A Common Language For Sharing Intelligence On Cybersecurity Threats

Uploaded on 2017-03-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Threat analysts need a more robust framework for characterizing suspicious activity on their endpoints and networks. By Jane Ginn

In order to effectively share threat intelligence, a common understanding of each of the data elements to be shared must be agreed upon by all parties.  The Cyber Threat Intelligence Technical Committee (CTI TC) of the OASIS international standards body released a Committee Specification Draft for STIX 2.0 in early 2017 that provides such a framework.  

STIX is built on multiple predecessor frameworks that have emerged over the past few decades from risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists and others.

STIX is a conceptual data model that extends and builds on the idea of a common understanding of terms and makes explicit various elements that can affect the technology stack during an attack scenario.  STIX also plays a key role in analyst and incident responder actions and decisions such as:

 

•    Collection and use of internal and external “feeds” including open source and proprietary feeds;
•    Fusion of disparate data sources into a single data set used to evaluate correlations;
•    Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
•    Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
•    Storage of raw and processed data for easy access, comparison, and correlation;
•    Processing of data for analytical and reporting services; and
•    Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.

STIX data elements are commonly aggregated in a threat intelligence platform (TIP), many of which are currently emerging in the markets. In essence, the TIP takes in raw data and then is used by the analyst to aid the testing of hypotheses regarding the Who, What, When, Why and How questions about threat activity.  The more integrated the TIP is with other sharing companies and organizations and/or with internal tools for network and endpoint monitoring, the more effective the threat analyst can be.

The most current versions of STIX are issued as a Draft Specification 2.0 and are divided into the following five parts:

•    STIX Version 2.0 Part 1: STIX Core Concepts
•    STIX Version 2.0 Part 2: STIX Objects
•    STIX Version 2.0 Part 3: Cyber Observable Core Concepts
•    STIX Version 2.0 Part 4: Cyber Observable Objects 
•    STIX Version 2.0 Part 5: STIX Patterning

Exhibit 1 provides a summary of the architecture for STIX 2.0 which includes a listing of the 18 Cyber Observable objects plus two likely objects that will be issued in Version 2.1 (i.e., Event and Incident). Note that the nodes are the STIX Data Objects (SDOs) and the edges (lines with properties) are the STIX Relationship Objects (SROs).

Exhibit 1 – STIX 2.0 Architecture

(Image Source: CTIN - Creative Commons BY/SA)
This version of STIX has completely subsumed the Cyber Observable Exchange enumeration system formerly known as CybOX.  The STIX data objects included in the Version 2.0 release are as follows:

•    Attack Pattern
•    Campaign
•    Course of Action (Stub) 
•    Identity
•    Indicator
•    Intrusion Set
•    Malware (Stub) 
•    Observed Data
•    Report
•    Threat Actor
•    Tool
•    Vulnerability

The reader will note that the final part of the five-part protocol is the new STIX Patterning Language that has been developed by the CTI TC.  Patterning was developed as an abstraction layer between the STIX data model and other proprietary frameworks that are in common usage. These signature-based ontologies represent tried-and-true methods for network and endpoint defenders in configuring devices on known threats such as malware variants or Netflow patterns monitored by intrusion detection systems (IDSs). STIX Patterning provides a common means for integrating threat intelligence and remedial action functions using these signatures.  

Exhibit 2 provides an illustration and another example of how the STIX Patterning Language works and frames out these key building blocks diagrammatically.
 
Exhibit 2 – STIX Patterning Language Diagram

(Image Source:  STIX 2.0 Committee Specification Draft, Part 5, 2017)

Work is ongoing within the CTI TC to further develop and extend the STIX data model to include other data objects important to key communities of interest, to further define Cyber Observable objects, and to further define the STIX Patterning Language.  As the protocol suite matures, threat analysts will have an even more robust framework for characterizing suspicious activity on their endpoints and networks. 

Interested parties should contact OASIS at: oasis-open.org for information on how to join the CTI Technical Committee or obtain a copy of the most current Committee Specification Draft.

By: Jane Ginn, MSIA, MRP
Co-Founder, Cyber Threat Intelligence Network, Inc.
Secretary, Cyber Threat Intelligence Technical Committee, OASIS

ENISA Threat Landscape 2016 report: cyber-threats becoming top priority:

 

« The High Cost Of Politicising Intelligence
Is There A Positive Aspect To CIA Spying? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Mielabelo

Mielabelo

Belgian consulting firm providing services in the security and compliance of information systems and IT service management.

Secusmart

Secusmart

Secusmart provide highly secure and encrypted speech and data communication solutions.

Mastercard

Mastercard

MasterCard is a leading global payments solutions company that serves consumers and businesses in over 210 countries and territories worldwide.

Intrusion

Intrusion

Intrusion provides IT professionals with the most robust tool set available for performing in-depth research and analysis of network traffic.

NuSummit

NuSummit

NuSummit (formerly NSEIT) specializes in empowering financial services firms to navigate complex challenges with cutting-edge, technology-driven solutions.

Fischer Identity

Fischer Identity

Fischer Identity provide identity & access management and identity governance administration solutions.

Depth Security

Depth Security

Depth Security assessment services provide organizations with real-world visibility into threats facing their infrastructure and applications.

Vigilant Technology Solutions

Vigilant Technology Solutions

Vigilant is a global cyber security technology company offering solutions to manage entire IT & cyber security lifecycles.

Quantum Armor

Quantum Armor

Quantum Armor is a next-gen cyber security monitoring platform that allows you to continuously stay aware of your security posture, and proactively spot trends, vulnerabilities and potential attacks.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Nomios

Nomios

Nomios develops innovative solutions for your security and network challenges. We design, secure and manage your digital infrastructure.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.

Securitybricks

Securitybricks

Securitybricks specialize in cloud security and compliance. Our mission is to automate regulatory compliance backed by human validation.