A Common Language For Sharing Intelligence On Cybersecurity Threats

Uploaded on 2017-03-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Threat analysts need a more robust framework for characterizing suspicious activity on their endpoints and networks. By Jane Ginn

In order to effectively share threat intelligence, a common understanding of each of the data elements to be shared must be agreed upon by all parties.  The Cyber Threat Intelligence Technical Committee (CTI TC) of the OASIS international standards body released a Committee Specification Draft for STIX 2.0 in early 2017 that provides such a framework.  

STIX is built on multiple predecessor frameworks that have emerged over the past few decades from risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists and others.

STIX is a conceptual data model that extends and builds on the idea of a common understanding of terms and makes explicit various elements that can affect the technology stack during an attack scenario.  STIX also plays a key role in analyst and incident responder actions and decisions such as:

 

•    Collection and use of internal and external “feeds” including open source and proprietary feeds;
•    Fusion of disparate data sources into a single data set used to evaluate correlations;
•    Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
•    Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
•    Storage of raw and processed data for easy access, comparison, and correlation;
•    Processing of data for analytical and reporting services; and
•    Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.

STIX data elements are commonly aggregated in a threat intelligence platform (TIP), many of which are currently emerging in the markets. In essence, the TIP takes in raw data and then is used by the analyst to aid the testing of hypotheses regarding the Who, What, When, Why and How questions about threat activity.  The more integrated the TIP is with other sharing companies and organizations and/or with internal tools for network and endpoint monitoring, the more effective the threat analyst can be.

The most current versions of STIX are issued as a Draft Specification 2.0 and are divided into the following five parts:

•    STIX Version 2.0 Part 1: STIX Core Concepts
•    STIX Version 2.0 Part 2: STIX Objects
•    STIX Version 2.0 Part 3: Cyber Observable Core Concepts
•    STIX Version 2.0 Part 4: Cyber Observable Objects 
•    STIX Version 2.0 Part 5: STIX Patterning

Exhibit 1 provides a summary of the architecture for STIX 2.0 which includes a listing of the 18 Cyber Observable objects plus two likely objects that will be issued in Version 2.1 (i.e., Event and Incident). Note that the nodes are the STIX Data Objects (SDOs) and the edges (lines with properties) are the STIX Relationship Objects (SROs).

Exhibit 1 – STIX 2.0 Architecture

(Image Source: CTIN - Creative Commons BY/SA)
This version of STIX has completely subsumed the Cyber Observable Exchange enumeration system formerly known as CybOX.  The STIX data objects included in the Version 2.0 release are as follows:

•    Attack Pattern
•    Campaign
•    Course of Action (Stub) 
•    Identity
•    Indicator
•    Intrusion Set
•    Malware (Stub) 
•    Observed Data
•    Report
•    Threat Actor
•    Tool
•    Vulnerability

The reader will note that the final part of the five-part protocol is the new STIX Patterning Language that has been developed by the CTI TC.  Patterning was developed as an abstraction layer between the STIX data model and other proprietary frameworks that are in common usage. These signature-based ontologies represent tried-and-true methods for network and endpoint defenders in configuring devices on known threats such as malware variants or Netflow patterns monitored by intrusion detection systems (IDSs). STIX Patterning provides a common means for integrating threat intelligence and remedial action functions using these signatures.  

Exhibit 2 provides an illustration and another example of how the STIX Patterning Language works and frames out these key building blocks diagrammatically.
 
Exhibit 2 – STIX Patterning Language Diagram

(Image Source:  STIX 2.0 Committee Specification Draft, Part 5, 2017)

Work is ongoing within the CTI TC to further develop and extend the STIX data model to include other data objects important to key communities of interest, to further define Cyber Observable objects, and to further define the STIX Patterning Language.  As the protocol suite matures, threat analysts will have an even more robust framework for characterizing suspicious activity on their endpoints and networks. 

Interested parties should contact OASIS at: oasis-open.org for information on how to join the CTI Technical Committee or obtain a copy of the most current Committee Specification Draft.

By: Jane Ginn, MSIA, MRP
Co-Founder, Cyber Threat Intelligence Network, Inc.
Secretary, Cyber Threat Intelligence Technical Committee, OASIS

ENISA Threat Landscape 2016 report: cyber-threats becoming top priority:

 

« The High Cost Of Politicising Intelligence
Is There A Positive Aspect To CIA Spying? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

European Cyber Security Organisation (ECSO)

European Cyber Security Organisation (ECSO)

The main objective of ECSO is to support all types of initiatives or projects that aim to develop, promote and encourage European cybersecurity.

CLUSIS

CLUSIS

CLUSIS is an association for the information security industry in Switzerland.

Lynxspring

Lynxspring

Lynxspring provides edge-to-enterprise solutions and IoT technology for intelligent buildings, energy management, equipment control and specialty machine-to-machine applications.

Clavis Information Security

Clavis Information Security

Clavis is an Information Security company offering a complete portfolio of solutions from Pentesting and Security Assessments to Managed Security Services and Training.

Global EPIC

Global EPIC

Global EPIC is an international cybersecurity initiative designed to combat growing world challenges by facilitating global collaboration in the field of cyber security.

Insight Partners

Insight Partners

Insight Partners is a leading global private equity and venture capital firm investing in growth-stage technology, software and Internet businesses.

SecureThings

SecureThings

SecureThings focus is to provide guidance and technology to secure connected vehicles in order to build end-to-end security for the automotive industry.

Binary Defense

Binary Defense

Binary Defense protect businesses of all sizes through advanced cybersecurity solutions including Managed Detection and Response, Security Information and Event Management and Counterintelligence.

White Hawk Software

White Hawk Software

White Hawk provides code tamper-proofing solutions to protect mission critical software applications from malicious and Zero day attacks and reverse engineering at run time.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

Ping Identity

Ping Identity

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That’s digital freedom.

Guardsman Cyber Intelligence (GCI)

Guardsman Cyber Intelligence (GCI)

GCI provides proven cyber intelligence solutions to protect your business against ever present physical and digital threats shadowing your online business.

Seedcamp

Seedcamp

Seedcamp identify and invest early in world-class founders attacking large and global markets through disruptive technology in areas including AI, cybersecurity, and Fintech.

Nagomi Security

Nagomi Security

Nagomi is changing the way security teams balance risk and defense, empowering customers to focus on what matters now.

Toro Solutions

Toro Solutions

Toro provide managed security & consultancy to keep governments, businesses & society resilient in the space where cyber, physical & people security converge.

Tosibox

Tosibox

Tosibox mission is to Safeguard Critical OT Environments with a Purpose-Built Cybersecurity Platform.