In the cybersecurity space, intelligence sharing isn’t as simple as it sounds. It can prove to be an ordeal when implemented in a multi-stakeholder environment consisting of ISACs/ISAOs and their members or in a private enterprise sharing environment consisting of an enterprise company with its subsidiaries, clients, partners, vendors, and other organizations. In addition to the number of stakeholders, the issues pertaining to technical and legal compliance can be a pain point.
Add to this the changing data protocols and formats for ingesting threat intelligence, which have pushed organizations to adopt different threat intelligence platforms (TIPs). However, many such TIPs use threat intel lifecycle management models that fail to encourage effective threat intelligence sharing. Recognizing this need, some advanced security providers have built TIPs that leverage the Hub and Spoke model to facilitate bidirectional threat intelligence sharing in a multi-stakeholder environment.
By implementing the Hub and Spoke model, organizations can collaborate with several teams and exchange threat intelligence with their peers, while ingesting intelligence from multiple sources, to obtain valuable insights into an attacker’s objectives, strategies, and tactics. This underscores an organization's need to be part of an intelligence exchange community (ISACs/ISAOs), as membership provides a wide range of benefits, including improved real-time situational awareness, better decision making, and an enriched knowledge base that helps in incident response and management.
What is the Hub and Spoke Model?
In cybersecurity, Hub and Spoke refers to an information sharing model in which one principal organization acts as a Hub that collects information from several other organizations acting as Spokes. When one Spoke wants to share a piece of information with other Spokes, it first shares that information with the Hub, which passes it on to all other Spokes after analyzing, enriching, and anonymizing the data as needed. A Hub may also collect information from non-spoke sources such as regulatory bodies, commercial threat intelligence feed providers, and OSINT sources, among others, to share contextualized information with Spokes. ISACs and ISAOs provide a very good example of this model of threat intelligence sharing. Another example would be a private enterprise creating its own sharing community with its vendors, partners, peers, etc., and sharing intelligence with them in a bidirectional fashion while acting as a centralized hub.
The Hub and Spoke model for threat information sharing can be effective if the hub takes actions that intensify the value of the shared information. This can include enriching the threat information with context and validating it.
Significance of Hub and Spoke
With the help of an advanced threat intelligence platform (TIP), organizations can station a Hub, which collects and shares threat information from various sources, and establish a client-server-like relationship with other partners that act as the Spokes. Such a TIP allows the Hub to combine and anonymize threat intel from different Spokes, eliminating duplicates and enriching and analyzing it before sharing it with other Spokes in an organization’s network.
The unique value proposition of the Hub and Spoke model lies in its ability to build trusted relationships with other organizations. Moreover, using this model, organizations can establish their own trusted sharing network. By leveraging this model, organizations can also ingest real-time alerts from CERTs or other government bodies, collaborate and exchange threat indicators with ISACs/ISAOs, exchange threat information with their own vendors and clients, and collect threat intel from multiple intel feed providers.
Note that if your TIP is data format-agnostic in nature, this model can help you seamlessly consume and share threat information in different formats such as STIX 1.x, STIX 2.0, JSON, XML, OpenIOC, CybOX, and MAEC. This can help streamline the integration and compatibility with existing tools and other partners. Thus, the Hub and Spoke model allows organizations to use relevant threat intelligence for quick and real-time incident investigations, alert triage processes, and contextualization.
How does Sharing Happen in the Hub and Spoke Model?
Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Intelligence Information (TAXII) are two standards that were created to improve the prevention and mitigation of attacks. Developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee, STIX is a standardized language for describing threat information. STIX has been adopted as an international standard by different intelligence sharing organizations and communities and is designed to be communicated via TAXII. TAXII, in turn, specifies how threat information is relayed and is designed to carry STIX content.
While STIX defines the “what” of threat intelligence, TAXII states “how” that information is disseminated. One of the principal sharing models supported by TAXII is the Hub and Spoke model. In it, one organization functions as the Hub, the core clearinghouse for information, systematizing information exchange between Spokes, the member organizations. Spokes can consume information from the Hub or produce information that is shared with their peers via the Hub.
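As an added example (not part of the original article and not any vendor's TIP code), the Hub's core loop described in this section and in "Significance of Hub and Spoke": it takes STIX 2.0 indicators submitted by Spokes, deduplicates equivalent patterns, issues Hub-owned objects so the originating Spoke stays anonymous, enriches them with a corroboration count, and fans the result out to the other Spokes. The Spoke submissions, identity refs and the `x_hub_sighting_count` custom property are constructed for this example.

```python
import re
from uuid import uuid4

# Constructed STIX 2.0 indicators as two Spokes might submit them; the ids, identity refs
# and the RFC 5737 test address are made up for this example.
SPOKE_A_ID = "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
SPOKE_B_ID = "identity--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
HUB_ID = "identity--00000000-0000-4000-8000-000000000000"
SUBMISSIONS = {
    "spoke-a": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "created_by_ref": SPOKE_A_ID, "labels": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "x_spoke_ticket": "SOC-4412"},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created_by_ref": SPOKE_A_ID, "labels": ["malicious-activity"],
         "pattern": "[domain-name:value = 'bad.example']"},
    ],
    "spoke-b": [  # same IP as spoke-a, but with different whitespace in the pattern
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created_by_ref": SPOKE_B_ID, "labels": ["anomalous-activity"],
         "pattern": "[ipv4-addr:value  =  '203.0.113.7']"},
    ],
}

def normalize_pattern(pattern):
    """Collapse whitespace so equivalent STIX patterns deduplicate to one key."""
    return re.sub(r"\s+", " ", pattern.strip())

def hub_process(submissions):
    """Hub step: dedupe by pattern, anonymize the source, enrich with corroboration."""
    merged, contributors = {}, {}  # pattern -> hub object; pattern -> set of Spoke names
    for spoke, objects in submissions.items():
        for obj in (o for o in objects if o.get("type") == "indicator"):
            key = normalize_pattern(obj["pattern"])
            if key not in merged:
                # Fresh object, not a copy: the Spoke's id, created_by_ref and x_ props stay here
                merged[key] = {"type": "indicator", "id": f"indicator--{uuid4()}",
                               "created_by_ref": HUB_ID, "labels": [], "pattern": key}
                contributors[key] = set()
            for label in obj.get("labels", []):
                if label not in merged[key]["labels"]:
                    merged[key]["labels"].append(label)
            contributors[key].add(spoke)
            # Enrichment: how many independent Spokes reported this same indicator
            merged[key]["x_hub_sighting_count"] = len(contributors[key])
    return merged, contributors

def distribute(merged, contributors, spokes):
    """Fan-out: each Spoke receives every object that some other Spoke contributed."""
    return {s: [merged[k] for k, c in contributors.items() if c - {s}] for s in spokes}
```

Running `distribute(*hub_process(SUBMISSIONS), SUBMISSIONS)` gives spoke-a only the corroborated IP indicator (its own domain report is not echoed back), while spoke-b receives both Hub-issued objects with no trace of spoke-a's ids or ticket number.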
Driven by STIX/TAXII, the Hub and Spoke model improves security measures by expanding the capabilities of threat intelligence sharing, complementing incident response with proactive detection, and promoting a holistic approach to threat intelligence.
The key to successfully addressing sophisticated threats is collaboration-driven threat intelligence sharing. Being in a silo, organizations cannot defend themselves. They need to embrace a collective defense approach to tackle complex threats and adopt the Hub and Spoke model to share threat information with other peer groups. Only an advanced TIP that supports the Hub and Spoke model can provide a structured and flexible approach to threat intelligence sharing.