Collective Intelligence Framework

the fastest way to consume threat intelligence

Our Flagship Project, is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.

• join the cif-users list
• join #cif on freenode.net

Primary Sponsors

• the REN-ISAC community
• National Science Foundation

*This material is partially-based upon work supported by the National Science Foundation under Grant No. 1127425. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Releases

• CIF v3 (beta release)
• CIF v2 (stable release -- deprecating..)

In the Wild

Introductions

• [2017] the CIFv3 Book
• [2015] the CIF Book
• [2014] Applied Network Security Monitoring
• [2013] How to Normalize Threat Intelligence Data from Multiple Sources- Tech Talk
• [2012] Introduction to the Collective Intelligence Framework
• [2012] Toolsmith
• [2012] 3rd party CIF public instance
• [2012] VZ: Everyday I'm CIFing

SEM Integration

• [2015] Query CIF from Logstash
• [2012] Querying CIF Data From Splunk
• [2012] How to get CIF working with ELSA
• [2012] CIF Integration with ArcSight
• [2012] Using CIF to create content for ArcSight – Part 1
• [2012] Using CIF to create content for ArcSight – Part 2
• [2012] ELSA with the Collective Intelligence Framework
• [2012] More (Advanced) Querying CIF Data With Splunk
• [2012] Using CIF with SiLK

Advanced Stuff

• [2014] Identifying Malware Traffic with Bro and the Collective Intelligence Framework
• [2012] CIF Globe (github)
• [2013-07] Kyle Maxwell -- Open Source Threat Intelligence Overview [live] [slides]
• [2013-07] SANS - Blog Spam - annoying junk or a source of intelligence?
• [2012] Category Archives: CIF
• [2012] Accelerating CIF with Sphinx
• [2012] CIF-Lite: Customizing CIF to your schema
• [2012] VZ: Gluing Our Stuff Together
• [2012] VZ: Recent Improvements to CIFGlue
• [2012] VZ: CIF: Looking Under the Hood

Talks

All content licensed under CCv3 unless otherwise specifically specified.

• 2013 -- PacketPushers HealthyParanoia, the Dudes of REN-ISAC (podcast)
• 2013 -- AusCERT peering: the next ten years.
• 2013 -- MAAWG: data-sharing economics
• 2012 -- GFIRST/NIST|APWG: the next ten years
• 2012 -- FIRST.org: Sharing data's hard here's how we did it (mp3)
• 2012 -- Internet2 Combined Industry and Research Constituency Meeting
• 2012 -- Zombie Hunting
• 2011 -- ISOI9
• 2011 -- REN-ISAC Member Meeting
• 2011 -- Educause SPC
• 2010 -- SES v2 Update
• 2010 -- DDCSW2
• 2009 -- DDCSW1
• 2009 -- Joint Techs
• 2009 -- Educause SPC

Papers

• 2015 - SANS - Who's Using Cyberthreat Intelligence and How?
• 2015 - Microsoft - A framework for cybersecurity information sharing and risk reduction
• 2015 - SANS - Automated Defense Using Threat Intelligence to Augment Security
• 2014 - ENISA - Standards and tools for exchange and processing of actionable information
• 2014 - SANS - Tools and Standards for Cyber Threat Intelligence Projects
• 2013 - ENISA CSIRT Interop
• 2013 - Intelligence Exchange in a free market economy
• 2012 - CERT-PL: Proactive Detection and Automated Exchange of Network Security Incidents