Beyond IoCs: Modernizing Cyber Defense in the CISA 2015 Lapse

Ten years after the Cybersecurity Information Sharing Act (CISA 2015) was enacted, the cybersecurity landscape has evolved dramatically. AI-powered threats are increasingly pervasive, with threat actors leveraging identity-based attacks to rapidly infiltrate and disrupt United States infrastructure, and with 80% of ransomware attacks now powered by AI. These threats outpace the traditional Indicators of Compromise (IoCs) that were once a core tenet of information sharing strategy. With CISA 2015 having lapsed, this moment spotlights the ways in which the U.S. must rethink its cyber intelligence strategy: moving from reactive, infrastructure-based signals to proactive, behavior-driven insights that enable organizations to anticipate and disrupt attacks before they materialize.
Evolving CISA 2015 beyond IoCs should be a core focus of building a robust information sharing policy. IoCs such as IP addresses, domains and file hashes change frequently and go stale within days or hours. Threat actors rotate short-lived infrastructure precisely so that yesterday's indicators no longer match today's activity, which lets them evade IoC-driven defenses and maintain persistence long after a feed has been published.
Modernizing information sharing frameworks requires more reliable threat intelligence that focuses on behavior-based analytics, contextualizing the likely behaviors that drive the tactics and techniques in threat actors' tradecraft. Even more important, the threat intelligence must be actionable and curated in a way that is applicable and useful to organizations, focusing on "what is happening" instead of relying on stale IoC-derived intelligence that only frames what has already happened.
The Real Challenge: Quality Over Quantity in Threat Intelligence
I recently spoke to a current Chief Information Security Officer (CISO) for a state agency and a former Chief Information Officer for a state agency at the GovRamp Cyber Summit. They both indicated that, conceptually, information sharing is essential for whole-of-state cybersecurity, but that currently the quality and fidelity of the threat intelligence is not actionable, nor does it drive situational awareness for enhancing cyber defense.
Many proponents of information sharing policies have raised concerns that our cyber defense capabilities are weakened and that our critical infrastructure is more vulnerable because of the lapse in policy. I would counter that it is not our inability to share threat intelligence that weakens our cyber defenses and makes us more vulnerable to cyberattacks, but that the threat intelligence shared is not actionable or reliable. Organizations must be able to codify and curate threat intelligence into their existing protection capabilities and cyber defenses; otherwise it is useless and has no real value in elevating cyber defense capabilities.
How Did We Get Here? Adapting Our Cyber Defense Beyond IoCs
The cyber battlefield has changed drastically since 2015, when CISA 2015 was enacted. Threat actors have evolved their techniques with the rise of cloud infrastructure and SaaS, AI and the growing reliance on software in our digital world. The shift from drive-by malware infections on endpoints to simply logging in with stolen credentials and reaching entire networks has compressed the attack chain and made it identity-centric:
- 2015-2017: Threat actors were "breaking into systems," using infrastructure vulnerabilities and malware to exploit weaknesses and trust relationships in systems, which led to a rise in ransomware and the weaponization of software vulnerabilities. Threat actors used malware and command and control (C2) infrastructure to establish persistence.
- 2018-2019: The focus shifted to credential theft targeting Active Directory, primarily Kerberoasting and Pass-the-Hash, as threat actors started to leverage stolen credentials to log in rather than break in. In addition, threat actors leveraged the dark web for stolen identities and credentials to scale their operations.
- 2020-2021: Cloud and SaaS identities became prime targets, along with malicious OAuth applications and the exploitation of cloud admin roles and SaaS trust relationships. Threat actors began to rotate and pivot through cloud infrastructure and resources, which diminished the value of IoCs.
- 2022-2023: The rise of Ransomware as a Service (RaaS) and MFA fatigue helped threat actors scale operations and blend cybercrime with nation-state activity. Threat actors relied heavily on MFA social engineering and SIM swapping, targeting privileged accounts across hybrid environments.
- 2024-2025: With privileges and the identity fabric now the control plane of the modern enterprise, threat actors targeted excessive privileges, tokens, secrets and cloud entitlements. The explosion of non-human identities and the growing use of AI identities rendered traditional IoCs largely obsolete.
Pathways to Sharing
No one disputes the importance of laws providing liability protection, safe harbor and antitrust exemptions for private industry when sharing threat intelligence. There is no information sharing act without these protections. However, the House Homeland Security Committee, the Senate and industry advocates of the information sharing policy must recognize that our threat intelligence framework as currently defined is outdated and needs to modernize toward behavior-based analytics.
Identity security context needs to be elevated within a sea of telemetry that today leans heavily on IoCs produced by technologies like Endpoint Detection and Response (EDR), Extended Detection and Response (XDR) and network monitoring. Most cyberattacks are identity-related: they typically start with a compromised account, then pivot to privilege escalation in order to move laterally and maintain persistence.
It should be noted that, pending reauthorization, there are sector-specific ISAC/ISAO communities that can facilitate threat intelligence sharing, especially for continuity among larger and critical operators. These communities of practice are well established, with NDAs, membership agreements and Traffic Light Protocol (TLP) mechanisms for threat information sharing. The goal is to encourage organizations that participate in these communities of interest to keep sharing under existing trust agreements (and to modify them as needed on a case-by-case basis).
Government engagement with ISACs has been essential and in some sectors very strong, but with the lapse in the information sharing policy, industry may seek stronger contractual frameworks, such as modified NDAs and MOUs, to keep threat intelligence flowing to critical sector organizations. This still does not address the quality of threat intelligence, but it allows threat communication to flow.
Another pathway for information sharing would be the use of Cooperative Research and Development Agreements (CRADAs), which in theory could be repurposed as a legal and operational bridge until reauthorization. CRADAs are often used in government to facilitate collaboration and knowledge sharing through sector pilots, advanced research and development (R&D) and cyber exercises with non-federal entities. They can borrow language from CISA 2015 to set out, as between the signing parties, confidentiality, permitted-use and liability terms for shared information. One caveat: a contract binds only its parties, so it cannot itself confer the statutory antitrust exemption or shield a participant from third-party claims the way the Act did, which is why a CRADA is a bridge rather than a replacement.
Parties can stipulate the period for the agreement, for example: "This agreement shall remain in effect until superseded by statutory protections enacted by Congress, or until terminated by either Party with sixty (60) days' notice."
If industry and government officials are truly concerned about the increase in nation-state cyberattacks against U.S. infrastructure during the lapse, now is the time to explore different routes to keep the information flowing to inform cyber defense posture.
Modernization During the Lapse
CRADAs create unique opportunities to advance the state of the art and practice for threat information sharing. This lapse is no time for excuses; it is time to level up the nation's cyber defense posture by modernizing an information sharing act for an accelerated and evolving threat environment.
Specifically, CRADAs can be tailored and drafted to modernize key aspects such as the following:
Enhanced Threat Intelligence Pilots
Industry should work with national labs, DHS S&T and FFRDCs to develop a framework that advances threat intelligence beyond IoCs. Behavior-based telemetry with identity-centric context is needed to develop early warning signs of potential and impending cyberattacks: essentially a framework and ontology for defining behavior-based analytics and telemetry, and for sharing them in a meaningful way.
Threat Intelligence Research and Development
Developing models for early warning telemetry to disrupt threat actor activities is essential. With current models, IoCs arrive too late: by definition they represent the presence of a threat actor already on a system or network. The goal of early warning models is to shift cyber defense from relying heavily on after-the-fact detection to a prevention-first approach that reduces the attack surface in U.S. critical infrastructure and enterprises. Threat hunting for IoCs is too reactive; the aim should be to hunt early for behavior-based activity, such as anomalous authentication patterns tied to a specific identity. This will facilitate timely, reliable and actionable behavior-based threat intelligence that can be used to disrupt cyberattacks.
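To make the contrast between IoC matching and behavior-based, identity-centric analytics concrete, the following Python is an added example written for this page (it is not code from the article or from any product or agency it mentions). It runs both styles of detection over a constructed batch of authentication events: a shared IP-based IoC feed finds nothing, because the actor has rotated infrastructure since the indicator was published, while two behavior rules keyed to the identity fire on an MFA push-fatigue sequence and a Kerberoasting-style service-ticket burst, and a correlation step chains them into the compromised-account-to-credential-access pattern described above. The events, the blocklist entry, the field layout and the thresholds are all constructed assumptions; the technique IDs are MITRE ATT&CK's public identifiers.

```python
"""Added example: stale IoC matching vs. identity-centric behavior rules.

Everything below (events, IoC feed, thresholds, field names) is constructed
for illustration. ATT&CK IDs: T1621 = MFA request generation,
T1558.003 = Kerberoasting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity telemetry (not real logs). detail for tgs_request is "SPN|etype".
SAMPLE_EVENTS = [
    # MFA push bombing against j.doe: four denials, then the user gives in.
    {"ts": "2025-10-01T08:00:05", "user": "j.doe", "src_ip": "203.0.113.10", "event": "mfa_push", "detail": "denied"},
    {"ts": "2025-10-01T08:00:40", "user": "j.doe", "src_ip": "203.0.113.10", "event": "mfa_push", "detail": "denied"},
    {"ts": "2025-10-01T08:01:10", "user": "j.doe", "src_ip": "203.0.113.10", "event": "mfa_push", "detail": "denied"},
    {"ts": "2025-10-01T08:01:55", "user": "j.doe", "src_ip": "203.0.113.10", "event": "mfa_push", "detail": "denied"},
    {"ts": "2025-10-01T08:02:30", "user": "j.doe", "src_ip": "203.0.113.10", "event": "mfa_push", "detail": "approved"},
    {"ts": "2025-10-01T08:03:00", "user": "j.doe", "src_ip": "203.0.113.10", "event": "login", "detail": "success"},
    # Same account then requests RC4 service tickets for six SPNs in under a minute.
    {"ts": "2025-10-01T08:10:01", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "MSSQLSvc/db01:1433|rc4"},
    {"ts": "2025-10-01T08:10:09", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "MSSQLSvc/db02:1433|rc4"},
    {"ts": "2025-10-01T08:10:17", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "http/web01|rc4"},
    {"ts": "2025-10-01T08:10:25", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "cifs/fs01|rc4"},
    {"ts": "2025-10-01T08:10:33", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "ldap/dc01|rc4"},
    {"ts": "2025-10-01T08:10:41", "user": "j.doe", "src_ip": "10.0.5.21", "event": "tgs_request", "detail": "host/app01|rc4"},
    # Benign background: an admin's normal AES ticket and one fat-fingered push.
    {"ts": "2025-10-01T09:00:00", "user": "a.admin", "src_ip": "10.0.5.30", "event": "login", "detail": "success"},
    {"ts": "2025-10-01T09:00:10", "user": "a.admin", "src_ip": "10.0.5.30", "event": "tgs_request", "detail": "cifs/fs01|aes256"},
    {"ts": "2025-10-01T09:30:00", "user": "b.smith", "src_ip": "10.0.5.40", "event": "mfa_push", "detail": "denied"},
    {"ts": "2025-10-01T09:30:30", "user": "b.smith", "src_ip": "10.0.5.40", "event": "mfa_push", "detail": "approved"},
]

# Constructed "shared IoC" feed: an IP the actor used last month and has since abandoned.
STALE_IOC_FEED = {"198.51.100.7"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def match_iocs(events, feed=STALE_IOC_FEED):
    """Infrastructure-based matching: only fires if the actor reuses a listed IP."""
    return [e for e in events if e["src_ip"] in feed]


def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """T1621: >= min_denials denied pushes for one account within `window`,
    followed by an approval. Keyed to the identity, not the source address."""
    findings = []
    pushes_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append(e)
    for user, pushes in pushes_by_user.items():
        recent_denials = []
        for p in pushes:
            now = _parse(p["ts"])
            recent_denials = [d for d in recent_denials if now - _parse(d["ts"]) <= window]
            if p["detail"] == "denied":
                recent_denials.append(p)
            elif p["detail"] == "approved" and len(recent_denials) >= min_denials:
                findings.append({"technique": "T1621", "user": user,
                                 "src_ip": p["src_ip"], "denials": len(recent_denials)})
                recent_denials = []
    return findings


def detect_kerberoast(events, min_spns=5, window=timedelta(minutes=5)):
    """T1558.003: one account requests RC4 service tickets for >= min_spns
    distinct SPNs inside a sliding `window`."""
    findings = []
    reqs_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "tgs_request":
            spn, etype = e["detail"].split("|")
            if etype == "rc4":
                reqs_by_user[e["user"]].append((_parse(e["ts"]), spn))
    for user, reqs in reqs_by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                findings.append({"technique": "T1558.003", "user": user, "spns": len(spns)})
                break
    return findings


def correlate(findings):
    """Chain findings per identity: compromised account followed by credential
    harvesting from that same account is the identity-centric attack chain."""
    chain = defaultdict(list)
    for f in findings:
        chain[f["user"]].append(f["technique"])
    return {user: techs for user, techs in chain.items() if len(techs) > 1}


def analyze(events):
    behavior = detect_mfa_fatigue(events) + detect_kerberoast(events)
    return {"ioc_hits": len(match_iocs(events)),
            "behavior_findings": behavior,
            "chains": correlate(behavior)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(key, "->", value)
```

The point of the two rules is that neither mentions an IP, domain or hash: they describe what an adversary has to do to an identity (wear down an MFA user, then harvest tickets), so they keep working after the actor rotates infrastructure, which is exactly when the shared IoC feed goes quiet.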
Using CRADAs to test and prove new concepts for advancing our cyber defense represents a prudent approach, where industry and government collaboration accelerates operationalizing into practice.
The CISA 2015 lapse should be reframed as an opportunity to modernize our nation's cyber defense strategy, focusing on advancing information sharing (leveraging tools like CRADAs and emphasizing behavior-based, identity-centric intelligence) to in turn improve collaboration between the public and private sectors. The next era of information sharing must focus not on what already happened, but on leveraging the right tools to build a more proactive, intelligent defense strategy that allows us to move left in the ATT&CK lifecycle to prevent and disrupt cyberattacks.
