submitter with documented reasons. If not rejected in this phase of the process, the quality of the unqualified information event is validated by the sandbox validation process.
- Sandbox validation: this process ensures that the proposed indicators do not trigger a large number of false positives (for example because the indicator is a popular resource) and are not deceptive indicators submitted to pollute the network. If the sandbox validation does not pass, the unqualified information event is rejected, and the rejection is notified to the submitter with documented reasons. If not rejected in this phase of the process, the unqualified information event is published to the network members for sharing.
- Event rejection: this process is triggered when an unqualified information event is rejected, becoming a rejected information event, by the classification level validation, data model validation, taxonomy validation or sandbox validation process. The rejection is notified via the MISP interface to the submitter with a documented reason for rejection.
- Event publication: this process consists of publishing a qualified information event to the network members identified as the receiver role.
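The validation chain above (classification level, data model, taxonomy) as an added example in Python; this is not code from the page or from the MISP project. The sample event, the accepted TLP tags, attribute types and taxonomy namespaces are assumptions made for the example; sandbox validation is out of scope here.

```python
import re

# Constructed sample event in MISP JSON layout (Event.Tag, Event.Attribute), not page data.
SUBMITTED_EVENT = {
    "info": "Phishing infrastructure report (constructed sample)",
    "Tag": [{"name": "tlp:amber"}, {"name": 'admiralty-scale:source-reliability="b"'}],
    "Attribute": [
        {"type": "domain", "category": "Network activity", "value": "login-portal.invalid"},
        {"type": "sha256", "category": "Payload delivery", "value": "ab" * 32},
    ],
}
# Assumed policy sets for this example; the page defines no concrete values.
TLP_TAGS = {"tlp:clear", "tlp:white", "tlp:green", "tlp:amber", "tlp:amber+strict", "tlp:red"}
ALLOWED_TYPES = {"ip-src", "ip-dst", "domain", "url", "md5", "sha1", "sha256"}
ALLOWED_NAMESPACES = {"tlp", "admiralty-scale", "estimative-language"}
TAG_PATTERN = re.compile(r'^([a-z0-9-]+):[^=]+(="[^"]+")?$')  # namespace:predicate[="value"]

def tag_names(event):
    return [t.get("name", "") for t in event.get("Tag", [])]

def validate_classification(event):
    """Classification level validation: exactly one valid tlp: tag is required."""
    tlp = [t for t in tag_names(event) if t.startswith("tlp:")]
    if len(tlp) != 1 or tlp[0] not in TLP_TAGS:
        return "classification level validation failed: expected exactly one valid tlp: tag"
    return None

def validate_data_model(event):
    """Data model validation: each attribute needs type, category, value and a known type."""
    for i, attr in enumerate(event.get("Attribute", [])):
        missing = {"type", "category", "value"} - set(attr)
        if missing:
            return f"data model validation failed: attribute {i} lacks {sorted(missing)}"
        if attr["type"] not in ALLOWED_TYPES:
            return f"data model validation failed: unknown attribute type {attr['type']!r}"
    return None

def validate_taxonomy(event):
    """Taxonomy validation: every tag must be a machine tag from an approved namespace."""
    for name in tag_names(event):
        m = TAG_PATTERN.match(name)
        if not m or m.group(1) not in ALLOWED_NAMESPACES:
            return f"taxonomy validation failed: tag {name!r} is not from an approved taxonomy"
    return None

def qualify_event(event):
    """Run the validation chain in the documented order; stop at the first rejection."""
    for step in (validate_classification, validate_data_model, validate_taxonomy):
        reason = step(event)
        if reason:
            return ("rejected", reason)
    return ("qualified", "passed classification, data model and taxonomy validation")
```

The returned reason string is what the event rejection process would forward to the submitter via the MISP interface.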
Data analytic
Data analytic is under the responsibility of the NCSA data analytic team and is triggered by a planned monthly review of all qualified information events shared on the network.
Data analytic is articulated around the following processes:
- Sightings review: this process reviews the quality of the sightings raised on the shared qualified information events to determine whether the events concerned can still be shared on the network or should be decommissioned from it.
- Lifetime review: this process ensures that the lifetime of the shared qualified information events is still accurate. A shared qualified information event that is too old loses its pertinence whether or not sightings have been reported on it. If the qualified information event concerned is too old, it is decommissioned from the network.
- Context review: this process ensures that the context of the shared qualified information events is still accurate. Following the reported sightings, the context may or may not still be accurate. If the initial context of the qualified information event concerned is no longer accurate, it is decommissioned from the network.
- Event decommission: this process decommissions the qualified information event from the network. The decommission is notified via the MISP interface to the submitter with a documented reason for decommission.
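The monthly data analytic review (sightings, lifetime and context review leading to a decommission decision) as an added example in Python; this is not code from the page or from MISP. The sample events, the lifetime limit, the false-positive ratio and the context flag are assumptions for the example; only the MISP sighting type codes (0 = sighting, 1 = false positive) are real MISP values.

```python
from datetime import date

# MISP sighting types: 0 = sighting, 1 = false positive (2 = expiration, unused here).
SIGHTING, FALSE_POSITIVE = 0, 1
# Assumed review thresholds for this example; the page names no concrete values.
MAX_LIFETIME_DAYS = 90          # lifetime review: older events lose their pertinence
MAX_FALSE_POSITIVE_RATIO = 0.5  # sightings review: mostly false positives -> decommission
REVIEW_DATE = date(2024, 4, 1)  # date of the planned monthly review
# Constructed sample of qualified information events shared on the network.
SHARED_EVENTS = [
    {"id": 101, "published": date(2023, 12, 1), "context_valid": True,
     "Sighting": [{"type": SIGHTING}, {"type": SIGHTING}, {"type": FALSE_POSITIVE}]},
    {"id": 102, "published": date(2024, 3, 1), "context_valid": True,
     "Sighting": [{"type": FALSE_POSITIVE}, {"type": FALSE_POSITIVE}, {"type": SIGHTING}]},
    {"id": 103, "published": date(2024, 3, 15), "context_valid": False, "Sighting": []},
    {"id": 104, "published": date(2024, 3, 20), "context_valid": True,
     "Sighting": [{"type": SIGHTING}]},
]

def lifetime_review(event, today):
    age = (today - event["published"]).days
    if age > MAX_LIFETIME_DAYS:
        return f"lifetime review: event is {age} days old (limit {MAX_LIFETIME_DAYS})"
    return None

def sightings_review(event, today):
    sightings = event.get("Sighting", [])
    if not sightings:
        return None  # nothing reported yet: no evidence either way
    fp = sum(1 for s in sightings if s["type"] == FALSE_POSITIVE)
    if fp / len(sightings) > MAX_FALSE_POSITIVE_RATIO:
        return f"sightings review: {fp}/{len(sightings)} reported sightings are false positives"
    return None

def context_review(event, today):
    # The analyst's judgement on the initial context is a flag on the constructed sample.
    return None if event["context_valid"] else "context review: initial context no longer accurate"

def monthly_review(events, today):
    """Return {event id: (decision, documented reason)} for each shared event."""
    decisions = {}
    for event in events:
        checks = (lifetime_review, sightings_review, context_review)
        reasons = [r for r in (check(event, today) for check in checks) if r]
        decisions[event["id"]] = (("decommission", "; ".join(reasons)) if reasons
                                  else ("keep", "still accurate and of value"))
    return decisions

def run_review():
    return monthly_review(SHARED_EVENTS, REVIEW_DATE)
```

The documented reason per decommissioned event is what the event decommission process would send to the submitter.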
(ArchiMate diagram)
Application Layer
MISP Threat Sharing (MISP) open-source threat intelligence platform is the main interface used in the project. MISP is developed by a third party.
Application services:
- Submit unqualified information event.
- Collect qualified information event.
- Collect rejected unqualified information event.
Application components:
(ArchiMate diagram)
Technology Layer
(ArchiMate diagram)
Risk and security
Conclusion