Skip to content
This repository has been archived by the owner on Apr 30, 2022. It is now read-only.

Introduction

wes edited this page Jun 26, 2018 · 1 revision

What is the Collective Intelligence Framework?

CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.

This framework pulls in various data-observations from any source and creates a series of observations "over time" (eg: reputation). When you query for the data, you'll get back a series of observations chronologically and can help you make decisions much as you would look at an email thread.

CIF helps you to parse, normalize, store, post process, query, share and produce data sets of threat intelligence.

The Process

Parse

CIF supports ingesting many different sources of data of the same type; for example data sets or “feeds” of malicious domains. Each similar dataset can be marked with different attributes like source and confidence to name a few.

Normalize

Threat intelligence datasets often have subtle differences between them. CIF normalizes these data sets which gives you a predictable experience when leveraging the threat intelligence in other applications or processes.

Post Process

CIF has many post processors that derive additional intelligence from a single piece of threat intelligence. A simple example would be that a domain and an IP address can be derived from a URL ingested into CIF.

Store

CIF has a database schema that is highly optimized to store millions of records of threat intelligence. CIF v2 uses ElasticSearch as it's datastore.

Query

CIF can be queried via a web browser, native client or directly using the API. CIF has a database schema that is highly optimized to perform queries against a database of millions of records.

Share

CIF supports users, groups and api keys. Each threat intelligence record can be tagged to be shared with specific group of users. This allows the sharing of threat intelligence among federations.

Produce

CIF supports creating new data sets from the stored threat intelligence. These data sets can be created by type and confidence. CIF also supports whitelisting during the feed generation process.