It is the middle of the night in a remote part of the world, but a group is active in the dark, preparing to ruin the day on the other side of the globe. A few days later, you hear on the news that a new cyber attack campaign has stolen a significant amount of money or data from people in your country. This scenario plays out far too often, yet such incidents still seem to come out of nowhere. Why is that?
One big reason is that the people in charge of protecting our internet infrastructure and keeping us all secure have historically not been able to collaborate and communicate with each other as effectively as they should. It is not entirely a human problem either: in the past, the cybersecurity community faced obstacles on many fronts due to legal, privacy, and trust issues.
Fortunately, developments in recent years have us headed in a positive direction. The key changes have come from both the technological and the legal front. The passing of the Cybersecurity Information Sharing Act of 2015 in the US has been positive news for the industry. Equally, and perhaps more, important is the development of shared standards and tools for exchanging cyber threat intelligence among security operatives.
Shared Community Efforts
The cybersecurity community has come up with two key standards - STIX and TAXII - for developing a shared methodology of communication. The development of these standards is supported by many tech giants, including IBM, HPE, Cisco, and Dell, and even by government agencies such as the NSA and the Department of Defense in the US.
Knowing about these standards and using them in security operations has become important for any organization wishing to enhance its cyber defense capabilities. Let us take a brief look at each of them.
What is STIX?
STIX, which stands for Structured Threat Information eXchange, is a standardized language developed for communicating threat information among security operatives.
Technically, it is a graph data model made up of nodes and edges: the nodes are STIX Data Objects (SDOs) and the edges are STIX Relationship Objects (SROs).
SDOs can carry various kinds of information: Observables, Indicators (IOCs), Incidents, adversary Tactics, Techniques, and Procedures (TTPs), Exploit Targets, Courses of Action, Campaigns, Threat Actors, and Reports.
SROs, on the other hand, represent the relations between SDOs, and it is these links that let security professionals identify attack patterns, potential targets, attack attribution, and more.
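As an added example (not code from the original article), here is the node-and-edge model described above expressed as a STIX 2.1 JSON bundle built with Python's standard library only: an indicator linked through a campaign to a threat actor, a check for objects missing required properties or relationships pointing outside the bundle, and a pivot that walks the SROs from one node type to another. STIX 2.1 is assumed; all ids, names and the domain in the pattern are constructed placeholders.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample: a minimal STIX 2.1 bundle built with the stdlib only (no stix2
# library); ids are fresh UUIDv4s and the domain/campaign/actor names are placeholders.
NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
REQUIRED = ("type", "spec_version", "id", "created", "modified")  # common to every object
def make_sdo(obj_type, **props):
    """A STIX 2.1 node (SDO) carrying the properties every STIX object must have."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj
def make_sro(source, target, relationship_type):
    """A STIX 2.1 edge (SRO) from source to target."""
    return make_sdo("relationship", relationship_type=relationship_type,
                    source_ref=source["id"], target_ref=target["id"])
def build_bundle():
    """Indicator --indicates--> Campaign --attributed-to--> Threat Actor."""
    indicator = make_sdo("indicator", name="placeholder C2 domain", pattern_type="stix",
                         pattern="[domain-name:value = 'c2.example']", valid_from=NOW)
    campaign = make_sdo("campaign", name="Placeholder Campaign")
    actor = make_sdo("threat-actor", name="Placeholder Actor")
    objects = [indicator, campaign, actor, make_sro(indicator, campaign, "indicates"),
               make_sro(campaign, actor, "attributed-to")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
def validate(bundle):
    """Ids missing a required property, plus relationships whose endpoints are not in the bundle."""
    ids = {o.get("id") for o in bundle["objects"]}
    bad = [o.get("id", "<no id>") for o in bundle["objects"]
           if any(k not in o for k in REQUIRED)]
    bad += [o["id"] for o in bundle["objects"] if o.get("type") == "relationship"
            and not {o.get("source_ref"), o.get("target_ref")} <= ids]
    return bad
def pivot(bundle, start_type, target_type):
    """Names of every target_type node reachable over SROs from the first start_type node."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    edges = [(o["source_ref"], o["target_ref"]) for o in bundle["objects"]
             if o["type"] == "relationship"]
    start = next(o["id"] for o in bundle["objects"] if o["type"] == start_type)
    seen, frontier = {start}, [start]
    while frontier:  # edges are followed in both directions; only reachability matters
        cur = frontier.pop()
        for s, t in edges:
            nxt = t if s == cur else s if t == cur else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return sorted(by_id[i]["name"] for i in seen if by_id[i]["type"] == target_type)
```

Calling `pivot(build_bundle(), "indicator", "threat-actor")` answers the attribution question from the text: which actor does this indicator ultimately point to.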
What is TAXII?
Trusted Automated eXchange of Indicator Information, or TAXII for short, is an application layer protocol for exchanging threat information stored in a format such as STIX.
It opens up the field for anyone to build security tools that help organizations, researchers, and government agencies communicate effectively for the detection, prevention, and mitigation of cyber threats.
Thus, STIX standardizes the threat information vocabulary, and TAXII establishes the protocol layer on top of it for communicating in that vocabulary.
The utility of STIX and TAXII lies in empowering the field of cyber threat intelligence, which had earlier been a dormant area of the security industry; their introduction has breathed new life into this sector.
STIX has standardized threat information and enabled sharing through a common format. TAXII, in turn, has laid out the path for cybersecurity product providers to build state-of-the-art solutions that deliver the benefits of STIX along with the added benefits of threat management and the formation of intel-sharing communities.
However, the cybersecurity solutions built on top of STIX and TAXII depend on the network effect that arises when a large number of organizations share threat intel with each other. Unless many organizations join the CTI revolution, the full benefits of these technologies cannot be realized.
The path forward for the cybersecurity industry must be about moving towards shared threat intelligence models, incorporating the latest generation of CTI solutions, and training the new generation of cybersecurity professionals to use these tools effectively.