New Lingua Franca For Exchanging Cyberattack Intelligence

It's not easy for organizations to share firsthand attack intelligence in a confidential or even meaningful way, so many don't bother, which gives the bad guys another leg up. But tools to facilitate the sharing of attack information are gradually emerging: most recently, a new open-source framework for describing the technical earmarks of a specific threat.

The so-called Open Indicators of Compromise (OpenIOC) released last week by Mandiant is one layer of facilitating the anonymous sharing of attack intelligence among victim organizations. Mandiant originally built the technology in-house for its homegrown tools and forensics engagements, and is now offering it in the public domain.

There's no single, standardized way for how people to share attack intelligence, says Dave Merkel, CTO at Mandiant. "The technologies used to deploy are varied and not consistent in a way to take intelligence and boil it down to something ... actionable. It's fragmented," he says.

Mandiant originally created IOC for its internal use. "We needed a way to bridge technology and intelligence. That's important because we have services and products," Merkel says. And Mandiant's clients started asking if they could use IOC as well.

Merkel says the idea is to offer security vendors a standardized way to represent intelligence for their products to "consume" and share, but for now, most of the early OpenIOC adopters are organizations in the government, defense, and energy industries.

Mitre also offers a similar open schema, with its Malware Attribute Enumeration and Characterization (MAEC), which provides a standard language for encoding and communicating information -- specifically about malware.

"The characterization of malware using such abstract patterns offers a wide range of benefits over the usage of physical signatures. Namely, it allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can not only be used for malware detection but also for assessing the end-goal the malware is pursuing and the corresponding threat that it represents," according to the Mitre's description of MAEC.

The idea is to hone in on the malware's behavior and features to help detect threats that bypass existing security products, and to get rid of the confusion with existing malware descriptions and identification.

Mandiant's Merkel says some vendors have their own ways of representing threat intelligence information, and Mitre's MAEC is the closest thing to addressing what OpenIOC does. "We've talked and exchanged [information]. We are not solving the same problem the same way, though, but it's the closest thing I've seen to what OpenIOC [is]," he says.

OpenIOC is an XML-based standard, and Mandiant also is offering for free its IOC Finder tool for incident responders to share threat intelligence in a machine-readable format. OpenIOC also provides a format for describing an attacker's methodology, according to Mandiant. It currently has more than 500 indicator definitions.

"Over the long term, we'd like to build a community around it, sharing techniques in how they are using the schema," Merkel says. "I could see vendors supporting" it, he says.

But the big hurdle continues to be organizations that are wary, or unable to, share intelligence. While the defense industry and some government organizations have done so for some time, there's no go-to place for all organizations to share attack intelligence.

Verizon Business last year took a stab at helping to build out such a destination by releasing its Verizon Incident-Sharing (VerIS) framework for gathering and analyzing forensics data from a data breach that is the basis for its comprehensive annual data breach reports. The hope was that the framework would facilitate more cooperation and data-sharing among breach victim organizations. It's basically a tool for describing security incidents in a consistent way, according to Verizon executives.

Merkel says OpenIOC could serve as a subset of VERIS, for example. "This is solving a lower-order problem" than VERIS, he says.

The importance of intelligence-sharing among victim organizations is not lost on forensics experts. According to Verizon, as many as half of the security breaches it investigates are related to another attack in some way. So sharing that attack information in a way that can be incorporated into their security tools would help block future attacks, and help victims better understand the threats.

"The short-term benefit [of OpenIOC] is it's a consistent way to capture that information and apply it again and again" in a tactical way," Merkel says.

Long term, Merkel says he hopes more industries will build their own intelligence-exchange communities like the defense contractor community has done.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.