IFIN Federation Policy
Decentralization is a core IFIN operating principle. Here we refer primarily to the decentralization of intelligence sources and decisions surrounding them. Decentralization achieves the objectives of resilience, diversity, and visibility. The specific model of decentralization we employ is federation, in which data is replicated across multiple nodes in the network.
Resilience
Data in the network does not reside in or flow to/from a single point of failure. The network can tolerate nodes falling silent without the entire network collapsing. Nodes can fail for any number of reasons. Our threat model includes both benign failures (natural disasters, power outages, server moves) and targeted attacks against the network or its members. Federating (distributing and replicating) the intelligence data across the network mitigates the impact of such attacks.
Diversity
The network benefits from diverse sources contributing intelligence. This diversity improves the visibility of the network: the more types and locations of nodes, the more relevant intelligence the network produces for all prospective members. What's more, diverse nodes can corroborate each other's discoveries and expand the understanding of threat actor campaigns.
Imagine: a university sees attacks on its Palo Alto firewalls coming from a specific AS. That information is then shared with IFIN. At this point, the Diamond Model for this campaign only reveals that this AS is targeting a single institution. However, once the information is shared with the network, other institutions from other sectors and geographic locations also identify similar traffic. As it happens, they all have Palo Alto firewalls. Now the victimology concerns technology rather than industry or geography. Packet capture analysis from multiple nodes shows attempted exploitation of a recently disclosed vulnerability. Additional reports of similar traffic from different ASes enter the network, but other indicators (User-Agent, JA4 fingerprints) are consistent with the original discovery. As the understanding of the campaign expands, each network node has access to more enriched intelligence, which translates into more robust defenses for all.
Federation
"Federation" refers to the network's topology. IFIN is not a hub-and-spoke network, in which all intelligence flows initially from a single node. All nodes share alike as desired, with each making decisions about which sub-communities of intelligence are relevant to them. Perhaps a healthcare institution does not care about the data from heavy industry. It can ignore information from that cluster of the network. Conversely, perhaps a university-aligned hospital wishes to be involved in both education and healthcare communities. IFIN's structure makes this easy.
Federation also protects the network from bad actors. Suppose a node begins introducing low-quality intel, or begins monetizing the feed in a way the community doesn't like. Nodes can choose to no longer share intelligence with this bad apple, effectively protecting the network from the poor intel, and stymieing the bad node's attempts at monetizing the intel from others. While a centralized network with a single decision point about including/excluding sources could also take action, a federated model decentralizes power, allowing the network as a whole to decide for itself what is in its best interest. While IFIN's organizational governance is a central entity, the network's operation is not. This prevents network capture by the organization itself, instead entrusting the value and continuity of the network to its members.
Ultimately, we believe it is the connections between organizations that matter, not a single organization, including IFIN itself. These relationships should be self-sustaining, and consequently should not belong to any single power center. Decentralization/federation is the model that best serves that goal.