Sharing Cyber Intelligence Is No Longer An Option
The rate of major data breaches across all industry verticals has reached alarming levels. The pace of these attacks is fueled by sophisticated underground marketplaces where exploits are traded and gains are monetized by cyber criminals. In addition, nation-states are making significant investments that are directed to the discovery of new exploits and rapid development of hacking TTPs to execute cyber espionage strategies. On the defensive side, there are many disparate silos where threat information is shared, resulting in a patchwork of partially informed defenses that are easily exploited by attackers. Meanwhile, governments and industry balk at the creation of legislation to establish a mandatory and cohesive framework for threat information sharing.
It is imperative to share cyber intelligence widely and at network speeds so that defensive capabilities keep pace with the tempo attackers are able to maintain. Cyber intelligence is most useful if its accuracy and relevancy can be quickly ascertained and it can be translated into action at network speeds. Therefore, it is critical that cyber intelligence gathering and sharing are accomplished seamlessly, and applied rapidly within the OODA loop.
However, as a recent report by TM Forum – Managing Data, How to Combat Cyber Threats points out: “current threat information exchange systems and methods are anything but high speed in operation.” Strategic and operational threat data are characterized by a multitude of data structures, and shared through a variety of open and proprietary forums and services. Tactical threat data often can only be created, stored, manipulated and shared using proprietary tools. The report goes on to say that a lack of standards-based tools and support of common data models cause a “disconnect between security intelligence reporting systems and the activation of security response tools.”
Rapid Threat Information Sharing Is Dependent On Data Standards
There are initiatives underway by the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), MITRE (a federal R&D organization), and industry partners to create data model standards for sharing threat data at all levels, and to provide specifications to automate the conversion of tactical threat data into actionable intelligence – see https://crits.github.io/. These standards and specifications include:
- STIX™ – Structured Threat Information Expression (https://stix.mitre.org/) – an XML standard to automate the sharing of operational threat intelligence…
- TAXII™ – Trusted Automated Exchange of Indicator Information (https://taxii.mitre.org/) – a set of technical specifications that enable organizations to exchange and securely transport cyber threat information represented as STIX.
- CAPEC™ – Common Attack Pattern Enumeration and Classification (https://capec.mitre.org) – a publicly available, community-developed list of common attack patterns along with a comprehensive schema and classification taxonomy.
- MAEC™ – Malware Attribute Enumeration and Characterization (https://maec.mitre.org) – a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
- CybOX™ – Cyber Observable eXpression (http://cybox.mitre.org) – a standardized language for encoding and communicating information about cyber observables.
STIX, CAPEC, and MAEC each use CybOX to describe cyber observables or artifacts. A cyber observable is a measurable event or stateful property in the cyber domain. Examples of measurable events include: a registry key is created, a file is deleted, an HTTP GET is received. Examples of stateful properties include: the value of a registry key, the MD5 hash of a file, the existence of a mutex. The CybOX schema is natively imported and used within STIX, CAPEC, and MAEC to characterize system and network events and behaviors observed within the operational cyber domain, for use within cyber indicators and patterns, or to describe observable malware attributes and patterns.
By specifying a common structured schematic mechanism for cyber observables, the intent is to enable detailed automated sharing, mapping, detection and analysis heuristics, as well as the potential ability to automatically apply mitigations specified for attack patterns.
STIX describes threats using 8 basic constructs that are standardized for threat information sharing, including:
- Threat Actor – Who was doing it
- Campaign – Why they are doing it
- Tactics, Techniques, Procedures (TTPs) – What exactly they were doing
- Exploit Target – What they were looking for
- Courses of Action – What should you do about it
- Incident – Where was it seen
- Indicator – When should you care about it
- Observable – What you are looking for
These observables help to pinpoint and diagnose attacks and develop defensive measures.
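The two passages above describe observables abstractly (a file's MD5 hash as a stateful property, a network connection as a measurable event) and list Indicator and Observable among the STIX constructs. The following added example, which is not code from the original post or from MITRE, shows what "translating cyber intelligence into action" looks like in practice: it parses a small STIX 1.x package carrying two CybOX observables, builds an index from them, and runs constructed endpoint telemetry through that index. The package, the host names, the hash value and the 192.0.2.10 address are all constructed for this example; the namespace URIs follow the STIX 1.x / CybOX 2.x schema conventions, and the parser assumes the document uses the same namespace prefixes in its `xsi:type` attributes as the sample does.

```python
# Added example (not from the original post): parse a STIX 1.x package,
# extract CybOX observables, and match them against host telemetry.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace URIs as used by STIX 1.x / CybOX 2.x documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample package: Indicator-1 wraps a stateful property (a file's
# MD5), Indicator-2 a measurable event (a connection to a TEST-NET-1 address).
SAMPLE_PACKAGE = """<stix:STIX_Package id="example:Package-1" version="1.2"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropper file hash (constructed)</indicator:Title>
      <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes><cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash></FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:Indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 address (constructed, TEST-NET-1)</indicator:Title>
      <indicator:Observable id="example:Observable-2"><cybox:Object id="example:Object-2">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


@dataclass(frozen=True)
class Observable:
    kind: str           # "md5" or "ipv4-addr"
    value: str          # normalised value (hashes lower-cased)
    indicator_id: str   # STIX Indicator id the observable came from
    title: str


def parse_observables(xml_text):
    """Extract file-hash and address observables from a STIX 1.x package."""
    root = ET.fromstring(xml_text)
    found = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        ind_id = ind.get("id", "")
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            # xsi:type names the CybOX object type; the prefix must match the
            # one the document declares (it does in the constructed sample).
            xsi_type = props.get(XSI_TYPE, "")
            if xsi_type == "FileObj:FileObjectType":
                for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                    htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS).lower()
                    hval = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS)
                    if htype and hval:
                        found.append(Observable(htype, hval.strip().lower(), ind_id, title))
            elif xsi_type == "AddressObj:AddressObjectType":
                addr = props.findtext("AddressObj:Address_Value", default="", namespaces=NS)
                if addr:
                    found.append(Observable(props.get("category", "ipv4-addr"), addr.strip(), ind_id, title))
    return found


# Constructed endpoint telemetry, as an EDR sensor might report it.
HOST_TELEMETRY = [
    {"host": "ws-017", "event": "file_written", "md5": "0123456789ABCDEF0123456789abcdef"},
    {"host": "ws-017", "event": "net_connect", "dst_ip": "192.0.2.10"},
    {"host": "ws-042", "event": "net_connect", "dst_ip": "198.51.100.7"},
    {"host": "ws-042", "event": "file_written", "md5": "ffffffffffffffffffffffffffffffff"},
]


def match_telemetry(observables, telemetry):
    """Return (host, event, indicator_id) for each record that matches a
    shared observable; the dict index keeps each lookup O(1)."""
    index = {(o.kind, o.value): o for o in observables}
    hits = []
    for rec in telemetry:
        keys = []
        if "md5" in rec:
            keys.append(("md5", rec["md5"].lower()))
        if "dst_ip" in rec:
            keys.append(("ipv4-addr", rec["dst_ip"]))
        for key in keys:
            if key in index:
                hits.append((rec["host"], rec["event"], index[key].indicator_id))
    return hits
```

Running `match_telemetry(parse_observables(SAMPLE_PACKAGE), HOST_TELEMETRY)` flags both records from `ws-017` and nothing from `ws-042`. The point the post makes about speed is visible in the shape of the code: once the shared package is parsed into an index, each new telemetry record costs one dictionary lookup per observable kind, so the same logic scales to a feed of indicators and a stream of events without a proprietary tool in the middle.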
Implementing data standards for cyber intelligence helps to increase sharing of threat data within an enterprise and between enterprises, while improving the speed of detection and the accurate diagnosis of threats. This is especially true for sharing within trusted communities such as Information Sharing and Analysis Centers (ISACs). FS-ISAC – a forum for the Financial Services community – has begun to adopt these standards for threat sharing. By sharing cyber observables in an industry forum such as FS-ISAC, enterprises can reduce the time necessary to respond to targeted attacks and develop more adaptive security measures.
The use of cyber observables extends beyond cyber threat intelligence to cover other cyber measurable events and object states. For example, continuous monitoring tools focus on detecting and validating observables that reflect the vulnerability posture and patching status of endpoints, while network access control tools help to monitor the security state of endpoints that are requesting access to enterprise resources. Cyber observables can also contribute to the development of reputation scores and security ratings for web sites. Ratings could be based on the frequency of incidents and whether the web site is part of a targeted cyber campaign or not.
Challenges Remain for the Effective Sharing and Use of Cyber Intelligence
However, there are other challenges to ensuring effective sharing and use of cyber intelligence, such as dealing with information overload and integration with enforcement capabilities to quickly mitigate the cyber threat. Many organizations are already experiencing a glut of cyber sensor information that is overwhelming their ability to do anything with the information. These challenges are addressed by other ACD capability areas, such as big data analytics, automated security orchestration, and intelligent networks. Probably the biggest challenge to threat sharing is not technical but legal and cultural – specifically, liability, trust, and privacy issues which hinder cyber legislation, as well as the willingness to share threat information by industry. Even so, there are several threat information exchanges that seem to be quite effective for participating organizations, such as DIBNet or Defense Industrial Base Network (see http://dibnet.dod.mil/), DHS-Net and US CERT (see https://www.us-cert.gov/forms/report), the various information sharing and analysis centers or ISACs (see http://www.isaccouncil.org/memberisacs.html), and the regional FBI InfraGard forums (see https://www.infragard.org/).
Let me know what you think of these threat information sharing efforts and other threat and incident data standards efforts such as IODEF (incident data) from IETF – see http://www.ietf.org/rfc/rfc5070.txt and OpenIOC (threat data) led by Mandiant – see http://www.openioc.org/. Does your organization actively participate in a threat sharing forum? Is your organization using any of these standards or forums to share threat or incident data? Thanks for reading and keep sharing.