Mission
SW-ISAC helps infrastructure owners, operators, and developers protect their operations, staff, and users from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members.
Sector / Footprint
Social Web: federated messaging (ActivityPub, AT Proto, and Nostr) service providers.
Communication Tools
Traffic Light Protocol
TLP provides a simple and intuitive schema for indicating when and how sensitive information can be shared, facilitating more frequent and effective collaboration. TLP is not a “control marking” or classification scheme. If a recipient needs to share the information more widely than indicated by the original TLP designation, they must obtain explicit permission from the original source.
TLP:RED
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. For the eyes and ears of individual recipients only, no further.
How should it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
TLP:AMBER+STRICT
When should it be used? Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organization.
How should it be shared? Recipients may share TLP:AMBER+STRICT information only with members of their own organization on a need-to-know basis to protect their organization and prevent further harm.
TLP:AMBER
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Note that TLP:AMBER+STRICT should be used to restrict sharing to the recipient organization only.
How should it be shared? Recipients may share TLP:AMBER information with members of their own organization and its clients on a need-to-know basis to protect their organization and its clients and prevent further harm.
TLP:GREEN
When should it be used? Sources may use TLP:GREEN when information is useful to increase awareness within their wider community.
How should it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. Unless otherwise specified, TLP:GREEN information may not be shared outside of the cybersecurity or cyber defense community.
TLP:CLEAR
When should it be used? Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How should it be shared? Recipients may share this information without restriction. Information is subject to standard copyright rules.
Membership
- Service providers (instance administrators)
- Cybersecurity community
- Platform developers
- App and API developers
- Hosting providers and content delivery providers
Common Goals
- Situational awareness
- Reduced spam
- User safety
- Network integrity
- Cost savings/sharing
- Demonstrate commitment to continuity/cybersecurity
- Media relations
What kind of information would we like to share?
- Immediate & Operational: actionable intelligence that can be shared either within the group, to specific at-risk parties, or to the public advisory lists.
Shared Resources
IFTAS may consider buying services to share with the SW-ISAC or the provider community, e.g.
Additionally, IFTAS may consider creating API or application services to allow participating members to automate use of shared resources.
Scoped Activities
IFTAS monitors various labelled activities. Not all labels are in scope for the SW-ISAC. The SW-ISAC focuses on threats to service and networks, and legal or regulatory requirements for operations.
Child Safety (csam): Imagery or videos which show a person who is a child and engaged in or is depicted as being engaged in explicit sexual activity.
Disinformation (disinformation): False information that is spread intentionally and maliciously to create confusion, encourage distrust, and potentially undermine political and social institutions.
Non-Consensual Intimate Imagery (ncii): Non-consensual image sharing, or non-consensual intimate image sharing (also called “non-consensual explicit imagery” (NCEI) or “revenge porn”), refers to the act of creating, publishing or sharing an explicit image or video without the consent of the individuals visible in it.
Network and Service Abuse (service-abuse): Use of a network, product or service in a way that violates the provider’s terms of service, community guidelines, or other rules, generally because it creates or increases the risk of harm to a person or group or tends to undermine the purpose, function or quality of the service.
Spam (spam): Unsolicited, low-quality communications, often (but not necessarily) high-volume commercial solicitations.
Terrorist or Violent Extremist Content (tvec): Content produced by or supportive of groups that identify as, or have been designated as, terrorist or violent organizations, or content that promotes acts of terrorism or violent extremism.
Not included at launch (but may come in scope later)
Account-Takeover, Astroturfing, Brigading, Catfishing, Content-and-Conduct-Related-Risk, Coordinated-Inauthentic-Behaviour, Copyright-Infringement, Counterfeit, Cross-Platform-Abuse, Defamation, Dehumanization, Doxxing, Explicit-Content, Farming, Glorification-of-Violence, Hate-Speech, Impersonation, Incitement, Misinformation, Abuse, Online-Harassment, Phishing, Sock-Puppets, Sextortion, Synthetic-Media, Troll, Violent-Threat