A Common Language For Sharing Intelligence On Cybersecurity Threats

Uploaded on 2017-03-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Threat analysts need a more robust framework for characterizing suspicious activity on their endpoints and networks. By Jane Ginn

In order to effectively share threat intelligence, a common understanding of each of the data elements to be shared must be agreed upon by all parties.  The Cyber Threat Intelligence Technical Committee (CTI TC) of the OASIS international standards body released a Committee Specification Draft for STIX 2.0 in early 2017 that provides such a framework.  

STIX is built on multiple predecessor frameworks that have emerged over the past few decades from risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists and others.

STIX is a conceptual data model that extends and builds on the idea of a common understanding of terms and makes explicit various elements that can affect the technology stack during an attack scenario.  STIX also plays a key role in analyst and incident responder actions and decisions such as:

 

•    Collection and use of internal and external “feeds” including open source and proprietary feeds;
•    Fusion of disparate data sources into a single data set used to evaluate correlations;
•    Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
•    Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
•    Storage of raw and processed data for easy access, comparison, and correlation;
•    Processing of data for analytical and reporting services; and
•    Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.

STIX data elements are commonly aggregated in a threat intelligence platform (TIP), many of which are currently emerging in the markets. In essence, the TIP takes in raw data and then is used by the analyst to aid the testing of hypotheses regarding the Who, What, When, Why and How questions about threat activity.  The more integrated the TIP is with other sharing companies and organizations and/or with internal tools for network and endpoint monitoring, the more effective the threat analyst can be.

The most current versions of STIX are issued as a Draft Specification 2.0 and are divided into the following five parts:

•    STIX Version 2.0 Part 1: STIX Core Concepts
•    STIX Version 2.0 Part 2: STIX Objects
•    STIX Version 2.0 Part 3: Cyber Observable Core Concepts
•    STIX Version 2.0 Part 4: Cyber Observable Objects 
•    STIX Version 2.0 Part 5: STIX Patterning

Exhibit 1 provides a summary of the architecture for STIX 2.0 which includes a listing of the 18 Cyber Observable objects plus two likely objects that will be issued in Version 2.1 (i.e., Event and Incident). Note that the nodes are the STIX Data Objects (SDOs) and the edges (lines with properties) are the STIX Relationship Objects (SROs).

Exhibit 1 – STIX 2.0 Architecture

(Image Source: CTIN - Creative Commons BY/SA)
This version of STIX has completely subsumed the Cyber Observable Exchange enumeration system formerly known as CybOX.  The STIX data objects included in the Version 2.0 release are as follows:

•    Attack Pattern
•    Campaign
•    Course of Action (Stub) 
•    Identity
•    Indicator
•    Intrusion Set
•    Malware (Stub) 
•    Observed Data
•    Report
•    Threat Actor
•    Tool
•    Vulnerability

The reader will note that the final part of the five-part protocol is the new STIX Patterning Language that has been developed by the CTI TC.  Patterning was developed as an abstraction layer between the STIX data model and other proprietary frameworks that are in common usage. These signature-based ontologies represent tried-and-true methods for network and endpoint defenders in configuring devices on known threats such as malware variants or Netflow patterns monitored by intrusion detection systems (IDSs). STIX Patterning provides a common means for integrating threat intelligence and remedial action functions using these signatures.  

Exhibit 2 provides an illustration and another example of how the STIX Patterning Language works and frames out these key building blocks diagrammatically.
 
Exhibit 2 – STIX Patterning Language Diagram

(Image Source:  STIX 2.0 Committee Specification Draft, Part 5, 2017)

Work is ongoing within the CTI TC to further develop and extend the STIX data model to include other data objects important to key communities of interest, to further define Cyber Observable objects, and to further define the STIX Patterning Language.  As the protocol suite matures, threat analysts will have an even more robust framework for characterizing suspicious activity on their endpoints and networks. 

Interested parties should contact OASIS at: oasis-open.org for information on how to join the CTI Technical Committee or obtain a copy of the most current Committee Specification Draft.

By: Jane Ginn, MSIA, MRP
Co-Founder, Cyber Threat Intelligence Network, Inc.
Secretary, Cyber Threat Intelligence Technical Committee, OASIS

ENISA Threat Landscape 2016 report: cyber-threats becoming top priority:

 

« The High Cost Of Politicising Intelligence
Is There A Positive Aspect To CIA Spying? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

PhishLabs

PhishLabs

PhishLabs provides 24/7 services that help organizations protect against the cyberattacks targeting their employees, their customers and their brands.

Intertek Group

Intertek Group

Intertek Group provides Assurance, Testing, Inspection and Certification services. Activities include cybersecurity testing and certification.

Atomicorp

Atomicorp

Atomicorp, the leader in Secure Linux, is a developer of solutions for the protection and support of cloud, virtual, shared, and dedicated web hosting environments.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

Proteus

Proteus

Proteus is an Information Security consulting firm specialized in Risk Analysis and Executive Control.

SWAT Systems

SWAT Systems

SWAT Systems is an IT support and cyber security managed service provider.

NSA Career Development Programs

NSA Career Development Programs

NSA offers entry-level programs to help employees enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.

Peraton

Peraton

Peraton provides innovative solutions for the most sensitive and critical programs in government today, developed and executed by scientists, engineers, and other experts.

Neptune Cyber

Neptune Cyber

Neptune is a cyber security company that works exclusively in the marine sector. Our team combines experts in shipbuilding, maintenance and operations and cyber security testing and design.

West Midlands Cyber Resilience Centre (WMCRC)

West Midlands Cyber Resilience Centre (WMCRC)

The East Midlands Cyber Resilience Centre supports and helps protect SMEs and supply chain businesses and third sector organisations in the region against cyber crime.

Intel Ignite

Intel Ignite

Intel Ignite is an internationally renowned acceleration program for early-stage deep tech startups.

HTL Support

HTL Support

HTL Support, your trusted partner for comprehensive IT support in London. We specialize in delivering top-tier IT solutions tailored to both large enterprises and small businesses.

Alset Technologies

Alset Technologies

Alset Technologies provides DASH - a comprehensive solution to DISA STIG (Security Technical Implementation Guide) compliance.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.

LeakSignal

LeakSignal

At LeakSignal, we transform the way you monitor and protect your data. We provide unparalleled visibility and control over your sensitive data flows.

Bumi Optimus

Bumi Optimus

Bumi Optimus aims to be in the forefront of the digital industry with technologies such as AI, Data Science, Mixed Reality, Blockchain, Cybersecurity and Cloud Computing.