NIST Sets Out Draft Guidelines for Sharing Cyberattack Information

A FierceHealthIT article reports that the National Institute of Standards and Technology (NIST) has created draft guidelines to help organizations when sharing cyberattack information. The document is called Guide to Cyber Threat Information Sharing.

The article says this is a way for healthcare providers to help each other, but the guidelines can be applied to other organizations in various fields too.

Christopher Johnson, lead author of the guidelines, spoke about the draft in an announcement, quoted in the article.

“By sharing cyber threat information, organizations can gain valuable insights about their adversaries,” he said. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise.”

According to a Federal Times article, the NIST document states:

“Organizations should move from informal, ad hoc, reactive cybersecurity approaches where the organization operates in isolation to formal, repeatable, adaptive, proactive, risk-informed practices where the organization coordinates and collaborates with partners. Through the aggregation and analysis of information from internal and external sources the organization can build richer context about activities on its networks, identify campaigns or better detect blended threats (i.e. threats that use multiple methods of attack). This enrichment process allows ambiguous data to be transformed into actionable information.”

Here are some of the NIST recommendations as they were printed in the FierceHealthIT article:

  • Perform an inventory: Organizations should understand where critical information is kept, who owns it, how to protect it and when it can be shared. Some factors when sharing data that should be considered: Risk of disclosure; the urgency and need for sharing; benefits gained by sharing; sensitivity of information
  • Exchange tools and techniques with others: Groups should coordinate and collaborate with one another. Instead of operating in isolation, they should have adaptive, proactive and risk-informed practices.
  • Use open and standard data formats: Standard formats and protocols allow for interoperability and a rapid exchange of information. Organizations should use formats that are widely known and easily accessible as well as secure, according to the guidelines.
  • Ensure resources are available: Providers must consider the possibility of sharing personnel, training and hardware. “Organizations must have a sustainable approach that provides the resources needed for ongoing participation to achieve sustained benefits from information sharing activities,” according to the authors.

By the way, according to FierceHealthIT, NIST is looking for organizations to comment on the draft document by November 28. NIST will then release a final version of the document.

 

For the FierceHealthIT article, click here: http://www.fiercehealthit.com/story/nist-releases-draft-guidance-sharing-cyberattack-info/2014-11-13
For the Federal Times article, click here: http://www.federaltimes.com/article/20141111/FEDIT03/311110016/Advantages-pitfalls-sharing-data-cyberattacks
The NIST draft guidelines can be accessed here: http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf