Hub and Spoke: A Bidirectional threat intelligence exchange model

Category: Cyware Product

Cyware Products Used:

  • Cyware Threat Intelligence eXchange (CTIX)

Problem Statement

Tackling advanced cyber threats requires intelligence exchange and collaboration between organizations. An organization operating in a silo struggles to defend itself, so organizations must adopt a secure and effective threat intelligence sharing model.

Threat intelligence exchange can be challenging to implement in a multi-stakeholder environment consisting of subsidiaries, partners, clients, vendors, regulatory agencies, sectoral ISACs, and other large organizations. With the advent of standard data formats and protocols for storing and exchanging threat intelligence (such as STIX), various threat intelligence platforms (TIPs) were built, each using different information-sharing methods. However, most of the issues organizations face in setting up effective cyber threat intelligence operations remain unaddressed.

Solution

Cyware offers an extensive client-server-based threat intelligence exchange platform — Cyware Threat Intelligence Exchange (CTIX) — that allows your security teams to automate the entire threat intelligence lifecycle and reduce the time taken for threat detection. The platform also enables analysts to enrich threat intelligence effectively for investigation and response.

When it comes to threat intelligence exchange, Cyware is cognizant of the pain points of its clients. To address the threat intelligence exchange problem, CTIX uses the Hub and Spoke model, which provides a structured yet flexible approach to threat intelligence exchange.

Hub and Spoke is a threat intelligence sharing model where one organization functions as the central clearinghouse for information (Hub), coordinating information exchange between partner organizations (Spokes). Spokes can produce and/or consume information from the Hub.

How to set up the Hub and Spoke model?
  1. Add STIX Collections: Threat intel packages shared from CTIX can be grouped into STIX Collections to identify and categorize shared threat details. STIX Collections act as containers that categorize threat intel packages for sharing with Subscribers and also group intel packages received from associated sources. To create collections, see the documentation.

  2. Add new Spokes: CTIX equips organizations with the ability to disseminate and consume threat intelligence bi-directionally. Organizations can use the CTIX Hub to share threat intelligence from multiple sources by setting up client-server-like relationships with different partners that act as CTIX Spokes. The Hub combines and anonymizes threat intel from multiple Sources/Spokes, removes duplicates, and enriches it with further analysis before sharing it back with the other Spokes in the organization's network. To add a new spoke, see the documentation.

  3. Create Subscribers: The CTIX Hub disseminates finished threat intelligence to the right recipients called Subscribers. Each Subscriber may represent a different audience for threat intelligence. To configure subscribers, see the documentation.

  4. Bi-Directional Intel Exchange: CTIX Spoke organizations can share threat intel packages back to the CTIX Hub. This allows the trusted exchange of threat intel between intel sharing communities and peer organizations. To visualize your Hub and Spoke network, see the documentation.

  5. Share Intel with Third-Party Solutions: CTIX can integrate with SIEM tools such as QRadar, log management, and several other security solutions such as Rapid7, Phantom, Crowdstrike, Cisco Umbrella, CISA AIS, and the Cyware Situation Awareness Platform (CSAP) for sharing threat intelligence. Threat intel shared from CTIX can help enforce actions in and monitor integrated applications. CTIX Spoke users can also share threat intel with integrated tools.
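To make steps 1 to 4 concrete, the following is an added example of the hub-side logic described above (collections, spokes, subscribers and the bi-directional exchange) as a small Python program over STIX 2.1 bundles represented as plain dicts. It is illustrative code written for this page, not CTIX or any Cyware code; the `Hub` class, the `phishing` collection, the `spoke-a`/`spoke-b`/`spoke-c` names, the hub identity and the sample bundles are all constructed. The only external facts it relies on are the fixed TLP marking-definition identifiers from the STIX 2.1 specification. It shows three things the prose mentions but does not spell out: deduplication of the same indicator reported by two spokes, anonymization of spoke-specific properties before redistribution, and dissemination that never echoes a spoke's own submissions back to it, while refusing to redistribute anything marked TLP:RED.

```python
"""Toy hub-and-spoke exchange over STIX 2.1 bundles (plain dicts).

Illustrative code written for this page; it is not CTIX or any Cyware code.
The Hub class, collection names, spoke names and sample data are hypothetical.
"""
import copy
import json
import uuid

# Fixed STIX 2.1 TLP marking-definition identifiers from the specification.
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
TLP_RED = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
# Hypothetical identity the hub stamps on everything it republishes.
HUB_IDENTITY = "identity--" + str(uuid.uuid5(uuid.NAMESPACE_DNS, "hub.example"))


def dedupe_key(obj):
    """Two objects that say the same thing collapse to one hub entry.

    Indicators are keyed on their whitespace-normalised pattern, so the same
    domain reported by two spokes under different STIX ids is one record.
    """
    if obj["type"] == "indicator":
        return ("indicator", " ".join(obj["pattern"].split()))
    return (obj["type"], obj["id"])


class Hub:
    def __init__(self):
        self.collections = {}  # collection name -> {dedupe_key: stix object}
        self.origins = {}      # dedupe_key -> set of spokes that reported it
        self.subscribers = {}  # subscriber name -> set of collection names

    def add_collection(self, name):
        self.collections.setdefault(name, {})

    def add_subscriber(self, name, collections):
        self.subscribers[name] = set(collections)

    def receive(self, spoke, collection, bundle):
        """Ingest a spoke's bundle: drop TLP:RED, anonymize, dedupe.
        Returns the number of objects newly added to the collection."""
        store = self.collections[collection]
        added = 0
        for obj in bundle["objects"]:
            if obj["type"] == "marking-definition":
                continue  # markings travel by reference, not as content
            if TLP_RED in obj.get("object_marking_refs", []):
                continue  # TLP:RED must never be redistributed by the hub
            key = dedupe_key(obj)
            self.origins.setdefault(key, set()).add(spoke)
            if key not in store:
                store[key] = self._anonymize(obj)
                added += 1
        return added

    def _anonymize(self, obj):
        """Strip spoke-specific custom (x_) properties and re-attribute to the hub."""
        clean = {k: v for k, v in copy.deepcopy(obj).items() if not k.startswith("x_")}
        clean["created_by_ref"] = HUB_IDENTITY
        return clean

    def disseminate(self, subscriber):
        """Build a bundle for one subscriber, never echoing back only its own intel."""
        objects = []
        for coll in sorted(self.subscribers[subscriber]):
            for key, obj in self.collections[coll].items():
                if self.origins[key] == {subscriber}:
                    continue  # nothing new for the spoke that reported it
                objects.append(obj)
        return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def indicator(uid, pattern, tlp, **extra):
    """Build a minimal STIX 2.1 indicator (constructed sample data)."""
    base = {"type": "indicator", "spec_version": "2.1", "id": "indicator--" + uid,
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "pattern": pattern, "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
            "object_marking_refs": [tlp]}
    base.update(extra)
    return base


def build_demo_hub():
    """Spokes A and B each push a constructed bundle; spoke C only consumes."""
    hub = Hub()
    hub.add_collection("phishing")
    for spoke in ("spoke-a", "spoke-b", "spoke-c"):
        hub.add_subscriber(spoke, ["phishing"])
    bundle_a = {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": [
        indicator("11111111-1111-4111-8111-111111111111",
                  "[domain-name:value = 'bad.example']", TLP_GREEN, x_spoke_ticket="A-42"),
        indicator("22222222-2222-4222-8222-222222222222",
                  "[ipv4-addr:value = '203.0.113.5']", TLP_RED)]}
    bundle_b = {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": [
        indicator("33333333-3333-4333-8333-333333333333",
                  "[domain-name:value   =   'bad.example']", TLP_GREEN),
        indicator("44444444-4444-4444-8444-444444444444",
                  "[url:value = 'http://bad.example/login']", TLP_GREEN)]}
    return hub, hub.receive("spoke-a", "phishing", bundle_a), hub.receive("spoke-b", "phishing", bundle_b)


if __name__ == "__main__":
    hub, _, _ = build_demo_hub()
    for spoke in ("spoke-a", "spoke-b", "spoke-c"):
        print(spoke, json.dumps(hub.disseminate(spoke), indent=1))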

Hub and Spoke Benefits

The CTIX Hub and Spoke model enables organizations to build trusted relationships that serve different purposes.

Exchange Intel between the Hub organization and its connected organizations

It facilitates threat intelligence exchange between a connected group of organizations with ultimate control residing with the Hub organization. The parent organization can act as a Hub to collect, investigate, and share threat intel, and its members, the Spokes, can receive consolidated and contextual threat intel and immediately deploy necessary actions.

Receive real-time alerts from CERT, ISAC, or other government agencies

It enables quick and secure sharing of threat intel with CERTs and other member organizations.

Exchange threat indicators and collaborate as part of a sectoral ISAC

Cyber teams can better detect threats, mitigate risks, and prepare defenses with alerts on member events and incidents, and can collaborate on analysis and share intel on threat indicators. This enables sectoral collaboration and helps organizations remain proactive against threats that target a particular sector or area of business operation.

Exchange threat information with their clients and vendors

The Hub and Spoke model enables vendor partners to access and exchange threat intelligence. This threat intelligence continuously improves vendors' and partners' ability to detect and attribute attacks, allows for attack prioritization, and provides organizations with rich context about the attacks in their environment.

Receive threat intel from various Intel feed providers

Cyber threat intelligence focuses on providing actionable information on adversaries and hence, receiving threat intelligence feeds from trusted feed providers is key to remaining proactive against threats. CTIX allows both Hub and Spoke users to configure feed-providing sources and start receiving threat intel feeds from them.

Using Cyware’s Hub and Spoke capabilities, organizations can build their own Trusted Sharing Member Network.

Hub and Spoke Model and the Threat Intelligence Lifecycle

Threat intelligence typically follows a series of steps referred to as its lifecycle, which helps security analysts analyze and investigate threats efficiently. The threat response docker is mapped to this Threat Intelligence Lifecycle, with its categories mapped to the different phases.

The Hub and Spoke model plays an important role in the Dissemination and Feedback phase of the Threat Intelligence Lifecycle.

  • Dissemination: After analyzing various threats and indicators, organizations can share this information with other companies to benefit the community.

  • Feedback: After completing the above lifecycle, the organization reflects on performed actions and reaffirms/modifies procedures implemented.