IFIN Declaration

We are the Independent Federated Intelligence Network (IFIN), and we're here to change how you think about threat intelligence. We're announcing ourselves to the world in hopes that like-minded people will join our efforts. Join the community and the mission here.

At its best, cyber threat intelligence drives defensive decision-making. But for most organizations, that ideal is far out of reach.

High-quality intelligence can be difficult to obtain, locked behind steep paywalls, proprietary formats, or restrictive memberships. What is publicly accessible often lacks the relevance to improve defenses. Commercial offerings tend to favor drama over utility. Even foundational sources of information face new challenges to their effectiveness and trustworthiness.

These unfortunate circumstances present an opportunity for profound change. We need to rethink how we do threat intelligence—not as an "industry," but as an open, resilient community. By observing, sharing, and learning together, we can protect each other. 

The Value of Threat Intelligence

If cyber threat intelligence is to have any value at all, it must be accessible, trustworthy, and actionable.

Accessible threat intelligence does not reside in exclusive networks or databases, where one must pay to play. It does not arrive through a single service provider or technological platform, nor does it arrive in a proprietary format. Accessible intel follows open standards. It is shareable across platforms and networks. It is simple to consume and integrate into existing operations to support decision-making. 

Trustworthy threat intelligence comes from reputable contributors. This reputation comprises both a history of provided value and a verifiable identity. But unlike the trust and reputation of a website, the trustworthiness of an intelligence provider is enhanced by its accessibility: the more people receive and make valuable use of the intelligence from a given provider, the more trustworthy that provider becomes.

Actionable threat intelligence provides the means to effect positive change in an organization's defensive posture. Actionable intelligence must be relevant to the consumer. It must be of a suitable type to the consumer. And, of course, actionable intelligence must be both accessible and trustworthy.

To make such intelligence available to all, we propose a new model: threat intelligence as mutual aid.

The IFIN Model

Mutual aid networks collaborate to determine everyone's needs, sharing among each other as needed. They are horizontally organized, without the need for central power structures. We've observed such networks support communities with food, medicine, shelter, childcare, and more. And indeed, decentralized intelligence sharing is nothing new. Consider the whisper networks which have kept women safe for, well, ever. Consider resistance cells within authoritarian regimes. Mutual aid in the form of information is a tried-and-true model. It's only through the dark mirror of capitalism that we perceive cyber threat intelligence's true form as a product to be consumed from a few anointed providers.

Our mission is to empower organizations to independently collect, analyze, and disseminate relevant cyber threat intelligence through training, open source tools, and a decentralized intelligence sharing network. 

Here's what we're proposing.

It all starts with a single node in a network. This node is an organization that has been trained in the skills necessary to collect, analyze, and share cyber threat intelligence that is relevant to them (this training is the "onboarding" to IFIN, and one of our core functions). Collection can involve monitoring their public footprint, deploying honeypots/nets, or any other established legal collection practice. Because the collection is performed for and by the organization, the resultant intelligence is immediately relevant to them—but also likely to others, especially in proximate geographies, industries, or technology profiles. One node joins others, sharing in communities of interest and the global network.

The result: a resilient mesh of intelligence sharing that is not dependent on a single source of information.

A true threat intelligence network is not just about sharing atomic indicators (IP addresses, domains, file hashes, etc.). This is about building a community that shares all levels of threat intelligence. Automated feeds of intelligence artifacts are necessary, but this network's substance is not data; it is relationships. This focus distinguishes IFIN's approach from other intelligence sharing organizations. Our intention is to build a human federation.

Many tools already exist to fuel this effort—MISP and OpenCTI, for example, could well power the technological aspect of IFIN. Those tools are means, not ends. We seek to build a network of people. Whatever tools are used, this enterprise succeeds because of the people committed to the collection, analysis, and sharing of intelligence. The more people who join, the stronger the network becomes.

Resilience Over Power Centers

Resilience of the network is a primary objective for IFIN in light of the current system's fragility. A compromise in one of the select few primary intelligence providers can poison the intelligence of all downstream providers.

It is dangerous for one, or a select few, to have the capacity and privilege to collect and disseminate intelligence for everyone else. Not just because of potential compromise, but because of relevance. The more distant the collection source is from those who would use it, the less likely it is to be relevant to their circumstances. Decentralization solves the economic problem of scaled intelligence, where only the hyper-capitalized can collect sufficient intelligence to provide to everyone. It also solves the relevance problem—what an organization collects for themselves is immediately relevant to them, and likely to their immediate peers.

It's time to build for ourselves the capacity to collect and analyze threat intelligence, and the network to share what's gathered.

How do we build this network? One node at a time.

IFIN's Plan

It all starts with education. IFIN is developing a "reference architecture," a blueprint for any organization that wishes to develop a cyber threat intelligence apparatus. This architecture, combined with training on the relevant tools and methods, enables an organization not only to create a cyber threat intelligence program from scratch, but also to join IFIN as a network participant. They can train peers in turn, or introduce them to us. And so the network grows.

It's a simple plan, but one that has proven to work throughout history: Teach the skills; help them spread; be everywhere and nowhere so that nobody can bring the network down.

No particular part of this endeavor is new. The pieces have been around for some time. Our hope is that by putting the pieces together in a shape that maximizes human networking, education, decentralization, and openness, we can build a better intel sharing network. This is not a "Fifteenth standard" scenario. This is simply a considered implementation of good work that's come before.

You might wonder why any organization would bother with such an effort, especially when commercial threat intelligence products "just work."

IFIN offers a different value proposition than the status quo: the intelligence you collect is relevant to you because you collected it. Through your careful efforts, you have identified the true adversary, and can study their tactics and techniques. You can tune your defenses against them. And together, we can understand the threat landscape like never before. We can see and understand what was once invisible. We can prevent what was once unpreventable. We can win.

We are the Independent Federated Intelligence Network, and we hope you join us.