A Common Language For Sharing Intelligence On Cybersecurity Threats

Threat analysts need a more robust framework for characterizing suspicious activity on their endpoints and networks. By Jane Ginn

To share threat intelligence effectively, all parties must agree on a common understanding of each data element being shared. The Cyber Threat Intelligence Technical Committee (CTI TC) of the OASIS international standards body released a Committee Specification Draft (CSD) for STIX 2.0 (Structured Threat Information Expression) in early 2017 that provides such a framework.

STIX is built on multiple predecessor frameworks that have emerged over the past few decades from risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists and others.

STIX is a conceptual data model that builds on this common understanding of terms and makes explicit the various elements that can affect the technology stack during an attack scenario. STIX also plays a key role in analyst and incident responder actions and decisions such as:
•    Collection and use of internal and external “feeds” including open source and proprietary feeds;
•    Fusion of disparate data sources into a single data set used to evaluate correlations;
•    Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
•    Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
•    Storage of raw and processed data for easy access, comparison, and correlation;
•    Processing of data for analytical and reporting services; and
•    Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.

STIX data elements are commonly aggregated in a threat intelligence platform (TIP), a product category that is still emerging. In essence, the TIP takes in raw data that the analyst then uses to test hypotheses about the Who, What, When, Why and How of threat activity. The more integrated the TIP is with other sharing organizations and with internal tools for network and endpoint monitoring, the more effective the threat analyst can be.

The most current version of STIX, Committee Specification Draft 2.0, is divided into the following five parts:

•    STIX Version 2.0 Part 1: STIX Core Concepts
•    STIX Version 2.0 Part 2: STIX Objects
•    STIX Version 2.0 Part 3: Cyber Observable Core Concepts
•    STIX Version 2.0 Part 4: Cyber Observable Objects 
•    STIX Version 2.0 Part 5: STIX Patterning

Exhibit 1 summarizes the STIX 2.0 architecture, including the 18 Cyber Observable objects plus two objects likely to be issued in Version 2.1 (Event and Incident). Note that the nodes are the STIX Domain Objects (SDOs) and the edges (lines with properties) are the STIX Relationship Objects (SROs).

Exhibit 1 – STIX 2.0 Architecture

(Image Source: CTIN - Creative Commons BY/SA)
This version of STIX has completely subsumed the Cyber Observable eXpression (CybOX) language, formerly a separate specification. The STIX Domain Objects included in the Version 2.0 release are as follows:

•    Attack Pattern
•    Campaign
•    Course of Action (Stub) 
•    Identity
•    Indicator
•    Intrusion Set
•    Malware (Stub) 
•    Observed Data
•    Report
•    Threat Actor
•    Tool
•    Vulnerability
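
As an added example (not code from the article or from the OASIS specification), the following Python builds the smallest useful bundle in the node/edge shape described above, an Indicator SDO linked to a Malware SDO by an `indicates` SRO, and checks it the way a TIP ingest step should: identifier format, required properties, and whether every `*_ref` resolves. The identifiers, timestamp, hash and names are constructed values, and the required-property table covers only the three object types used here.

```python
"""Build a minimal STIX 2.0 bundle and check it before loading it into a TIP.

Added example, not CTI TC or any vendor's code. It covers only the required
properties of the indicator, malware and relationship types from the 2.0 CSD;
all ids, timestamps, hashes and names below are constructed sample values.
"""
import json
import re

# A STIX 2.0 identifier is "<type>--<UUIDv4>": version nibble 4, variant nibble 8-b.
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}"
                   r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
COMMON_REQUIRED = ("type", "id", "created", "modified")
REQUIRED = {                      # subset of the spec, for the types used here
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}

TS = "2017-03-01T12:00:00.000Z"                                   # constructed
IND_ID = "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"          # constructed
MAL_ID = "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"            # constructed
REL_ID = "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad"       # constructed


def build_bundle():
    """Two SDOs (graph nodes) joined by one SRO (graph edge): indicator -indicates-> malware."""
    indicator = {
        "type": "indicator", "id": IND_ID, "created": TS, "modified": TS,
        "labels": ["malicious-activity"],
        "pattern": "[file:hashes.'SHA-256' = "
                   "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
        "valid_from": TS,
    }
    malware = {
        "type": "malware", "id": MAL_ID, "created": TS, "modified": TS,
        "labels": ["trojan"], "name": "sample-trojan",
    }
    relationship = {
        "type": "relationship", "id": REL_ID, "created": TS, "modified": TS,
        "relationship_type": "indicates", "source_ref": IND_ID, "target_ref": MAL_ID,
    }
    return {"type": "bundle", "spec_version": "2.0",
            "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
            "objects": [indicator, malware, relationship]}


def check_bundle(bundle):
    """Return a list of findings. "error:" entries make an object unusable; "unresolved:"
    entries are *_ref / *_refs values pointing outside the bundle, which STIX permits but
    a TIP must fetch before it can draw the edge."""
    findings, objects = [], bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid = o.get("id", "<missing id>")
        if not ID_RE.match(str(oid)):
            findings.append(f"error: {oid}: malformed identifier")
        for prop in COMMON_REQUIRED + REQUIRED.get(o.get("type"), ()):
            if prop not in o:
                findings.append(f"error: {oid}: missing required property '{prop}'")
        for key, val in o.items():
            refs = list(val) if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            for ref in refs:
                if ref not in ids:
                    findings.append(f"unresolved: {oid}: {key} -> {ref}")
    return findings


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(check_bundle(bundle) or "bundle is internally consistent")
```

Running the script prints the bundle as JSON and an empty findings list. Pointing the relationship's `target_ref` at an id that is not in the bundle produces an `unresolved:` finding rather than an error, because STIX allows references to objects delivered separately; a TIP that silently drops such an edge loses exactly the indicator-to-malware link the sharing partner meant to convey.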

The reader will note that the final part of the five-part specification is the new STIX Patterning Language developed by the CTI TC. Patterning was developed as an abstraction layer between the STIX data model and the proprietary signature formats in common use. These signature-based formats represent tried-and-true methods for network and endpoint defenders configuring devices against known threats such as malware variants, or NetFlow patterns monitored by intrusion detection systems (IDSs). In STIX 2.0 a pattern is carried in the pattern property of an Indicator object and is evaluated against Observed Data. STIX Patterning thus provides a common means of integrating threat intelligence and remedial action functions using these signatures.
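
To make the patterning semantics concrete, here is an added Python example (mine, not the CTI TC's reference implementation or any TIP's code) that evaluates a small subset of the STIX 2.0 pattern grammar against observations given in the `objects` form of the Observed Data SDO. It demonstrates the rule practitioners most often trip over: comparisons inside one `[...]` must all hold within a single observation, while `[A] AND [B]` may be satisfied by two different observations. The observations and the hash value are constructed sample data; FOLLOWEDBY, the temporal qualifiers, IN, LIKE, ISSUBSET/ISSUPERSET and parenthesised groups are deliberately left out.

```python
"""Evaluate a subset of STIX 2.0 Patterning (added example, not CTI TC or vendor code).
Supported: `[...]` observation expressions joined by AND/OR, comparisons inside them
joined by AND/OR (AND binds tighter than OR at both levels) and the operators
= != < > <= >= MATCHES. Left out by assumption: FOLLOWEDBY, WITHIN/START/STOP/REPEATS,
IN, LIKE, ISSUBSET, ISSUPERSET and parenthesised comparison groups."""
import operator
import re

TOKEN_RE = re.compile(r"""\s*(?:
    (?P<lbr>\[) | (?P<rbr>\]) | (?P<op>!=|>=|<=|=|<|>|\bMATCHES\b) |
    (?P<bool>\bAND\b|\bOR\b) | (?P<str>'(?:[^'\\]|\\.)*') | (?P<num>-?\d+(?:\.\d+)?) |
    (?P<path>[a-z0-9_-]+:[A-Za-z0-9_.'-]+) )""", re.X)
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge,
       "MATCHES": lambda value, regex: isinstance(value, str)
                                        and re.search(regex, value) is not None}


def tokenize(text):
    """Split a pattern into (kind, text) tokens; anything outside the grammar is an error."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize pattern at {text[pos:pos + 20]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def parse(text):
    """Recursive descent over the tokens; returns a nested-tuple AST."""
    toks, pos = tokenize(text), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(kind):
        k, v = peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        pos[0] += 1
        return v
    def chain(operand, word, tag):                 # left-associative `operand (word operand)*`
        node = operand()
        while peek() == ("bool", word):
            pos[0] += 1
            node = (tag, node, operand())
        return node
    def comparison():
        path, op = take("path"), take("op")
        kind, lit = peek()
        pos[0] += 1
        if kind == "str":                          # only \' and \\ are escapes in STIX strings
            return ("cmp", path, op, re.sub(r"\\(['\\])", r"\1", lit[1:-1]))
        if kind == "num":
            return ("cmp", path, op, float(lit) if "." in lit else int(lit))
        raise ValueError(f"expected a literal after {op!r}, got {lit!r}")
    def observation():
        take("lbr")
        node = chain(lambda: chain(comparison, "AND", "cand"), "OR", "cor")
        take("rbr")
        return ("obs", node)
    tree = chain(lambda: chain(observation, "AND", "oand"), "OR", "oor")
    if peek() != (None, None):
        raise ValueError("unexpected trailing tokens")
    return tree


def _holds(obj, path, op, expected):
    """Does one observable object satisfy `type:prop op literal`? Quoted keys may hold dots."""
    obj_type, _, prop = path.partition(":")
    if obj.get("type") != obj_type:
        return False
    for quoted, plain in re.findall(r"'([^']*)'|([^.']+)", prop):
        obj = obj.get(quoted or plain) if isinstance(obj, dict) else None
    try:
        return obj is not None and OPS[op](obj, expected)
    except TypeError:                              # e.g. a string property compared with a number
        return False


def _eval_comp(node, observation):
    """Comparison tree against ONE observation (an Observed Data `objects` dict)."""
    if node[0] == "cmp":
        return any(_holds(o, *node[1:]) for o in observation.values())
    left, right = (_eval_comp(child, observation) for child in node[1:])
    return left and right if node[0] == "cand" else left or right


def _eval_obs(node, observations):
    """Set of matching observation indices; AND needs a match on both sides, OR on either."""
    if node[0] == "obs":
        return {i for i, ob in enumerate(observations) if _eval_comp(node[1], ob)}
    left, right = _eval_obs(node[1], observations), _eval_obs(node[2], observations)
    return (left | right if left and right else set()) if node[0] == "oand" else left | right


def match_pattern(pattern, observations):
    """Indices of the observations that satisfy `pattern`; an empty set means no match."""
    return _eval_obs(parse(pattern), observations)


# Constructed observations in Observed Data `objects` form (sample values, not real telemetry).
SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
OBSERVATIONS = [
    {"0": {"type": "file", "name": "dropper.exe", "hashes": {"SHA-256": SHA256}}},
    {"0": {"type": "ipv4-addr", "value": "198.51.100.7"},
     "1": {"type": "network-traffic", "dst_ref": "0", "dst_port": 4444, "protocols": ["tcp"]}},
    {"0": {"type": "domain-name", "value": "update.example.net"}},
]
```

With these observations, `[file:hashes.'SHA-256' = '<hash>'] AND [network-traffic:dst_port = 4444]` matches (the hash is in observation 0, the port in observation 1), whereas `[file:hashes.'SHA-256' = '<hash>' AND network-traffic:dst_port = 4444]` does not, because no single observation contains both. That distinction is what lets a pattern express "this file and this beacon were seen on the host" versus "they were seen in the same event", and it is the detail most often lost when a pattern is hand-translated into a Snort or YARA rule.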

Exhibit 2 illustrates how the STIX Patterning Language works and diagrams its key building blocks.

Exhibit 2 – STIX Patterning Language Diagram

(Image Source:  STIX 2.0 Committee Specification Draft, Part 5, 2017)

Work is ongoing within the CTI TC to extend the STIX data model with other objects important to key communities of interest, to further define the Cyber Observable objects, and to further define the STIX Patterning Language. As the specifications mature, threat analysts will have an even more robust framework for characterizing suspicious activity on their endpoints and networks.

Interested parties can contact OASIS (oasis-open.org) for information on how to join the CTI Technical Committee or obtain a copy of the most current Committee Specification Draft.

By: Jane Ginn, MSIA, MRP
Co-Founder, Cyber Threat Intelligence Network, Inc.
Secretary, Cyber Threat Intelligence Technical Committee, OASIS
