Introduction

CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.

More can be found by continuing on to What is CIF? and some history

Getting Started

Due to the various content "licenses" for each of the feeds (malwaredomains, zeustracker, etc) We do NOT offer this as a service, we can't give you an api-key to "test with". As an org; you're free to download this data, but we're not able to do it for you, which is why we give you the tools... we teach you how to phish... :)

(testing) v1

• deploy a v1 instance
• deploy a v1 client
• current v1 issues
• generating your own feeds
• writing your own smrt config
• leverage the v1 API

the Community

• how others are leveraging the framework
• join the community
• jump in to IRC on freenode #cif
• the CommunityRules
• feature requests, bugs should be logged here, or they will get lost.
• potential new feed sources
• bored? what to contribute back?

Resources

• visit our presentation archive
• an example legal template for sharing data with partners can be found here

RoadMap

A semi-updated roadmap can be found here

(deprecated) v0

• deploy a v0 instance.
• deploy a v0 client
• using the feeds
• writing your own cif_feedparser config
• leverage the v0 API

Partners

• REN-ISAC (project lead)
• Indiana University
• Internet2
• National Science Foundation

This material is partially-based upon work supported by the National Science Foundation under Grant No. 1127425

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.