We were founded in 2014 through an informal agreement to share intelligence among Fortinet, McAfee, Palo Alto Networks, and Symantec. They called this arrangement the Cyber Threat Alliance, but CTA had neither dedicated staff nor any legal paperwork. In 2015, the companies developed a white paper on the Cryptowall Crimeware. The paper garnered a lot of attention and showed the value of collaboration among the cybersecurity community.
At this point, the companies realized that they were involved in something bigger.
In order to increase the impact across the ecosystem, CTA needed to scale. To achieve this, the Founding Members decided to establish CTA as an independent organization and re-launch it in February 2017 at RSA. The revamped CTA now has dedicated staff, resources, and a technology platform for sharing advanced threat data. As a result, CTA members can all share timely, actionable, contextualized, and campaign-based intelligence that can be used to improve their products and services to better protect their customers, more systematically thwart adversaries, and improve the security of the digital ecosystem.
In addition to sharing through our platform, CTA members share blogs, research findings, and analysis through our Early Sharing program ahead of general publication. Typically, members receive 3-5 early shares per week.
HOW DOES OUR SHARING PLATFORM WORK?
Members Upload Information To The Platform
Members upload Structured Threat Information Expression 2.0 (STIX™) packages of linked intelligence with pre-set fields to the CTA platform. All STIX 2.0 packages must contain at least one observable with accompanying context, some elements of which are required. Context is organized around the MITRE ATT&CK framework. CTA’s use of the STIX 2.0 submission format enables easier sharing and improved readability of indicator and context data, empowering members in their efforts to disrupt hostile actors and better protect their customers.
CTA’s Algorithm Scores Each Submission
Each package is assigned a total point value at the time of submission and is correlated with other members’ submissions for mutual validation. All packages are attributed to the submitting member, but the affected entity’s data is anonymized. Members will score more points by validating observables previously submitted by other members while including new or additional context. CTA’s scoring system prioritizes the submission of information that our members value. If a member’s average total daily points is greater than the set minimum value, they will remain in good standing.
Members Extract Data From The Platform
Members in good standing can set filters to extract other members’ submissions. Filters include: the member who submitted, the threat actor name, and the submission date. On average, members are sharing more than 11 million observables per month.