Draft:Cyber Threat Alliance

The Cyber Threat Alliance (CTA) is a 501(c)(6) membership-based nonprofit organization that shares cyber threat intelligence among its member companies and works to promote cybersecurity practices.

Since CTA's founding in 2014 and official incorporation in January 2017, it has facilitated cyber threat information sharing among its members.

The organization is currently headquartered in Arlington, Virginia, with member companies headquartered in 12 countries and active in several others.

Formation
CTA was formed by technology and cybersecurity companies Fortinet, McAfee, Palo Alto Networks, and Symantec as an information-sharing initiative, based on the idea that no single company can identify all cyber threats. Sharing initially began with malware samples. As the sharing grew and proved useful for threat intelligence, the original members realized that they needed to create a separate, neutral entity to manage the sharing activities. Along with Cisco and Check Point, they established CTA as an independent, nonprofit company in January 2017.

To aid companies' customers before hackers realize they have been identified, the founding organizations developed an "early sharing" model that gives governments and companies early warnings in order to decrease the spread of hacking campaigns. CTA launched its early sharing program in May 2018, when Cisco's cybersecurity unit, Talos, used CTA to quietly notify companies of the early stages of a potentially expansive cyberattack against Ukraine using malware known as VPNFilter.

Later in 2018, the Cyber Threat Alliance released research that found a significant increase in illicit crypto mining malware between 2017 and 2018. Such malware allows hackers to illegally infect a computer and use it to perform cryptocurrency mining calculations in order to earn money.

Since the VPNFilter alert, CTA has continued to address warnings about hacking groups linked to nation-states and about criminal hacking campaigns, including Symantec's early warning about a China-linked group that allegedly stole and repurposed hacking tools, and the $4 billion WannaCry attack launched by North Korea.

Leadership
Michael Daniel currently serves as the President and CEO of CTA. Daniel assumed the role in February 2017.

Jeannette Jarvis currently serves as CTA's Chief Membership and Communications Officer.

Automated Sharing
To retain membership, CTA members must share a minimum amount of technical cyber threat intelligence on a weekly basis, including malware hashes and binaries, malicious domain names and Internet Protocol addresses, botnets, command and control (C&C) server information, file properties, registry keys, and other indicators of compromise (IOCs). This shared intelligence flows through an automated platform and includes information on both cybercrime and advanced persistent threats (APTs).

CTA's framework uses an algorithm to assign a point value to the automated intelligence, which helps users understand why a certain threat indicator is important and gives members the opportunity to educate each other on complex and multidimensional attacks.

Analytic Sharing
Analytic sharing activities include regular video meetings with cyber research teams, the use of an instant messaging platform, and the distribution of pre-publication, embargoed blog posts, research findings, and white papers among CTA members. This last type of collaboration, which CTA calls "early sharing," began in 2018, when Cisco provided an early warning to companies about the VPNFilter malware. CTA continued this "early sharing" model after the VPNFilter incident, including by providing access to research from Palo Alto Networks on a cyber espionage operation identified in late 2021.

Ransomware Task Force

The Cyber Threat Alliance serves as a member of the Ransomware Task Force (RTF), a group of stakeholders from industry and government recommending policy solutions to combat ransomware.

To support these efforts, CTA helped draft a Cyber Incident Reporting Framework, which identifies a set of principles that incident reporting regulations should incorporate, as well as a set of mock reporting formats that the Cybersecurity and Infrastructure Security Agency (CISA) can use as a foundation for reporting forms.

ATLAS Project
As a member of the World Economic Forum's Centre for Cybersecurity, CTA supported the Forum's launch of the ATLAS Project in 2022. Inspired by the definition of an atlas — a book of maps involving different points of view and uses — the project aims to “create a repository of information that can generate different views about the cybercriminal ecosystem” to facilitate a greater understanding of the data and security ecosystem, particularly for law enforcement and network defenders.

Members
CTA has 36 current member companies. Members are expected to make annual financial contributions to the Cyber Threat Alliance. The organization employs seven people.

CTA's members are headquartered in 11+ countries and are mostly cybersecurity companies.

Founding Members

 * Check Point
 * Cisco
 * Fortinet
 * McAfee
 * Palo Alto Networks
 * Symantec – A Division of Broadcom