Part 2: Cyber Threat Intelligence—Let’s Talk Interoperability

Interoperability: The ability of your business information systems to work together and exchange cybersecurity data within and outside your organization to effectively deliver cyber threat intelligence.

PolySwarm
6 min read, May 3, 2018

Last week we covered the first of our two-part series on cyber threat intelligence (CTI) for the enterprise: “Part 1: Cyber Threat Intelligence — Do You Have A Strategic Approach?” If you missed it, we focused on the strategic component of your threat intelligence needs, including leadership and human error. In Part 2 we will address a technical component of cyber threat intelligence: interoperability.

Before addressing its importance in CTI, let’s take a look at the consequences of a lack of interoperability. When information systems cannot interoperate or share intelligence, the result can be serious, limiting response capability against cyber attacks and, even worse, terrorism. For example:

In 2003, after a lengthy investigation, the Joint Congressional Committee of the House and Senate intelligence panels found that the 9/11 attacks were preventable, but the plot went undetected because of communications gaps between the FBI and CIA.

The two organizations failed to share intelligence related to two hijackers, even though the CIA had known about the terrorists’ connections to terror groups for nearly two years prior to the 2001 attacks (New York Times and 9/11 Commission Report).

Operating in a silo like this, and not sharing critical cyber threat intelligence, can also be disastrous for your business. This is just one reason PolySwarm will be vital for enterprises as they look to improve their security options and processes:

“Decentralization mandates an open source, interoperable environment. Participation in the PolySwarm marketplace must abide by rules written in smart contracts and enforced by the community. No longer will enterprises be forced to choose the least-worst, ‘best fit’ solution; they will simply mix and match intelligence that addresses their threat profile,” explains Paul Makowski, PolySwarm CTO, in The Case for Decentralizing Cybersecurity.

PolySwarm may be just one part of your overall CTI strategy, so let’s dive into interoperability and its importance to cyber threat intelligence.

Why is Interoperability Important for Cyber Threat Intelligence?

Cybersecurity analysts often share data with different systems within and/or outside their organization.

The SANS Institute, which specializes in information security, cybersecurity training and security expert certification, conducted a survey early in 2018 to see how organizations collect security intelligence data from a variety of sources.

They also wanted to see how these organizations then recognize and act upon indicators of attack and compromise in a timely manner. (See the full results of the survey here.)

The survey found (details in Figure 1 and Tables 1 and 2):

  • There’s a growing use of CTI data and the need for more integration between CTI tools and data feeds.
  • CTI is becoming more useful overall, especially to security operations teams.
  • CTI is becoming more integrated, with the SIEM still the most common tool for management of CTI.
  • CTI tools need to be easier to configure, integrate with other systems, and use overall, allowing junior staff to do more with less time.

Long story short: interoperability is critical for successful threat intelligence.

The Benefits of Interoperability in CTI

We see from the SANS survey results that CTI systems are becoming more integrated, and the CTI data is being used for threat detection and response.

This means your organization would benefit in a number of ways from improved interoperability:

  • Interoperability makes it possible for organizations to share and receive cyber threat intelligence within and beyond their organization’s boundaries. This collaboration on threat detection, analysis and threat data exchange yields better productivity for individual security analysts.
  • Interoperability helps cybersecurity experts detect intrusions faster and lets them better prepare for and respond to those attacks effectively.
  • CTI interoperability through the STIX framework improves a variety of capabilities, including collaborative threat analysis, automated threat exchange, and automated detection and response.

Interoperability in cyber threat intelligence gives consumers and producers a common language to work with.

Standards and frameworks exist to streamline and facilitate CTI data exchange. They provide guidelines for consistent, machine-readable formatting, which in turn helps the cybersecurity community better understand cyberattacks.

Today we’re going to highlight three specific standards because:

  1. They’re open standards. A proprietary standard can be an issue that limits interoperability.
  2. They’re built from public and private efforts (DHS (federal) + OASIS (consortium of infosec orgs)).
  3. They’re used by major security corporations, including IBM and Cisco.

CybOX (Cyber Observable eXpression)

This is a standardized language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain. The CybOX project was initially sponsored by the Department of Homeland Security office of Cybersecurity and Communications and developed by MITRE Corporation.

STIX (Structured Threat Information eXpression)

This is a structured language and serialization format used to exchange cyber threat intelligence. STIX 2 represents its objects in JSON (JavaScript Object Notation), and the CybOX requirements have been folded into STIX Version 2 (STIX 2).

STIX 2 defines twelve STIX Domain Objects (SDOs), including Attack Pattern, Intrusion Set, Observed Data and Vulnerability, as well as the Relationship object, which is used to link two SDOs and describe how they are related to each other.

Source: OASIS
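To make the STIX 2 description above concrete, here is an added example (not PolySwarm’s or OASIS’s code, and not using the stix2 library) that hand-builds a small STIX 2.0 bundle in JSON: an Indicator SDO, an Attack Pattern SDO and a Relationship linking them, plus the checks a receiving tool would run before trusting the bundle. The domain, names and timestamp are constructed sample values.

```python
import json
import re
import uuid
# Added example (not PolySwarm's or OASIS's code): STIX 2.0 objects built by hand, no
# stix2 library needed. All values below are constructed samples.
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f-]{36}$")
REQUIRED = ("type", "id", "created", "modified")   # common properties of every SDO/SRO
CREATED = "2018-05-03T12:00:00.000Z"               # constructed, fixed for stable output

def new_object(obj_type, **props):
    """One STIX 2 object: the common properties plus the caller's own."""
    obj = {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj

def relate(source, target, relationship_type):
    """Relationship object: links two SDOs and says how (e.g. indicator 'indicates' attack-pattern)."""
    return new_object("relationship", relationship_type=relationship_type,
                      source_ref=source["id"], target_ref=target["id"])

def make_bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": list(objects)}

def validate_bundle(bundle):
    """Problems a receiver would reject: missing common properties, malformed ids, dangling refs."""
    problems, ids = [], set()
    for obj in bundle["objects"]:
        for field in REQUIRED:
            if field not in obj:
                problems.append(f"{obj.get('id', '?')}: missing {field}")
        oid = obj.get("id", "")
        if not STIX_ID.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid or '?'}: malformed id")
        ids.add(oid)
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj.get('id', '?')}: {ref} {obj.get(ref)} not in bundle")
    return problems

def example_bundle():
    # Constructed sample: a phishing-domain indicator linked to the attack pattern it indicates.
    indicator = new_object("indicator", name="Constructed phishing domain",
                           labels=["malicious-activity"], valid_from=CREATED,
                           pattern="[domain-name:value = 'phish.example.com']")
    attack = new_object("attack-pattern", name="Spearphishing Link")
    return make_bundle(indicator, attack, relate(indicator, attack, "indicates"))

def to_json(bundle):
    return json.dumps(bundle, indent=2)  # the machine-readable form carried over TAXII
```

Running `print(to_json(example_bundle()))` shows the JSON a TAXII server would hand to a consumer; `validate_bundle` returns an empty list for it and names the dangling reference if an SDO is dropped but the Relationship that points at it is kept.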

TAXII (Trusted Automated Exchange of Intelligence Information)

This is a transport mechanism for sharing cyber threat intelligence. TAXII is an application-layer protocol for exchanging CTI over HTTPS. The protocol defines a RESTful API, the services and message exchanges it governs, and the requirements for TAXII clients and servers.

Source: OASIS

The STIX and TAXII standards are governed by the OASIS Cyber Threat Intelligence Technical Committee, a consortium of private and public agencies supporting automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis.

In summary, the CybOX and STIX standards cover CTI data formatting, while TAXII covers the mechanism for automated sharing, taking into consideration the confidentiality and authentication of the data in transit.

To learn more about CTI interoperability implemented through STIX and TAXII, check out this webinar presented by Allan Thomson, LookingGlass Cyber; Jason Keirstead, IBM Security Systems; and Henry Peltokangas, Cisco Systems:

CTI Collaboration — STIX/TAXII v2 Interoperability Challenges and Solutions

Looking Ahead: CTI Systems and Analytics

In Part 3 of this series, we’ll address the analytical components of cyber threat intelligence and cover topics such as breadth of security coverage, real-time monitoring and threat intelligence feeds.

Follow us on Medium and subscribe to our newsletter so you don’t miss Part 3!
