On May 14, the Federal Bureau of Investigation posted a call for capability statements on Threat Intelligence Platform Proof of Concept Software (Solicitation Number: CYD2015). Responses are due May 22, no later than 11:59 p.m. Eastern.
The National Cyber Investigative Joint Task Force (NCIJTF) is requesting information on software able to serve as a Threat Intelligence Platform (TIP). The TIP's main function is indicator and knowledge management for cyber threats. To accomplish this, the TIP should aggregate data from multiple public and private sources, automatically extract observables from those sources, and enrich the extracted data with third-party data sets (e.g. GeoIP, WHOIS). It should then let analysts establish signatures based on those observables while retaining each signature's original context (the source report, intrusion set, etc.), and should let analysts exploit the ingested data through a robust search and filter capability. To promote sharing, the TIP should be able to export data to trusted partners, including the ability to ingest and export Structured Threat Information eXpression (STIX).
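The pipeline the notice describes (aggregate reports, extract observables, enrich them, keep the source context, search, share as STIX) is concrete enough to sketch in code. The block below is an added example written for this page; it is not software the FBI, NCIJTF or any vendor supplied. Everything in it is constructed or assumed: the three reports, the intrusion set names, the local GeoIP table standing in for a third-party feed, the regular expressions and the noise filters (non-routable addresses, file names that look like domains), and the use of STIX 2.1 JSON for export, a format that postdates the 2015 notice (STIX 1.x was XML at the time).

```python
"""Minimal TIP pipeline (added example): aggregate, extract, enrich, search, export."""
import ipaddress
import json
import re
import uuid

# Constructed sample reports: documentation-range IPs, placeholder hashes and
# names, invented intrusion sets. Each report is the context the TIP must retain.
REPORTS = [
    {"id": "rpt-001", "source": "vendor-blog", "intrusion_set": "ORANGE-FOX",
     "text": "C2 at 198.51.100.23 and hxxp://update[.]example[.]net dropped "
             "dropper.exe (sha256 " + "a" * 64 + "); lateral movement via 10.0.0.5."},
    {"id": "rpt-002", "source": "isac-share", "intrusion_set": "ORANGE-FOX",
     "text": "Seen again: 198.51.100.23 serving md5 " + "0123456789abcdef" * 2},
    {"id": "rpt-003", "source": "internal-ir", "intrusion_set": "BLUE-HERON",
     "text": "Phishing page login.example[.]org served from 203.0.113.7."},
]

GEOIP = {"198.51.100.23": "NL", "203.0.113.7": "US"}  # constructed local GeoIP table
FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "txt"}  # tokens that are not TLDs
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

PATTERNS = [  # extraction order; each match is de-duplicated across reports
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
]
STIX_PATTERN = {  # STIX 2.1 pattern templates per observable type
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
}


def refang(text):
    """Undo the common defanging conventions found in shared reports."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)


def keep(typ, val):
    """Drop noise: non-routable or malformed IPs, and file names matched as domains."""
    if typ == "ipv4":
        try:
            addr = ipaddress.ip_address(val)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            return False
        return not any(addr in net for net in NON_ROUTABLE)
    if typ == "domain":
        return val.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS
    return True


def extract_observables(text):
    """Return (type, value) pairs found in one report's free text."""
    text = refang(text)
    return [(typ, m.group(0).lower()) for typ, rx in PATTERNS
            for m in rx.finditer(text) if keep(typ, m.group(0))]


def enrich(typ, val):
    """Third-party enrichment; here only the local GeoIP lookup (WHOIS omitted)."""
    return {"country": GEOIP.get(val, "unknown")} if typ == "ipv4" else {}


def build_indicators(reports):
    """One record per unique observable, with every report that mentioned it."""
    store = {}
    for rpt in reports:
        for typ, val in extract_observables(rpt["text"]):
            rec = store.setdefault((typ, val), {
                "type": typ, "value": val, "enrichment": enrich(typ, val), "sightings": []})
            rec["sightings"].append({"report": rpt["id"], "source": rpt["source"],
                                     "intrusion_set": rpt["intrusion_set"]})
    return list(store.values())


def intrusion_sets(ind):
    return sorted({s["intrusion_set"] for s in ind["sightings"]})


def search(indicators, typ=None, intrusion_set=None, contains=None):
    """Analyst search/filter over the indicator store."""
    return [i for i in indicators
            if (typ is None or i["type"] == typ)
            and (intrusion_set is None or intrusion_set in intrusion_sets(i))
            and (contains is None or contains in i["value"])]


def to_stix(ind, valid_from="2015-05-14T00:00:00.000Z"):
    """STIX 2.1 Indicator object; the retained context rides along as a custom x_ property."""
    pattern = STIX_PATTERN[ind["type"]].format(v=ind["value"])
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
            "created": valid_from, "modified": valid_from, "valid_from": valid_from,
            "pattern_type": "stix", "pattern": pattern,
            "labels": intrusion_sets(ind), "x_tip_sightings": ind["sightings"]}


def export_stix(indicators, **filters):
    """Bundle only the indicators matching `filters` for sharing with a partner."""
    objects = [to_stix(i) for i in search(indicators, **filters)]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(export_stix(build_indicators(REPORTS), intrusion_set="ORANGE-FOX"), indent=2))
```

Two points worth noting: the same C2 address appears in two reports from two sources and ends up as one indicator with two sightings, which is what "retain the original context" means in practice, and the export filter lets the operator share one intrusion set's indicators without leaking the rest of the store.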
Future enhancements to the TIP should include a flexible reporting capability that lets the user build queries and filters over the available data. The TIP should be able to enrich data from localized data stores (e.g. local copies of GeoIP and WHOIS databases) and should provide a robust Application Programming Interface (API). It should support robust sharing, letting the user search and filter what is to be shared and offering multiple output mediums, one of which would be STIX formatted to conform to ESSA standards. The TIP should also let the user visualize the data, to surface connections that are not readily identified in traditional tabular views, and should provide a collaborative environment where users can comment on and work observables, signatures, and similar items through a workflow. Users should be able to select the intrusion set(s) they are interested in and be notified automatically when new information on those intrusion sets arrives, and supervisors should have administrative functions to assign users to intrusion set(s) and to see which data has and has not been reviewed and worked. Finally, the TIP should support large-scale incident response (IR), for example by letting users associate information and intelligence with a particular incident (through tagging or by creating an incident record), by automatically querying the data set to surface related items for the analyst, and by letting everyone involved in the response collaborate, coordinate, and produce daily reporting.
Interested vendors should submit a capability statement that specifically addresses the requirements in this notice. Based on a review of the capability statements, vendors whose products meet the requirements will be asked to demonstrate them.
Details are available here.