CTI Collaboration Using STIX and Elasticsearch
In this talk we explore the concepts that underpin true intelligence collaboration and describe a means to achieve it using STIX and Elasticsearch.
The combined knowledge of the cyber security and intelligence community is vast, and yet many teams still work in splendid isolation. This talk works through an example of an active intrusion set, analysed by separate teams, to show the highs and lows of parallel analysis. We investigate how multiple viewpoints increase intelligence quality but also introduce bias and data complexity, and then show how to solve that with (free) technology.
The method this talk focuses on applies the core concepts of search (Elasticsearch), provenance (in a git-like way) and data modelling (purist STIX) to produce a truly global and collaborative threat intelligence repository.
Chris O'Brien, Former Senior Director of Intelligence