Tackling advanced cyber threats requires intelligence exchange and collaboration between various organizations. It is not possible for an organization to defend itself by being in a silo and moreover, it is becoming increasingly impractical in our evermore connected world. By exchanging and collaborating using cyber threat intelligence from various sources, defenders can gain valuable insights into an adversary’s overall goals and strategies. Being part of an intelligence exchange community provides many benefits including enhanced situational awareness, improved decision making, and an enriched knowledge base that aids in incident response and management.
Why Intelligence Exchange is challenging?
Intelligence exchange sounds great in theory, however, it can be a nightmare to implement it in a multi-stakeholder environment which includes subsidiaries, partners, clients, vendors, regulatory agencies, sectorial ISACs, and other large organizations. Just the sheer number of stakeholders can be challenging, let alone the issues regarding technical and legal compliance.
With the advent of data formats and protocols for storing and exchanging threat intelligence, various Threat Intelligence Platforms were built which used different information sharing models. However, most of the issues faced by organizations in setting up effective cyber threat intelligence operations remain unaddressed.
While building CTIX, we are always cognizant of the pain points of our clients. To address them, we introduced the Hub-and-Spoke model which provides a structured yet flexible approach for threat intelligence exchange.
How do we solve this?
In CTIX, organizations deploy a ‘CTIX Hub’ that can share threat information from multiple sources by setting up client-server like relationships with different partners which act as the ‘CTIX Spokes’ using subscriber management features.
The Hub combines and anonymizes threat intel from multiple Spokes, while removing duplicates, and enriching it with further analysis before sharing it back with other Spokes in the Organization’s network.
CTIX’s Hub and Spoke model enables organizations to build trusted relationships to serve different purposes like:
- Receiving real-time alerts from CERT or other government agencies
- Exchanging threat indicators and collaborating as part of a sectoral ISAC
- Exchanging threat information with their own clients and vendors
- Receiving threat intel from various Intel feed providers
Furthermore, organizations can also build their own Trusted Sharing Network using this model.
Due to the data format-agnostic nature of CTIX, you can consume and share threat information in different formats like STIX 1.x, STIX 2.0, XML, JSON, Cybox, OpenIOC, MAEC. This eases the integration with existing tools and compatibility with other partners as data format becomes a non-issue.
Thus, CTIX enables organizations to utilize relevant threat intelligence for faster contextualization, incident investigations, and alert triage processes.
Posted on: March 07, 2019