How Our Sharing Works

How Our Sharing Works

How the Sharing Model Works

Members upload information to the platform: Members upload Structured Threat Information Expression 2.0 (STIX™) packages of linked intelligence with pre-set fields to the CTA platform. All STIX 2.0 packages must contain at least one observable with accompanying context, some elements of which are required. All packages are attributed to the submitting member, but the affected entity’s data is anonymized. CTA’s use of the STIX 2.0 submission format enables easier sharing and improved readability of indicator and context data, empowering members in their efforts to disrupt hostile actors and better protect their customers.

CTA’s algorithm scores submission: Each package is assigned a total point value at the time of submission. Each package is correlated with other members’ submissions for mutual validation; members will score more points by validating observables previously submitted by other members while including new or additional context. CTA’s scoring system prioritizes the submission of information that our members value. If a member’s average total daily points is greater than the set minimum value, they are in good standing.

Members extract information from the platform: Members in good standing can set filters to extract other members’ submissions. Filters include: the member who submitted, the threat actor name, and the submission date. On average, members are sharing approximately 4 million observables per month, including two-thirds files and one-third network observables.

What data intelligence is currently being shared?

Approximately 135,000 STIX packages per day, with an average of two pieces of context per observable.
Packages include a range of observables and TTPs across the kill chain.
Observables include, for example: files, domain names, addresses, and Uniform Resource Identifiers (URIs).
TTPs: Over 50 TTPs from MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC™) and Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™).
Membership in CTA gives members access to validated, curated threat intelligence they might otherwise not have.