The European Network and Information Security Agency (ENISA) released the first comprehensive report on Cyber Threat Intelligence Platforms (TIP).
A TIP is a platform that can support the entire security team, from the CSO/CISO down to the threat analysis team, and it supports day-to-day incident response, network defense, and threat analysis. A mature TIP is used in daily operations to support the prevention and handling of attacks, to support strategic decisions and process improvement, and to help an enterprise threat intelligence program manage the full lifecycle of threat intelligence. That lifecycle covers defining threat intelligence requirements, collecting intelligence, analyzing it, and putting it to use.
Taking into account that information exchange formats and tools are still the main concern of the cybersecurity community (especially incident responders), ENISA analyzed the limitations of, and the key opportunities for, existing TIP platforms and solutions. The following figure shows the existing TIP solutions:
As information security management increasingly becomes a key component of every modern enterprise, the need for situational awareness and security data continues to grow. ENISA invited experts to research and analyze existing tools, practices, and the scholarly literature on TIPs, draw up the report, and propose a series of practical recommendations to help organizations address and overcome the limitations of current TIPs.
In addition, the report details who the users of these platforms are, the main features of a TIP, and the state of TIP use across different teams worldwide (e.g., CTI teams, Security Operations Centers (SOC), Computer Security Incident Response Teams (CSIRT/CERT), Information Sharing and Analysis Centers (ISAC), etc.).
ENISA recommends that organizations focus on their own specific requirements when developing and deploying TIP solutions. ENISA also strongly recommends that organizations check whether the different cyber threat intelligence activities they carry out are actually backed by their technology platforms and systems.
The agency also encourages organizations to invest time in proof-of-concept (PoC) testing with open-source TIPs before making a major capital investment, so that they understand the advantages of such systems first. ENISA encourages developers of TIP solutions to provide effective threat categorization and relevance assessment, placing more emphasis on improving the analysis capabilities of TIPs. In addition, a TIP should offer more flexible and usable trust modeling capabilities. TIP developers and vendors are encouraged to notify consumers of threat information when the information provided by a source is not accurate enough or lacks credibility.
ENISA calls on the research community and academia to continue to explore the advantages of TIP and how these platforms will further mature.