As the number and diversity of cyber incidents increase, so do the sources of Threat Intelligence. There are many obstacles to its proper use: the different data standards used in Threat Intel, the different platforms, the different feeds and their quality... But the most important is how to use Threat Intel to protect organizations. This article presents an innovative system that uses the context of an Information System and Threat Intel to provide incident response in the form of measures to be taken.
At the core of the innovation lies a system that distributes Threat Intelligence and recommended Courses of Action (CoAs). Through an amalgamation of external insights and local context, they pinpoint the response system(s) for execution, seamlessly translating strategy into action. Utilizing STIX, the system adeptly expresses threat information, including CoAs. Tackling the challenge of aligning CoAs with actionable response steps, they seem to have devised a robust, scalable solution via a publish-subscribe model. Built upon the Extensible Messaging and Presence Protocol (XMPP) architecture, the solution boasts security and flexibility, catering to diverse data models and transport protocols. This article highlights the motivation and system details, along with practical applications
