CONCORDIA’s take on Threat Intelligence
Defining the scope of a threat intelligence platform
“Threat Intelligence” has been a topic of paramount importance since the beginning of CONCORDIA. This aspect is not just present among the initial objectives; it derives almost directly from the main purpose of the project. Specifically, if CONCORDIA sets its primary goal on building communities, we can say that all of the project’s activities revolve around leveraging these communities to improve cybersecurity. In this regard, Threat Intelligence represents a necessary tool for communities to discuss today’s digital threats, and its “implementation” represents a basic building block for facing those threats together and fighting them collectively.
Over the last four years, the work on a CONCORDIA Platform for Threat Intelligence aimed not just to build technology but also to define the scope in which this technology is meant to be used. To clarify this, we started our journey from Gartner’s definition of Threat Intelligence. According to Gartner, Threat Intelligence is:
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
Within CONCORDIA, we especially focused on three key aspects of this definition (quoted below). The phrase “evidence-based knowledge” emphasizes the origin of threat intelligence information: it is typically obtained through extended analysis and is likely to have been validated. For this reason, CONCORDIA generally refers to Threat Intelligence as high-quality data and assumes a process (e.g., an incident investigation) behind its creation. The part “about an existing or emerging menace” clarifies the meaning of the data: Threat Intelligence provides information either about concrete cyberattacks or about potential ones. For this reason, CONCORDIA assumes that Threat Intelligence is a piece of information providing context to a given cyberattack. Finally, the phrase “to inform decisions regarding the subject’s response” indicates that not every piece of information about cyberattacks should be considered threat intelligence by default, but only information that is useful for responding to (or preparing against) the related attacks. For this reason, CONCORDIA assumes that threat intelligence is “actionable” data, ready to be used to face or counteract a given threat.
With a definition of Threat Intelligence and a set of assumptions based on the aspects described above, we can think of a platform handling such information as a technological solution that allows partners to effectively share and manipulate data in a way that keeps those assumptions valid. In other words, the CONCORDIA Platform for Threat Intelligence we started building creates a space where high-quality information about cyberattacks is stored, retrieved and leveraged by partners to improve their capability to respond to, or prepare against, threats.
The scope in which the CONCORDIA Platform for Threat Intelligence works conceivably extends to the limits of the previous definition: it could potentially cover any type of high-quality information about cyberattacks and provide any kind of service capable of manipulating that information to make it “actionable” for a given partner. Concretely, however, the set of information types, technologies and services has been defined by CONCORDIA’s relevant stakeholders and planned in relation to the timeframe and priorities of the project. This definition is the scope of the CONCORDIA Platform for Threat Intelligence, and today it corresponds to the extent to which the platform is capable of operating from an “Architectural”, “Technological”, “Data” and “Operational” perspective.
The “Architectural” scope represents the structure of the platform, its building blocks, and their relationships, both internal and external, towards the rest of the “CONCORDIA Ecosystem”. This scope also includes the possible ways in which the building blocks can communicate and, thus, the standards (e.g., languages, protocols, data formats) each of them uses to exchange information. The “Technological” scope follows directly from the “Architectural” one by defining the related implementation choices; it describes the set of technologies used within the platform as well as the actual data those technologies are able to store, analyze and exchange. Intrinsically related to the “Technological” scope, the “Data” scope delineates the set of data types handled by the technologies employed in the CONCORDIA Platform for Threat Intelligence. These data types represent the extent of the platform’s semantic power and allow all of the platform’s users to share a common language. Finally, the “Operational” scope represents the set of mandates and processes regulating access to the CONCORDIA Platform for Threat Intelligence as well as its collaborative usage.
With the project approaching its end, all details about the aforementioned scopes will be completed and made public next year, showing the full extent of the threat intelligence solutions envisioned within CONCORDIA. With this contribution, we hope to support European and non-European stakeholders either in starting their journey with threat intelligence or in further leveraging the information they already handle within their own communities, with the goal of achieving an increasingly (cyber) secure future.
(By Marco Caselli, Siemens AG)