No. 43 - A service architecture for an enhanced Cyber Threat Intelligence capability and its value for the cyber resilience of Financial Market Infrastructures


by Giuseppe Amato, Simone Ciccarone, Pasquale Digregorio and Giuseppe Natalucci

November 2023

In recent years, more and more organizations have been building up or enhancing their own Cyber Threat Intelligence (CTI) capability. Financial entities need to improve their own cyber resilience posture to face the ever-expanding range of money-driven or state-sponsored threat actors aiming to undermine the stability of targeted countries by compromising their financial infrastructures. At the same time, the digital transformation process and steadily growing information sharing initiatives make a huge amount of data available for CTI analysis. International committees related to Financial Market Infrastructures (FMI), via commonly agreed policies or directives, and EU institutions, through normative initiatives, are firmly committed to improving the cybersecurity posture of FMIs. To this end, one of the main lines of action is to increase information sharing among financial entities. The large number of heterogeneous information sources and the overwhelming quantity and variety of available data could have negative impacts on the efficiency of CTI activities and compromise the effectiveness of defence capabilities. Therefore, the consolidation and automation of CTI processes must be prioritized in order to improve the effectiveness and sustainability of CTI operations. However, the definition and automation of CTI processes is still at a rather immature stage: for example, well-established and vendor-neutral best practices do not yet exist. The present paper proposes a framework, developed and adopted by the Computer Emergency Response Team of Banca d'Italia (CERTBI), that integrates a taxonomy and specific processes to develop an enhanced CTI capability.
