Collective Intelligence Framework (CIF)

Ata Erdemir
2 min read · Sep 18, 2022


Hello everyone, I took a break from writing blog posts for a while. Anyway, the good news is that I'm back! After posting several Turkish-language posts, I decided to write this one in English.

Today, companies have had to increase their budgets for cyber security products. Day by day, the damage caused by cyber attacks has started to cost more than what they would spend on security products and human resources. Companies that have redirected their investments accordingly have started to invest in cyber threat intelligence not only preventively but proactively, in order to obtain intelligence earlier and keep risk and damage to a minimum. Therefore, I would like to talk about the "Collective Intelligence Framework (CIF)".

Source: https://csirtgadgets.com/collective-intelligence-framework

Basically, the Collective Intelligence Framework can be defined as a cyber threat intelligence management system. It allows organizations to combine known malicious threat information from many sources and use that information for identification, detection and mitigation. The most common types of threat intelligence warehoused in CIF are IP addresses, FQDNs, and URLs.

CIF collects observations from many sources and builds them into a series of messages "over time". So how does CIF benefit you? The answer is right below:

CIF basically helps you parse, normalize, store, post-process, query, share and produce threat intelligence data sets:

  • Parse: CIF collects information from many different sources of data of a similar type, for example, data sets or feeds of malicious domains. Each of these similar data sets can be tagged with different attributes such as "source", "confidence" and so on.
  • Normalize: The framework normalizes the data sets, which gives you a predictable experience when leveraging the threat intelligence in other processes or applications.
  • Post-process: The framework has several post-processors that derive additional intelligence from a single piece of threat intelligence.
  • Store: CIF stores records as JSON documents in Elasticsearch, a data store able to warehouse billions of threat intelligence records.
  • Query: The framework can be queried via a web browser, the native CLI client, or directly through the API itself.
  • Share: The framework also supports users, groups and API keys. Each threat intelligence record can be tagged so that it is shared only with a specific group of users.
  • Produce: The framework supports creating new data sets from the already stored threat intelligence. CIF also supports whitelisting during the feed generation process.
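To make the parse, normalize, post-process and produce steps above concrete, here is an added toy pipeline in Python (example code, not CIF's own; the two feed formats, the record field names, the confidence rescaling and the URL-to-FQDN derivation are all assumptions made for illustration):

```python
import csv
import io
import json
from urllib.parse import urlparse

# Constructed sample feeds (not real indicators): a CSV feed of domains and
# a JSON feed of URLs, each carrying its own notion of confidence.
DOMAIN_FEED_CSV = "indicator,confidence\nbad.example.test,85\nGood.Example.Test,60\n"
URL_FEED_JSON = '[{"url": "http://evil.example.test/login", "score": 0.9}]'
WHITELIST = {"good.example.test"}  # entries dropped during feed generation

def parse_csv_feed(text, source):
    """Parse: read a CSV feed and tag each row with its source."""
    return [{"indicator": r["indicator"], "confidence": int(r["confidence"]), "source": source}
            for r in csv.DictReader(io.StringIO(text))]

def parse_json_feed(text, source):
    """Parse: read a JSON feed whose 0-1 score is rescaled to 0-100."""
    return [{"indicator": r["url"], "confidence": int(r["score"] * 100), "source": source}
            for r in json.loads(text)]

def normalize(record):
    """Normalize: lower-case the indicator and label its type (fqdn or url)."""
    ind = record["indicator"].strip().lower()
    itype = "url" if "://" in ind else "fqdn"
    return {**record, "indicator": ind, "itype": itype}

def post_process(records):
    """Post-process: derive an FQDN record from every URL record (hypothetical derivation)."""
    derived = []
    for r in records:
        if r["itype"] == "url":
            host = urlparse(r["indicator"]).hostname
            derived.append({**r, "indicator": host, "itype": "fqdn", "source": r["source"] + "/derived"})
    return records + derived

def produce_feed(records, itype, min_confidence, whitelist=WHITELIST):
    """Produce: emit a de-duplicated feed of one type above a confidence floor, minus whitelisted entries."""
    seen, feed = set(), []
    for r in records:
        if r["itype"] != itype or r["confidence"] < min_confidence or r["indicator"] in whitelist:
            continue
        if r["indicator"] not in seen:
            seen.add(r["indicator"])
            feed.append(r["indicator"])
    return feed

def run_pipeline():
    """Run parse -> normalize -> post-process over both constructed feeds."""
    records = parse_csv_feed(DOMAIN_FEED_CSV, "feed-a") + parse_json_feed(URL_FEED_JSON, "feed-b")
    return post_process([normalize(r) for r in records])
```

Calling `produce_feed(run_pipeline(), "fqdn", 50)` yields the two malicious hostnames while the whitelisted one is dropped, which is the kind of filtered feed the Produce step describes.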

That said, CIF is not the only cyber threat intelligence framework out there. There are also other threat intelligence frameworks built for specific purposes, which I will cover in my next blog posts.

Farewell for now :)
