ENISA CTL methodology works on promoting consistent, transparent threat intelligence sharing

The European Union Agency for Cybersecurity (ENISA) released Wednesday an open and transparent framework to support the development of threat landscapes and bring about consistent and transparent threat intelligence sharing. By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. 

The horizontal threat landscapes include the overarching ENISA Threat Landscape (ETL), a product that aims to holistically cover a wide range of sectors and industries. Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, focus on a specific theme but cover many sectors. Sectorial threat landscapes, such as the ENISA 5G Threat Landscape, focus on a specific sector and provide more focused information for a particular constituent or target group.

The ENISA CTL methodology consists of six main steps: direction, collection, processing, analysis and production, dissemination, and feedback, with feedback foreseen and associated with each step. The methodology is intended to provide a high-level overview of how to produce a CTL and is meant to evolve over time as the process develops. Furthermore, the ongoing research and work ENISA performs in the area are meant to ensure transparency and trust in the contents of the reports produced.

The ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG) has validated the CTL methodology. The group comprises European and international experts from the public and private sectors. The methodological framework's overall focus involves identifying and defining the process, methods, stakeholders, tools, and the various elements that provide content and constitute the CTL.

ENISA aims to build on its expertise and enhance this activity so that stakeholders receive relevant and timely information for policy-creation, decision-making, and applying security measures, as well as for increasing knowledge and information for specialized cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies. The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyber threat landscape. The efforts support risk mitigation, promote situational awareness, and help respond proactively to future challenges.

The CTL document is aimed at European Commission and European Member States policymakers, including but not limited to European Union Institutions (EUIs), EU institutions, bodies and Agencies (EUIBAs), cybersecurity experts, industry, vendors, solution providers, SMEs, and the Member States and national authorities, such as cybersecurity authorities. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, monitor, and tackle existing and potential threats.

The ENISA CTL methodology aims to describe a systematic process for data collection and analysis, which is to be used for the formation of CTLs. The methodology aims to address what structure (components and contents) a threat landscape should follow, how the targeted audiences should be determined, how the data should be collected, how the data should be analyzed, how the products should be disseminated, and what the process for collecting feedback is.

The framework is based on the different elements considered when performing cybersecurity threat landscape analysis. It includes the identification and definition of the process, methods, and tools used and the stakeholders involved.

Building on the existing modus operandi, the methodology provides directions on defining components and contents of each of the different types of CTL, assessing the target audience for each type of CTL to be performed, how data sources are collected, how data is analyzed, how data is to be disseminated, and how feedback is to be collected and analyzed.

Currently, the methodology involves a lot of manual work. Although human interaction and analysis will still be a part of the process for a long time, most of the work could be automated, the ENISA document said. “For example, different solutions specialize in one or more areas to identify, collect, preserve, process, review, analyze and produce electronically stored information (ESI). Such solutions would allow for the efficient processing, cross-validation, and analysis of a variety of ESIs that are currently used to shape the CTL, ranging from common information sources such as Outlook and Microsoft Data to more dynamic or esoteric sources like OSINT and (vulnerability) databases,” it added. 

In this context, these automated solutions could enable the exploration of patterns, trends, and relationships within unstructured and structured data to uncover insights and intelligence that will enable stakeholders to respond to future cybersecurity challenges proactively or reactively. 

Additionally, Artificial Intelligence (AI) is increasingly influencing people’s everyday lives and playing a key role in digital transformation through its capabilities, the CTL document said. “The benefits of this technology are significant and will have a notable effect on the production of the CTL. Indeed, having an AI able to collect and provide analysis based on predefined requirements will significantly speed up the process of producing a CTL,” it added.
