Intelligence sharing: A Rick the Toolman episode.
In J.R.R. Tolkien’s classic novel, “The Fellowship of the Ring,” Gandalf the Grey, after months of research and analysis, makes a discovery. He realizes that the Bilbo-Baggins-magic-invisibility-ring, the one that Bilbo used to trick Gollum into showing him the way out of the caves underneath the Misty Mountains, is in reality, the “one ring to rule them all.” This is the singular weapon that the big bad guy, Sauron, could use to conquer all Middle Earth but, if the ring is destroyed by the good guys, would take Sauron off the board.
This makes Gandalf the Grey the first intelligence analyst ever portrayed in a fantasy novel. I'm just saying.
Gandalf, and another member of the Wise, Elrond the Halfelven, make the extraordinary decision to share that intelligence with a loose group of frenemies: select members of the White Council, various elf clans, hobbits, dwarfs, and men. This group represents a set of competing interests. The participating members don’t hate each other per se, but also don’t invite each other to dinner parties either. Let’s just say that they agree to disagree on many things. But in this one thing, this singular monumental task, the destruction of Sauron, their interests are completely aligned. It makes total sense to share that key piece of intelligence to facilitate working together to accomplish it.
And that is the perfect analogy to the current state of cyber security intelligence sharing today. Even if we compete in the business world on all things, we can come together and cooperate to defeat a common threat. In the business world for example, a set of banks ruthlessly battle against each other in the marketplace. But criminals engaged in cyber crime and cyber fraud don’t just impact a single victim bank. When they are successful, they impact the entire industry. It causes customers to lose faith in the system, to be afraid of it, to not spend their money in it. The same is true for nation-states trying to ruin or degrade an enemy by attacking that country’s financial system. Those attacks don’t just hurt the victim bank and the financial sector, they reverberate across the entire nation. It makes people start to distrust the entire banking system. That’s why It makes total sense for the banking community and the government to share cyber threat intelligence with each other so that they can work together to defeat this common-to-all enemy.
All of that sounds great when you say it fast, but there is friction in the system. Just because we all agree that there is a common threat doesn’t negate the trust issues we have with our frenemies. It’s tough to hold these loose intelligence sharing alliances together or make them useful. Even the “Fellowship of the Ring” in the Tolkien story disbanded at the end of the first book because of trust issues.
The question then is, what is working today in cyber threat intelligence sharing? What is the current state and what are the next steps to making the system more useful? It’s time to break out the Rick-the-Toolman toolbox and look under the hood.
The shot heard around the world.
At around 8:30 p.m. on November 2, 1988, a 23-year-old Cornell University graduate student named Robert Tappan Morris released the Morris worm. According to the FBI, within 24 hours, 10% of the existing 60,000 internet facing computers at the time became incapacitated. The Morris Worm marked the first global use of a destructive Internet worm and it was clear that nobody had anticipated that bad guys would use the entire internet for malicious purposes. Impacted administrators were mostly on their own to deal with the problem because no formal relationships had been established yet to deal with incident response. And, they couldn’t communicate anyway because their internet connection was down.
The first CERTS.
In the aftermath, DARPA (the Defense Advanced Research Projects Agency, a science and technology organization of the US Department of Defense) sponsored Carnegie Mellon University to establish the initial CERT/CC (Computer Emergency Response Team/Coordination Center) in 1988 to orchestrate and share information regarding incident response for global events. And the idea of CERTs started to catch on. They became so popular that by 1990, the FIRST organization was founded to coordinate incident response and security teams from every country across the world. According to Rich Pethia, the first CERT/CC director, one of his missions was to help the military services build their own CERTS, which they did. The U.S. Air Force established the AFCERT (Air Force Computer Emergency Response Team) in 1993. The other services followed suit soon thereafter. By 1998, the military CERTS contributed to the eventual stand-up of the Joint Task Force - Computer Network Defense (JTF-CND).
The first ISACs.
By the late 1990s though, many security practitioners began realizing they needed a more robust information sharing framework, something that was bigger then just responding to global incidents like the Morris worm. Y2K was approaching and it represented another global existential threat not only to the internet but to business computing in general. According to Investopedia, Y2K (Year 2000) referred to the anticipated “widespread computer programming shortcut that was expected to cause extensive havoc as the year changed from 1999 to 2000.” Cobol programmers used only two digits to represent dates in the early days, not four, and IT experts expected that millions of lines of business logic code would break on the new year.
In anticipation of Y2K and other factors (like Solar Sunrise attacks earlier in the year), U.S. President Clinton established the ISAC system, the information sharing and analysis center framework, when he signed Presidential Decision Directive-63 (PDD-63) on May 22, 1998. He aligned the ISACs specifically around designated critical infrastructure sectors and intentionally didn’t mandate specific requirements in order to encourage innovative information sharing approaches.
Out of all the ISACs that formed in those first years, the FS-ISAC (Financial Sector ISAC) emerged as the most organized and most resourced in the next decade. Leadership from across the banking sector lended their big thinkers and doers to the project. Denise Anderson, currently the President and CEO of the Health ISAC, was employee number two at the FS-ISAC after the organization hired its first CEO, Bill Nelson. Bill hired Denise as a kind of COO to corral all of the cats. According to Denise, Bill liked the idea that she was a volunteer firefighter and understood the importance and gravity of first responders.
According to Denise, the success of the FS-ISAC depended on visionary leaders who believed in the concept of information sharing. They built trust by insisting that their organizations contribute. People like Byron Collie (Wells Fargo and later Goldman Sachs), Jason Healey and Phil Venables (both at Goldman Sachs), Mark Clancy and Gary Owen (both at Citigroup) led by example and insisted that their organizations shared intelligence with the FS-ISAC membership.
I know how important leadership by example is. I helped found the Cyber Threat Alliance back in 2012, the first Information Sharing and Analysis Organization (ISAO) for security vendors. More on ISAOs in a bit, but one of the guiding principles of the Cyber Threat Alliance was that every member had to share intelligence everyday and we kept track of how much. The mandate I gave to my team at Palo Alto Networks was that we would always be the number one contributor at the end of the day. When I got the numbers, I would make fun of the other Alliance members for being contributing slackers. The next day, they would be atop the leaderboard making fun of me.
Errol Weiss, Denise’s CSO at the Health ISAC today was also heavily involved with the FS-ISAC at the beginning. He worked for SAIC at the time and Bill Nelson and Denise Anderson chose SAIC as the first contractor to run their SOC. And to prove the point that the infosec community is a small place, SAIC vacated the SOC contract in 2006 to be filled by Verisign/iDefense, an organization that I was just hired to run. Errol and I missed working together at iDefense by inches. That said, Errol went on to work for Mark Clancy and Gary Owen at Citigroup and followed their lead about building trust with the FS-ISAC members.
Traffic Light Protocol.
Even with Citigroup, Goldman Sachs and Wells Fargo leading by example, establishing trust between FS-ISAC members was a difficult task. According to both Denise and Errol, one of the key innovations that helped was the formalization of the Traffic Light Protocol.
The National Infrastructure Security Coordination Centre in the UK (now called the Center for the Protection of National Infrastructure - CPNI), developed The Traffic Light Protocol (TLP) as a method for labeling and handling shared sensitive information. Bill Nelson and Byron Collie attended a meeting in London at Mi5, heard about the protocol, and brought it back to the FS-ISAC.
According to Eric Luiijf and Allard Kernkam in a paper titled, “Sharing Cyber Security Information Good Practice Stemming from the Dutch Public-Private-Participation Approach,” TLP provides a simple method for labeling and handling shared sensitive information. “One of the key principles of the TLP is that whoever contributes sensitive information also establishes if and how widely the information can be circulated. The originator of the information can label the information with one of four colors
- RED – Restricted to a need-to-know subset of the group.
- AMBER - Adding additional members who need to take action.
- GREEN - Everybody in the group.
- WHITE – Public information
According to Denise and Errol, Jim Routh (the CISO at the Depository Trust & Clearing Corporation at the time) was instrumental in formalizing the FS-ISAC Stop Light Protocol. That meant that every communication between members through the FS-ISAC portal had to be labeled with the proper color. By doing so, every FS-ISAC member felt less anxiety about sharing intelligence with the group because they all saw that there were formalized processes for handling sensitive information.
According to Denise, with the success of the TLP, The First Organization, the coordinator for all CERTs internationally, picked up the best practice for their incident response missions. Today, TLP is a standard best practice for most sharing organizations.
According to Errol, at this point, all ISACs were sharing information on cyber incident response events, best practices around combatting existential threats like Y2K, and general best practices for what everybody else was doing in the space.
With the formalized procedures in place to share intelligence with other members–the how–the next question was what were they going to share, the intelligence and information that was going to be the reason that members joined. Jason Healey and Byron Collie established the foundational FS-ISAC threat intel committee in the early 2000s, a convergence of threat intelligence and SOC operations. This influential group provided the value that all FS-ISAC members wanted.
The first Fusion Centers.
The U.S. Congress passed the Intelligence Reform and Terrorism Prevention Act to provide regional situational awareness and analysis (including cyber) at both the state and city levels. The nexus for that activity in each location is called a Fusion Center. According to the the Florida Department of Law Enforcement this year (2022), “Fusion centers were established following the terrorist attacks of September 11, 2001 to connect-the-dots between critical information housed in different agencies and share information and intelligence to aid in protecting communities.” As of this writing, 79 fusion centers have been established in the U.S.
The first ISAOs.
Arguably, the FBI founded the first Information Sharing and Analysis Organization (ISAO) in 1996, although the community wouldn't have a name for it until two decades later. They called it the InfraGard National Members Alliance, or InfraGard National, and designed it to facilitate information sharing between law enforcement and the private sector. InfraGard isn’t a CERT, although it does some of the same things a CERT does, and it isn’t an ISAC because it doesn’t service one of the U.S. government’s critical infrastructure sectors. It’s a different thing. The FBI was way ahead of its time in establishing InfraGard by realizing that other communities of like minded people might want to share intelligence on their communal set of existential threats, in this case cyber crime.
In 2015, U.S. President Obama signed Executive Order 13691 establishing the Information Sharing and Analysis Organization (ISAO) framework that made it legal to share information about cybersecurity incidents without fear of prosecution. ISAOs are sector-agnostic and can be any group of like-minded organizations, like the Cyber Threat Alliance. The Executive Order also established a funding path for an ISAO standards organization. I actually worked as the Co-Chair to the Security and Privacy Committee to help get it started. As of this writing, there are just over 90 ISAOs officially registered with the ISAO standards body.
U.S. Government sharing programs.
According to Bruce Bakis and Edward Wang over at the MITRE Corporation, the Department of Homeland Security (DHS) is the epicenter of the U.S. cyber information-sharing ecosystem. In 2018, U.S. President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act which established the Cybersecurity and Infrastructure Security Agency (CISA) inside of DHS. According to the department’s official website, CISA coordinates cybersecurity defense for the federal government, acts as the incident response execution arm for the national cyber defense, and owns the responsibility of intelligence sharing. The National Cybersecurity and Communications Integration Center (NCCIC) and the United States Computer Emergency Response Team (US-CERT) work for CISA.
CISA manages four formal information sharing programs, one at the senior leadership level (the Joint Cyber Defense Collaborative) and three at the operator level.
Joint Cyber Defense Collaborative (JCDC): Established in August 2021 to enhance collaboration with the private sector, one of the six pillars of the Cyberspace Solarium Commission, is a group of public and private sector organizations as well as federal and SLTTs (State, Local, Tribal, and Territorial Government entities) designed to bring senior leaders from the government and the commercial sector together to collaborate on global issues. Their first success story was how the group responded to the log4J crisis in 2021 and 2022.
Enhanced Cybersecurity Services (ECS): Initially intended for Communications Service Providers (CSPs), President Obama’s Executive Order 13636 in 2013 expanded the service to the 16 critical infrastructure sectors and to their corresponding customer bases. DHS shares sensitive and classified cyber-threat information with accredited organizations through automated means.
Cyber Information Sharing and Collaboration Program (CISCP): DHS shares unclassified information exchange through trusted public-private partnerships across all critical infrastructure sectors.
The DHS Automated Indicator Sharing (AIS) program: provides unclassified, bidirectional, machine-to-machine sharing of cyber-threat indicators between the NCCIC and the private-sector, ISACs, ISAOs, public-sector, and international partners and companies.
These are all great mechanisms to share and collaborate on threat intelligence between the U.S. Government and the private sector. The criticism of these programs is that the intelligence that the government shares has not been that usefu,l and has mostly been shared manually. The AIS program automated the process with STIX and TAXII, but the quality of the intelligence was so low from the government side that most commercial organizations didn’t bother with it. The commercial side of the JCDC is a collection of high end security and cloud providers (like AWS, Cisco, Crowdstrike, Microsoft, and Palo Alto Networks, as of this writing, 21 in all) but the information sharing mechanisms are zoom calls and email. There has to be a better way
What should we be sharing and how?
The bulk of information sharing even today centers around identifying new technical threats like zero -day vulnerabilities and exploits, new malware, and other kinds of ephemeral indicators of compromise (IOCs) like bad IP addresses. These are not useless per se, but they are endless, likely have no bearing on what our cyber adversaries are actually using, or the adversaries change them so often that blocking them is not helpful.
For example, according to Barclay Ballard at TechRadar last year (2021), out of the 18,000 + vulnerabilities discovered in 2019, only 473 “were exploited in a way that was likely to impact businesses.” For the math-challenged out there, that’s only 3 percent. If the primary purpose of our infosec program was to patch vulnerabilities as they were discovered, all 18,000 of them, we might be wasting resources on stuff that doesn’t matter. I'm just saying.
The cybersecurity community started re-thinking that idea starting in 2010, with the Lockheed Martin Kill Chain paper. The researchers realized that adversaries have to string a bunch of actions together in order to be successful. If we can break that chain, the kill chain, anywhere along that sequence, we could defeat the adversary. In other words, we should be designing defenses to defeat the adversary’s objectives, not stop every potential malicious tool that pops up. The intelligence we should be sharing with each other is the attack sequence for all known adversary groups. In 2011, the Department of Defense published their Diamond Model paper that outlined adversary activity events as relationship pairs at each phase of the kill chain across four elements: adversaries, capability, infrastructure and victims. This gave intelligence analysts a road map for what intelligence they should be collecting. Finally, in 2013, MITRE rolled out their first version of the ATT&CK framework, standardizing the language we all use to describe adversary behavior but also publishing a free-to-use open source collection of all known nation state adversary playbooks. In other words, they published the tactics, techniques and procedures for the known nation state actors like Fancy Bear and Sandworm, across the intrusion kill chain.
All we have to do now is start sharing intelligence with this in mind. As a community though, we were slow to respond and adapt to this new paradigm. We continued to simply share IOCs because that’s easier to do. That started to change in 2018. The FBI indicted the Russian military personnel responsible for the hacks against Secretary Clinton, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee ( DCCC) in 2016. In the indictment, in an unprecedented release of government intelligence, the FBI laid out the complete set of tactics, techniques, and procedures across the intrusion kill chain that the Main Intelligence Directorate of the Russian General Staff (the GRU) used in the attacks. That’s progress.
In February 2022, two days after Russia began its military invasion of Ukraine, CISA released its first Shields Up warning for US-based organizations, stating: “Every organization—large and small—must be prepared to respond to disruptive cyber activity.” In March, they released the entire Russian adversary playbook, everything the Russians have done in cyberspace to the U.S. and international Energy Sector from 2011 to 2018 across the intrusion kill chain using the MITRE ATT&CK framework model. And in May, they updated the Russian playbook with new intelligence regarding multi factor authentication protocols. This is the kind of intelligence we need to share.
What’s the future of cybersecurity information sharing?
As of this writing, the MITRE ATT&CK framework tracks some 150 nation state actor groups. Microsoft, last year, said that they track about 100 different cyber crime groups. Imagine if we, as a community, could automatically keep both databases up to date in real time by collecting Diamond Model level of intelligence across each phase of the intrusion kill chain. Once established, each organization could automatically download updates to each new tactic, technique, and procedure discovered, and automatically deploy prevention and detection controls to whatever we have deployed in our own security stack. The U.S. government would automatically share new adversary playbook intelligence with the JCDC, the ISACs, the ISAOs, and the Fusion Centers through their various information sharing programs. According to both Denise and Errol, this kind of automation is the next big thing and something we should all be striving for.
That would be nirvana. Or better, a clear path to the forges of Orodruin.
- The first CERT: In the aftermath of the Morris Worm—the first destructive Internet worm— DARPA (Defense Advanced Research Projects Agency, a science and technology organization of the US Department of Defense) sponsored Carnegie Mellon University to establish the first CERT/CC (Computer Emergency Response Team/Coordination Center).
- CERTs: FIRST was founded to bring together incident response and security teams from every country across the world to ensure a safe internet for all.
- CERTs: The Air Force established the AFCERT (Air Force Computer Emergency Response Team). The other services followed suit soon thereafter.
- The first ISAO: The FBI founded the InfraGard National Members Alliance, or InfraGard National, to facilitate information sharing between law enforcement and the private sector. ISAOs would not be an official thing until 2015.
- CERTs: The military CERTS contributed to the eventual stand-up of the Joint Task Force - Computer Network Defense (JTF-CND).
22 May 1998
- The first ISACs: U.S. President Clinton established the ISAC system, the information sharing and analysis center framework, when he signed Presidential Decision Directive-63 (PDD-63)
- CERTs: The United States Computer Emergency Response Team (US-CERT) initially formed. It eventually became the Computer Emergency Readiness Team.
- Traffic Light Protocol: The National Infrastructure Security Coordination Centre (NISCC), an inter-departmental center of the UK government (now Center for the Protection of National Infrastructure | CPNI), developed The Traffic Light Protocol (TLP), a method for labeling and handling shared sensitive information.
- DHS: US Congress established the Department of Homeland Security (DHS) combining 22 different federal departments and agencies into a unified, integrated Cabinet agency.
- DHS: DHS Assigned the responsibility for “responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”
- Fusion Centers: In response to 9/11, the U.S. Congress passes the Intelligence Reform and Terrorism Prevention Act to provide regional situational awareness and analysis (including cyber) at both the state level and major metropolitan level in the U.S.
- NCCIC: The National Cybersecurity and Communications Integration Center (NCCIC) created as a unified operations center combining the U.S. Computer Emergency Readiness Team (US-CERT), the National Coordinating Center for Telecommunications (NCC), and the Industrial Control Systems CERT.
- Kill Chain: Lockheed Martin’s Hutchins , Cloppert , and Amin publish “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" , the origination of the intrusion kill chain strategy.
- Kill Chain: Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, working for the US Department of Defense, published "The Diamond Model of Intrusion Analysis”, written around the same time that the Lockheed Martin research team published their intrusion kill chain model. The authors designed the Diamond model specifically for intelligence analysts to track adversary groups across the intrusion kill chain.
- Kill Chain: MITRE established the ATT&CK Framework , an extension of the intrusion kill chain model that operationalized the Lockheed Martin strategy document with adversary tactics, techniques, and procedures.
- The first ISAOs: U.S. President Obama, with Executive Order 13691, established the Information Sharing and Analysis Organization (ISAO) framework that made it legal to share information about cybersecurity incidents without fear
- ISAOs: Congress passes the Cybersecurity Information Sharing Act (CISA), the federal law that provides various protections to non-federal entities that share cyber-threat indicators or defensive measures with each other or with the Federal Government. CISA removes barriers that were impeding robust cyber information sharing in the U.S
- US sharing adversary Playbook intelligence: The U.S. Justice Department indicts members of two specific units of the Main Intelligence Directorate of the Russian General Staff—known by the acronym GRU—that are called Unit 26165 and Unit 74455, the first time a U.S. Government agency shared tactics, techniques, and procedures across the intrusion kill chain of an adversary playbook to the public.
- JCDC: The Cybersecurity and Infrastructure Security Agency (CISA) established the Joint Cyber Defense Collaborative (JCDC), a group of public and private sectors as well as federal and SLTT (State, Local, Tribal, and Territorial Government entities) to strengthen the nation’s cyber defenses through innovative collaboration, advanced preparation, and information sharing and fusion.
- Shields Up: Two days after Russia began its military invasion of Ukraine, CISA released its first Shields Up warning for US-based organizations, stating: “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
- US sharing adversary Playbook intelligence: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) release a joint Cybersecurity Advisory (CSA) to provide information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations using the MITRE ATT&CK framework.
- US sharing adversary Playbook intelligence: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) release a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability using the MITRE ATT&CK framework.
22 JUN 2020:
CSOP S1E12:: Cybersecurity first principles - intelligence operations
20 JUL 2020:
CSOP S2E1: Security operations centers: a first principle idea.
27 JUL 2020:
CSOP S2E2: Security operations centers: around the Hash Table.
- Hash Table Guests:
- Don Welch: Interim CIO of Penn State University
- Helen Patton: CISO for Ohio State University
- Bob Turner: CISO for the University of Wisconsin at Madison
- Kevin Ford: CISO for the State of North Dakota
- Link: Podcast
- Link: Transcript
- No Essay
30 AUG 2021
CSOP S6E7: Pt 1 - Cybersecurity first principles - adversary playbooks.
13 SEP 2021
CSOP S2E8: Pt 2 - Cybersecurity first principles - adversary playbooks.
- Hash Table Guests: None
- Ryan Olson, the Palo Alto Networks (Unit 42) Threat Intelligence VP
- Link: Podcast
- Link: Transcript
- No Essay
15 NOV 2021:
CSOP S7E4: Introducing Rick the Toolman Series: Pt1 - MITRE ATT&CK
29 NOV 2021:
CSOP S7E5: Rick the Toolman Series: Pt 1 on XDR.
6 DEC 2021:
CSOP S7E6: Rick the Toolman Series: Pt 2 - Hash Table on MITRE ATT&CK
- Hash Table Guests:
- Jon Oltsik, Senior principal analyst and fellow at the Enterprise Security Group
- Link: Podcast
- Link: Transcript
- No Essay
13 DEC 2021:
CSOP S7E7: Rick the Toolman Series: Pt 2 - Hash Table on XDR.
7 MAR 2022:
CSOP S8E6: Vulnerability Management: An essential tactic for zero trust from the Rick the Toolman Series..
14 MAR 2022:
CSOP S8E7: Kill chain models.
21 MAR 2022:
CSOP S8E8: Security infrastructure as code.
“About FIRST,” 2015.
“ABOUT ISACs,” by The National Council of ISACs.
“About Us – ISAO Standards Organization,” Isao.org, 2020.
“A Practical Guide for Shields up,” ExtraHop, 2021.
“Automated Indicator Sharing,” by CISA, 2015.
“Automated Indicator Sharing,” by the Office of Inspector General, DHS, 25 September 2020.
“Building a National Cyber Information-Sharing Ecosystem,” by Bruce Bakis and Edward Wang, The MITRE Corporation, 2017.
“Case 1:18-cr-00215-ABJ: Indictment,” by The Grand Jury for the District of Columbia, 2018.
“CISA’s New JCDC Worked as Intended, Witnesses Say at Senate Hearing on Log4Shell Bug,” by Tonya Riley, CyberScoop, 8 February 2022.
“Critical Infrastructure Protection (PDD 63),” by President Clinton, THE WHITE HOUSE, WASHINGTON, 22 May 1998.
“Cyber Information Sharing and Collaboration Program (CISCP),” by CISA, 2015.
“Cybersecurity and Critical Infrastructure,” by Usalearning.gov, 2022.
“Enhanced Cybersecurity Services,” The IT Law Wiki, 2013.
“Executive Order 13636 -- Improving Critical Infrastructure Cybersecurity,” by President Obama, Whitehouse, 12 February 2013
“Executive Order (Executive Order 13691) -- Promoting Private Sector Cybersecurity Information Sharing,” by President Obama, Whitehouse, 13 February 2015.
“Fusion Center History,” by the Florida Department of Law Enforcement, 2022.
“History,” Department of Homeland Security,” 2022.
“Information Sharing Groups – ISAO Standards Organization,” by Isao.org, 2020.
"Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks," by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), "The Cyber Defense Review," by the Army Cyber Institute, Volume 4, Number 2, Fall 2020.
"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Hutchins, Clopper, and Amin, Lockheed Martin Corporation, 2010, Last Visited 5 August 2019.
“JCDC,” by CISA, 2021.
“ISACS vs ISAOs: Supporting the Cybersecurity Information Sharing Ecosystem,” by the Advanced Cyber Security Center, 26 November 2018.
“Making the Joint Cyber Defense Collaborative Work,” by Mark Montgomery, Lawfare, 6 August 2021.
“MITRE ATT&CK®.” MITRE.org, 2021.
“MITRE ATT&CK: Design and Philosophy,” by Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, published July 2018, revised March 2020
“MITRE ATT&CK® Framework.” MITRE, YouTube Video. YouTube, January 25, 2021.
“National Cybersecurity and Communications Integration Center,” The IT Law Wiki, 2022.
“National Network of Fusion Centers Fact Sheet,” Homeland Security, 2022.
“Number of vulnerabilities reported in 2021 hits record high,” by BY DUNCAN RILEY, SiliconANGLE, 9 December 9, 2021.
“Only a Tiny Percentage of Security Vulnerabilities Are Actually Exploited in the Wild,” by Barclay Ballard,
TechRadar, 19 February 2021.
“Our Sharing Model,” by the Cyber Threat Alliance, 19 April 2022.
“Overview - InfraGard National Members Alliance,” by the InfraGard National Members Alliance, 8 February 2022.
“Report,” Cyberspace Solarium Commission, March 2020.
“Robert Mueller’s Indictment Today of 12 Russian Hackers Could Be His Biggest Move Yet,” by Garrett Graff, Wired, 13 July 2018.
“S.2588 - 113th Congress (2013-2014): Cybersecurity Information Sharing Act of 2014,” by Senator Dianne Feinstein [D-CA], Congress.gov. 2013.
“Sharing Cyber Security Information Good Practice Stemming from the Dutch Public-Private-Participation Approach,” by Eric Luiijf and Allard Kernkamp, GCCS 2015 - The Netherlands, March 2015.
“Shields up,” by CISA,” 2021.
“Solar Sunrise,” by The IT Law Wiki, 2022.
“Testimony of Richard Pethia, Manager, Trustworthy Systems Program and CERT Coordination Center Software Engineering Institute, Carnegie Mellon University, Before the Permanent Subcommittee on Investigations U.S. Senate Committee on Governmental Affairs,” Federation of American Scientists (FAS), 5 June 1996.
“The CERT Division,” by the Software Engineering Institute, Carnegie Mellon University.
"The Diamond Model of Intrusion Analysis,” by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2011.
"The Exabeam 2020 State of the SOC Report,” by Exabeam, 2020.
“The Fellowship of the Ring (The Lord of the Rings #1),” by J.R.R. Tolkien, Published by Ballantine Books, 29 July 1954.
“The Morris Worm: 30 Years Since First Major Attack on the Internet,” FBI, 2 Novemebr 2018.
“The One Wiki to Rule Them All,” Fandom.com, 2019.
“What Is an ISAC? How Sharing Cyber Threat Information Improves Security,” by Jaikumar Vijayan, CSO Online, 9 July 2019.
“What Is Y2K?” Investopedia, 2022.