DORA Information Sharing: Cyber Threat Intelligence Exchange
DORA's fifth pillar encourages financial entities to share cyber threat information and intelligence. Unlike the other four pillars, information sharing is voluntary, but the regulation establishes a framework to facilitate trusted exchange among financial sector participants.
Sharing threat intelligence enables faster detection of emerging attacks, collective defense improvements, and reduced duplication of effort across the sector.
Key Takeaways
| Point | Summary |
|---|---|
| Voluntary participation | Information sharing is encouraged but not mandatory |
| Trusted communities | Sharing occurs among entities with compatible interests |
| Content types | Indicators of compromise, tactics, techniques, alerts, and mitigation tools |
| Safeguards required | Must protect confidential information and personal data |
| Regulatory notification | Participants must notify their competent authority |
Quick Answer: DORA encourages financial entities to voluntarily participate in cyber threat intelligence sharing arrangements. Participants can exchange indicators of compromise, attack tactics and techniques, security alerts, and mitigation tools within trusted communities. While sharing is voluntary, participants must notify their competent authority, protect confidential information, and comply with data protection requirements.
Why Information Sharing Matters
The financial sector faces sophisticated, coordinated cyber threats. Attackers often target multiple institutions using similar techniques. Information sharing provides several benefits:
| Benefit | Description |
|---|---|
| Earlier detection | Identify threats targeting peers before they reach you |
| Collective defense | Improve security across the sector by learning from others |
| Reduced duplication | Avoid redundant threat analysis efforts |
| Faster response | React more quickly to emerging attack patterns |
| Intelligence enrichment | Combine observations for better threat understanding |
What Can Be Shared
DORA Article 45 specifies types of information that may be shared within trusted communities:
Threat Intelligence
| Type | Examples |
|---|---|
| Indicators of compromise (IOCs) | Malicious IP addresses, domain names, file hashes, URLs |
| Tactics, techniques, and procedures (TTPs) | Attacker methodologies and behaviors |
| Security alerts | Warnings about active threats or campaigns |
| Vulnerability information | Details of exploited or exploitable weaknesses |
| Threat actor intelligence | Information about adversary groups and motivations |
Mitigation Resources
| Type | Examples |
|---|---|
| Configuration information | Recommended security settings |
| Detection rules | SIEM rules, YARA rules, Snort signatures |
| Mitigation tools | Scripts, patches, or tools to address threats |
| Best practices | Recommendations for defense improvement |
Information Sharing Arrangements
Trusted Communities
Information sharing under DORA occurs within trusted communities of financial entities with:
- Compatible interests and risk profiles
- Appropriate trust relationships
- Shared commitment to responsible use
- Technical capability to receive and process intelligence
Arrangement Framework
Participation typically involves:
| Element | Description |
|---|---|
| Membership criteria | Who can participate |
| Operating rules | How sharing operates |
| Confidentiality commitments | Protection of shared information |
| Use restrictions | Permitted uses of received intelligence |
| Technical infrastructure | Platforms and protocols for exchange |
Existing Communities
Financial entities may participate in established sharing communities:
- National financial sector ISACs (Information Sharing and Analysis Centers)
- European financial sector sharing groups
- Commercial threat intelligence platforms
- Vendor-sponsored sharing communities
Safeguards and Protections
Confidentiality Protection
Shared information must be protected appropriately:
| Protection | Description |
|---|---|
| Business confidentiality | Trade secrets and competitive information |
| Operational security | Details that could aid attackers |
| Source protection | Identity of reporting entities when requested |
| Personal data | Compliance with GDPR and data protection requirements |
Traffic Light Protocol
Many sharing communities use the Traffic Light Protocol (TLP) to indicate permitted distribution:
| TLP Level | Distribution |
|---|---|
| TLP:RED | Named recipients only |
| TLP:AMBER | Limited distribution within organization |
| TLP:GREEN | Community-wide distribution |
| TLP:CLEAR | Unrestricted distribution |
Data Protection
When shared information contains personal data:
- Legal basis for processing must exist
- Data minimization principles apply
- Purpose limitation must be respected
- GDPR rights must be accommodated
Regulatory Notification
Notification Requirement
Financial entities participating in information-sharing arrangements must notify their competent authority of their participation.
Notification should include:
- The sharing arrangement or community
- Types of information exchanged
- Operational rules governing participation
- Safeguards implemented
Regulatory Sharing
Competent authorities and ESAs may themselves share relevant cyber threat information with financial entities to:
- Warn of significant threats
- Coordinate sector-wide responses
- Support collective defense
Participation Considerations
Benefits of Participation
| Benefit | Impact |
|---|---|
| Threat visibility | Earlier awareness of relevant threats |
| Collective defense | Benefit from sector-wide observations |
| Network effects | Value increases with participation |
| Regulatory alignment | Demonstrates proactive security posture |
Challenges to Address
| Challenge | Mitigation |
|---|---|
| Confidentiality concerns | Clear agreements on use and distribution |
| Resource requirements | Start with consumption before contribution |
| Quality variability | Participate in curated communities |
| Legal uncertainty | Clear terms and regulatory notification |
Readiness Assessment
Before participating, assess your readiness:
- Can you consume and act on threat intelligence?
- Do you have resources to contribute?
- Are appropriate confidentiality controls in place?
- Is management aware and supportive?
Operationalizing Information Sharing
Consumption Capability
To benefit from shared intelligence:
| Capability | Description |
|---|---|
| Ingestion | Ability to receive intelligence in standard formats |
| Integration | Connection to security monitoring tools |
| Analysis | Capacity to assess relevance and reliability |
| Action | Processes to respond to relevant intelligence |
Contribution Capability
To contribute effectively:
| Capability | Description |
|---|---|
| Detection | Ability to identify threats worth sharing |
| Attribution | Proper marking and context |
| Sanitization | Removal of sensitive information |
| Distribution | Technical means to share |
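The sanitization and marking steps in the contribution table, combined with the TLP distribution levels listed earlier, can be enforced in code before anything leaves the organization. The sketch below is an added example, not part of the original article or any sharing platform's API; the field names, audience names, and sample record are assumptions constructed for illustration, and the audience limits follow the TLP table on this page.

```python
import re

# Audience scopes from narrowest to widest (names are assumptions for this example).
# The limit per TLP label follows the distribution table on this page.
SCOPES = ["named_recipients", "organization", "community", "public"]
TLP_MAX_SCOPE = {"TLP:RED": "named_recipients", "TLP:AMBER": "organization",
                 "TLP:GREEN": "community", "TLP:CLEAR": "public"}

# Fields that identify the reporter or describe its internal estate (hypothetical names).
SENSITIVE_FIELDS = {"reporter", "affected_hosts", "analyst_email", "internal_ticket"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def may_distribute(tlp, audience):
    """True if a record marked `tlp` may go to `audience`; unknown labels fail closed."""
    limit = TLP_MAX_SCOPE.get(tlp)
    if limit is None or audience not in SCOPES:
        return False
    return SCOPES.index(audience) <= SCOPES.index(limit)

def sanitize(observation):
    """Drop source-identifying fields and redact e-mail addresses from free text."""
    clean = {k: v for k, v in observation.items() if k not in SENSITIVE_FIELDS}
    if "description" in clean:
        clean["description"] = EMAIL_RE.sub("[redacted-email]", clean["description"])
    return clean

def prepare_for_sharing(observation, audience):
    """Return the sanitized record, or raise if its TLP label forbids this audience."""
    tlp = observation.get("tlp")
    if not may_distribute(tlp, audience):
        raise PermissionError(f"{tlp} does not permit distribution to {audience}")
    return sanitize(observation)

# Constructed sample observation (documentation-range IP, example domains).
SAMPLE = {
    "tlp": "TLP:GREEN",
    "indicator_type": "ipv4",
    "indicator": "203.0.113.45",
    "description": "Phishing sent to jane.doe@bank.example linked to this host.",
    "reporter": "Example Bank AG",
    "affected_hosts": ["pay-gw-01.corp.bank.example"],
    "analyst_email": "soc@bank.example",
}

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE, "community"))
```

The gate runs before sanitization so that a record marked too restrictively for the chosen audience is rejected outright rather than released in a stripped form.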
Technical Standards
Common standards facilitate sharing:
- STIX: Structured Threat Information eXpression
- TAXII: Trusted Automated eXchange of Intelligence Information
- MISP: Malware Information Sharing Platform
- OpenIOC: Open Indicators of Compromise
Common Questions
Is information sharing mandatory under DORA?
No. Unlike the other four pillars, information sharing is voluntary. DORA establishes a framework to facilitate sharing but does not require participation.
Can we participate in multiple sharing communities?
Yes. Financial entities may participate in multiple arrangements. Ensure you can meet the commitments of each and manage confidentiality appropriately across communities.
What if shared information reveals our vulnerabilities?
Share appropriately sanitized information. Focus on observed attacks rather than specific vulnerabilities in your systems. Use TLP markings to control distribution.
How do we start participating?
Begin by consuming intelligence before committing to contribute. Join established communities appropriate to your sector and size. Build internal capability to process and act on intelligence.
Does sharing create liability?
Clear agreements should define liability terms. Good faith sharing of accurate information for security purposes is generally protected, but consult legal counsel regarding specific arrangements.
How Bastion Helps
Bastion supports financial entities in developing information sharing capabilities:
- Readiness assessment: Evaluation of current capability to participate in sharing
- Community identification: Guidance on appropriate sharing communities
- Operational design: Development of consumption and contribution processes
- Technical integration: Connection of threat intelligence to security operations
- Governance: Policies and procedures for responsible sharing
Sources
- DORA Article 45 - Information-sharing arrangements on cyber threat information and intelligence
- FIRST TLP Standard - Traffic Light Protocol for information sharing
- MISP Project - Open source threat intelligence platform
