Cybersecurity Intelligence Sharing

As the threat landscape continues to evolve, one way to better understand the current threats affecting your sector and region is to share information and experiences with peers. Intelligence, when combined with proactive technical defenses and organizational training, may reduce an organization's risk, both the likelihood that a threat succeeds and the time needed to recover. To share threat information effectively, include details where appropriate and legal. Tips for providing valuable intelligence include:

Share only known and confirmed information.

Threats originating from a reputable organization: To aid in containment of the threat, notify the originating organization. When notifying the sender organization of a suspected business email compromise, include the sender’s email account, email subject details, email receipt time, and any other relevant information. Attempt to notify the organization’s technology support staff.

Consider the appropriate audience and clarify if the information can be re-shared. (See federal Traffic Light Protocol for examples of information sharing classifications.)

Searchable Email Subject: For phishing attempts, what does the subject contain that could be used by other organizations to search for that message? (Replace personal or individualized information with a general description.)

Example: Subject Contains: Fax message for [recipient name] [random additional text]

Sender Email Address: Before sharing information about the sender address, determine the actual sender’s address. Information to gather: Was the email address spoofed? Is this a known or suspected business email account compromise? Obfuscate the email address for compromised or malicious accounts.

Example: Sender account: abc[at]xyz[dot]org

Malicious Links: Obfuscate malicious links or domains when sharing details of a threat.

Example: Malicious domain: xyxsite[dot]com

Prior notifications: If the sender’s account is suspected to be compromised, include whether or not the sender organization has been notified of the potentially compromised account.

Victim experience: Confirmed information regarding the experience of the victim or user. (What happens if the link is clicked, the site is visited, etc.?)

Timeframe: Any known information regarding how long the threat actor had access to accounts, if appropriate to share.
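The Sender Email Address and Malicious Links tips above both call for obfuscating ("defanging") indicators before a report leaves the organization. The following is an added example, not part of the original page, of a small helper for the [at]/[dot] convention the page uses: it defangs a draft report, refangs a peer's indicators for local searching, and checks a draft for indicators that are still clickable. The report text is constructed sample data, and the regexes are simple by design (IP addresses and URL schemes are not handled).

```python
import re

# Simple patterns for email addresses and domains (assumption: hostnames ending in a
# two-or-more-letter TLD; bare IP addresses and http(s):// schemes are not covered).
EMAIL_RE = re.compile(r'\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b')
DOMAIN_RE = re.compile(r'\b(?:[\w-]+\.)+[a-z]{2,}\b', re.IGNORECASE)

# Constructed sample report, reusing the page's own example indicators.
SAMPLE_REPORT = (
    "Phishing from abc@xyz.org; subject 'Fax message for [recipient name]'. "
    "Link leads to xyxsite.com, a credential harvesting page."
)


def defang(indicator: str) -> str:
    """Make an email address or domain non-clickable: '@' -> '[at]', '.' -> '[dot]'."""
    return indicator.replace('@', '[at]').replace('.', '[dot]')


def refang(indicator: str) -> str:
    """Reverse defang() so an indicator received from a peer can be searched for locally."""
    return indicator.replace('[at]', '@').replace('[dot]', '.')


def find_live_indicators(text: str) -> list[str]:
    """Return email addresses and domains that are still clickable in a draft report.

    Emails are collected and blanked out first so their domain part is not reported twice.
    """
    hits = EMAIL_RE.findall(text)
    hits += DOMAIN_RE.findall(EMAIL_RE.sub(' ', text))
    return hits


def defang_report(text: str) -> str:
    """Obfuscate every live email address, then every live domain, in a report."""
    text = EMAIL_RE.sub(lambda m: defang(m.group(0)), text)
    return DOMAIN_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == '__main__':
    print('Live indicators in draft:', find_live_indicators(SAMPLE_REPORT))
    shareable = defang_report(SAMPLE_REPORT)
    print('Shareable report:', shareable)
    # A pre-share check: an empty list means nothing clickable is left in the text.
    print('Remaining live indicators:', find_live_indicators(shareable))
```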

Threat actors function in highly organized environments. Relevant intelligence sharing allows organizations to leverage the power of a larger group to help defend against these threats.