The Department of Homeland Security and the MITRE Corp. are developing a framework to standardize cyberthreat intelligence sharing and build deeper context into ongoing attacks.
Researcher Sean Barnum of MITRE will describe the new Structured Threat Information eXpression (STIX) framework this week at the 2012 Black Hat Briefings in Las Vegas. The framework is being tested by the U.S. Computer Emergency Response Team (US-CERT) and the financial industry. If successful, it could be adopted broadly to share up-to-the-minute threat information when attacks happen.
STIX provides a common set of criteria to help organizations share cyberthreat intelligence data – observed attacks, tactics, techniques, malware, exploit targets and procedures – so the data can not only be read by incident response threat analysts, but also fed into automated systems for deeper analysis over time.
"They're recognizing that continuing to do the things the way we've done in the past isn't going to work," said Barnum, a software assurance principal at MITRE. "It really requires somewhat of a paradigm shift in how we actually get ahead of the adversary. Given the diversity of the attacks that are going on, we're recognizing that no organization has the full picture of what is going on."
STIX is being funded through DHS's Security Systems Engineering & Development Institute. Barnum said it is being developed with the help of security experts from industry, academia and government. While sharing threat information is not new -- organizations in various industry sectors have been sharing threat information with US-CERT and their partners -- the goal, Barnum said, is to make threat indicator information more actionable.
"These communities have all been sharing stuff for a while, but they all share stuff that is very limited in its usefulness," Barnum said. "They're sharing a set of file hashes that they think are bad, or a set of IP addresses that they think are using malware. There's not a whole lot of context that goes along with it."
Barnum said information sharing can help organizations gain a broader understanding of the threat landscape and potentially detect ongoing attacks on the network before cybercriminals can inflict maximum damage. A structured framework, he said, can boost automation to help threat analysts quickly execute defensive actions.
STIX incorporates a variety of security plans developed during the past five years for documenting attack patterns, observations and malware types. It uses Cyber Observable eXpression (CybOX), a language for documenting threat observations, Indicator Exchange eXpression (IndEX), the Common Attack Pattern Enumeration and Classification (CAPEC) schema, and other incident exchange formats. In addition, the framework supports standard vulnerability scoring systems, CVE, CVSS and CWSS.
Barnum said DHS intends to use STIX to support incident threat sharing among US-CERT, government and private-sector organizations, which would exchange the data elements and relationships defined by STIX using secure automated mechanisms. US-CERT is integrating STIX into its internal incident response and incident management processes.
The financial industry has also shown interest in the framework. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is implementing the STIX architecture (including CybOX and IndEX) for cyberthreat intelligence information sharing among its core membership.