Open, automated and integrated security with STIX

Moazzam Khan
Published in allaboutsecurity
Jan 4, 2022

The security landscape has always been complex, and the shift to the cloud has made it more complicated still. Here are some of the reasons.

  • There are a huge number of security point products, ranging from firewalls to SIEMs, IDSs to EDRs.
  • These products come from a diverse set of vendors and are not compatible with each other, so the insights and knowledge gained from one cannot easily be used in another. As a simple example, a URL identified as malicious and logged by an EDR cannot easily be fed to an IDS to block the attack at the network level.
  • This lack of compatibility among products also creates data silos, where data sits in isolation rather than being actively used to generate actionable security insights.
  • As the number of tools in an organization grows, you need a larger skilled workforce that is adept at all of them.
  • Threat intelligence discovered by one organization is not easy to share with the global community; it has to be shared manually in spreadsheets, web pages or document files.

All of the above problems can be addressed if we find a way to integrate these point products so that they can pass insights between themselves, automate most of the security workload, and share threat intelligence data with other stakeholders in the community. One answer is a common language that these point products can use to communicate: with such a language they can connect to each other, share intelligence and automate security operations.

So what is STIX?

A very simple explanation of Structured Threat Information Expression (STIX) is that it is a schema, a JSON-based representation of threats and of the objects related to threats.

We hear numerous terms in cyber security such as security tools, vulnerabilities, malware, threat actors, indicators and so on. STIX is simply a JSON-based representation of these entities, or objects.

For example, the Poison Ivy malware could be represented as the following STIX object.

{
  "type": "malware",
  "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:07:09.000Z",
  "modified": "2016-04-06T20:07:09.000Z",
  "name": "Poison Ivy"
}

An indicator is an artifact used to detect malicious or suspicious activity. For example, it could be a domain, a hash or an IP address associated with a command and control server. The following is an example of an indicator for the Poison Ivy malware. Note the pattern field, which contains a unique hash: if you find this hash in your environment, that 'indicates' that you are very likely affected by this malware.

{
  "type": "indicator",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "labels": ["malicious-activity"],
  "name": "Poison Ivy Malware",
  "description": "This file is part of Poison Ivy",
  "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
  "valid_from": "2016-01-01T00:00:00Z"
}
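To show what "finding this hash in your environment" means mechanically, here is an added example (not code from the post, and not the official stix2 library) that parses the small subset of the STIX patterning language used by the indicator above, evaluates it against file observations as an EDR might emit them, and honours the indicator's valid_from (and valid_until, when present) window. The observation records and the observation timestamps are constructed for the example; the indicator and its hash are the ones shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample data: the Poison Ivy indicator from the post, with plain ASCII
# quotes and hyphens (rendered pages often turn the "--" in STIX ids into a dash).
INDICATOR = {
    "type": "indicator",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "labels": ["malicious-activity"],
    "name": "Poison Ivy Malware",
    "pattern": "[ file:hashes.'SHA-256' = "
               "'4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "valid_from": "2016-01-01T00:00:00Z",
}

# Constructed observations, shaped like STIX "file" cyber observables.
OBSERVED_FILES = [
    {"type": "file", "name": "update.exe",
     "hashes": {"SHA-256": "4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877"}},
    {"type": "file", "name": "notes.txt",
     "hashes": {"SHA-256": "0" * 64}},
]

# One '=' comparison: an object path such as file:hashes.'SHA-256' and a quoted literal.
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Parse the STIX pattern subset used here: one observation expression in square
    brackets holding '=' comparisons joined by AND / OR (no parentheses, no other
    operators). Returns (comparisons, operators)."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single bracketed observation expression")
    tokens = re.split(r"\s+(AND|OR)\s+", body[1:-1].strip())
    comparisons, operators = [], []
    for i, token in enumerate(tokens):
        if i % 2:  # odd positions are the captured AND / OR separators
            operators.append(token)
            continue
        m = COMPARISON_RE.fullmatch(token.strip())
        if m is None:
            raise ValueError(f"unsupported comparison: {token!r}")
        comparisons.append((m.group(1), m.group(2)))
    return comparisons, operators


def resolve(observed, path):
    """Look up an object path like file:hashes.'SHA-256' in one observed object;
    None when the object type differs or a key is missing."""
    obj_type, _, key_path = path.partition(":")
    if observed.get("type") != obj_type:
        return None
    value = observed
    for key in key_path.split("."):
        key = key.strip("'")
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def evaluate(pattern, observed):
    """True when the observed object satisfies the pattern. AND binds tighter than OR,
    so the comparison results are grouped into OR-separated runs of AND terms."""
    comparisons, operators = parse_pattern(pattern)
    results = [resolve(observed, path) == literal for path, literal in comparisons]
    groups = [[results[0]]]
    for op, result in zip(operators, results[1:]):
        if op == "AND":
            groups[-1].append(result)
        else:
            groups.append([result])
    return any(all(group) for group in groups)


def parse_timestamp(ts):
    """STIX timestamps are UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a STIX timestamp: {ts!r}")


def find_matches(indicator, observed_files, observed_at):
    """Names of observed files matching the indicator, provided the observation falls
    inside the indicator's validity window (valid_from, and valid_until if present)."""
    seen = parse_timestamp(observed_at)
    if seen < parse_timestamp(indicator["valid_from"]):
        return []
    if "valid_until" in indicator and seen >= parse_timestamp(indicator["valid_until"]):
        return []
    return [f["name"] for f in observed_files if evaluate(indicator["pattern"], f)]


if __name__ == "__main__":
    print(find_matches(INDICATOR, OBSERVED_FILES, "2022-01-04T00:00:00Z"))  # ['update.exe']
```

The validity check matters in practice: an indicator shared years ago may have expired (valid_until), and matching it anyway produces stale alerts. Real deployments use a full pattern engine, since STIX patterns also support operators such as MATCHES, LIKE, set membership and temporal qualifiers that this subset deliberately leaves out.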

You can also create relationships between objects in STIX. For example, the two objects above can be placed in a relationship with the following STIX bundle. A bundle is a container for multiple STIX objects that are related to each other.

[
  {
    "type": "indicator",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "labels": ["malicious-activity"],
    "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
    "valid_from": "2016-01-01T00:00:00Z"
  },
  {
    "type": "relationship",
    "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:06:37.000Z",
    "modified": "2016-04-06T20:06:37.000Z",
    "relationship_type": "indicates",
    "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
  },
  {
    "type": "malware",
    "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "created": "2016-04-06T20:07:09.000Z",
    "modified": "2016-04-06T20:07:09.000Z",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "name": "Poison Ivy"
  }
]

The above relationship can also be visualized as a graph using STIX visualizer tools such as the OASIS STIX visualizer: https://oasis-open.github.io/cti-stix-visualization/

Another example of a relationship between objects is the course of action you can take to remediate a piece of malware, say Poison Ivy.

[
  {
    "type": "course-of-action",
    "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter",
    "description": "This is how to add a filter rule to block inbound access to TCP port 80 to the existing UDP 1434 filter ..."
  },
  {
    "type": "relationship",
    "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:07:10.000Z",
    "modified": "2016-04-06T20:07:10.000Z",
    "relationship_type": "mitigates",
    "source_ref": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
  },
  {
    "type": "malware",
    "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:07:09.000Z",
    "modified": "2016-04-06T20:07:09.000Z",
    "name": "Poison Ivy"
  }
]

Using the visualizer, the above relationship is graphed as a course-of-action node connected to the Poison Ivy malware node by a "mitigates" edge, which simply shows that the Poison Ivy malware can be mitigated by blocking the UDP and TCP ports on your firewall.
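The two listings above are the kind of thing a tool ingests before it can act on them, and the first thing it should do is check that the bundle hangs together: ids have the form <type>--<UUID>, no id appears twice, and every relationship's source_ref and target_ref resolve to an object in the bundle. The following added example (not code from the post or from any STIX library) does that check and then walks the relationships to answer what indicates a malware object and what mitigates it, the same question the visualizer's graph answers by eye. It combines the post's two examples in one bundle, wrapped in the "bundle" object the STIX specification uses; the bundle id and the id of the "mitigates" relationship are made up for the example, because the post reuses a single relationship id for both relationships and ids must be unique within a bundle. The created_by_ref identity is left unresolved on purpose, as in the post, since identity objects are commonly distributed separately.

```python
import re

# STIX identifiers are "<type>--<UUID>". An id copied from a rendered page as
# "malware — 31b9..." (typographic dash) fails this check.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

MALWARE_ID = "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
INDICATOR_ID = "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
COA_ID = "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"

# Constructed bundle combining the post's two examples. The bundle id and the
# second relationship id are made up here (the post reuses one relationship id).
BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f7b9c2a-1d4e-4a6b-9c3d-2e5f8a7b6c1d",
    "objects": [
        {"type": "indicator", "id": INDICATOR_ID, "name": "Poison Ivy Malware",
         "pattern": "[ file:hashes.'SHA-256' = "
                    "'4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
         "valid_from": "2016-01-01T00:00:00Z"},
        {"type": "malware", "id": MALWARE_ID, "name": "Poison Ivy"},
        {"type": "course-of-action", "id": COA_ID,
         "name": "Add TCP port 80 Filter Rule to the existing Block UDP 1434 Filter"},
        {"type": "relationship", "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
         "relationship_type": "indicates", "source_ref": INDICATOR_ID, "target_ref": MALWARE_ID},
        {"type": "relationship", "id": "relationship--7c1e5b2f-3a4d-4e6f-8b9c-0d1e2f3a4b5c",
         "relationship_type": "mitigates", "source_ref": COA_ID, "target_ref": MALWARE_ID},
    ],
}


def validate_bundle(bundle):
    """Return a list of problems: ids that are not <type>--<UUID>, duplicate ids, and
    relationship endpoints that do not resolve inside the bundle. created_by_ref is
    not checked, since identity objects are commonly shared out of band."""
    problems, seen = [], {}
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"malformed id: {oid!r}")
        if oid in seen:
            problems.append(f"duplicate id: {oid}")
        seen[oid] = obj
    for obj in bundle.get("objects", []):
        if obj.get("type") != "relationship":
            continue
        for field in ("source_ref", "target_ref"):
            ref = obj.get(field)
            if ref not in seen:
                problems.append(f"{obj.get('id')}: {field} {ref!r} not in bundle")
    return problems


def related(bundle, target_id, relationship_type):
    """Names of the objects that are the source of a relationship_type edge
    pointing at target_id (falls back to the id when an object has no name)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [by_id.get(r["source_ref"], {}).get("name", r["source_ref"])
            for r in bundle["objects"]
            if r["type"] == "relationship"
            and r["relationship_type"] == relationship_type
            and r["target_ref"] == target_id]


def summarize(bundle):
    """For every malware object in the bundle: what indicates it, what mitigates it."""
    return {o["name"]: {"indicated_by": related(bundle, o["id"], "indicates"),
                        "mitigated_by": related(bundle, o["id"], "mitigates")}
            for o in bundle["objects"] if o["type"] == "malware"}


if __name__ == "__main__":
    problems = validate_bundle(BUNDLE)
    print("problems:", problems or "none")
    print(summarize(BUNDLE))
```

Running the validation before the traversal is the point: a dangling target_ref or a colliding id silently drops edges from the graph, and an automated pipeline that blocks or alerts on the basis of that graph would act on incomplete data without noticing.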

The above was a short description of STIX to show how it can help us achieve the objectives of sharing security intelligence and building open security tools that can be integrated with each other, thus helping us automate most of the security tasks.
