Threat Intelligence by Shelf: A Culture of Data Sharing

Effective exchange of threat information among many participants works like herd immunity: the more participants are involved, the higher the likelihood of successfully resisting attackers. In this article I will cover the culture of exchanging such data abroad, how Russian practice differs, and what the main pitfalls in this area are.

What is a data culture and why is it needed?

It is worth sharing information about threats for at least three reasons. First, to save money, because it is cheaper to prevent an attack than to repair the damage from it. Second, to be socially responsible: to fight a common enemy together with other companies. Third, to have a good reputation. If a company is, broadly speaking, secure, it is trusted not only by clients but also by investors.

Today, there are several types of data that TI exchange participants share:

  • incidents – detailed information about attempted attacks and their success;

  • threats and vulnerabilities – it often happens that attackers manage to exploit a vulnerability before it reaches the known vulnerability databases;

  • methods of eliminating vulnerabilities, localizing or blocking threats;

  • information about new adverse events in the world of information security.

This data is exchanged in various ways. The first is through open-source feeds generated by members of the TI community and some companies, and through open-source and proprietary platforms. The advantages of this method are free access to feeds, a large selection and ease of use. There are also disadvantages: a large amount of irrelevant data, which therefore has to be filtered, and a lack of context. The second way is to create and participate in specialized organizations. The list is quite long: CERT, CSIRT, CIRC, CIRT, SIRT, IRT, IRC, SERT, ISAC, ISAO. I will tell you more about what they are below. The third way is to participate in specialized events, for example, FIRST CTI SIG Summit, SANS CTI Summit, Threat Intelligence Summit, Black Hat, Cyber Intelligence Asia.

The maturity of a culture of exchanging cyber threat data is a composite indicator. It is directly or indirectly influenced by the number of specialized events, the number of TI vendors, and the activity and involvement of potential exchange participants: members of the TI community, private companies, and the state. The threat landscape, how active attackers are and how sophisticated their new methods are also determine the quality of the response and the skill of the defenders.

My team and I believe that, given these factors, the culture of sharing threat intelligence in the US and Europe is more mature, and we have a lot to learn from them. Let’s see how it works “with them”.


The United States has a number of TI sharing programs developed by the Cybersecurity and Infrastructure Security Agency (CISA).

  • ISACs (Information Sharing and Analysis Centers) are centers for the exchange and analysis of information that are formed around a specific industry: finance, energy, industry, and so on. They were first created in 1998 by decree of the President of the United States to exchange information on cyber threats between owners and operators of critical infrastructure. In total, there are 25 such centers in the United States today.

  • ISAOs (Information Sharing and Analysis Organizations) are organizations focused primarily on the protection of shared information. This is a so-called extension of ISAC that is not tied to a specific industry: the members of these organizations can unite on other grounds, for example, on a territorial basis.

  • AIS (Automated Indicator Sharing) allows the exchange of indicators of compromise in real time. AIS involves both private and public sector entities. All participants are guaranteed the anonymity and confidentiality of the information transmitted, and in addition, they are not subject to antitrust, federal, and state laws.


In Europe, there are similar organizations created by the European Union Agency for Network and Information Security (ENISA). European ISACs appeared later than the American ones and drew on their experience, so there are some differences between them.

Thus, ISACs in the EU are not necessarily associated with any industry. Here are the models for building ISAC in Europe:

  • ISACs within a single country are most often managed by a Computer Security Incident Response Team (CSIRT).

  • Industry ISACs focus on organizations in a single, usually critical or vital, sector and are largely supported by the sector or government itself.

  • International ISACs bring together key experts from all over the world, but due to cultural differences and different approaches, they often face the problem of trust between experts. Examples of international ISACs established in Europe: EU FI-ISAC (financial sector), EE-ISAC (energy sector).

TI data exchange structures are similar in most EU countries. There are ISACs, which can be represented by response teams (CERTs), CSIRTs and others, and there are higher-level organizations that coordinate interaction between ISACs.

The development of the ISAC ecosystem in Europe depends on the general level of trust between public and private structures. Therefore, for countries where this trust is insufficient, it may be advisable to start by developing PPP structures (public-private partnerships, a less formal type of organization than an ISAC) and then transform them into ISACs.

An ISAC can be initiated by the government or by the private sector (in which case the government can act as an intermediary). Regardless of the structure of the ISAC, flexible and effective cooperation requires a set of rules governing interaction between the members of the association, which describes, among other things, the procedures for vetting new members of the community.

Collaboration takes place not only within ISAC, but also between different organizations of this type. For example, as a result of community collaboration, the X-ISAC platform was created. It is operated and maintained by the Computer Incident Response Center Luxembourg (CIRCL) and the MISP project.


When talking about the exchange of information on cyber threats, one cannot fail to mention FIRST (the Forum of Incident Response and Security Teams). Since its inception in 1990, the organization has worked almost continuously on thousands of security vulnerabilities. It would be unfair to attribute FIRST to any one state, because it is a large-scale international community, so I decided to devote a separate section to it.

FIRST identifies three components as its mission.

  • Global Coordination – FIRST provides platforms, means and tools for incident responders.

  • Global Language – FIRST supports initiatives to develop common means of communication.

  • Governance – FIRST members do not operate in isolation, but are part of a larger system.

FIRST brings together information security incident response teams (CERT, CSIRT), product security incident response teams (PSIRT) and independent information security researchers.

I will dwell in more detail on the types of response teams. CERT is a registered trademark of Carnegie Mellon University. It was there, by order of the US government in 1988, that the first CERT team was formed to fight the so-called Morris worm. Today, the term designates groups of experts who continuously monitor information about emerging information security threats and classify and neutralize them. Such teams can be either national or sector-focused. Their main goal is to respond to new threats in a timely manner and to communicate them to stakeholders. To this end, CERTs issue bulletins with aggregated threat information and recommendations for responding to the threats.

CSIRT is another term for a Computer Incident Response Team. The difference is that it can be used without special permission. In 1992, the Danish academic provider SURFnet created Europe’s first CSIRT team called SURFnet – CSIRT.

In addition, other abbreviations are used in practice: IRT (Incident Response Team), CIRT (Computer Incident Response Team), SERT (Security Incident Response Team). The main goal for CERT, CSIRT, ISAC, ISAO and other similar organizations is the same – to improve the information security landscape, but for CERT and CSIRT the main focus is on responding to information security incidents and only then on raising awareness among stakeholders.


In Russia, the participants in the exchange of threat data include regulators and a number of commercial organizations. For example, a system for exchanging information about computer attacks in the credit and financial sector operates on the basis of FinCERT, a special structural unit of the Central Bank. Another regulator, NKTsKI, coordinates the interaction of critical information infrastructure entities with GosSOPKA, the state system for detecting, preventing and eliminating the consequences of computer attacks.

Commercial organizations include CERT-GIB, BI.ZONE-CERT, Infosecurity CERT and KASPERSKY ICS CERT. Also, speaking about the participants in the TI data exchange, it is worth mentioning the non-profit organization RU-CERT, which aims to reduce the level of cyber threats for Runet users.

Despite the rather long list of exchange participants, there is no large, established community dedicated to Threat Intelligence in Russia yet. At the same time, there is noticeable progress: numerous Telegram chats (sometimes created by vendors) and open-source feeds are appearing, and thematic events are being held. Nevertheless, the regulator’s demand remains the main motivator and engine of information exchange.

Pitfalls

Trust between the participants can be considered the basis for the exchange of information on cyber threats: the higher the level of trust, the more effective the interaction and cooperation. In addition to the lack of trust, there are several more problem areas:

  • Lack of awareness – not all organizations understand the advantages and potential benefits of participating in information exchange.

  • Fear – many organizations believe that sharing information about an attack will damage their reputation.

  • Insufficient funding – there is a sea of information, and analyzing it takes specialists, who in turn have to be paid, and this requires a budget.

  • Lack of qualified specialists – both in the field of information security and to support the exchange infrastructure.

A parallel can be drawn between the TI data culture issue and the environmental issue (what? Yes!). Isolated initiatives will not bring results. Every link in the exchange needs to be interested and active in achieving the goal, and the format of the exchange needs to be consistent.

And of course, the most important thing is for the government and business to understand the scale of the risks associated with cyber threats and to increase the volume of investments in the development of information security.

Author: Valeria Chulkova, systems analyst, R-Vision Threat Intelligence Platform
