This Guide will provide you with the training how to use the Threat Sharing Community Platform. At the end of the training, you will have an understanding of how to use this platform and its functions.
The Dashboard - how to navigate the layout, carry out tasks and administer your account
What is a Community and the difference between a Private and Public Community
How to create your own Community
How to invite members to join your Communities
How to join other Communities
The Threat Sharing platform is an early warning system deployed across a network providing inbox level incident responding, investigation and response giving users maximum agility and reducing response time.
This allows users to expand their threat intelligence reach by leveraging their collective network knowledge, reduce costs, and accelerate implementation.
With Threat Sharing in place, users will now no longer need to directly experience a malicious attack to initiate inbox investigations delivering faster response times and proactive protection.
When an Incident occurs, the user reports this to the community or communities, of which they are a member within the Threat Sharing Community Platform.
This intelligence will now be automatically shared with the rest of the community triggering investigations throughout the Threat Sharing Community network.
Each organisation within the community can create a trust and reputation-based relationship with any other organisation on a decentralised, peer-to-peer basis using the Threat Sharing APIs.
In the left hand pane, your name, company details and current module (highlighted) used are displayed. Here, you will be able to edit your profile, change password, view login history and log out of the platform. To hide this pane, please click on the three lines and these details will be hidden.
In the top right corner, you will find the following:
Notifications icon which informs you of any invite requests and/or incidents.
Knowledge Bank icon: click here to -
Take a Tour
Under Threat Sharing, there are two fields - Incidents and Communities.
In this section, you are able to view all reported, malicious and/or suspicious emails which have been shared by members of Threat Sharing Communities.
When the Incidents field is selected, all the incidents are displayed.
To search for specific incidents, use the filter for attributes and/or keywords.
Communities are often made up of companies from a specific sector, industry or organisation who have a common professional purpose and interests in sharing threats to prevent malicious attacks and expand their threat intelligence. It is a peer-to-peer body built on trust and reputation and participants are given the option to share intelligence anonymously.
To use the Threat Sharing Community, you have to either a) create a Community or b) become a member of an existing Community.
To create a Community, go to the right hand pane and click on the Create Community button.
After clicking on Create Community, you will be taken to the first stage of creating a Community. Here you enter the following:
The Description of the Community with its rules and goals (max. 300 words)
The Industry best relating to the Community
Public: anyone can find the community and see posted threats
Private: only members invited by the Community Owner can see posted threats and the community is listed publicly
Hidden: Only members can see posted threats and the group in communities list
Before creating your Community, please accept the Terms and Conditions. Then click on Create to create your Community.
After creating your Community, you will be directed to the new Threat Sharing Community homepage:
You will now be able to post your first incident.
220.127.116.11 About Community
In this section, you will see the following:
The Owner of the Community
The number of Members of the Community and option to invite
The Industry related to the Community
The Total Incidents reported to and by the Community
To change the Settings of your Community, click on the settings wheel on the Community homepage to see the options:
18.104.22.168 Edit Community
This allows you to edit the General Information and Settings of the Community:
Once you have edited and/or changed the General Information and Settings, in the bottom right hand corner of the window of the Community homepage, please click on SAVE to keep your changes or if you do not, you can CANCEL.
22.214.171.124 Notification Settings
In this section, you will be able to change how the Community receives notifications of incidents.
When you disable the first Notifications Setting, no notifications will be sent out to the Community to inform them of any posted incidents.
With the Notifications Setting enabled, you can choose how the Community is informed of posted incidents by:
Once the changes have been made, click on SAVE or if you no longer want to change the settings, please CANCEL.
Select LEAVE if you want to leave the community. Note that you will no longer be able to post incidents to this community (you will have to rejoin or be re-invited). If you do not wish to delete, please CANCEL.
126.96.36.199 How to Transfer Ownership of a Community
If you no longer wish to be the Owner of a Community, you have the option to transfer ownership of the Community to a fellow member. To do this:
Go to the Communities dashboard
Select the Community you want to transfer ownership of
Select the Member you would like to have as the New Owner
Click on the Three Dots to the right of the Member’s name
Assign as Owner
Confirm that you are willing to give Admin Privileges (includes rights to remove users and delete the Community) to the New Owner.
Click ACCEPT to go ahead with the transfer of ownership or click CANCEL not to go ahead.
A message will appear to confirm that the transfer of the community’s ownership has been successful.
188.8.131.52 Delete a Community
If you no longer wish your Community to exist, you can delete it with this option.
Please be aware that all posts and data will be lost after deletion.
To go ahead with the deletion, click on DELETE or if you do not wish to delete, please CANCEL.
184.108.40.206 Invite new members to your Community
After setting up your Community, you are now able to invite members to be part of that Community. Only a maximum of five can be invited at one time.
To invite new members, go to the right hand pane of the Community homepage and under About Community, click on +Invite and enter their email addresses of your intended members. Then click on INVITE to send your request or choose CANCEL not to proceed.
The names of the Members of your Threat Sharing Community will appear under Members.
To quickly find names, you can enter the members’ names in the search window on the Community homepage.
Under the Requests field on the Community homepage, you will see who has sent requests to join your Threat Sharing Community.
Under the Incidents field on the Community homepage, click on the Post Incident button. This will take you to the Post an Incident screen where you can begin to post your Incident.
To post an Incident, you can either find an already Reported Incident under Find Incident or upload the email you wish to report under Upload Email. Emails can be uploaded or dropped in as .eml or .msg files.
Once the email has been uploaded, the first step of the Post an Incident process Select Incident will be displayed.
Click on NEXT in the bottom right corner of the screen and the next steps of the posting of the Incident can be actioned.
At each stage of the posting of the Incident, a blue check box will be ticked to show your progress.
Enter the following fields:
Title: Type in the Title of the Incident
Description: Briefly describe the Incident (max. 300 words)
Category: Select the Category which best describes the threat
Security Label TLP: Use TLP labels to inform recipients about how to share sensitive information
Enter information on the discovery of the threat, how it affects and how to fight against it.
Complete the fields:
Discovery and Detection: Explain how the threat was detected and what tools were used
Affect Area (what systems and programs are affected)
Scope (how does it work and affect your systems)
Select the attributes you would like to share or hide with the Community. At least one attribute must be chosen.
To flag certain attributes of the Incident such as Subject, Sender Info and Links etc., select the options on the drop down menus next to the section you would like to flag. You are then able to flag these links in the Incident as Flagged Sender or Phishing Links.
220.127.116.11 Edit Post Email
Edit Post Email allows you to edit and change the email as required with custom components. Click on Edit to access this function.
Before posting, you are able to preview the Incident and the number of harmful items will be displayed:
There is the option to Post as Anonymous: If you use this option, your details about your identity will then be hidden. If this option is not selected, your post will be displayed with your name and profile information.
Please put a tick in the check box as above.
To make changes, click on PREVIOUS to return on the section you would like to edit. Complete the posting of the Incident by clicking on POST.
The Threat Sharing Community will now be informed of the Incident you have posted.
By clicking on DETAILS of the Incident, you are able to expand and see more information about the Incident.
To Edit, Investigate, Share or Delete a posted Incident, click on the three dots to the right of the title for the options.
The Edit option will bring you back to the first stage of Post an Incident and then you will be able to edit the Incident.
The Investigate option allows you to start a New Investigation. Complete the following fields:
Enter a name for the New Investigation
Target Users: select from Users, User Groups or Specific Users
Search Criteria: select the criteria you would like to use in the investigation. You can add additional criteria
Email Date Range: select the range of the email’s sending date
Select Sources: select the email software to be investigated
Duration: select for how many days the investigation will run
Action: select the action to be taken if the investigated email is found
After completing the New Investigation, click on Save.
Sharing can only be allowed as part of a public Community: no incidents posted from a private or hidden Community are allowed to be shared outside of that Community.
To share an Incident with someone who is not already a member of the private or hidden Community, first send them an Invite to join.
Once they have received the invite and joined the private or hidden Community, the posted incidents of this Community can now be accessed and viewed.
After you have selected the Share option, you will be able to the email addresses (maximum of ten) of contacts in your networks you would like to notify about the posted incidents from the public communities.
Here you can view the posted or shared Incident showing who it was posted by (or not if the Anonymous feature was chosen) as an Email Preview or its Details. The number and type of suspected harmful items will be displayed and where they can be found. You have the opportunity to up- or down-vote the Incident to help grade and verify the severity of the Incident.
18.104.22.168 How to Investigate an Incident posted in a Community
When you have seen an Incident posted in one of your Communities and would like to investigate if the same Incident has occurred in your own organization, go to the relevant incident and click on the three dots and then select Investigation.
In the right hand pane on the Threat Sharing homepage under Create Community, you can see the following:
Your Posts: All your posts created in all the communities of which you are a member. Top Posts from your Communities: The most popular posts from your communities.
Suggested Communities are displayed. These are communities suggested on the basis of ones already joined and those you have requested to join or yet to join.
Joining a Community depends on its Privacy options.
For a public Community, you are able to join without having to request or receive an invite.
For a private Community, you can either receive an invite from the Community owner before you are able to join and see the incidents posted in that Community OR send a join request to the specific Community you want to be in.
A hidden Community can only be joined by invite only. Once you have created or have joined a hidden Community, invitations can be sent in the same way as for a private Community.
To leave a Community of which you no longer want to be a member, please click on the three dots to the right of the title of the Community.
Please note that once you have left a Community public, hidden or private, you will no longer be able to post incidents. Once you have left a Community that is private or hidden, you will also no longer be able to view its posted incidents.
Invitations can be sent out when:
You are the owner of a private Community and have sole control over the permissions and who can be invited to be a member.
Or when the Community is public and as a member, you are able to invite potential interested members.
Or if the Community is hidden, invitations can only be sent out once you have either created that Community and selected the hidden option or have become a member of that hidden Community.
In the Invitations field under Communities, you are able to view the invitations you have received. When there are no invitations, you can search for communities to join in the search window.
When a user is invited to a Community, a notification will be sent via email and SMS (if configured).
A: Yes, you can. When you want to keep your organization's details private, you are able to Post as Anonymous. To select this option, when you are Posting an Incident in your Community, tick the check box in the Preview section and tick the box.
When you see an Incident posted and shared by a fellow user of a Community, you can easily launch an investigation by selecting the Investigate option. Then add the criteria, target users, duration etc. to be used as part of the new investigation’s search. For more information go to How to Edit, Investigate, Share or Delete an Incident.
A: No, it is only possible to invite individuals on behalf of organizations/companies and not organizations/companies directly who are not registered on the platform. Once an organization has been accepted to the platform as a member, then all registered users of that organization are eligible to be invited to become members of Communities if they choose to do so.
For more information about invitations and to invite new members, go to Invitations or Invite New Members.
A: The shared incidents will be in the database
A: Before a user is able to post an incident, they have to accept the Terms and Conditions to ensure the maximum reliability of the shared posted incidents.
A: No they are not verified. However, as Threat Sharing Communities are peer-to-peer networks formed and built on trust. This in turn can be used to verify the posts/incidents.
A: There are no limits, you can share as many as you want
A: Yes you can. Select the member of the Community you want to transfer ownership to and after clicking on the three dots next to their name, you can Assign as Owner. If you do not want to have another member as owner of your Community, you can delete it. Please note that if you decide to delete all posts and data of the Community will be erased.
The best solution would be to post anonymously. My details will be withheld and kept private. The Post as Anonymous option is ideal as the name of the person who is posting the incident and the name of the organisation/company will be hidden from view and remain confidential. Further levels of privacy can be chosen if required when posting an incident. It is possible to decide what attributes of the incident can be made visible or hidden in the Header field or Body or Attachment.
When setting up a Community, there is a high degree of control about who can access and view that Community. The privacy options (public, private or hidden) allow the Community owner to restrict who can view, join or be invited.
Choosing the hidden or private privacy option, allows the owner of the Community to control who can either be invited or ask to join. When a Community is created, the owner has administrator rights which control the membership. The Community Owner can also decide to delete the community if they want to or transfer ownership to a fellow member. A private Community can be visible and the hidden one will remain secret and confidential.
If there is no need to keep the community private or hidden and to allow anyone to join, then the best option is to choose the public privacy option when it is created.
With the search option in Communities, it is possible to find the industries or sectors most relevant to your interests. Someone who works in Financial Services can search for related Communities such as Banking, Brokerage, Investment Banking or Private Equity and if the privacy options allow, to become members in those Communities. To further protect privacy, it is possible to search for industries and sectors by privacy option. Threat Sharing also helpfully suggests to users which Communities will be of potential interest.
If there are no relevant, related Communities of interest to join, this is an opportunity to be seized and to create a new Community with other similar members from a certain industry or sector.
This can be a great way to establish your Community and become a thought leader within your industry or sector.
In the Incidents section, there are several solutions to use which enable you to search for particular incidents which you would like to investigate if they have already impacted your organisation or potentially could do so in the future and the type of threat. Keyword, Company, and Threat fields can be used to search for Incidents that have been reported.
This can provide excellent insights into present and future threats, able to run searches through Incident Response systems to discover if these incidents are taking or have already taken place in an organisation. Then appropriate Awareness Education Training can take place to address any vulnerabilities or weaknesses in an organisation’s information security systems and networks.
Community members will want to know immediately what incidents are and have been considered to be the most harmful. When an incident is posted, the most harmful attributes will have been flagged by Community members and the member can access the specific details and accordingly take the right response in their organisation.
Invitations are an invaluable way to grow Communities. The owner of a hidden or private Community is the gatekeeper, who is the ultimate decision maker of how invitations are administered and to whom. The more invitations you make, the more members a community will have and more threats can be shared. This will be an excellent way to improve cyber resilience, as organisations will be better prepared against future attacks as they have already been warned by Community members of these threats.
A Community which is public has no limits on how many invitations can be issued and to whom, unlike a Community which is hidden or private.
The best way to make a Community successful is through the proactiveness of the members and in particular the Community’s owner. The larger the community, the more successful it will be for everyone but also the high integrity and calibre of the Community will be additional strengths as it is built on the trust of a peer-to-peer Community.
The Community is the baby of the person who has created it and they have had the wonderful idea of its creation. The Community’s owner can share the reasons behind the purpose with their fellow community members in the Description the Community has been given when it was created.
After it has been established which posted incidents are of most interest to members, they can act according to their own organisation’s cyber security protocols and Incident Response procedures using the information discovered in both actual and potential Threats.
Priorities always change in an organisation and the same happens in Threat Sharing World of Communities too. If the owner of a Community no longer feels that it is relevant and the purpose for it to continue no longer exists then the Community can be deleted and all incidents reported and which members were part of it, will be destroyed as well.