ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.

The study channels its efforts into identifying some of the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and particularly of incident responders.

The project came as an acknowledgment of the increasing demand for relevant and ‘context aware’ security data, as information security management is becoming a key component of any modern organisation.

For the purpose of this project, ENISA has engaged leading field experts and has performed a research of existing tools, practices and TIPs academic literature. The report concludes with a series of actionable findings and recommendations, so that current TIPs limitations are addressed and overcome.

Furthermore, the report presents a detailed overview of the users of these platforms, the main functional areas of TIPs as well as the current landscape of the TIPs used globally by different teams (CTI teams, SOCs, CSIRTs/CERTs, ISACs, etc.).

The report identified the below TIPs:

The report identified the below limitations of current TIPs:

The report concludes with a series of recommendations addressed to users and organisations, TIPs developers and vendors as well as the research community and academia.

1. ENISA recommends organisations to focus on their specific requirements and needs before developing and deploying TIP solutions. In addition, ENISA strongly encourages organisations to check if the different cyber intelligence activities they undertake are enabled by technology platforms and systems. Moreover, organisations are encouraged to invest time on Proof of Concepts with an open source TIPs, to familiarize themselves with the benefits of such systems, before making any significant financial investment.
2. ENISA encourages TIPs solution developers to focus more on enhancing TIP analysis capabilities by providing efficient threat triage and relevancy assessment. In addition, TIPs should come with more flexible and usable trust modelling functionalities. Furthermore, TIPs developers and vendors are encouraged to provide threat information consumers with functionalities allowing them to be informed in case the confidence and accuracy of the shared information is not guaranteed by the source.
3. ENISA calls upon the research community and academia to continue pursuing and investigating the benefits of TIPs, and the means by which these platforms may mature further.

Finally, the report is complemented by a TIP maturity model assessment scheme provided as an ANNEX. The functional requirements of a TIP have also been mapped to the intelligence cycle and they can act as a good starting point for your organisation’s TIP requirements.

The above text has been partially copied from ENISA’s Press Release: https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-first-study-on-cyber-threat-intelligence-platforms

The full report can be consulted here. https://www.enisa.europa.eu/publications/exploring-the-opportunities-and-limitations-of-current-threat-intelligence-platforms

Finally, the report has been written by Razvan Gavrila and Andreas Sfakianakis and peer reviewed by Chris Beard, Sarah Brown, Jane Ginn, Pasquale Stirparo and Alexandre Dulaunoy. Any feedback is more than welcome! Enjoy!

PS. A couple of key points worth mentioning:

1. Focus on requirements! Your requirements should drive the selection of the TIP that you will end up using.

2. Before any major investment spend some time with PoC’ing open source intelligence (platforms). This is a good approach for faster success.

3. Use the information in the ANNEX of the study as a starting point for the functional requirements of your organisation’s TIP.

4. Work with your TIP vendor for Product Enhancement Requests based on prioritization. Contribute to the open source projects that you participate and/or let them know your future enhancements. It is critical to provide feedback to the TIP vendors and open source projects.

5. Go through the extensive bibliography provided to get more context and information if needed.