This document discusses threat information sharing to strengthen human rights. It defines threat information as knowledge that can help protect against harm, such as attack indicators, tactics, and security alerts. Threat information is created through detection, analysis, and data collection. It is important to share selectively based on trust and whether the information will help others defend themselves. Information can be shared with threat researchers, practitioners, and at-risk communities and groups through a "traffic light" framework. The document proposes making threat information more actionable by informing risk management, creating awareness materials from research reports, and data-driven defense improvements.
Threat Sharing for Human Rights Communities
1. Threat Sharing for Human Rights
A look at how we can strengthen our communities by sharing information
Megan DeBlois, June 2020
2. What we'll cover …
● What is threat information?
● How is it produced and created?
● Who shares? And with whom?
● Ideas around how to make it more actionable
Photos by unsplash, credit to @jurrehoutkamp
3. Who am I?
● Based in California
● Part-time grad student at the University of Oxford
https://megdeb.github.io/mydissertation/tabs/about/
● Also work at Internews as an InfoSec Advisor and Technologist
● Side project: https://covid19apptracker.org
My fabulous pup to keep you awake
5. Threat Information …
"Information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor."
- NIST Guide to Cyber Threat Information Sharing
6. Threat Information …
Knowledge or data that can help you protect yourself, your organization, or your community against someone who is attempting to cause harm.
- My Definition
7. Threat Information …
Knowledge or data that can help you protect yourself, your organization, or your community against someone who is attempting to cause harm.
- My Definition
- Indicators of an attack
- TTPs, or tactics, techniques and procedures
- Security alerts, advisories and bulletins
- Threat intelligence reports
- Tool configurations (e.g., instructions on how to install a tool to extract and remove malicious .apks from an Android phone)
- Countermeasures
8. Category / Description / An example of being operationalized

Indicators of compromise
Description: Data observed in the system that is highly indicative that an attack has happened or is likely to happen.
Examples:
● Block lists: blocking IPs and domains in your firewall configuration (e.g., using OpenDNS)
● File hashes of known malicious things
● SSH fingerprints, email addresses, and more!

Tactics, techniques, and procedures
Description: Attack patterns and methods the adversary uses to carry out their operations.
Example:
● Creating a YARA rule based on the attack pattern identified

Security alerts, advisories, and bulletins
Description: Information about a security concern that describes what happened, why it's important, and an action a user should take.
Example:
● Sharing alerts over a closed Signal, WhatsApp, or Wire group.

Threat research reports
Description: A more detailed document outlining how an attack happened, indicators users should look out for, and more information about the attack(s).
Example:
● Creating case studies to use in training or awareness materials.

Tool configurations
Description: Details around how to configure a security tool to effectively protect your system.
Example:
● Setting up a tool utilizing the configuration relevant to your industry or community.

Countermeasures
Description: Defensive measures to take against a particular attack.
Example:
● Training users in your community how to enable two-factor authentication for greater account protection.
10. Critical pieces to the threat sharing puzzle …
Trust
Threat Detection
Photos by unsplash, credit to @olloweb
11. A Threat is Detected … now what?
● Sample collection (if possible)
○ Full email headers
○ Suspicious file
○ Logs
● Triage analysis
○ As quickly as you can, find as many indicators as possible
● Deeper technical analysis
○ This sometimes leads to more indicators
● Capturing insights and trends through data
● So when to share?
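The triage steps on this slide (collect the sample, pull out as many indicators as you can, decide when to share) and the indicator categories on slide 8 can be shown end to end in a short script. The Python below is an added example written for this page, not code from the presentation, from Internews, or from any of the organizations named in the deck. It takes a constructed phishing sample (email headers and a placeholder attachment; every address, domain and IP is a documentation value, not a real indicator), extracts the kinds of indicators slide 8 lists (sender domain, relay IPs, URL, file hash), and then gates who may receive them using the Traffic Light Protocol colours mentioned in the summary. The audience sets per colour are my simplified reading of TLP and are an assumption of this example, not the protocol's own text.

```python
"""Added example (not from the original slides): triage a constructed
phishing sample, extract shareable indicators, and gate sharing with TLP."""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; addresses and IPs are documentation ranges.
SAMPLE_EMAIL = """\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.45])
    by mx.example.org with ESMTP id abc123
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example-relay.test with SMTP
From: "Account Security" <security@login-verify.example>
To: editor@example-newsroom.org
Subject: Urgent: verify your account
Content-Type: text/plain

Your account will be suspended. Confirm here:
http://login-verify.example/confirm?id=42
or open the attached form.
"""

# Constructed placeholder standing in for a suspicious attachment.
SAMPLE_ATTACHMENT = b"%PDF-1.4 constructed placeholder attachment bytes\n"

# Simplified Traffic Light Protocol: which audiences each colour permits.
# Assumption made for this example; check the current TLP text before relying on it.
TLP_AUDIENCE = {
    "RED": {"named recipients"},
    "AMBER": {"named recipients", "own organization", "clients"},
    "GREEN": {"named recipients", "own organization", "clients", "community"},
    "WHITE": {"named recipients", "own organization", "clients", "community", "public"},
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def extract_indicators(raw_email, attachment):
    """Return (type, value) pairs in the order found, without duplicates."""
    msg = message_from_string(raw_email)
    found = []
    # Sender domain from the From header
    _, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        found.append(("domain", addr.split("@", 1)[1].lower()))
    # IPs from every Received header (nearest hop first)
    for hop in msg.get_all("Received", []):
        for ip in IPV4.findall(hop):
            found.append(("ipv4", ip))
    # URLs from the message body
    for url in URL.findall(msg.get_payload()):
        found.append(("url", url))
    # Hash of the attachment: the shareable form of "suspicious file"
    found.append(("sha256", hashlib.sha256(attachment).hexdigest()))
    # De-duplicate while keeping order
    unique = []
    for indicator in found:
        if indicator not in unique:
            unique.append(indicator)
    return unique


def may_share(tlp, audience):
    """True if an indicator marked with this TLP colour may go to the audience."""
    return audience in TLP_AUDIENCE[tlp.upper()]


def triage(raw_email=SAMPLE_EMAIL, attachment=SAMPLE_ATTACHMENT, tlp="AMBER"):
    """Triage one sample: indicators plus the audiences they may be shared with."""
    indicators = extract_indicators(raw_email, attachment)
    audiences = sorted(a for a in TLP_AUDIENCE["WHITE"] if may_share(tlp, a))
    return {"tlp": tlp, "indicators": indicators, "share_with": audiences}


if __name__ == "__main__":
    result = triage()
    print("TLP:", result["tlp"], "-> share with:", ", ".join(result["share_with"]))
    for kind, value in result["indicators"]:
        print(f"  {kind:7} {value}")
```

Running the script prints the indicator list for the constructed sample and, because the default marking is AMBER, shows that it may go to named recipients, your own organization and clients but not to the wider community or the public. Swapping the marking to GREEN or WHITE widens the audience, which is the "when to share" decision the slide asks about, made explicit in code.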
16. Threat Researchers & Analysts
Community Researchers: Amnesty International, Human Rights Watch, Electronic Frontier Foundation, eQualit.ie, Citizen Lab, DSL Ukraine, Media Diversity Institute Armenia, Quirium, Internews, TibCERT, Fundacion Karisma, MISP, Freedom of the Press, and more!
Private Sector: AV companies, cybersecurity firms, platforms and services

First Responders / Practitioners
● Some members of the CiviCERT Community (www.civicert.org)
● Rapid Response Networks
● Some of the Researchers and Analysts (listed above)

Beneficiaries
● Civil Society
● Human Rights Groups
● Media Organizations
● At Risk Individuals: Journalists, Activists, HRDs

Producers: Beneficiaries, First Responders, Threat Researchers

Consumers:
● Private Sector: Platforms (Microsoft, Google, Facebook, etc.), Cybersecurity Firms, Antivirus Companies
● Threat Researchers & Analysts
● First Responders / Practitioners
● The People
17. Our Approach
Joint Research
● Backstop partner organizations who are interested in doing research
● Support technical capacity to do the research
● Review any additional support
● Share with the private sector where possible and appropriate
● Partner organization leads community sharing

Direct Research
● Support direct threat research and threat analysis internally (e.g., phishing and malware analysis)
● Share with the private sector where possible and appropriate
● Community sharing where actionable (with specific organizations)
19. Threat Sharing --> Action
Goal: Better defense and greater protections against targeted attacks.
● Data driven: we're not talking big data; anything that helps us gain more knowledge around attack methods and the mitigations that address them
● Inform your risk management decisions, processes, and practices.
● Transform into awareness-raising and training materials
● Publish excellent threat research reports (hat tip to Fundacion Karisma, Quirium, Amnesty, Human Rights Watch, EFF, Citizen Lab, and others!)
● And more!