Use of standards for cyberthreat intelligence exchange

The cyber threat landscape is rapidly evolving. New cyber threats as well as vulnerabilities emerge at a great pace and become more severe and persistent. Furthermore, due to the dynamic nature of modern cyber threats, they are becoming more autonomous and complex and they are thus able to use more sophisticated techniques to exploit the target system.

In order to cope effectively with the rapidly evolving landscape of cyber threats, cybersecurity professionals exchange Cyber Threat Intelligence (CTI). CTI is organised knowledge concerning cyber threats and vulnerabilities that has been properly collected, evaluated and analysed using specific rigorous analysis techniques by cybersecurity experts. Although CTI facilitates cybersecurity professionals in dealing with cyber threats, certain actions such as automated exchange, storage and analysis of these information remain complicated.

Hence, a structured representation of CTI according to a common standard is essential in order to facilitate and speed up the sharing process as well as enhance its efficiency. Among the various CTI standards, the two most popular and widely used is the OpenIOC and the Structured Threat Information Expression (STIX).

OpenIOC, developed by Mandiant, is an extensible XML schema containing technical characteristics that identify a known threat, an attacker’s methodology or other evidence of a compromise.

STIX is a language and serialisation format used to exchange cyber threat intelligence. It is expressive, as it includes IOCs and additional cyber threat information, such as techniques and procedures, indicators, cyber observables, campaigns and threat mitigations. Furthermore, it is flexible given that it can be extended with custom user-defined fields. The latest version of STIX (2.x) is defined using JSON schemas, thus rendering it easier to parse and expand than its XML-based predecessor (STIX 1.x).

STIX CTI is exchanged using the Trusted Automated Exchange of Intelligence Information (TAXII) protocol. TAXII is an application protocol which is used to exchange CTI that is described in STIX using HTTPS. Using TAXII, organisations are able to exchange CTI by defining an API that aligns with common sharing models (e.g. hub-and-spoke, peer-to-peer, source-subscriber).

Arnold Spyros
InnoSec, Greece

CS-AWARE2019-07-22T13:01:15+00:00February 22nd, 2019|Blog|

Use of standards for cyberthreat intelligence exchange

Share This Story, Choose Your Platform!

Related Posts

A great base scenario for CS-AWARE-NEXT?

CS-AWARE team members publish a book on cybersecurity awareness

NIS2 is on the horizon: Organisational resilience is not only an immaterial good. Strengthening EU-wide cybersecurity will pave the way!

It is the socio-technical approach that matters (and makes the difference)

CS-AWARE Corporation has successfully acquired a new Horizon Europe research project!