What We Do at the CTA

How the Sharing Model Works

Members upload information to the platform: Members upload Structured Threat Information Expression (STIX™) packages of linked intelligence with pre-set fields to the CTA platform. All STIX™ packages must contain at least one observable and its associated Cyber Kill Chain phase. All packages are attributed to the submitting member, but the affected entity’s data is anonymized.

CTA’s algorithm scores submission: Each package is assigned a total point value at the time of submission. Each package is correlated with other members’ submissions for mutual validation. If a member’s average total daily points is greater than the set minimum value, they are in good standing.

Members extract information from the platform: Members in good standing can set filters to extract other members’ submissions. Filters include: the member who submitted, the threat actor name, and the submission date.

What data intelligence is currently being shared?

Approximately 40,000 STIX™ packages per day, averaging over 300,000 points.
Packages include a range of observables and TTPs across the kill chain.
Observables include: files, Uniform Resource Identifiers (URIs), domain names, and addresses.
TTPs: Over 50 TTPs from MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC™) and Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™).
The CTA gives members access to validated intelligence they might otherwise not have.