A Common Language For Sharing Intelligence On Cybersecurity Threats

Threat analysts need a more robust framework for characterizing suspicious activity on their endpoints and networks. By Jane Ginn

In order to effectively share threat intelligence, a common understanding of each of the data elements to be shared must be agreed upon by all parties.  The Cyber Threat Intelligence Technical Committee (CTI TC) of the OASIS international standards body released a Committee Specification Draft for STIX 2.0 in early 2017 that provides such a framework.  

STIX is built on multiple predecessor frameworks that have emerged over the past few decades from risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists and others.

STIX is a conceptual data model that extends and builds on the idea of a common understanding of terms and makes explicit various elements that can affect the technology stack during an attack scenario.  STIX also plays a key role in analyst and incident responder actions and decisions such as:

 

•    Collection and use of internal and external “feeds” including open source and proprietary feeds;
•    Fusion of disparate data sources into a single data set used to evaluate correlations;
•    Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
•    Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
•    Storage of raw and processed data for easy access, comparison, and correlation;
•    Processing of data for analytical and reporting services; and
•    Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.

STIX data elements are commonly aggregated in a threat intelligence platform (TIP), many of which are currently emerging in the markets. In essence, the TIP takes in raw data and then is used by the analyst to aid the testing of hypotheses regarding the Who, What, When, Why and How questions about threat activity.  The more integrated the TIP is with other sharing companies and organizations and/or with internal tools for network and endpoint monitoring, the more effective the threat analyst can be.

The most current versions of STIX are issued as a Draft Specification 2.0 and are divided into the following five parts:

•    STIX Version 2.0 Part 1: STIX Core Concepts
•    STIX Version 2.0 Part 2: STIX Objects
•    STIX Version 2.0 Part 3: Cyber Observable Core Concepts
•    STIX Version 2.0 Part 4: Cyber Observable Objects 
•    STIX Version 2.0 Part 5: STIX Patterning

Exhibit 1 provides a summary of the architecture for STIX 2.0 which includes a listing of the 18 Cyber Observable objects plus two likely objects that will be issued in Version 2.1 (i.e., Event and Incident). Note that the nodes are the STIX Data Objects (SDOs) and the edges (lines with properties) are the STIX Relationship Objects (SROs).

Exhibit 1 – STIX 2.0 Architecture

(Image Source: CTIN - Creative Commons BY/SA)
This version of STIX has completely subsumed the Cyber Observable Exchange enumeration system formerly known as CybOX.  The STIX data objects included in the Version 2.0 release are as follows:

•    Attack Pattern
•    Campaign
•    Course of Action (Stub) 
•    Identity
•    Indicator
•    Intrusion Set
•    Malware (Stub) 
•    Observed Data
•    Report
•    Threat Actor
•    Tool
•    Vulnerability

The reader will note that the final part of the five-part protocol is the new STIX Patterning Language that has been developed by the CTI TC.  Patterning was developed as an abstraction layer between the STIX data model and other proprietary frameworks that are in common usage. These signature-based ontologies represent tried-and-true methods for network and endpoint defenders in configuring devices on known threats such as malware variants or Netflow patterns monitored by intrusion detection systems (IDSs). STIX Patterning provides a common means for integrating threat intelligence and remedial action functions using these signatures.  

Exhibit 2 provides an illustration and another example of how the STIX Patterning Language works and frames out these key building blocks diagrammatically.
 
Exhibit 2 – STIX Patterning Language Diagram

(Image Source:  STIX 2.0 Committee Specification Draft, Part 5, 2017)

Work is ongoing within the CTI TC to further develop and extend the STIX data model to include other data objects important to key communities of interest, to further define Cyber Observable objects, and to further define the STIX Patterning Language.  As the protocol suite matures, threat analysts will have an even more robust framework for characterizing suspicious activity on their endpoints and networks. 

Interested parties should contact OASIS at: oasis-open.org for information on how to join the CTI Technical Committee or obtain a copy of the most current Committee Specification Draft.

By: Jane Ginn, MSIA, MRP
Co-Founder, Cyber Threat Intelligence Network, Inc.
Secretary, Cyber Threat Intelligence Technical Committee, OASIS

ENISA Threat Landscape 2016 report: cyber-threats becoming top priority:

 

« The High Cost Of Politicising Intelligence
Is There A Positive Aspect To CIA Spying? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Grid32

Grid32

Grid32 provides independent computer system and physical security audit services to government and corporate clients of all sizes.

Indium Software

Indium Software

Indium Software is an Independent Software Testing Company offering software testing services (including security testing) and offshore Quality Assurance solutions.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

ClearBlade

ClearBlade

ClearBlade is the Edge Computing software company enabling enterprises to rapidly engineer and run secure, real-time, scalable IoT applications.

NexGenT

NexGenT

NexGenT have combined military-style training with decades of network engineering and cyber security experience into an immersive program to get people into cyber security fast and effectively.

Kainos

Kainos

Kainos is a leading provider of Digital Services and Platforms. Our services include Digital Transformation, Cyber Security, Cloud, AI, IoT and more.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

US Coast Guard Cyber Command

US Coast Guard Cyber Command

US Coast Guard Cyber Command’s focus is to ensure the security of our cyberspace, maintain superiority over our adversaries,and safeguard our Nation’s critical maritime infrastructure.

National Cybersecurity Consortium (NCC)

National Cybersecurity Consortium (NCC)

The NCC’s mandate is to keep Canada’s cyber and critical infrastructures and citizens safe while ensuring Canada’s global competitiveness and leadership in cybersecurity.

EtherAuthority

EtherAuthority

EtherAuthority's engineering team has been helping blockchain businesses to secure their smart contract based assets since 2018.

Strategic Technology Solutions (STS)

Strategic Technology Solutions (STS)

Strategic Technology Solutions specialize in providing Cybersecurity and Managed IT Services to the legal industry.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.

MyTurn Career LLC

MyTurn Career LLC

Looking for a rewarding career in cybersecurity? Explore a wide range of cybersecurity jobs and opportunities in this rapidly evolving field.

Cydea

Cydea

Cydea are an optimistic cyber security consultancy of experts in security, data, technology and design that want to build a safer, more secure world where more things go right.