Post-Incident Review | P3 | ~240 min

Threat-Intel Sharing and Sector Reporting

Convert the investigation's findings into shareable artifacts: IoCs, TTPs mapped to MITRE ATT&CK, hunt queries, detection rules, and a redacted narrative. Share through the appropriate channels (private vendor, ISAC, CISA, industry peers) respecting classification and legal constraints.

Actions

  1. Assemble the IoC package: hashes with algorithms, IPs with first-seen timestamps, domains with WHOIS/DNS snapshots, email indicators, TLS certificate thumbprints, file paths, registry keys, mutexes.

  2. Publish hunt queries in a shareable format (Sigma, KQL, SPL) and tag them with the originating TTP; submit Sigma rules to the Sigma public repo when non-sensitive.

  3. Prepare a TTP narrative mapped to MITRE ATT&CK tactics, techniques, and sub-techniques; reference the ATT&CK Group ID if attribution is high-confidence.

  4. Redact the narrative for external sharing: remove internal hostnames, users, and specific business context while preserving technical fidelity.

  5. Submit findings through the appropriate channels: sector ISAC, CISA (for US), NCSC (for UK), relevant national CSIRT, and trusted vendor partners.

Queries

Which IoCs in this incident have already been publicly reported, and which are novel?
Are there detection rules we built during this incident that would benefit peers in our sector?

Notes

Share quickly but share correctly. Classification mistakes (accidentally including internal identifiers) are the most common failure mode -- have a second pair of eyes review before publishing.

Private-channel sharing (ISAC, vendor, peer) often reaches targets faster than public-channel sharing and carries lower reputational risk.
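An added example, not part of this playbook, covering step 1 (hashes carry their algorithm), step 4 (redaction that keeps the attack path readable) and the "second pair of eyes" check from the notes. The draft narrative, the internal domain suffix and the usernames are constructed sample values.

```python
import re

# Constructed sample draft and list of internal identifiers (not from a real incident).
INTERNAL_SUFFIXES = (".corp.example.internal",)
INTERNAL_USERS = {"jsmith", "svc-backup"}
DRAFT = ("Phish landed in jsmith's mailbox; the macro ran on WS-0412.corp.example.internal, "
         "then svc-backup was used to reach FS01.corp.example.internal. The payload "
         "beaconed to 203.0.113.42 (TA0011, T1071.001).")

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def label_hash(digest: str) -> dict:
    """Step 1: never ship a bare digest; attach its algorithm, inferred from hex length."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_ALGOS:
        raise ValueError(f"not a recognised hex digest: {digest!r}")
    return {"algorithm": HASH_ALGOS[len(digest)], "value": digest}

def redact(text: str, suffixes=INTERNAL_SUFFIXES, users=INTERNAL_USERS):
    """Step 4: swap internal hosts/users for stable placeholders (HOST-n, USER-n) so the
    attack path still reads correctly. The returned mapping stays internal; never share it."""
    mapping = {}

    def placeholder(kind: str, name: str) -> str:
        key = name.lower()
        if key not in mapping:
            mapping[key] = f"{kind}-{sum(v.startswith(kind) for v in mapping.values()) + 1}"
        return mapping[key]

    host_re = re.compile(r"\b[\w-]+(" + "|".join(map(re.escape, suffixes)) + r")\b", re.I)
    text = host_re.sub(lambda m: placeholder("HOST", m.group(0)), text)
    for user in sorted(users, key=len, reverse=True):  # longest first avoids partial hits
        text = re.sub(r"\b" + re.escape(user) + r"\b",
                      lambda m: placeholder("USER", user), text, flags=re.I)
    return text, mapping

def leak_check(text: str, suffixes=INTERNAL_SUFFIXES, users=INTERNAL_USERS) -> list:
    """The second-pair-of-eyes gate: any internal identifier still present blocks publishing."""
    lowered = text.lower()
    leaks = [s for s in suffixes if s.lower() in lowered]
    leaks += [u for u in users if re.search(r"\b" + re.escape(u) + r"\b", text, re.I)]
    return leaks

if __name__ == "__main__":
    redacted, _internal_map = redact(DRAFT)
    print(redacted)
    print("blocked by:", leak_check(redacted) or "nothing, safe to share")
```

Run the gate on every artifact in the package (narrative, Sigma rule descriptions, query comments), not only the narrative, since internal names leak just as easily through a rule's `description` field.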
