CTI — A community of communities

By Joep Gommers, CEO & Founder

The cyber threat intelligence landscape has undergone rapid change in recent years. This can be attributed to three main factors.

First, the growth in the number of security vendors has resulted in an increased supply of solutions and capabilities. Second, wide-ranging data protection legislation, government security incentivization and security stimulation programs, such as the NIS Directive, have driven investment in cyber threat intelligence.

But perhaps the single biggest influence has been the rise in adoption of industry standards for managing cyber threat intelligence — STIX and TAXII. These standards have given rise to an increasing number of community-driven threat intelligence centers for sharing and propagating data.

Today, organizations don’t need to map and constantly update their threat intelligence data to stay up to date. Instead, they can draw on the collective wisdom of intelligence communities, supported by open standards, for describing and reporting cyber threat feeds.

Too much of a good thing?

Many organizations are rapidly becoming active consumers of threat intelligence. But given the rapid proliferation of feeds and communities, it is becoming a challenge to stay in control.

Organizations can be at risk of information overload and suffer a breach after failing to act upon specific intelligence lost in the noise. Alternatively, organizations such as financial firms or utilities need to have complete trust in the source of intelligence feeds before they can accept them.

When you need to combine and contextualize threat intelligence from multiple different sources, the task becomes harder and harder as more become available.

The solution to this dilemma is to draw upon the expertise of a ‘community of communities’ to manage cyber intelligence feeds.

Open standards = open sharing

The sharing and exchange of information by cyber intelligence professionals is underpinned by industry standards, namely STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information).

Using STIX and TAXII, an ever-growing community of security professionals can share and exchange threat intelligence with confidence. These communities include:

  • Country-specific National Cyber Security Centers (NCSCs)

Organizations should take advantage of these communities by offloading the exchange, fusion and qualification of threat intelligence so they can focus on what matters for them. In other words, understanding their threat reality and turning insights into business value.

Depending on the nature and size of the organization, intelligence feeds can be chosen generically or with specific geographies, verticals and lines of business as required. In some cases, feeds that are highly specific and granular can be chosen.

There’s no reason to keep all this ‘in house’. Allowing intelligence communities to manage data feeds and fusion operations means organizations can spend more time on analysis, defensive actions and stakeholder management.

Threat intelligence teams should always remember to ‘give something back’ to the community by confirming observations, reporting sightings of specific attack types and sharing details of new

Naturally, STIX and TAXII make it easy for this information to be structured, shared and propagated across communities to the benefit of all participants.

Getting started with intelligence communities

Consider this five-point plan to start benefiting from the work being done by intelligence communities.

  1. Evaluate your threat intelligence requirements – Distinguish between generic threats affecting everybody, sector and geographic threats affecting particular communities, and targeted threats specific to your organization.

Threat intelligence communities, supported by industry standards, can deliver huge benefits for organizations that need to secure their perimeters, data, employees and brand reputation.

We hope you enjoyed this post. Follow us here on Medium for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.

EclecticIQ is a global threat intelligence, hunting and response technology provider. Its clients are some of the most targeted organizations, globally.