Threat Sharing

1. Introduction

This guide explains the Threat Sharing Community platform and how to use it.
This includes:
  • The dashboard - how to navigate the layout, carry out tasks, and administer your account.
  • What a community is, and the difference between a private and public community.
  • How to create your own community
  • How to invite members to join your communities
  • How to join other communities

2. What is Threat Sharing?

The Threat Sharing Community platform is an early warning system deployed across a network that provides inbox-level incident response and investigation capability, giving users maximum agility and reducing response time.
Users have the ability to expand their threat intelligence reach by using their collective network knowledge, as well as reduce their costs and accelerate implementation of a response.
With a threat sharing system in place, users can preemptively initiate inbox investigations before suffering a malicious attack, which provides proactive protection.

3. How does Threat Sharing work?

Users typically join or form communities that share industry interests and concerns. The cooperative effort to identify, evaluate, and respond to threats leverages and protects the assets of the community.
When an incident occurs, a user reports this to their community or communities using the tools provided on the Threat Sharing Community platform.
This intelligence is then automatically shared with the rest of the community and triggers the ability to initiate investigations throughout the threat sharing community network. Community members are alerted to potential threats and have the opportunity to detect, contain, or prevent them rapidly and efficiently.
Each organization within the community can create a trust and reputation-based relationship with any other organization on a decentralized, peer-to-peer basis using the Threat Sharing APIs.

3.1. Your Threat Sharing platform

Figure 1: Threat Sharing platform
Your name, company details, and the module currently in use (highlighted) are displayed on the left. Here, you can edit your profile, change your password, view your login history, and log out of the platform. To hide this pane, simply click on the three horizontal lines at the top of the sidebar.
In the top right corner, you will find the following:
  • Notifications (bell) icon, which informs you of any invitation requests or incidents.
  • Knowledge Bank (?) icon: click here to
    • Take a Tour
    • View Documentation
    • Get Help
    • Video Tutorial
    • Feedback
Within Threat Sharing, there are two sections: Incidents and Communities.

3.1.1 Incidents

This section displays all of the reported malicious and/or suspicious emails that have been shared by members of threat sharing communities that you participate in.
To search for a specific incident, use the filter to select attributes and/or keywords.
Before you can post an incident, you must be a member of a community.
There are two ways to do this:
  • Create a new community
  • Join an existing public, private or hidden Community

3.1.2 Communities

Communities are often made up of companies from a specific sector, industry, or organization that have a common professional purpose and interest in sharing threats in order to prevent malicious attacks and expand their threat intelligence. A community is a peer-to-peer body built on trust and reputation. Members have the option to share intelligence anonymously, if preferred.

4. How to Use the Threat Sharing Community

You must either a) create a community, or b) become a member of an existing community.

4.1 Communities

4.1.1 How to create a Community?

  1. Go to the right-hand pane and click on the Create Community button.
  2. Next, you will be asked to enter the following:
  3. Community Name
  4. A description of the community with its rules and goals (max. 300 words)
  5. The industry most relevant to the community
  6. Privacy options:
    • Public: Anyone can find the community and see posted threats
    • Private: Only members invited by the community owner can see posted threats, but the name of the community is listed publicly in the communities list
    • Hidden: Only members can see posted threats and the name of the group is not displayed in the list of communities
  7. Please read and accept the terms and conditions.
  8. Click on Create to complete the process.

4.1.2 Your New Community Page

After creating your community, you will be directed to the new Threat Sharing Community homepage:
You will now be able to post your first incident.

About Community
In this section of the page, you can find the following information:
  • The owner of the community
  • The number of members and the option to invite someone to join
  • The industry related to the community
  • The incidents reported to the community

4.1.3 How to administer a Community

Click on the settings wheel on the community homepage for the following options:
  • Edit community characteristics
  • Notification settings
  • Leave
  • Delete

Edit Community
This allows you to edit the general information and settings of the community. Once you have made the desired revisions, click on Save in the bottom right-hand corner of the window.

Notification Settings
These settings determine how the members receive a notification of an incident.
If you disable the first notifications setting, no notifications will be sent out to the community to inform them of posted incidents.
Once the notifications setting is enabled, you can choose how the community is informed of posted incidents:
  • Dashboard notification
  • Email notification
  • SMS notification
Click on Save to preserve the selected settings.

Leave
Select Leave if you want to withdraw from the community. Note that you will no longer be able to post incidents to this community; you will have to rejoin or be re-invited.

How to Transfer Ownership of a Community
If you no longer wish to be the owner of a community, you have the option to transfer ownership to a fellow member.
  • Go to the Communities dashboard
  • Select the community for which ownership is to be transferred
  • Select the member who will be the new owner
  • Click on the three dots to the right of the member’s name
  • Assign as owner
  • Confirm that you are willing to give admin privileges (includes rights to remove users and delete the community) to the new owner
  • Click Accept to complete the transfer of ownership
  • A message will appear to confirm that the transfer of the community’s ownership has been successful.

Delete a Community
Only the owner of a community has the option to delete it.
Please be aware that all posts and data will be lost after removal.
  • Go to the Communities dashboard
  • Select the community to be deleted
  • Confirm the deletion of the community by clicking Delete

Invite new members to your Community
Once a community has been established, you are able to invite members to join the group. A maximum of five can be invited at one time.
To invite new members:
  • Go to the right-hand pane of the community homepage
  • Under About Community, click +Invite and enter the email address of the invitee
  • Click Invite to send your request

4.1.4 Members

The names of the members of your threat sharing community are visible under the Members option.
A search window is available to help quickly find a name on the community homepage.

Requests
Individuals who are not currently members of the community can request to join. These requests are visible under the Requests option on the community homepage.

5. How to Post and Share Incidents

5.1 Posting an Incident in your Community

  • Go to the Community homepage
  • Select Incidents and click on the Post Incident button.
  • You can either find a previously reported incident under Find Incident or upload the email you wish to report using Upload Email. Emails can be uploaded or dropped in as .eml or .msg files.
  • Once the email has been uploaded, choose Select Incident.
  • Click Next in the bottom right corner of the screen to complete the process. You will be prompted to enter the additional details described in the next section.
At each stage of posting an incident, a blue check box will show your progress.

5.1.1 General Info

Complete the following fields:
  • Title: Provide an incident report title
  • Description: Briefly describe the incident (max. 300 words)
  • Category: Select the category that best describes the threat
  • Security Label TLP: Use TLP labels to advise recipients about how to share sensitive information

5.1.2 Incident Details

Provide the information available related to the discovery of the threat, the mechanism and effects, and how it can be counteracted.
Complete the fields:
  • Discovery and Detection: Explain how the threat was detected and what tools were used
  • Impact Range:
    • Affected Area (what systems and programs are involved)
    • Scope (how it affects your systems)

5.1.3 Attributes

Figure 2: Post an Incident > Attributes
Select the attributes of the incident you would like to share with or hide from the community. At least one attribute must be selected.
To flag certain attributes of the incident, such as the subject, sender info, or phishing links, select the options on the drop-down menus next to the relevant section.

Edit Post Email
The Edit function allows you to customize components of the email as desired.
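
An offline pre-check for the attribute selection described above, as an added example that is not part of the platform or its API: it parses an .eml file locally, lists the attributes it contains, and builds the view that remains once the unselected attributes are hidden. The function names, attribute keys, and sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample message (not a real incident), standing in for an .eml file.
SAMPLE_EML = (
    b"From: Billing <billing@example.test>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Invoice overdue\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Pay now at http://pay.example.test/login to avoid fees.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UEsDBA==\r\n"
    b"--b1--\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_attributes(raw: bytes) -> dict:
    """List what an uploaded email would expose (hypothetical attribute keys)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    attachments = [
        {
            "filename": part.get_filename(),
            # Hash only; the attachment is never opened or executed.
            "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest(),
        }
        for part in msg.iter_attachments()
    ]
    return {
        "subject": str(msg["Subject"]),
        "sender": str(msg["From"]),
        # The recipient often identifies the reporting organization.
        "recipient": str(msg["To"]),
        "links": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,
    }


def shareable_view(attrs: dict, share: set) -> dict:
    """Return attrs with every attribute not in `share` replaced by a marker."""
    unknown = share - attrs.keys()
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    if not share:
        # Mirrors the rule above: at least one attribute must be selected.
        raise ValueError("at least one attribute must be selected")
    return {k: (v if k in share else "[hidden]") for k, v in attrs.items()}


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_EML)
    print(shareable_view(found, {"subject", "links", "attachments"}))
```

Reviewing this output before uploading shows whether the recipient address or other internal details would be disclosed along with the indicators.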

5.1.4 Preview

Before posting, you can preview the incident report, including the number of harmful items detected.
Figure 3: Post an Incident Timeline > Preview
Note that you have the option to post anonymously, which will conceal the details of your name and profile information from the community.
If you wish to make changes, click on Previous to return to the section you would like to edit.
Once complete, click Post. The threat sharing community will now be informed of the incident you have posted.
Click Details to see more information about the incident.

5.1.5 How to Edit, Investigate, Share or Delete an Incident

Click on the three dots to the right of the title of the incident for the available options.
  • The Edit option will bring you back to the first stage of posting an incident and you will be able to edit the components of the report.
  • The Investigate option allows you to start a new investigation. You will need to complete the following fields:
    • Name: Enter a name for the investigation
    • Target users: Select all users, user group(s) or specific users
    • Search criteria: Select or add criteria to be used in the investigation
    • Email date range: Select a range for the email’s send date
    • Select sources: Select the email software to be investigated
    • Duration: Select the number of days the investigation is to remain open
    • Action: Select the action to be taken if the investigated email is found
Click Save to initiate the investigation.
The Share option allows you to select the email addresses of contacts in your networks (maximum of ten) you would like to notify about the posted incidents from public communities.
Sharing is only allowed in a public community; no incidents posted from a private or hidden community are shared outside of that group. To share an incident with someone who is not a member of a private or hidden community, they must be invited to join. Once they have received the invitation and joined the community, they will have access to the posted incidents of the community.

5.1.6. How to Assess a Shared Incident

Figure 4: A Posted or Shared Incident
A posted or shared incident will display who reported it (if not posted anonymously) and an email preview with details of the incident, including the number and type of suspected harmful attributes and where they can be found.
You have the opportunity to up- or down-vote the incident to help grade and verify the severity of the incident and assist your community with assessment of and reaction to the threat.

How to Investigate an Incident posted in a Community
From within the incident, click on the three dots and select Investigation to determine if the same activity has occurred in your own organization.

5.2 Posts

In the right-hand pane on the Threat Sharing homepage under Create Community, you can view:
  • Your Posts: All of the posts you have created in all communities of which you are a member.
  • Top Posts from Your Communities: The most popular posts from your communities.
  • Suggested Communities: Other existing communities you might be interested in joining are suggested on the basis of current memberships and those you have requested to join.

5.3 How to Join a Community

Community membership is managed according to the group’s privacy options.
  • Public Community access is open to all platform users; you may join without an invitation.
  • Private Community membership is administered by the community owner. Users may be invited to join the group or request an invitation to join in order to participate in the community activity and see the incidents posted for members.
  • Hidden Community membership is by invitation only. As in a private community, the community owner issues invitations.
Use the search bar under Communities and filter by keyword to find groups that may be relevant to your business.

5.3.1 Leaving a Community

To withdraw from a community, click on the three dots to the right of the title of the community.
Please note that once you have left a community - public, private, or hidden - you will no longer be able to post incidents. Withdrawal from a community that is private or hidden means that you will also no longer be able to view incidents posted to that group.

5.4 Inviting Others to Join a Community

  • As a member of a public community, you may invite colleagues who may be interested in joining the group
  • As the owner of a private community, you have sole control over the permissions granted and membership invitations.
  • The owner of a hidden community must invite you before you can join.
In the Invitations field under Communities, you are able to view the invitations you have received. When there are no invitations, you can search for communities to join in the search window.

5.4.1 Invitation Notifications

When a user is invited to a community, a notification will be sent via email and SMS (according to configuration).
Invitations you receive are displayed in the Invitations field under Communities. You can also search for communities you may wish to join using the search box.
Figure 5: Invitation to join a Community

6. FAQ

Q: Can I hide my identity when I post an incident to a community?

A: Yes. If you do not want to disclose your name and organization when posting an incident, you can select the anonymous option offered in the preview section.

Q: How do I launch an investigation to assess the threat at my company?

A: When you see an incident posted and shared by a fellow member of a community, you can easily begin an investigation to determine potential risk to your firm by selecting the Investigate option. You will be prompted to add the criteria, target users, duration, and other details to be used as part of the investigation.

Q: Is it possible to invite someone from a company that is not currently a client to join a community?

A: No. Community membership is limited to employees of organizations that have registered to the platform. Once an organization has registered, all registered users of that organization are eligible to participate, if they choose to do so.
For more information about invitations, go to Invitations or Invite New Members.

Q: Where are shared incidents stored?

A: Shared incidents will be maintained in the database.

Q: What is the reliability of shared posts/incidents?

A: A user must accept terms and conditions before a post will be accepted in order to ensure maximum reliability of the shared information.

Q: Are shared threats/incidents/posts human-verified?

A: No, they are not verified. However, threat sharing communities are peer-to-peer networks formed and built on trust. This can be used to verify the posts/incidents.

Q: Is there any limit to the number of posts that can be shared in a community?

A: No. You can share as many as you want to.

Q: Is it possible to leave a community of which I am the owner? Can I transfer ownership?

A: Yes. The owner of a community may transfer ownership to another member of the group. Select the name of the member to become the new owner, click on the three dots next to their name, and you have the option to Assign as Owner.
If you do not wish to assign a new owner, you also have the option to delete the community; however, please note that all posts and the data of the community will be erased.

7. Use Cases

Use Case: Keep details private when posting an incident to avoid exposing confidential information

The best solution would be to post anonymously. The poster’s profile details – including the name of the individual and that of the organization - are withheld. It is also possible to select the attributes of the incident that will be visible or hidden in the Header field or Body or Attachment to provide additional confidentiality.

Use Case: Limit membership to a community

When setting up a community, the owner has a high degree of control over who can access and view that community's information. The public, private, and hidden types of community offer different levels of disclosure and participation. Only public communities have unrestricted membership.
The owner of a private or hidden community has administrator rights and controls membership.
The name of a private community is displayed on the Communities homepage; however, membership is restricted.
The search option on the Communities page allows you to locate established groups in industries or sectors most relevant to your interests. For example, a user who works in financial services can search for communities concerned with banking, brokerage, investment banking, or private equity and, if the privacy options allow, become a member of those communities. It is also possible to search for industries and sectors according to the privacy option.
The Threat Sharing page also suggests communities that may be of potential interest.
If there are no existing communities of interest to join, this is an opportunity to create a new community for members of an unrepresented industry or sector.
This could be a great way to establish a presence for your community and become a thought leader within your industry or sector.

Use Case: Searching for specific incidents in the threat sharing database

The Incidents section offers several ways to search for a particular incident to determine if it may have already impacted your organization. The keyword, company, and threat fields can be used to filter the results.
This can provide excellent insights into past, present, and future threats to an organization, as well as guidance for targeted awareness training and to address any vulnerabilities in information security systems and networks.

Use Case: Assessing the threat of an incident

Community members can see which incidents are and have been considered the most harmful. The most dangerous attributes are flagged in the post, and members can immediately access the specific details and take the appropriate action for their organization.

Use Case: Using invitations to grow a community and improve security posture

Invitations are an invaluable way to expand and enrich communities. A large community has greater resources and expanded ability to improve cyber resilience. The member organizations will be better prepared for attacks based on the knowledge shared by others in the community.
There is no limit to the number of invitations to a public community, and all members may invite a colleague to join. The owner of a hidden or private community serves as a gatekeeper to membership and is the ultimate decision-maker of how many invitations are issued and to whom.

Use Case: Ensuring and enhancing the value of a community for the owner and members

The best way to make a community successful is the proactiveness of the membership, and in particular, the community owner. The larger the community, the more useful and valuable it will be for everyone, but the integrity and caliber of the membership provides additional strength, trust, and reliability.

Use Case: Defining the purpose of a community

The intended vision and goals of a community are provided when it is created and serve as a guide to activities and membership.

Use Case: What action can community members take in response to a posted incident?

Users have a range of options to choose from in response to a posted incident according to their own organization’s cybersecurity protocols and incident response procedures. Valuable information is provided related to both actual and potential threats and may be used according to individual needs.

Use Case: The community has lost its way. How can it be saved?

Priorities always change in an organization, and the same is true in the threat sharing world of communities. If the owner of a community feels that it is no longer functional or relevant, or that its purpose no longer exists, then the community can be deleted, and all reported incidents, along with the record of which members were part of it, will be destroyed as well.