# Security Information Sharing and ISACs
## Definition
Security information sharing is the practice of exchanging cybersecurity threat data, indicators of compromise (IOCs), vulnerability intelligence, and incident information between organizations to enable collective defense. Information Sharing and Analysis Centers (ISACs) are sector-specific organizations that coordinate this sharing among member organizations within a defined industry.
The premise of information sharing is asymmetric efficiency. An attacker who compromises one financial institution can use the same techniques against every other financial institution in the sector. If the first institution detects the attack and shares the indicators, every other institution can block those indicators before the attacker reaches them. The attacker must now compromise 500 institutions with 500 different techniques rather than 500 institutions with one technique. Sharing transforms individual defense into collective defense.
Without sharing, every organization defends alone. The attacker's techniques are unknown until they are used against each target individually. The same phishing campaign compromises dozens of organizations because each discovers it independently rather than benefiting from the first victim's detection. The intelligence gap between what one organization knows and what the community needs to know is the gap that information sharing closes.
## How It Works
### ISACs and ISAOs
ISACs (Information Sharing and Analysis Centers). Sector-specific organizations established to share cybersecurity threat information among member organizations. ISACs were originally mandated by Presidential Decision Directive 63 (1998) for critical infrastructure sectors and have expanded to cover most major industries.
Major ISACs:
FS-ISAC (Financial Services): the largest and most mature ISAC. Over 7,000 member organizations across banking, insurance, securities, and payments. FS-ISAC operates 24/7 threat intelligence operations, conducts sector-wide exercises, and coordinates incident response across the financial sector.
H-ISAC (Health): healthcare organizations including hospitals, health plans, pharmaceutical companies, and medical device manufacturers. H-ISAC shares healthcare-specific threat intelligence: ransomware campaigns targeting hospitals, actors targeting protected health information (PHI), and medical device vulnerabilities.
IT-ISAC (Information Technology): technology companies sharing threat intelligence relevant to the IT sector. IT-ISAC coordinates response to vulnerabilities and campaigns that affect technology infrastructure.
E-ISAC (Electricity): operated by NERC for the electricity subsector. E-ISAC shares threat intelligence specific to the power grid, including OT/ICS threats.
MS-ISAC (Multi-State): operated by CIS for state, local, tribal, and territorial (SLTT) government organizations. MS-ISAC provides free threat intelligence, incident response, and security services to government entities.
Additional ISACs cover aviation (A-ISAC), automotive (Auto-ISAC), defense industrial base (DIB-ISAC), education (REN-ISAC), maritime (MTS-ISAC), real estate (RE-ISAC), retail (R-ISAC), and water (WaterISAC).
ISAOs (Information Sharing and Analysis Organizations). Broader sharing organizations that are not limited to a specific sector. ISAOs serve communities of interest (small businesses, regions, cross-sector groups) that do not fit neatly into ISAC sector boundaries. Executive Order 13691 (2015) encouraged the formation of ISAOs to extend sharing beyond critical infrastructure sectors.
### Sharing Mechanisms
Automated indicator sharing. Machine-readable IOCs (IP addresses, domain names, file hashes, email addresses, URLs) are shared through automated platforms using standardized formats:
STIX (Structured Threat Information eXpression): the standard for representing threat intelligence in a structured, machine-readable form. STIX objects include indicators, attack patterns, threat actors, malware, vulnerabilities, and courses of action. STIX provides the common language that enables automated sharing across organizations using different security tools.
TAXII (Trusted Automated eXchange of Intelligence Information): the transport protocol for sharing STIX objects between systems. TAXII defines how systems discover, request, and receive threat intelligence. TAXII servers publish intelligence. TAXII clients consume it. The combination of STIX (format) and TAXII (transport) enables fully automated intelligence sharing.
CISA AIS (Automated Indicator Sharing): a free, government-provided automated sharing service. CISA AIS distributes IOCs from federal government sources and participating organizations to all AIS participants. AIS uses STIX/TAXII and is available to any U.S. organization at no cost.
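The consumer side of the STIX/TAXII flow just described, as an added example (not code from the article, OASIS, CISA AIS or any ISAC): it takes a STIX 2.1 bundle of the kind a TAXII collection returns, parses each indicator pattern into IOCs, drops revoked, expired and not-yet-valid indicators, carries the indicator's TLP marking along with every IOC, and matches the IOCs against firewall, DNS and EDR log lines by exact token rather than substring. The bundle, the hash and the log lines are constructed (documentation IP ranges, a `.invalid` domain); the TLP:GREEN marking-definition id is the one fixed by the STIX 2.1 specification.

```python
"""Consume a STIX 2.1 indicator bundle and match its IOCs against log lines."""
import json
import re
from datetime import datetime, timezone

# TLP marking-definition ids are fixed by the STIX 2.1 specification, so a
# consumer can recognise the label from the id alone.
TLP_GREEN_ID = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
CONSTRUCTED_HASH = "ab" * 32  # placeholder SHA-256, not a real sample

# Constructed bundle, shaped like a TAXII collection response.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0f1e2d3c-4b5a-4c6d-8e7f-0123456789ab", "objects": [
    {   # active indicator with two IOCs joined by OR
        "type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
        "id": "indicator--11111111-1111-4111-8111-111111111111",
        "created": "2025-01-01T00:00:00Z", "modified": "2025-01-01T00:00:00Z",
        "pattern": "[ipv4-addr:value = '203.0.113.45'] OR "
                   "[domain-name:value = 'c2.example.invalid']",
        "valid_from": "2025-01-01T00:00:00Z", "object_marking_refs": [TLP_GREEN_ID],
    },
    {   # expired indicator: valid_until has passed
        "type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
        "id": "indicator--22222222-2222-4222-8222-222222222222",
        "created": "2024-06-01T00:00:00Z", "modified": "2024-06-01T00:00:00Z",
        "pattern": f"[file:hashes.'SHA-256' = '{CONSTRUCTED_HASH}']",
        "valid_from": "2024-06-01T00:00:00Z", "valid_until": "2024-12-31T00:00:00Z",
        "object_marking_refs": [TLP_GREEN_ID],
    },
    {   # revoked indicator: the sharer withdrew it as a false positive
        "type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
        "id": "indicator--33333333-3333-4333-8333-333333333333",
        "created": "2025-02-01T00:00:00Z", "modified": "2025-02-15T00:00:00Z",
        "pattern": "[ipv4-addr:value = '198.51.100.7']",
        "valid_from": "2025-02-01T00:00:00Z", "revoked": True,
    },
    {   # the TLP:GREEN marking object itself, as the spec defines it
        "type": "marking-definition", "spec_version": "2.1", "id": TLP_GREEN_ID,
        "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
        "name": "TLP:GREEN", "definition": {"tlp": "green"},
    },
]})

# One comparison inside a STIX pattern, e.g. [ipv4-addr:value = '203.0.113.45']
# or [file:hashes.'SHA-256' = '...']. Boolean operators between comparisons are
# ignored: every comparison is treated as an IOC worth matching on its own.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'")
# Log tokens are split on whitespace, key=value separators and punctuation.
TOKEN_SPLIT = re.compile(r"[\s=,;\"'()\[\]]+")

def _parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_iocs(bundle_json, now=None):
    """Return the IOCs of indicators active at `now` (ISO 8601 string, default:
    current time). Revoked, not-yet-valid and expired indicators are dropped;
    each IOC carries its indicator id and TLP label so handling rules follow it."""
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    objects = json.loads(bundle_json)["objects"]
    tlp_by_id = {o["id"]: "TLP:" + o["definition"]["tlp"].upper() for o in objects
                 if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    iocs = []
    for obj in objects:
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked") or _parse_ts(obj["valid_from"]) > now_dt:
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now_dt:
            continue
        tlp = "unmarked"
        for ref in obj.get("object_marking_refs", []):
            tlp = tlp_by_id.get(ref, tlp)
        for otype, prop, value in COMPARISON.findall(obj["pattern"]):
            iocs.append({"type": f"{otype}:{prop}".replace("'", ""), "value": value,
                         "indicator": obj["id"], "tlp": tlp})
    return iocs

def match_logs(iocs, log_lines):
    """Exact, case-insensitive token match, so 203.0.113.4 does not hit
    203.0.113.45 the way a substring search would. One dict per (line, IOC) hit."""
    wanted = {}
    for ioc in iocs:
        wanted.setdefault(ioc["value"].lower(), []).append(ioc)
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for token in TOKEN_SPLIT.split(line.lower()):
            for ioc in wanted.get(token, []):
                hits.append({"line": line_no, **ioc})
    return hits

SAMPLE_LOGS = [  # constructed firewall, DNS and EDR lines
    "2025-03-01T10:02:11Z fw DENY src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2025-03-01T10:03:40Z dns query A C2.EXAMPLE.INVALID from 10.0.0.12",
    "2025-03-01T10:05:02Z fw ALLOW src=10.0.0.20 dst=198.51.100.7 dport=80",
    f"2025-03-01T10:06:00Z edr file-hash sha256={CONSTRUCTED_HASH} host=ws-17",
    "2025-03-01T10:07:30Z fw DENY src=10.0.0.31 dst=203.0.113.4 dport=22",
]

def demo(now="2025-03-01T00:00:00Z"):
    """Run the feed against the sample logs as of `now`; returns (iocs, hits)."""
    iocs = extract_iocs(STIX_BUNDLE, now)
    return iocs, match_logs(iocs, SAMPLE_LOGS)

if __name__ == "__main__":
    active, hits = demo()
    print(f"{len(active)} active IOCs, {len(hits)} hits")
    for h in hits:
        print(f"line {h['line']}: {h['type']}={h['value']} ({h['tlp']}, {h['indicator']})")
```

Run as of 1 March 2025, only the first indicator is active: the hash indicator has expired and the scanner address was revoked, so the EDR line and the `198.51.100.7` connection produce no hits, and the final line's `203.0.113.4` is not mistaken for `203.0.113.45`. Feeding the same bundle with an earlier clock brings the hash indicator back, which is why a SIEM ingesting a feed should re-evaluate validity windows rather than load indicators once and keep them forever.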
Analyst-to-analyst sharing. Structured intelligence reports, threat advisories, and analytical assessments shared through ISAC portals, secure email, and collaboration platforms. Analyst-to-analyst sharing provides the context that automated IOC sharing lacks: which actor is behind the campaign, what is their objective, what techniques are they using beyond the shared IOCs, and what defenses are effective.
Threat briefings. ISAC-organized briefings where member analysts present current threat activity, campaign analysis, and defensive recommendations. Briefings may be sector-wide (all FS-ISAC members) or sub-group specific (community banks, insurance companies).
Exercises. Sector-wide tabletop exercises and simulation exercises coordinated by ISACs. These exercises test cross-organizational coordination during major incidents (sector-wide ransomware campaign, supply chain compromise affecting multiple members, coordinated DDoS against the sector).
### Traffic Light Protocol (TLP)
The Traffic Light Protocol defines four classification levels for shared intelligence, governing how recipients can use and further share the information:
TLP:RED. For the eyes and ears of individual recipients only. Cannot be shared with anyone outside the specific exchange. Used for highly sensitive intelligence that could cause harm if disclosed.
TLP:AMBER. Limited sharing within the recipient's organization on a need-to-know basis. Cannot be shared outside the organization. Used for intelligence that is sensitive but needed by the recipient's security team.
TLP:AMBER+STRICT. Limited to the recipient's organization only. Cannot be shared with clients, customers, or constituents even if they are affected.
TLP:GREEN. May be shared with the broader community (other ISAC members, industry peers) but not publicly. Used for intelligence that benefits the sector but should not be publicly disclosed.
TLP:CLEAR. No restrictions. May be shared publicly. Used for general advisories, best practices, and non-sensitive threat information.
TLP enables sharing by establishing clear expectations: the sharer marks the intelligence with the appropriate TLP level, and recipients know exactly how they can use and further distribute it. Without TLP, organizations hesitate to share because they cannot control how the intelligence will be used. TLP provides that control.
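An added example (not FIRST's, an ISAC's or the article's code) that turns the levels above into a forwarding check a sharing desk could apply before redistributing received intelligence. It follows the FIRST TLP 2.0 definitions cited under Sources, under which TLP:AMBER permits need-to-know sharing with clients while TLP:AMBER+STRICT keeps the information inside the organization; it parses the label from a subject line or report header, accepts the legacy TLP:WHITE name that TLP 2.0 renamed TLP:CLEAR, and treats unmarked intelligence as non-forwardable until the source confirms a label (a policy choice of this example, not something TLP mandates). The subject lines are constructed.

```python
"""Decide whether received intelligence may be forwarded to a given audience."""
import re

# Audiences a recipient might forward to, from narrowest to widest.
# "self" means the original participants of the exchange.
AUDIENCES = ("self", "own_org", "clients", "community", "public")

# Permitted audiences per FIRST TLP 2.0: RED stays with the recipients,
# AMBER+STRICT stays inside the organisation, AMBER adds need-to-know clients,
# GREEN stops at the community, CLEAR has no restriction.
ALLOWED = {
    "TLP:RED": {"self"},
    "TLP:AMBER+STRICT": {"self", "own_org"},
    "TLP:AMBER": {"self", "own_org", "clients"},
    "TLP:GREEN": {"self", "own_org", "clients", "community"},
    "TLP:CLEAR": set(AUDIENCES),
}

# TLP 1.0 used TLP:WHITE for what 2.0 calls TLP:CLEAR; accept both spellings.
# AMBER+STRICT is listed before AMBER so the longer label wins.
LABEL_RE = re.compile(r"\bTLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)\b", re.I)

def parse_label(text):
    """Return the TLP label found in a subject line or header, or None if unmarked."""
    m = LABEL_RE.search(text)
    if not m:
        return None
    level = m.group(1).upper()
    return "TLP:CLEAR" if level == "WHITE" else "TLP:" + level

def may_share(label, audience, need_to_know=True):
    """Return (allowed, reason). Unmarked intelligence is treated like TLP:RED
    until the source states a label; that default is this example's policy
    choice rather than a TLP rule."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience {audience!r}")
    if label is None:
        return audience == "self", "unmarked: confirm the label with the source before forwarding"
    if label not in ALLOWED:
        raise ValueError(f"unknown label {label!r}")
    if audience not in ALLOWED[label]:
        return False, f"{label} does not permit sharing with {audience}"
    if label.startswith("TLP:AMBER") and audience != "self" and not need_to_know:
        return False, f"{label} permits sharing with {audience} only on a need-to-know basis"
    return True, f"{label} permits sharing with {audience}"

# Constructed requests: (subject line as received, intended audience,
# whether a need-to-know has been established for that audience).
SHARING_REQUESTS = [
    ("TLP:GREEN Sector phishing campaign IOCs", "community", True),
    ("TLP:GREEN Sector phishing campaign IOCs", "public", True),
    ("TLP:AMBER Actor targeting core banking platforms", "clients", True),
    ("TLP:AMBER+STRICT Actor targeting core banking platforms", "clients", True),
    ("TLP:AMBER Actor targeting core banking platforms", "own_org", False),
    ("TLP:RED Ongoing intrusion at a member", "own_org", True),
    ("Weekly threat digest", "own_org", True),
    ("TLP:WHITE Legacy public advisory", "public", True),
]

def triage(requests=SHARING_REQUESTS):
    """Apply may_share to each request; returns (label, audience, allowed, reason) tuples."""
    decisions = []
    for subject, audience, ntk in requests:
        label = parse_label(subject)
        allowed, reason = may_share(label, audience, ntk)
        decisions.append((label, audience, allowed, reason))
    return decisions

if __name__ == "__main__":
    for label, audience, allowed, reason in triage():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label or 'unmarked':17} -> {audience:10} {reason}")
```

The check is deliberately two-sided: the label decides the widest permitted audience, and for the AMBER levels the recipient must still establish a need-to-know before forwarding even inside its own organization. Returning the reason with the decision gives the sharing desk text it can attach to a refusal, which is where the "classification uncertainty" barrier discussed below usually bites.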
### The Sharing Paradox
Organizations that would benefit most from sharing are often the most reluctant to participate. The barriers:
Competitive concerns. Organizations fear that sharing incident information reveals weaknesses that competitors could exploit commercially or that customers could learn about.
Legal liability. Organizations fear that sharing information about incidents or vulnerabilities could create legal liability: admitting to a breach, identifying a vulnerability that an attacker later exploits, or sharing information that is later used in litigation.
Classification uncertainty. Organizations are uncertain what they can share, at what TLP level, and through which channels. The uncertainty creates paralysis.
Resource constraints. Participating in information sharing requires staff time: monitoring ISAC portals, attending briefings, analyzing shared intelligence, and contributing the organization's own intelligence. Understaffed security teams deprioritize sharing in favor of operational demands.
The Cybersecurity Information Sharing Act of 2015 (CISA Act) addresses the legal barrier by providing liability protection for organizations that share cyber threat indicators in compliance with the act's requirements. The protection covers antitrust liability, regulatory liability, and private liability for sharing in good faith.
## Why It Matters
### Collective Defense
No organization has complete visibility into the threat landscape. Every organization sees only the threats that target it directly. Information sharing aggregates the visibility of thousands of organizations into a collective picture that is vastly more complete than any individual view. A ransomware group that targets 50 organizations may be detected by the first victim. If the first victim shares the indicators through the ISAC, the other 49 can block the campaign before it reaches them.
### Sector-Specific Intelligence
Generic threat intelligence (global IOC feeds) is useful but noisy: most indicators are not relevant to any specific organization. ISAC intelligence is sector-specific: FS-ISAC shares intelligence about threats targeting financial services, H-ISAC shares intelligence about threats targeting healthcare. Sector-specific intelligence has a higher signal-to-noise ratio because it focuses on the threats that actually target the member organizations' industry.
### Government Intelligence Access
ISACs serve as a conduit for classified and sensitive government intelligence that individual organizations cannot access directly. CISA, NSA, and FBI share threat intelligence with ISACs (often at TLP:AMBER or TLP:GREEN) that ISACs then distribute to their members. This intelligence includes information about state-sponsored campaigns, critical infrastructure targeting, and emerging threats that government agencies detect through national intelligence capabilities.
### Regulatory Expectations
Regulators increasingly expect organizations to participate in information sharing. NIST CSF 2.0 includes information sharing as part of the Govern function. The FFIEC (Federal Financial Institutions Examination Council) expects financial institutions to participate in information sharing programs. CISA encourages critical infrastructure organizations to join their sector ISAC. While participation is not mandatory in most sectors, it is increasingly viewed as a component of a mature security program.
## CDA Perspective
Information sharing sits in the TID (Threat Intelligence and Defense) domain of the Planetary Defense Model with RGA governance implications. TID consumes shared intelligence to inform detection rules, hunting hypotheses, and threat assessments. RGA governs the sharing program: membership decisions, contribution policies, TLP compliance, and legal review.
CDA's Predictive Defense Intelligence (PDI) methodology integrates ISAC intelligence as a primary input to client-specific threat assessments. "See the threat before it sees you." ISAC intelligence provides the earliest warning of sector-targeted campaigns: a threat detected by one member and shared through the ISAC reaches CDA's clients before the threat reaches their environment.
TID-B03 (Threat Intelligence Integration, 20 estimated hours) includes ISAC enrollment and integration as a component: identifying the appropriate ISAC for the client's sector, establishing membership, integrating the ISAC's automated feeds into the SIEM (STIX/TAXII ingestion), and establishing the workflow for consuming and acting on analyst-level advisories.
CDA's approach to information sharing includes one principle that extends beyond consumption: organizations should contribute, not just consume. A member organization that consumes ISAC intelligence but never contributes its own findings is free-riding on the collective. CDA encourages clients to contribute indicators from confirmed incidents (at appropriate TLP levels, reviewed by legal) because collective defense requires collective contribution. The Roman analogy: every legion that defended a section of the frontier contributed scouts (exploratores) to the shared intelligence picture. A legion that consumed intelligence but contributed none weakened the collective defense.
## Key Takeaways
- Information sharing transforms individual defense into collective defense. One organization's detection becomes every member's prevention.
- ISACs are sector-specific sharing organizations. Major ISACs cover financial services, healthcare, IT, electricity, government, and 10+ additional sectors.
- STIX/TAXII enable automated, machine-readable intelligence sharing. TLP governs how shared intelligence can be used and further distributed.
- The Cybersecurity Information Sharing Act provides liability protection for good-faith sharing, addressing the legal barrier that inhibits participation.
- CDA integrates ISAC intelligence into client threat assessments and encourages contribution, not just consumption. Collective defense requires collective contribution.
## Related Articles
- Threat Intelligence Operations
- Threat Intelligence and Defense (TID): The Atmosphere
- MITRE ATT&CK Framework
- Cyber Threat Landscape: 2025 and Beyond
- Incident Response Lifecycle
- State-Sponsored Cyber Threats: A Global Overview
## Sources
- National Council of ISACs. "Member ISACs." nationalisacs.org, updated continuously.
- OASIS. "STIX 2.1 and TAXII 2.1 Standards." oasis-open.org, 2021.
- Cybersecurity and Infrastructure Security Agency (CISA). "Automated Indicator Sharing (AIS)." CISA.gov, updated continuously.
- FIRST. "Traffic Light Protocol (TLP) v2.0." FIRST.org, 2022.
- U.S. Congress. "Cybersecurity Information Sharing Act of 2015 (CISA Act)." Public Law 114-113, December 2015.
Written by Evan Morgan