The Cins Army: Sharing Cyber Threat Intelligence For 10 Years

Collective Intelligence Network Security (CINS) turns 10 years-old this month. To celebrate, I thought I would spend a little time discussing the important functions of this underrated service and reflect on how it’s grown. Let me begin by providing an overview of what the CINS Army is exactly.

What Is CINS?

CINS works by gathering attack data and other enrichment information from each of the Sentinel units deployed around the world. The diversity of networks protected by Sentinel help to provide a comprehensive picture of the threat landscape with respect to different industry verticals and geographic regions. We then take that information and calculate what’s known as a “CINS Score,” a rating of trustworthiness for every IP address flagged by our system. The CINS Score includes relevant details for each rated IP address including WHOIS information, country of origin, as well as the nature, frequency, and breadth of observed events. (As an example, many of the IP addresses on our lists scan the web and look for known vulnerabilities – like the recent log4j issue.) It also includes input from other popular and well-respected threat feeds that we use to provide an even more accurate assessment of an IP address.

Ultimately, we share this information with the infosec community through CINS Army, so that organizations can better protect their systems and data. We do two things to promote this mission. First, we update the CINS information hourly so that security teams have the latest intelligence into digital threats confronting their employer’s networks. Second, we offer this information free of charge. Infosec is a team sport, a reality which explains why we use “” as the initiative’s domain name. Only by working together can we stay secure.

Sound Familiar?

You might think that CINS sounds a lot like cyber threat intelligence (CTI). If so, you’re not wrong. CTI comes with many benefits that mirror those of CINS. Per Help Net Security, CTI provides teams with additional context into what they’re seeing on their organization’s systems and network. They can leverage that information to mount an appropriate response more quickly, thereby driving speed and efficiency.

What’s more, CTI helps security teams to learn about digital threats before they hit their organizations’ network. They can use that opportunity to implement security controls before an incident even takes place, noted Help Net Security. As such, CTI can help infosec teams embrace a proactive security approach where they prioritize and anticipate potential threats. This translates into a more mature security program for the organization. We’ve been doing that for, well, 10 years now on every Sentinel in the field: actively blocking IPs on the CINS threat intel list before they even have a chance to trip a scan or exploit alert. We’ve always called it, “Active Threat Intelligence.”

That being said, it’s important to note that CINS came before the industry even started talking about CTI, and well before an entire industry evolved around threat intelligence. Today, there are providers of threat intelligence gateways, threat intelligence aggregators, and ongoing discussions around how to share threat intelligence. None of that existed when we first decided to spread the news of IPs with bad reputations to the infosec community.

Acknowledging this history, it’s perhaps unsurprising that Sentinel and CINS Army have ties to one of the first innovators in the threat intelligence space.

“As one of the first widely distributed threat feeds, CINS Army filters out most of the noise caused by malicious scanners, allowing analysts to focus on more important threats. Its strength comes from the source of its data: A diverse Sentinel customer base made up of real networks, with real people behind them,” says Greg Martin, an advisor to Sentinel, and founder of Anomali (the first and still the largest threat intel platform) and JASK.

What’s the Current State of CINS?

CINS is stronger than it’s ever been. As it currently stands, there are 20,000 unique users of the list on any given day or week. But the CINS Army is much more numerous than that. One user could be a threat intelligence aggregator with 1,000 customers, for instance. It’s impossible to know exactly how strong this army is.

Meanwhile, in terms of geography, the initiative is spread across over 100 different countries. CINS is also included in pretty much every threat feed aggregator, include Emerging Threats, Virus Total, and PF Sense Firewalls.

Such popularity reflects the value that CINS brings to organizations. By focusing on basic scans and probes that are looking for vulnerabilities, the initiative knocks out low-hanging fruit from an attack perspective. It thereby eliminates a lot of the noise in the threat landscape, allowing security personnel to dedicate their time and resources to combatting more sophisticated threats.

Leverage the Power of CINS

Want to use the CINS Lists? The list is available in its old-school text file format here:

It’s also available as a tarball, which contains several formats, including both STIX/TAXII and IPS rules. Get it here:

Interested in signing up for the CINS Army Briefs? You can start here:

Put Us In Your Corner.

We back you up with managed threat protection, visibility, and support, 24/7.