COI Report – Part VII
Page 333 of 425
(c) Classified information provided by commercial companies to their trusted partners; and
(d) Classified information provided by security partners in other countries.
42.1.1 Intelligence generated by CSA from their investigations with their investigative partners
965. CSA operates an intelligence centre which analyses intelligence generated from its investigations. Where CSA is involved in containment and investigation, it will concurrently share threat intelligence from such investigations with all CII sectors so that protective and precautionary measures can be taken. The threat intelligence is proactively shared in the form of actionable items, i.e. by providing malware indicators or specific instructions. CE, CSA’s evidence is that actionable intelligence is important in order to let the enterprises know what steps to take. Dan’s evidence is that CII operators have different levels of maturity and not all CII operators will be able to analyse the intelligence and translate it into useful technical information that they can pass to their IT departments for action. Actionable intelligence is thus required, so that CII operators can consume the intelligence for immediate use. CSA thus informs the CII of the potential threats they need to look out for in particular systems or applications, and how they should mitigate against the threats.
967. CSA has a few modalities of sharing threat intelligence:
(a) Alerts or advisories are sent to CII operators. In 2017, 80 alerts or advisories were sent. Where one sector is subject to a cyber attack, CSA shares actionable intelligence to enable CII sectors to level up across the board to prevent other sectors from being similarly attacked.