Optimizing CTI with OSINT information-sharing

Harnessing the power of information sharing is a valuable intersection of CTI and OSINT. We rundown the list of programs, organizations and tools that make information sharing easy and actionable.

Knowledge is power. And in the case of cyberthreat intelligence (CTI) investigations, knowledge sharing is a critical success factor. With global cybercrime costs expected to reach $10.5 trillion by 2025, CTI analysts face increasing pressure to improve productivity, efficiency and defense strategies. Tapping into OSINT resources for information-sharing is key to achieving better outcomes.

Cyberattack tactics are constantly evolving, and industry experts at the highest levels are reinforcing the need for information-sharing to improve CTI:

“Unless corporate and government security experts become more intentional and systematic in learning from one another in real or near-real time about the latest threats, critical information will too often remain siloed. The world can no longer afford that. Cyber defense has to be a team effort.”

Michael Mestrovich, former CISO of the CIA

Leveraging the power of community not only helps make organizations safer, it makes analysts more productive.

Related: 10 OSINT tools for CTI

Information-sharing at the national level

As part of their mission for “protection of critical infrastructure and the furthering of cybersecurity,” the government’s Cybersecurity and Infrastructure Agency (CISA) offers a no-cost service called Automated Indicator Sharing (AIS). Available to public and private sector users, the AIS service enables real-time exchange of information on cyberthreat indicators and defensive measures.

CTI analysts can participate in the AIS ecosystem by sharing and obtaining information using a variety of OSINT tools like TAXII, and communities such as ISACs or ISAOs for sharing open source data on threats.

Next we’ll take a look at some of these open source CTI resources.

OSINT resources for sharing cyberthreat data

The more CTI analysts around the globe share information, the more power organizations have to combat, predict and prevent cybercrime. Optimizing analyst productivity relies on staying current with the latest trends, threats and malware. OSINT tools and public forums are a critical way to stay informed through sharing current threat intelligence.

In addition to public forums, analysts can also pay to subscribe to membership organizations, which share sector-specific open source information.

Data-sharing tools

STIX

STIX™ (Structured Threat Information Expression) is a data-sharing standard for exchanging cyberthreat data. It uses JSON (a form of JavaScript) so information can be shared, stored and analyzed in a consistent way. The STIX format can help analysts improve their documentation by using objects and descriptive relationships to share information with contextual meaning.

Note: STIX requires a grasp of coding and software engineering fundamentals.

STIX Visualizer

STIX Visualizer is a web-based tool that provides a visualization of threat information, so investigators can see the relationships to other malicious links and files. With a visual map of CTI data, users can click on a node or path to further investigate. Some threat intelligence platforms may have similar functionality built-in, but for those low on budget who have some JSON coding experience, the STIX Visualizer is a great resource.

TAXII

TAXII (Trusted Automated Exchange of Intelligence Information) enables analysts to share cyberthreat intelligence in the form of STIX data via APIs over the internet. TAXII is the preferred exchange protocol for STIX, but it can also transport non-STIX data. TAXII users can share data with a specific trust group, or share openly with the AIS service noted earlier or other public groups. (TAXII also requires some coding experience).

abuse.ch

abuse.ch provides searchable databases for analysts to find information on malware, botnets, malicious SSLs and more. The site hosts community platforms dedicated to specific cyberthreats such as Malware Bazaar (malware samples), URL Haus (URLs used for malware distribution) and Threat Fox (IOCs). Forums also share data to help improve services for CTI platform and anti-virus solution providers.

Private groups sharing open-source information

ISACs

ISACs (Information Sharing Analysis Centers) are nonprofit organizations that provide a central resource to collect, analyze and share actionable data on threats to critical infrastructure. ISACs are supported by membership fees, and exist for numerous sectors including IT, utilities, financial services, healthcare and many more. The National Council of ISACs helps members connect with ISACs related to their sector.

ISAOs

ISAOs (Information Sharing Analysis Organizations) are collaborative entities developed to encourage sharing of cyberthreat information within industry sectors — even if they do not belong to an ISAC. The vision for ISAOs is to include private companies, government departments, state, regional and local agencies, and others. To help drive participation, ISAOs now have standards and guidelines for sharing information.

Training resources

While not information sharing in traditional terms, analysts can benefit from training options to learn how to get the most value out of various OSINT tools. Some training sites also include a central hub where researchers can learn from one another by asking questions, sharing best practices and more.

Cyberthreat Intelligence Network - Training Center

CTIN Training Center offers online training to help CTI analysts stay current on the latest threat tactics, cybersecurity standards and certifications. As an example, they offer courses on STIX and TAXII (OSINT tools discussed earlier), as well as use cases for STIX intelligence sharing.

Cyber Social Hub

Cyber Social Hub is an online community of digital investigators. Cybersecurity professionals can ask questions; collaborate with others facing similar challenges; and gain skills via webinars, podcasts and online training.

Improving CTI with collaborative insights

With cyberattacks growing more sophisticated every day, organizations cannot rely on technology alone to combat threats. CTI analysts need to tap the power of their community to increase the productivity of investigations, and stay ahead of threats on the horizon. 

OSINT tools and resources for information-sharing can make a powerful difference in mitigating cyber incidents. Analysts can gain critical data and new perspectives for their own use, and in turn, contribute insights and best practices that help others minimize the risk of cyberattacks.

How can you take CTI investigations to the next level?

Empower analysts to conduct online research without introducing security or attribution risk to themselves or their organization. Silo for Research makes it possible, enabling anonymous, secure online investigations from a purpose-built, cloud-based browsing environment: 

• Ensure malware never has a chance of touching analysts’ devices
• Mask IP address without a VPN and alter the digital fingerprint
• Automate collection and multi-search workflows to boost productivity

Start your 30-day free trial here