The road to blissful cyber threat intelligence sharing often
feels like a bumpy dirt track in a Wild West ghost town, but there’s hope on
the horizon: A new language, designed to define and describe a broad swath of threat
activity, is beginning to take shape. This language, known as STIX, and its
transport method, called TAXII, offers security firms, industry, and government
the promise of better and faster cyber threat intelligence sharing.
STIX and TAXII have been getting key support and backing
from groups as diverse as the Department of Homeland Security, The MITRE
Corporation, and members of various information security groups and vendors,
including Blue Coat Systems. For the past 6 months, I have been heading up Blue
Coat’s participation in this effort.
STIX (Structured Threat Information eXpression) is a
language used to communicate a set of cyber threat intelligence idioms,
including:
·
Threat Actors
·
Campaigns
·
Techniques, Tactics, and Procedures
·
Exploit Targets
·
Indicators
·
Incidents
·
Cyber-Observables
·
Courses of Action
TAXII (Trusted Automated eXchange of Indicator Information)
is the preferred delivery mechanism for STIX data. Technically, TAXII is a lightweight
XML-over-HTTP transport protocol, specifically designed to deliver STIX data.
TAXII allows publishers to share STIX data with (and, optionally, get STIX data
from) subscribers, or for peers to share STIX data with other peers.
The STIX and TAXII standards have matured well beyond their initial
drafts and first release in 2013. In fact, major vendors are lining up to
announce support and governments, incident responders and CERTs, the Financial
Services Information Sharing and Analysis Center (FS-ISAC), and the Industrial
Control Systems Information Sharing and Analysis Center (ICS-ISAC) (to name a
few) have already started using STIX and TAXII in their production environments.
With all new technologies and community driven efforts, there
inevitably comes a point when someone asks the question "when will this move to
an official international standards body?" It is my opinion that moving right
now to an international standards body would just inhibit development and slow
down adoption. For the past two years, the amazing grassroots efforts of MITRE and
DHS – with the help of FS-ISAC – have produced remarkable results.
In my opinion, four issues are slowing down the adoption of STIX
and TAXII as the de facto standard:
Item 1: The absence of a hardened, full-featured, open source, Berkeley
Software Distribution (BSD) licensed, TAXII server that end users, enterprises,
and vendors can easily use and adapt for their needs. A project currently
underway at FS-ISAC called Avalanche may solve this need, in the end. We need
the TAXII equivalent of a FreeRADIUS server. It would be nice if it were highly
efficient, fully featured, and written in a compiled language for performance
reasons.
Item 2: Better support for creating and interpreting STIX packages.
MITRE has done a lot of good work on creating and maintaining Python APIs, and there
are some up and coming Java APIs. However, additional language support is
needed; Hopefully, the community will create additional bindings. Part of the
issue comes from the debate among contributors about the format that the data
will eventually take: XML, JSON, or Cap'n Proto. In my experience, most
academics love XML, and most developers ask for anything but XML.
Item 3: A fully featured, standalone GUI client or application –
or a combination of the two – that will allow someone to manually create and/or
understand STIX packages from their computer and/or mobile device. Even though
you can publish STIX data via TAXII, I still see people posting cyber threat
information on their Web site, FTP server, or via an RSS feed. We really
need a way of reading those packages and being able to update/change them and
re-publish the results back in STIX format. It would be great if this GUI tool
could also talk to a remote TAXII server and query it by asking "give me
information you have about 'foo' and 'bar'". Having access to a tool like
this would make it a lot easier for someone researching issues they see in
their own network.
Item 4: My personal wish item is an analytics tool for the cyber threat
data itself. Once you start collecting large repositories (millions of
indicators or bigger) of STIX data. As
repositories of indicators increase in size, it becomes difficult to see the
big picture. Imagine having the ability to run some sort of analytics tool on
top of your cyber threat intelligence data to make sense of it all: Something
that can build correlations while visually helping you research and understand the
threat data you have. I could see someone taking a tool like this and
overlaying their own traffic to answer interesting questions like 'what types
of threat data are actually found in my network?’ and ‘what other entities are
seeing the same types of data?' (said another way, 'what threat feeds are the
most relevant for my network?').
With every user that jumps on board, every vendor that comes
to the table, and—as owners of large cyber threat data decide to play—everyone
wins and becomes more secure. As a result, that deserted bumpy road of cyber
threat intelligence sharing in the middle of a Wild West ghost town will no
longer be deserted, and will become a smooth paved boulevard of information
exchange.
Eventually, STIX and TAXII will evolve into the de facto standard
because it is the first standard collaboratively created by the people that
actually WANT to share and WILL share critical cyber threat intelligence.
