Threat Sharing

1. Introduction

This guide trains you in how to use the Threat Sharing Community Platform. At the end of the training, you will understand how to use the platform and its functions.

This includes:

  • The Dashboard - how to navigate the layout, carry out tasks and administer your account

  • What is a Community and the difference between a Private and Public Community

  • How to create your own Community

  • How to invite members to join your Communities

  • How to join other Communities

2. What is Threat Sharing?

The Threat Sharing platform is an early warning system deployed across a network. It provides inbox-level incident response and investigation, giving users maximum agility and reducing response time.

This allows users to expand their threat intelligence reach by leveraging their collective network knowledge, reduce costs, and accelerate implementation.

With Threat Sharing in place, users no longer need to directly experience a malicious attack to initiate inbox investigations, which delivers faster response times and proactive protection.

3. How does Threat Sharing work?

When an Incident occurs, the user reports this to the community or communities of which they are a member within the Threat Sharing Community Platform.

This intelligence will now be automatically shared with the rest of the community, triggering investigations throughout the Threat Sharing Community network.

Each organisation within the community can create a trust and reputation-based relationship with any other organisation on a decentralised, peer-to-peer basis using the Threat Sharing APIs.

3.1. Your Threat Sharing platform

Figure 1: Threat Sharing platform

In the left hand pane, your name, company details and current module (highlighted) used are displayed. Here, you will be able to edit your profile, change password, view login history and log out of the platform. To hide this pane, please click on the three lines and these details will be hidden.

In the top right corner, you will find the following:

  • Notifications icon which informs you of any invite requests and/or incidents.

  • Knowledge Bank icon: click here to -

    • Take a Tour

    • View Documentation

    • Get Help

    • Video Tutorial

    • Feedback

Under Threat Sharing, there are two fields - Incidents and Communities.

3.1.1 Incidents

In this section, you are able to view all reported, malicious and/or suspicious emails which have been shared by members of Threat Sharing Communities.

When the Incidents field is selected, all the incidents are displayed.

To search for specific incidents, use the filter for attributes and/or keywords.

Note: Before posting your first Incident, you will have to be part of a Community.

There are three ways to do this:

  • Create a new Community

  • Join an existing public, private or hidden Community

3.1.2 Communities

Communities are often made up of companies from a specific sector, industry or organisation who have a common professional purpose and interests in sharing threats to prevent malicious attacks and expand their threat intelligence. It is a peer-to-peer body built on trust and reputation and participants are given the option to share intelligence anonymously.

4. How to Use the Threat Sharing Community

To use the Threat Sharing Community, you have to either a) create a Community or b) become a member of an existing Community.

4.1 Communities

4.1.1 How to create a Community?

To create a Community, go to the right hand pane and click on the Create Community button.

After clicking on Create Community, you will be taken to the first stage of creating a Community. Here you enter the following:

  1. Community Name

  2. The Description of the Community with its rules and goals (max. 300 words)

  3. The Industry best relating to the Community

  4. Privacy Options:

    • Public: anyone can find the community and see posted threats

    • Private: only members invited by the Community Owner can see posted threats and the community is listed publicly

    • Hidden: Only members can see posted threats and the group in communities list

Before creating your Community, please accept the Terms and Conditions. Then click on Create to create your Community.

4.1.2 Your New Community Page

After creating your Community, you will be directed to the new Threat Sharing Community homepage:

You will now be able to post your first incident.

4.1.2.1 About Community

In this section, you will see the following:

  • The Owner of the Community

  • The number of Members of the Community and option to invite

  • The Industry related to the Community

  • The Total Incidents reported to and by the Community

4.1.3 How to administer a Community

To change the Settings of your Community, click on the settings wheel on the Community homepage to see the options:

  • Edit Community

  • Notification Settings

  • Leave

  • Delete

4.1.3.1 Edit Community

This allows you to edit the General Information and Settings of the Community:

Once you have edited and/or changed the General Information and Settings, click on SAVE in the bottom right hand corner of the window of the Community homepage to keep your changes, or click on CANCEL to discard them.

4.1.3.2 Notification Settings

In this section, you will be able to change how the Community receives notifications of incidents.

When you disable the first Notifications Setting, no notifications will be sent out to the Community to inform them of any posted incidents.

With the Notifications Setting enabled, you can choose how the Community is informed of posted incidents by:

  • Dashboard Notifications

  • Email Notifications

  • SMS Notifications

Once the changes have been made, click on SAVE or if you no longer want to change the settings, please CANCEL.

4.1.3.3 Leave

Select LEAVE if you want to leave the community. Note that you will no longer be able to post incidents to this community (you will have to rejoin or be re-invited). If you do not wish to leave, please CANCEL.

4.1.3.4 How to Transfer Ownership of a Community

If you no longer wish to be the Owner of a Community, you have the option to transfer ownership of the Community to a fellow member. To do this:

  • Go to the Communities dashboard

  • Select the Community you want to transfer ownership of

  • Select the Member you would like to have as the New Owner

  • Click on the Three Dots to the right of the Member’s name

  • Assign as Owner

  • Confirm that you are willing to give Admin Privileges (includes rights to remove users and delete the Community) to the New Owner.

  • Click ACCEPT to go ahead with the transfer of ownership or click CANCEL not to go ahead.

  • A message will appear to confirm that the transfer of the community’s ownership has been successful.

4.1.3.5 Delete a Community

If you no longer wish your Community to exist, you can delete it with this option.

Please be aware that all posts and data will be lost after deletion.

To go ahead with the deletion, click on DELETE or if you do not wish to delete, please CANCEL.

4.1.3.6 Invite new members to your Community

After setting up your Community, you are now able to invite members to be part of that Community. A maximum of five members can be invited at one time.

To invite new members, go to the right hand pane of the Community homepage and under About Community, click on +Invite and enter the email addresses of your intended members. Then click on INVITE to send your request or choose CANCEL not to proceed.

4.1.4 Members

The names of the Members of your Threat Sharing Community will appear under Members.

To quickly find names, you can enter the members’ names in the search window on the Community homepage.

4.1.4.1 Requests

Under the Requests field on the Community homepage, you will see who has sent requests to join your Threat Sharing Community.

5. How to Post and Share Incidents

5.1 Posting an Incident in your Community

Under the Incidents field on the Community homepage, click on the Post Incident button. This will take you to the Post an Incident screen where you can begin to post your Incident.

To post an Incident, you can either find an already Reported Incident under Find Incident or upload the email you wish to report under Upload Email. Emails can be uploaded or dropped in as .eml or .msg files.

Once the email has been uploaded, the first step of the Post an Incident process, Select Incident, will be displayed.

Click on NEXT in the bottom right corner of the screen and the next steps of the posting of the Incident can be actioned.

At each stage of the posting of the Incident, a blue check box will be ticked to show your progress.

5.1.1 General Info

Enter the following fields:

  • Title: Type in the Title of the Incident

  • Description: Briefly describe the Incident (max. 300 words)

  • Category: Select the Category which best describes the threat

  • Security Label TLP: Use TLP labels to inform recipients about how to share sensitive information

5.1.2 Incident Details

Enter information on the discovery of the threat, its impact and how to fight against it.

Complete the fields:

  • Discovery and Detection: Explain how the threat was detected and what tools were used

  • Impact Range:

    • Affect Area (what systems and programs are affected)

    • Scope (how does it work and affect your systems)

5.1.3 Attributes

Figure 2: Post an Incident > Attributes

Select the attributes you would like to share with or hide from the Community. At least one attribute must be chosen.

To flag certain attributes of the Incident such as Subject, Sender Info and Links etc., select the options on the drop down menus next to the section you would like to flag. You are then able to flag these links in the Incident as Flagged Sender or Phishing Links.
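A local pre-check for the attribute selection described above, as an added example that is not part of the platform or its API: it parses an .eml with Python's standard library, lists the attributes the email would expose, enforces the "at least one attribute" rule, and flags shared attributes that still contain the reporter's own identifiers. The attribute names, the sample message and the `own_identifiers` list are assumptions constructed for illustration.

```python
# Added example (not platform code): review an .eml locally before posting it.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; every name and address is a placeholder.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@mail.example.net>
To: Jane Doe <jane.doe@corp.example.com>
Subject: Password expiry notice
Date: Mon, 03 Mar 2025 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Jane, your password expires today.
Renew it at http://login.example.org/renew?id=42 now.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_attributes(raw_eml):
    """Return the header, body and attachment attributes found in an .eml string."""
    msg = message_from_string(raw_eml, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # De-duplicate links and trim punctuation that trails a URL in running text.
    links = sorted({u.rstrip(".,);") for u in URL_RE.findall(text)})
    attachments = [p.get_filename() for p in msg.iter_attachments()
                   if p.get_filename()]
    return {
        "subject": str(msg.get("Subject", "")),
        "sender": sender,
        "recipient": recipient,
        "links": links,
        "attachments": attachments,
        "body": text,
    }


def build_share_view(attrs, hidden, own_identifiers):
    """Drop hidden attributes, require at least one shared attribute, and
    report (attribute, identifier) pairs where the reporter's own details
    would still be visible in what is shared."""
    shared = {k: v for k, v in attrs.items() if k not in hidden and v}
    if not shared:
        raise ValueError("at least one attribute must be shared")
    leaks = []
    for name, value in shared.items():
        flat = " ".join(value) if isinstance(value, list) else value
        for ident in own_identifiers:
            if ident.lower() in flat.lower():
                leaks.append((name, ident))
    return shared, sorted(leaks)


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_EML)
    shared, leaks = build_share_view(
        attrs, hidden={"recipient"}, own_identifiers=["corp.example.com", "Jane"])
    print("shared attributes:", sorted(shared))
    print("reporter details still visible:", leaks)
```

Hiding the recipient header alone is not enough in this sample: the greeting in the body still names the recipient, so the body would also need to be hidden or edited before posting.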

5.1.3.1 Edit Post Email

Edit Post Email allows you to edit and change the email as required with custom components. Click on Edit to access this function.

5.1.4 Preview

Before posting, you are able to preview the Incident and the number of harmful items will be displayed:

Figure 3: Post an Incident Timeline > Preview

There is the option to Post as Anonymous: If you use this option, details of your identity will be hidden. If this option is not selected, your post will be displayed with your name and profile information.

Please put a tick in the check box as above.

To make changes, click on PREVIOUS to return to the section you would like to edit. Complete the posting of the Incident by clicking on POST.

The Threat Sharing Community will now be informed of the Incident you have posted.

By clicking on DETAILS of the Incident, you are able to expand and see more information about the Incident.

5.1.5 How to Edit, Investigate, Share or Delete an Incident

To Edit, Investigate, Share or Delete a posted Incident, click on the three dots to the right of the title for the options.

  • The Edit option will bring you back to the first stage of Post an Incident and then you will be able to edit the Incident.

  • The Investigate option allows you to start a New Investigation. Complete the following fields:

    • Enter a name for the New Investigation

    • Target Users: select from Users, User Groups or Specific Users

    • Search Criteria: select the criteria you would like to use in the investigation. You can add additional criteria

    • Email Date Range: select the range of the email’s sending date

    • Select Sources: select the email software to be investigated

    • Duration: select for how many days the investigation will run

    • Action: select the action to be taken if the investigated email is found

After completing the New Investigation, click on Save.

Sharing can only be allowed as part of a public Community: no incidents posted from a private or hidden Community are allowed to be shared outside of that Community.

To share an Incident with someone who is not already a member of the private or hidden Community, first send them an Invite to join.

Once they have received the invite and joined the private or hidden Community, the posted incidents of this Community can now be accessed and viewed.

After you have selected the Share option, you will be able to enter the email addresses (maximum of ten) of contacts in your networks you would like to notify about the posted incidents from the public communities.

5.1.6. How to understand a Shared Incident

Figure 4: A Posted or Shared Incident

Here you can view the posted or shared Incident showing who it was posted by (or not if the Anonymous feature was chosen) as an Email Preview or its Details. The number and type of suspected harmful items will be displayed and where they can be found. You have the opportunity to up- or down-vote the Incident to help grade and verify the severity of the Incident.

5.1.6.1 How to Investigate an Incident posted in a Community

When you have seen an Incident posted in one of your Communities and would like to investigate if the same Incident has occurred in your own organization, go to the relevant incident and click on the three dots and then select Investigation.

5.2 Posts

In the right hand pane on the Threat Sharing homepage under Create Community, you can see the following:

  • Your Posts: All your posts created in all the communities of which you are a member.

  • Top Posts from your Communities: The most popular posts from your communities.

Suggested Communities are displayed. These are communities suggested on the basis of ones already joined and those you have requested to join or yet to join.

5.3 How to Join a Community

Joining a Community depends on its Privacy options.

For a public Community, you are able to join without having to request or receive an invite.

For a private Community, you can either receive an invite from the Community owner before you are able to join and see the incidents posted in that Community OR send a join request to the specific Community you want to be in.

Top Tip: To find a Community you would like to join, go to the search bar under Communities and filter by keywords.

A hidden Community can be joined by invite only. Once you have created or have joined a hidden Community, invitations can be sent in the same way as for a private Community.

5.3.1 Leaving a Community

To leave a Community of which you no longer want to be a member, please click on the three dots to the right of the title of the Community.

Please note that once you have left a Community (public, hidden or private), you will no longer be able to post incidents. Once you have left a Community that is private or hidden, you will also no longer be able to view its posted incidents.

5.4 Invitations

Invitations can be sent out when:

  • You are the owner of a private Community and have sole control over the permissions and who can be invited to be a member.

  • Or when the Community is public and as a member, you are able to invite potential interested members.

  • Or if the Community is hidden, invitations can only be sent out once you have either created that Community and selected the hidden option or have become a member of that hidden Community.

In the Invitations field under Communities, you are able to view the invitations you have received. When there are no invitations, you can search for communities to join in the search window.

5.4.1 Invitation Notifications

When a user is invited to a Community, a notification will be sent via email and SMS (if configured).

Figure 5: Invitation to join a Community

6. FAQ

Q: Can I hide my organization details when I post an incident to a community?

A: Yes, you can. When you want to keep your organization's details private, you are able to Post as Anonymous. To select this option when you are Posting an Incident in your Community, tick the check box in the Preview section.

Q: How can I launch an Investigation?

A: When you see an Incident posted and shared by a fellow user of a Community, you can easily launch an investigation by selecting the Investigate option. Then add the criteria, target users, duration etc. to be used as part of the new investigation’s search. For more information go to How to Edit, Investigate, Share or Delete an Incident.

Q: Is it possible to invite a company which is not a customer on this platform to a community?

A: No, it is only possible to invite individuals on behalf of organizations/companies, and not, directly, organizations/companies that are not registered on the platform. Once an organization has been accepted to the platform as a member, then all registered users of that organization are eligible to be invited to become members of Communities if they choose to do so.

For more information about invitations and to invite new members, go to Invitations or Invite New Members.

Q: Where are shared incidents stored?

A: The shared incidents will be in the database.

Q: What is the reliability of the shared posts/incidents?

A: Before a user is able to post an incident, they have to accept the Terms and Conditions to ensure the maximum reliability of the shared posted incidents.

Q: Are shared threats/incidents/posts human verified?

A: No, they are not verified. However, Threat Sharing Communities are peer-to-peer networks formed and built on trust, which in turn can be used to verify the posts/incidents.

Q: Is there any limit to sharing posts on a community?

A: There are no limits; you can share as many as you want.

Q: Is it possible to leave a Community of which I am the owner? How can I transfer ownership?

A: Yes, you can. Select the member of the Community you want to transfer ownership to and after clicking on the three dots next to their name, you can Assign as Owner. If you do not want to have another member as owner of your Community, you can delete it. Please note that if you decide to delete, all posts and data of the Community will be erased.

7. Use Cases

Use Case: Keeping details private for members when posting an incident and avoid exposing confidential information

The best solution would be to post anonymously. My details will be withheld and kept private. The Post as Anonymous option is ideal as the name of the person who is posting the incident and the name of the organisation/company will be hidden from view and remain confidential. Further levels of privacy can be chosen if required when posting an incident. It is possible to decide what attributes of the incident can be made visible or hidden in the Header field or Body or Attachment.

Use Case: Make a Community to be available to certain members only and prevent unwanted ones

When setting up a Community, there is a high degree of control about who can access and view that Community. The privacy options (public, private or hidden) allow the Community owner to restrict who can view, join or be invited.

Choosing the hidden or private privacy option allows the owner of the Community to control who can either be invited or ask to join. When a Community is created, the owner has administrator rights which control the membership. The Community Owner can also decide to delete the community if they want to or transfer ownership to a fellow member. A private Community can be visible and the hidden one will remain secret and confidential.

If there is no need to keep the community private or hidden and to allow anyone to join, then the best option is to choose the public privacy option when it is created.

Use Case: Find communities related to a particular industry or sector for a member

With the search option in Communities, it is possible to find the industries or sectors most relevant to your interests. Someone who works in Financial Services can search for related Communities such as Banking, Brokerage, Investment Banking or Private Equity and, if the privacy options allow, become a member of those Communities. To further protect privacy, it is possible to search for industries and sectors by privacy option. Threat Sharing also helpfully suggests to users which Communities will be of potential interest.

Use Case: No Communities relate to my sector - what can be done?

If there are no relevant, related Communities of interest to join, this is an opportunity to be seized and to create a new Community with other similar members from a certain industry or sector.

This can be a great way to establish your Community and become a thought leader within your industry or sector.

Use Case: Searching for specific Incidents in the Threat Sharing Database

In the Incidents section, there are several ways to search for particular incidents, so that you can investigate whether they have already impacted your organisation or could potentially do so in the future, and identify the type of threat. Keyword, Company, and Threat fields can be used to search for Incidents that have been reported.

This can provide excellent insights into present and future threats, and searches can be run through Incident Response systems to discover if these incidents are taking or have already taken place in an organisation. Then appropriate Awareness Education Training can take place to address any vulnerabilities or weaknesses in an organisation’s information security systems and networks.

Use Case: Knowing what Incidents are more harmful than others

Community members will want to know immediately what incidents are and have been considered to be the most harmful. When an incident is posted, the most harmful attributes will have been flagged by Community members and the member can access the specific details and accordingly take the right response in their organisation.

Use Case: Using Invitations to grow a Community

Invitations are an invaluable way to grow Communities. The owner of a hidden or private Community is the gatekeeper, who is the ultimate decision maker of how invitations are administered and to whom. The more invitations you make, the more members a community will have and more threats can be shared. This will be an excellent way to improve cyber resilience, as organisations will be better prepared against future attacks as they have already been warned by Community members of these threats.

A Community which is public has no limits on how many invitations can be issued and to whom, unlike a Community which is hidden or private.

Use Case: Making a Community successful for the owner and members

The best way to make a Community successful is through the proactiveness of the members and in particular the Community’s owner. The larger the community, the more successful it will be for everyone but also the high integrity and calibre of the Community will be additional strengths as it is built on the trust of a peer-to-peer Community.

Use Case: How to Decide the Purpose of a Community and What is the Purpose of a Community

The Community is the baby of the person who has created it and they have had the wonderful idea of its creation. The Community’s owner can share the reasons behind the purpose with their fellow community members in the Description the Community has been given when it was created.

Use Case: Once an Incident is Posted: what action can be taken and what investigations can be started?

After it has been established which posted incidents are of most interest to members, they can act according to their own organisation’s cyber security protocols and Incident Response procedures using the information discovered in both actual and potential Threats.

Use Case: The Community has lost its way, how can it be saved

Priorities always change in an organisation and the same happens in Threat Sharing World of Communities too. If the owner of a Community no longer feels that it is relevant and the purpose for it to continue no longer exists, then the Community can be deleted, and all reported incidents, along with the record of which members were part of it, will be destroyed as well.
