Cyware Threat Intelligence eXchange

Hub and Spoke

Notice

This feature is available on the Intel Exchange applications deployed on Cyware Cloud only.

Hub and Spoke is a threat intelligence sharing model in which one organization functions as the central information hub: it shares threat intel with, and coordinates information exchange between, the spokes and partner organizations that receive the intel. This model enables a central, formal, and secure exchange of information with its spokes and subsidiaries.

CTIX offers a hub and spoke model for easy and secure sharing of threat intelligence data. The hub acts as a head organization, a source collection where all the information is stored and shared with spokes while protecting each member's identity. Every spoke or subsidiary must install a CTIX spoke to enable the bi-directional exchange of threat intelligence data. CTIX enhances the threat intel-sharing collaboration among members of large associations by creating an information-sharing mechanism on the basis of the hub and spoke model. This mechanism enables real-time sharing of IOCs, TTPs, incidents, threat actor data, and Course of Action with your organizations.

In CTIX, admins can manage multiple spokes for threat intel sharing based on the license and subscription plan. You can create the required number of spokes with appropriate features for sharing threat intelligence data of the organization. Each spoke contains unique source collections from the hub based on their feature requirements.

The hub functions as the CTIX application and provides the following services:

  • combine information from multiple participants,

  • remove duplicates,

  • add its own private data, and

  • provide additional analysis to the recipients to make the information more efficient.

For example, a large organization where CTIX is deployed acts as the central hub. The organization controls the collection and dissemination of the threat intel data from multiple sources such as peer organizations, vendors, third parties, member organizations, TI feed providers, and National CERTs. The central hub shares threat intel data to and from the participating member organizations, which act as spokes.
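The following Python example is added here for illustration and is not Cyware's or CTIX's code: it combines trimmed STIX 2.1-style indicators from several spokes, removes duplicates, replaces each submitter's identity with the hub's, and attaches the hub's own notes. The spoke codes, identities, id namespace, x_hub_report_count property, and sample data are assumptions constructed for the example, and patterns are assumed to have no significant runs of spaces inside quoted values.

```python
import uuid

# Hypothetical hub identity and id namespace, constructed for this example.
HUB_IDENTITY = "identity--cccccccc-cccc-4ccc-8ccc-cccccccccccc"
HUB_NAMESPACE = uuid.UUID("dddddddd-dddd-4ddd-8ddd-dddddddddddd")

# Constructed sample input: trimmed STIX 2.1-style indicators per spoke code.
SUBMISSIONS = {
    "spoke1": [{"type": "indicator", "labels": ["phishing"],
                "created_by_ref": "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
                "pattern": "[domain-name:value = 'bad.example']",
                "valid_from": "2024-01-02T00:00:00Z"}],
    "spoke2": [{"type": "indicator", "labels": ["malware"],
                "created_by_ref": "identity--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
                "pattern": "[domain-name:value  =  'bad.example']",
                "valid_from": "2024-01-01T00:00:00Z"},
               {"type": "indicator", "labels": ["scanner"],
                "created_by_ref": "identity--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
                "pattern": "[ipv4-addr:value = '203.0.113.7']",
                "valid_from": "2024-01-03T00:00:00Z"}],
}

def normalize(pattern):
    # Collapse whitespace so trivially different spellings share one key.
    return " ".join(pattern.split())

def hub_merge(submissions, hub_notes=None):
    """Combine spoke indicators, de-duplicate, hide submitters, add hub data."""
    merged = {}
    for spoke_code in sorted(submissions):
        for obj in submissions[spoke_code]:
            if obj.get("type") != "indicator" or "pattern" not in obj:
                continue  # only indicators are handled here
            key = normalize(obj["pattern"])
            # Build the outgoing object from an allow-list of fields, so the
            # submitter's created_by_ref and spoke code are never copied.
            out = merged.setdefault(key, {
                "type": "indicator", "pattern": key, "labels": [],
                "id": "indicator--" + str(uuid.uuid5(HUB_NAMESPACE, key)),
                "created_by_ref": HUB_IDENTITY,
                "valid_from": obj["valid_from"],
                "x_hub_report_count": 0})  # hypothetical custom property
            out["valid_from"] = min(out["valid_from"], obj["valid_from"])  # same-format UTC strings sort by time
            out["labels"] = sorted(set(out["labels"]) | set(obj.get("labels", [])))
            out["x_hub_report_count"] += 1
    for pattern, note in (hub_notes or {}).items():
        if normalize(pattern) in merged:
            merged[normalize(pattern)]["description"] = note  # hub's private data
    return sorted(merged.values(), key=lambda o: o["pattern"])
```

Calling hub_merge(SUBMISSIONS, {"[domain-name:value = 'bad.example']": "hub note"}) returns two indicators; the domain indicator carries the earliest valid_from, both spokes' labels, and a report count of 2, with no spoke identity in the output.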

CTIX Spoke

CTIX spoke is a subsidiary entity of CTIX and offers a set of specific CTIX features based on your license. A spoke polls data from the selected CTIX collections.

As an admin, you can:

  • configure up to three external sources for receiving the threat intel. Cyware threat feeds and the selected CTIX hub collections are the fixed threat intel sources for all spokes.

  • share spoke's private data or threat intel to the CTIX hub, enabling the bi-directional exchange of information.

  • create and manage up to two automation rules.

  • integrate SIEM tools based on your requirements. You can provide API credentials and a subscription for the integration.

  • export intel in CSV and JSON formats.

CTIX spoke contains the following features:

  • ATT&CK Navigator dashboard and Analyst dashboard with limited widgets

  • Up to 2 reports

  • Threat Mailbox with one account

  • Threat Data with support for all STIX Data Objects

  • Quick Add Intel

  • One default STIX collection

  • Import Intel through text, file, and URL

  • User name and Password Authentication

  • Integration with Cyware Threat Feeds and a maximum of five STIX feeds

  • SIEM tool integration support for QRadar, Exabeam, Splunk, and ArcSight

  • SOAR tool integration support for Splunk Phantom and Cortex XSOAR

  • Maximum 2 users in the system

  • Configuration module in the Administration module

Add Spoke

You can add and configure spokes to access data from a specific set of threat intel from the hub. Each spoke acts as a subscriber and receives threat intel from the configured collections of the hub.

You can create a spoke or add an existing spoke to the hub.

Create Spoke

Create a spoke instance to poll intel from the hub and extend connectivity in your network.

Before you Start 

  • You must have View, Create, and Update permissions for Spoke/Subsidiaries.

  • Ensure that the email server in CTIX > Configuration > General Settings is configured. By default, the spoke activates with the same email server configurations as the hub.

  • You must have at least one license to add a spoke.

Steps 

To create a new spoke, follow these steps:

  1. Go to Administration > Integration Management and select Spoke/Subsidiaries under FEED CONSUMERS.

  2. Click Add Spoke and enter the following details:

    • Spoke Code: Enter a unique spoke code to identify the tenant for spoke configuration. For example, spoke1. The spoke code is used to create a unique URL for the spoke.

    • Spoke Name: Enter a name to identify the spoke in the hub.

    • Collections: Select the STIX collections of the hub from which the spoke will poll intel.

    • Enable Allow Listing User Domain: Enter the domains to add to the allowed list of the spoke for seamless exchange of intel. For example, cyware.com.

    • Spoke Admin Email Address: Enter the email address of a user to configure as the spoke administrator and share the credentials to access the spoke.

  3. Click Add.

It takes about five minutes to create a spoke. You will receive an app notification after the spoke is created. The configured administrator will receive an email with the credentials to sign in to the spoke.

Add Existing Spoke

Notice

This feature is available in Intel Exchange (CTIX) v3.5.3.0 onwards.

You can add existing spoke instances to the hub, integrating already-established deployments into your network for efficient collaboration and resource utilization.

Before you Start 

  • You must have View, Create, and Update permissions for Spoke/Subsidiaries.

  • You must have the API credentials of the spoke instance. For more information, see Configure Open API.

Steps 

To incorporate an existing spoke, follow these steps:

  1. Go to Administration > Integration Management and select Spoke/Subsidiaries under FEED CONSUMERS.

  2. Click Add Spoke and enter the following details:

    • URL: Enter the base URL of the spoke. For example, https://spokecode.sampledomain.com/ctixapi/.

    • Collections: Select the STIX collections of the hub from which the spoke will poll intel.

    • Access ID: Enter the API access ID of the spoke.

    • Secret Key: Enter the API secret key of the spoke.

  3. Click Add.

The spoke is added to the hub.

Visualize Hub and Spoke Network

CTIX can visualize the hub's network, showing the number of spokes, sources, and subscribers attached to the hub. The visualization groups spokes, sources, and subscribers into their respective clusters and presents them graphically, giving the admin easy access to and visibility of the hub's network.

Ensure that you have the View Spokes/Subsidiaries permission to view and expand or collapse the clusters in the visualization screen.

To view the network, navigate to Administration, select Integration Management, select Spoke/Subscribers under FEED CONSUMERS, and click Hub & Spoke Visualization on the top right corner.

With this visualization, you can:

  • Expand each cluster to show the details of respective spokes, sources, and subscribers.

  • Drag and drop the clusters at your convenience.

  • Fit the whole hub and spoke network on the window as per the screen's capacity.

  • Zoom in and zoom out to have a closer or a wider look at the components of the clusters.

  • View the network in full-screen mode.

To switch back to the table view of the network, click Switch to Table Visualization on the top right corner.

Manage Spokes

You can view the list of spokes added to the hub on Spoke/Subsidiaries. You can view basic details of the spokes, such as the spoke code, collections, email ID of the creator, creation date, and status.

You can perform the following activities to manage spokes:

Note

You must have the Update permission for Spoke/Subsidiaries to manage spokes.

  • Show Preview: View license-specific details of the spoke, such as license expiry, spoke URL, associated collections, and platform version. You can also view the utilization statistics of users, read-only users, subscribers, open API, sources, and allowed indicators as per the spoke license.

  • Open in new tab: Directly access the spoke instance from the hub in a new browser tab.

    Note

    If your account does not exist in the spoke, then your account is automatically created in the spoke with administrative permissions.

  • Edit Collections: Add or remove the STIX collections from which the spoke polls intel.

  • Test Connectivity: Verify if a spoke is connected to the hub. If the connectivity fails, verify the validity of the open API credentials you have provided to configure the spoke.

  • Decommission: Decommission a spoke from polling threat data from the hub. An email is sent to Cyware Support with the decommission request. After the spoke is decommissioned, an email is sent to you and Spoke/Subsidiaries displays the spoke as inactive. You cannot perform any activity on an inactive spoke.

Access a Spoke Dashboard

You can access a Spoke Dashboard by doing the following:

  1. From Administration, select Integration Management and select Spoke/Subsidiaries under FEED CONSUMERS.

  2. Select the spoke, click the ellipsis, and select Go to Dashboard.

    The spoke environment opens. You can access the available features on the spoke.