EclecticIQ Blog

CTI – A community of communities

By Joep Gommers

The cyber threat intelligence landscape has undergone rapid change in recent years. This can be attributed to three main factors.

First, the growth in the number of security vendors has increased the supply of solutions and capabilities. Second, wide-ranging data protection legislation and government security programmes, such as the EU's NIS Directive, have driven investment in cyber threat intelligence.

But perhaps the single biggest influence has been the rise in adoption of the industry standards for describing and exchanging cyber threat intelligence, STIX and TAXII. These standards have given rise to an increasing number of community-driven threat intelligence centres for sharing and propagating data.

Today, organizations no longer need to build and continuously maintain their threat intelligence data in isolation. Instead, they can draw on the collective knowledge of intelligence communities, supported by open standards for describing and reporting threat data.

Too much of a good thing?

Many organizations are rapidly becoming active consumers of threat intelligence. But given the rapid proliferation of feeds and communities, it is becoming a challenge to stay in control.

Organizations risk information overload, and can suffer a breach after failing to act on a specific piece of intelligence that was lost in the noise. At the same time, organizations such as financial firms or utilities need complete trust in the source of an intelligence feed before they can accept it.

When you need to combine and contextualize threat intelligence from multiple sources, the task gets harder with every additional source.

The solution to this dilemma is to draw upon the expertise of a ‘community of communities’ to manage cyber intelligence feeds.

Open standards = open sharing

The sharing and exchange of information by cyber intelligence professionals is underpinned by two industry standards: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information).

Using STIX and TAXII, an ever-growing community of security professionals can share and exchange threat intelligence with confidence. These communities include:

  • Country-specific National Cyber Security Centers (NCSCs)
  • Industry-specific Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs)
  • Commercial networks of vendors and ‘Fusion Centers’

Organizations should take advantage of these communities by offloading the exchange, fusion and qualification of threat intelligence so they can focus on what matters for them. In other words, understanding their threat reality and turning insights into business value.

Depending on the nature and size of the organization, intelligence feeds can be chosen generically or with specific geographies, verticals and lines of business as required. In some cases, feeds that are highly specific and granular can be chosen.

There is no reason to keep all of this in house. Letting intelligence communities manage data feeds and fusion operations means organizations can spend more time on analysis, defensive actions and stakeholder management.

Threat intelligence teams should always remember to ‘give something back’ to the community by confirming observations, reporting sightings of specific attack types and sharing details of new threats.

Naturally, STIX and TAXII make it easy for this information to be structured, shared and propagated across communities to the benefit of all participants.
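As an added example of what "giving something back" looks like on the wire (this is illustrative code written for this page, not EclecticIQ code and not part of the original post), the following builds a STIX 2.1 JSON bundle in which an organization reports a sighting of an indicator it received from a sharing community, and runs the structural checks a receiving community would apply before accepting it. It assumes the STIX 2.1 object layout (identity, indicator, sighting, bundle); the organization name, sector, domain, counts and timestamps are constructed sample data.

```python
"""Report a sighting of a community-shared indicator as a STIX 2.1 bundle.

Added example, not code from EclecticIQ or the original post. Assumes the
STIX 2.1 object layout; all names, domains and timestamps are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

SPEC = "2.1"
# STIX 2.1 identifiers are '<type>--<UUIDv4>' (version nibble 4, variant 8/9/a/b).
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
TIMESTAMP_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z")


def stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 in UTC with millisecond precision, as STIX 2.1 requires."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_pattern_for_domain(domain: str) -> str:
    """Build a STIX pattern, escaping the string literal so a hostile
    observed value cannot break out of the quotes and alter the comparison."""
    escaped = domain.replace("\\", "\\\\").replace("'", "\\'")
    return f"[domain-name:value = '{escaped}']"


def _stix_object(obj_type: str, created: datetime, **props) -> dict:
    """Common envelope shared by STIX domain and relationship objects."""
    ts = stix_timestamp(created)
    return {"type": obj_type, "spec_version": SPEC, "id": stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def make_identity(name: str, sectors: list, created: datetime) -> dict:
    return _stix_object("identity", created, name=name,
                        identity_class="organization", sectors=sectors)


def make_indicator(name: str, domain: str, created: datetime) -> dict:
    return _stix_object("indicator", created, name=name,
                        indicator_types=["malicious-activity"],
                        pattern=stix_pattern_for_domain(domain),
                        pattern_type="stix", valid_from=stix_timestamp(created))


def make_sighting(indicator_id, observer_id, count, first_seen, last_seen) -> dict:
    """The object an organization sends back to confirm an indicator was seen."""
    return _stix_object("sighting", last_seen, sighting_of_ref=indicator_id,
                        where_sighted_refs=[observer_id], created_by_ref=observer_id,
                        count=count, first_seen=stix_timestamp(first_seen),
                        last_seen=stix_timestamp(last_seen))


def make_bundle(objects: list) -> dict:
    # A STIX 2.1 bundle carries no spec_version of its own.
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def validate_bundle(bundle: dict) -> list:
    """Structural checks a receiving community would run before accepting a
    submission. Returns a list of problems; an empty list means acceptable."""
    errors = []
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle.get("id", "")):
        errors.append("bundle envelope malformed")
    ids = {o.get("id") for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "?") + "--"):
            errors.append(f"bad id {oid!r}")
        if obj.get("spec_version") != SPEC:
            errors.append(f"{oid}: spec_version must be {SPEC}")
        for prop in ("created", "modified"):
            if not TIMESTAMP_RE.fullmatch(obj.get(prop, "")):
                errors.append(f"{oid}: {prop} is not a STIX timestamp")
        # A sighting sent without the objects it points at is the usual failure.
        refs = [obj.get("sighting_of_ref")] if obj.get("type") == "sighting" else []
        refs += obj.get("where_sighted_refs", [])
        for ref in refs:
            if ref not in ids:
                errors.append(f"{oid}: unresolved reference {ref!r}")
    return errors


def build_example_bundle() -> dict:
    """Constructed sample: a bank reports three hits on a shared C2 domain indicator."""
    shared_at = datetime(2019, 3, 4, 10, 15, 0, tzinfo=timezone.utc)
    bank = make_identity("Example Bank", ["financial-services"], shared_at)
    indicator = make_indicator("Community-shared C2 domain", "update-check.example", shared_at)
    sighting = make_sighting(indicator["id"], bank["id"], count=3,
                             first_seen=datetime(2019, 3, 5, 8, 0, tzinfo=timezone.utc),
                             last_seen=datetime(2019, 3, 5, 9, 30, tzinfo=timezone.utc))
    return make_bundle([bank, indicator, sighting])


def serialize_bundle(bundle: dict) -> str:
    """JSON as it would be POSTed to a TAXII collection's objects endpoint."""
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(serialize_bundle(bundle))
    print("problems:", validate_bundle(bundle))
```

Two points are worth noting. The indicator is carried in the same bundle as the sighting so that `sighting_of_ref` resolves on the receiving side; a sighting posted on its own against an indicator the community has not yet ingested is rejected by the checks above. The pattern builder escapes the string literal because the observed value is attacker-controlled data, and a domain containing a quote would otherwise change the meaning of the pattern that every other community member later evaluates.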

Getting started with intelligence communities

Consider this five-point plan to start benefiting from the work being done by intelligence communities.

  1. Evaluate your threat intelligence requirements – Distinguish between generic threats affecting everybody, sector and geographic threats affecting particular communities, and targeted threats specific to your organization.
  2. Establish your planning assumptions – When will industry and regional communities evolve to the point where you can rely upon them? In some regions and industries, that level of maturity has already arrived.
  3. Develop a threat intelligence practice – A standards-compliant threat intelligence platform is a start. Then identify threat analysts who understand your sector – either within the organization or an external partner.
  4. Benchmark your progress – Do your security controls ingest new indicators automatically? How quickly can you respond to a breach? Identify what can be improved and track progress for budgeting and performance management.
  5. Share your insights – Always give something back. The ‘community-of-communities’ model requires active participation by members to succeed. The STIX and TAXII standards support this sharing mentality.

Threat intelligence communities, supported by industry standards, can deliver huge benefits for organizations that need to secure their perimeters, data, employees and brand reputation.

We hope you enjoyed this post. Follow us here for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.