CTX Enhanced can help improve an organization’s ability to obtain timely, consumable, actionable cyber threat information and make it available to a larger audience, which makes that information a much more valuable resource in defending a larger ecosystem against attacks.
Any organization meeting the program requirements (summarized below) can request to participate in the program. Once participation is requested, a representative will be in contact to review the requirements, organizational capabilities and answer any questions.
In addition, for organizations that do not have the technical capabilities to meet the requirements, HITRUST may provide, free of charge, Deep Discovery Technology from Trend Micro® and associated installation, training, support and HITRUST CTX integration to enable their participation. When requesting participation, please indicate you would like to receive the technology assistance.
Summary Program Requirements
The specifics and expectations for IOC sharing include the ability of an organization to detect cyber threat activity, the time it takes to share IOCs, and the level of detail associated with the IOCs.
- Organizational Cyber Security Detection Effectiveness
Organizations should deploy technology with a security effectiveness above 90%, as defined by NSS Labs Breach Detection Systems (BDS) Testing. The technology should be deployed to evaluate at least 50% of an organization’s inbound and outbound SMTP, HTTP, HTTPS, FTP, and IM traffic. Cyber Security Detection Effectiveness is defined as the ability to accurately detect and log IOCs and attempted breaches with a high level of confidence, so that false positives are avoided. Detection must include accurately and effectively identifying exploits, malware, and offline infections. HITRUST CTX leverages the methodology developed by NSS Labs for their Breach Detection Systems (BDS) evaluation.
- Timeliness of Submission
Organizations should be capable of submitting IOCs to HITRUST CTX within 10 minutes of detection. Submission can occur through an API or Threat Stream Optic Link.
- Required IOC Attributes
For cyber threat intelligence sharing to be most effective, the IOCs must include a level of detail that addresses the salient facts about the threat, allows the recipient to understand if and how the threat may affect them, and, if appropriate, allows them to implement defenses or countermeasures. Submitted IOCs are expected to contain no information about the submitting entity other than its organizational type.
The proposed IOC dataset includes:
- Confidence: Numerical value representing indicator confidence (0-100)
- Type: Type of indicator (URL, IP, Domain, File, Email Address, etc.)
- Classification: Classification level of the indicator (Public, Private)
- Severity: Severity of the associated threat (Low, Medium, High, Very High)
- Metadata: Contextual information associated with the indicator (Threat Name, Source, Threat Type, etc.)
- Value: The indicator value
- CTX Trust Circles: Areas within CTX the IOC should be shared
- Threat Score: Calculated
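An illustrative pre-submission check against the proposed dataset above and the 10-minute submission window, written as an added example (not HITRUST or CTX code); the field names, the submitter-identifying metadata keys and the sample records are assumptions, and Threat Score is left out because the page gives no formula for it.

```python
from datetime import datetime, timedelta, timezone

# Allowed values and attributes, taken from the program description above.
IOC_TYPES = {"URL", "IP", "Domain", "File", "Email Address"}
CLASSIFICATIONS = {"Public", "Private"}
SEVERITIES = {"Low", "Medium", "High", "Very High"}
REQUIRED = ("confidence", "type", "classification", "severity",
            "metadata", "value", "trust_circles")
SUBMISSION_WINDOW = timedelta(minutes=10)
# Assumed metadata keys that would identify the submitter (only org type is allowed).
SUBMITTER_KEYS = {"organization_name", "submitter", "contact_email"}


def validate_ioc(record, detected_at, submitted_at):
    """Return the problems found in one IOC record; an empty list means acceptable."""
    problems = [f"missing attribute: {f}" for f in REQUIRED if f not in record]
    if problems:
        return problems
    conf = record["confidence"]
    if not isinstance(conf, int) or not 0 <= conf <= 100:
        problems.append("confidence must be an integer in 0-100")
    if record["type"] not in IOC_TYPES:
        problems.append(f"unknown indicator type: {record['type']!r}")
    if record["classification"] not in CLASSIFICATIONS:
        problems.append("classification must be Public or Private")
    if record["severity"] not in SEVERITIES:
        problems.append(f"unknown severity: {record['severity']!r}")
    if not record["trust_circles"]:
        problems.append("at least one CTX trust circle is required")
    leaked = SUBMITTER_KEYS & {k.lower() for k in record["metadata"]}
    if leaked:
        problems.append(f"metadata reveals submitter: {sorted(leaked)}")
    if submitted_at - detected_at > SUBMISSION_WINDOW:
        problems.append("submitted more than 10 minutes after detection")
    return problems


# Constructed sample records (not real indicators).
DETECTED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = {"confidence": 85, "type": "Domain", "classification": "Private",
        "severity": "High", "value": "malicious.example",
        "metadata": {"threat_name": "ExampleLoader", "source": "BDS sensor",
                     "threat_type": "malware", "org_type": "Provider"},
        "trust_circles": ["Healthcare"]}
BAD = dict(GOOD, confidence=120, severity="Critical",
           metadata={**GOOD["metadata"], "organization_name": "Acme Health"})


def demo():
    """Validate both samples; BAD also misses the 10-minute window."""
    return {"good": validate_ioc(GOOD, DETECTED, DETECTED + timedelta(minutes=3)),
            "bad": validate_ioc(BAD, DETECTED, DETECTED + timedelta(minutes=25))}
```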