Vulnerabilities / Threats

04:27 PM
Connect Directly

Attack Intelligence-Sharing Goes 'Wire-Speed'

STIX standard aimed at eliminating manual process of converting intelligence into useful defense

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

That gap of time between receiving the intell and converting it into something useful can make all the difference in deflecting or mitigating an attack. To wit, an industry effort is under way to create a standard, machine-readable language that organizations can use to efficiently incorporate the latest threat information into their security infrastructures, called Structured Threat Information eXpression, or STIX.

"STIX is not a program or policy. It's not a system or application. It's not code or heuristics: It's purely a language," says Sean Barnum, a principal in cybersecurity at Mitre Corp., which is spearheading the project. "It's a way of expressing and specifying cyberthreat information. You can then use it any way you want."

The goal is to help automate the process with a consistent language for speaking intell. "So I can share my detection for your prevention tomorrow, so you can block it," Barnum says. "There's no standard way of doing this today. It's amazing how much time is spent translating [attack and threat] information from different players."

STIX, which is currently available as a 1.0 draft release, would make intell-sharing -- and reaction to new threats --"wire-speed," its backers say. The initial version uses XML Schema and is made up of eight core "constructs," including indicator, incident, exploit target, campaign, and threat actor.

And the project has some heavy-duty players behind it: The U.S. Department of Homeland Security (DHS), U.S. Computer Emergency Readiness Team (US-CERT), National Institute of Standards and Technology (NIST), Financial Services Information Sharing and Analysis Center (FS-ISAC), Depository Trust & Clearing Corporation (DTCC), General Dynamics, Lockheed Martin, NATO, and World Bank are among the contributors.

[Targeted attacks out of China against Google and other U.S. firms forced some chief information security officers to reach out to their counterparts in other organizations and share attack, forensics information. See 'Operation Aurora' Changing The Role Of The CISO.]

Michael "Aharon" Chernin, security automation program manager for corporate information security at DTCC and a contributor to STIX, says the goal of STIX is making intelligence machine-readable in a standard way. "It's not that the intell [today] being shared is bad -- it's that the intell isn't structured, so that when you receive it you have to manually act upon it.

"If I know it's going to be structured, I can develop automated tools to use it. STIX makes it so when you share intell, it's always in machine-readable format," Chernin says. And that way, organizations can respond to threats "at wire speed" as well, he says.

Chernin, whose organization is a participant in the FS-ISAC, describes STIX as the intelligence-sharing language architecture, while a companion standard from DHS, Trusted Automated eXchange of Indicator Information (TAXII), is the protocol for transporting the information. FS-ISAC plans to adopt both STIX and TAXII, he says.

DTCC has been a major contributor to STIX. "DTCC has been involved in security standards for a few years, even before STIX and TAXI. We are one of the top contributors to the OVAL [Open Vulnerability Assessment Language] repository," Chernin says.

Sharing malicious IP addresses, file hashes, URLs, and email addresses used in attacks has been going on for some time. It has just been a mostly manual process, he says. The goal is to make it more costly for the attacker with better defenses that force him to spend more money and time, he says.

RSA, the security division of EMC, had previously offered up its own XML-based language as a solution to the intell-sharing problem. The language is based on its NetWitness framework's technology for taking data from different sources, massaging it, and converting it into machine-readable format, says Eddie Schwartz, CSO at RSA. RSA demonstrated a prototype of the technology at the RSA Conference last year.

"You're going to see more and more of this, with companies like ours looking at different ways to use automated threat intelligence," he says. It's too soon to tell whether STIX will be the language, though, he says.

"It's pointing to the ongoing need for development of a format," he says. Schwartz says STIX and TAXII present intelligence information in a digestible way that can be easily integrated into their existing infrastructures.

The hope is that vendors, too, ultimately will adopt STIX support into their security products. "What we're trying to do is drive demand from the consumer and what the consumer needs, versus having solutions come from vendors," DTCC's Chernin says.

So far, aside from FS-ISAC, the DHS, US-CERT, Mitre, and Japan's Information-technology Promotion Agency have publicly committed to adopting STIX. According to STIX's developers, various U.S. and international organizations are considering adopting the standard, as well.

"In a perfect world, everyone would adopt STIX," Chernin says. "It would be a huge win if just the financial sector adopted it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.